
#1 2010-12-01 07:27:56

ngoonee
Forum Fellow
From: Between Thailand and Singapore
Registered: 2009-03-17
Posts: 7,356

Recommendation for 2 sub-net 1 connection network

Hi all,

Here's the most relevant topic I've found on google - http://forums.techguy.org/networking/83 … 1-dsl.html

I have two wifi-routers, a switch, and one internet connection. Routers A and B, switch C.

Let's assume Router A is connected to switch C and the internet connection, this part is working fine. So anything which connects to A by wifi or C by lan gets the internet connection. The sub-net is 192.168.1.x.

I'd like to set up Router B as a 'non-privileged' internet connection. Router A's wifi password will only be known to certain people (employees) while Router B's password will be distributed to anyone wanting to use our connection.

My idea is that if Router B has a different sub-net and I connect its WAN port to one of A's lan ports, I should be able to have a separate sub-net for 'general' people who can't see the machines on Router A.

The link above implies however that it's reversed, router A users will not be able to see router B users, while router B users can see router A users (IP addresses). Would I then need to swap them (router A is generally available, router B only to privileged)?

Also, will wiring B's WAN to A's LAN result in shared internet connections, or is there anything else I need to do?

Thanks.


Allan-Volunteer on the (topic being discussed) mailing lists. You never get the people who matters attention on the forums.
jasonwryan-Installing Arch is a measure of your literacy. Maintaining Arch is a measure of your diligence. Contributing to Arch is a measure of your competence.
Griemak-Bleeding edge, not bleeding flat. Edge denotes falls will occur from time to time. Bring your own parachute.


#2 2010-12-01 08:00:30

CountDuckula
Member
Registered: 2010-02-28
Posts: 151

Re: Recommendation for 2 sub-net 1 connection network

Where you have devices chained together like this there's always an issue with security, in my view. If you have closed and basically open wireless users then they should be on different subnets - even the LAN users through the switch should be on a separate subnet from the wireless users.

My preferred option in this scenario (if I understand it correctly) would be to deploy something like pfSense on a PC with enough network cards (4 in this case) for (2x)wireless routers, LAN switch and connection to internet. It can all then be controlled from one web console too.

If cost was not the agenda then you could go for an all in one solution based on a PC-Engines ALIX 2D2 embedded board

I know this might not be what you want, but if you're going to do it, do it right - but that's my opinion...

Last edited by CountDuckula (2010-12-01 08:19:13)


#3 2010-12-01 08:25:36

ngoonee
Forum Fellow
From: Between Thailand and Singapore
Registered: 2009-03-17
Posts: 7,356

Re: Recommendation for 2 sub-net 1 connection network

Well, the only reason I'm looking at this sort of scheme is that I have an additional wireless router lying around. The situation I'm in doesn't justify additional spending on hardware (that would of course be best).

Thanks for your feedback :)



#4 2010-12-01 10:59:42

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224

Re: Recommendation for 2 sub-net 1 connection network

I don't fully understand, so I hope this is correct... If not, it will help clarify it for me ;)

Internet <--> Router A <---> Router B <--> LAN

LAN users default route to B, then B default routes to A, and A to your ISP.
Router A serves your wireless guests, B serves your 'trusted' wireless.

That should do what you want. From the guests (and router A's) point of view, router B is just another address in the guest wireless network. They can't see, nor route, to the internal network.

As CountDuckula said, personally I'd throw together an old PC with Arch or CentOS and 3 NICs, then use husk* to set firewall rules to ensure the untrusted hosts can't get to the trusted network.

* Shameless self-promotion :P


#5 2010-12-04 16:33:40

tpolich
Member
Registered: 2009-08-07
Posts: 44

Re: Recommendation for 2 sub-net 1 connection network

A simple solution is just to alter the routing information on both routers. A (the trusted router) needs a route that says all traffic going to X subnet goes to IP Y (the IP of router B). Router B (untrusted) needs its default route to be router A's IP. You then need to set 2 more static routes on router B. One that points directly to router A; this is important and needs to be ahead of the next route in the routing table. The second route needs to say all traffic going to the subnet of router A should go to an unused IP on subnet B. This will route all traffic not targeted to router A or the internet to nothing. All the people on router B will get is host unreachable.

If I didn't explain this very well or you need some further information feel free to pm me.


#6 2010-12-04 23:28:33

ngoonee
Forum Fellow
From: Between Thailand and Singapore
Registered: 2009-03-17
Posts: 7,356

Re: Recommendation for 2 sub-net 1 connection network

@tpolich, yes, I understood that fine. If I'm not mistaken however wouldn't what you mention be unnecessary? In my experience something on 192.168.1.* can't contact what's on 192.168.2.* anyway, without any special re-routing. The mask of 255.255.255.0 prevents this.



#7 2010-12-05 06:11:52

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224

Re: Recommendation for 2 sub-net 1 connection network

ngoonee wrote:

In my experience something on 192.168.1.* can't contact what's on 192.168.2.* anyway, without any special re-routing. The mask of 255.255.255.0 prevents this.

Without a router, that's correct... However you have 2 routers that are aware how to route to both networks.

Offline
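
An added illustration of the point made in the last reply (not code from any poster in this thread): the 255.255.255.0 mask only decides whether a host delivers on-link or hands the packet to its gateway, and the router then forwards by longest-prefix match. The model below wires router B's WAN port into router A's LAN as first proposed; the addresses 192.168.1.1, 192.168.1.2, 192.168.2.1 and the ISP gateway 203.0.113.1 are constructed for the example.

```python
import ipaddress

# Constructed addressing (assumptions): router A is 192.168.1.1, router B's
# WAN port is 192.168.1.2 on A's LAN, B's own LAN is 192.168.2.0/24.
ROUTER_A = [  # (destination, next hop or "connected", interface)
    ("192.168.1.0/24", "connected", "lan"),
    ("0.0.0.0/0", "203.0.113.1", "wan"),      # placeholder ISP gateway
]
ROUTER_B = [
    ("192.168.2.0/24", "connected", "lan"),
    ("192.168.1.0/24", "connected", "wan"),   # B's WAN port sits in A's LAN
    ("0.0.0.0/0", "192.168.1.1", "wan"),      # default route via router A
]

def host_sends_to(host_cidr, gateway, dst):
    """What a host does: the netmask only picks on-link delivery vs. gateway."""
    iface = ipaddress.ip_interface(host_cidr)
    return dst if ipaddress.ip_address(dst) in iface.network else gateway

def route_lookup(table, dst):
    """Longest-prefix match, as a router's forwarding decision."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(n), hop, ifc) for n, hop, ifc in table
               if addr in ipaddress.ip_network(n)]
    net, hop, ifc = max(matches, key=lambda m: m[0].prefixlen)
    return (dst if hop == "connected" else hop), ifc

def trace(host_cidr, gateway, router, dst):
    """First hop chosen by the host, then the router's next hop and interface."""
    first = host_sends_to(host_cidr, gateway, dst)
    if first == dst:
        return [("host", dst, "on-link")]
    return [("host", first, "gateway"), ("router",) + route_lookup(router, dst)]

if __name__ == "__main__":
    # Guest on B's LAN -> trusted machine on A's LAN: B delivers it out its WAN port.
    print(trace("192.168.2.10/24", "192.168.2.1", ROUTER_B, "192.168.1.50"))
    # Trusted machine on A's LAN -> guest on B's LAN: A only has its default route.
    print(trace("192.168.1.50/24", "192.168.1.1", ROUTER_A, "192.168.2.10"))
```

The two traces show the asymmetry raised in the first post: hosts behind B reach A's LAN through B's connected WAN route, while A has no route to 192.168.2.0/24 and sends that traffic toward the ISP. Keeping guests off the trusted subnet in this layout therefore takes a filtering rule on the router, not the netmask.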
