PC Perspective Forums, Networking And Associated Security
#1  11-02-2009, 01:43 PM  ThePunkerGuy
How to isolate two groups of people sharing one internet connection?

Ok, so I have a single internet connection that comes into a router. That router is then used by a certain group of people to get on the internet. What I then want to do is take an ethernet cable from that router to some other device (router/firewall, whatever) that will then provide internet to a second group of people. The issue that I need to solve is that I want to make sure there is some type of complete isolation between the two groups of people. Mainly, I don't want any computers on the first main router to be able to see or access any devices on the second router/device. Also, I cannot change anything that has to do with the first main router. I need a hardware solution, simply turning off or passwording file sharing on the computers will not do what I need.

I am sure I can make it work fine with the right options in the right router or hardware firewall, but I am not sure what I need. A second internet connection is out of the question. I have a spare D-Link DIR-615 router that I daisy chained off the first main router (ethernet cable from a port on the first main router to the WAN port on the DIR-615) and I can get internet to come out of the DIR-615 to the second group of people, but there is no type of wall between the two groups of people on the two different routers. People on the first router can see people on the second router and vice-versa; that is what I am trying to eliminate. Maybe the DIR-615 can be configured to separate its users from the users on the first router that are coming in through the WAN port? I know the DIR-615 has a ton of settings/options but I have no idea which one to use that would make this work. If the DIR-615 won't work, what other device could I use and how do I configure it properly? Any suggestions would be greatly appreciated! I am sure there is a simple/cheap solution. Thanks so much guys!
- Mike
#2  11-02-2009, 10:24 PM  MrBlack

With it attached like you describe:
R2 (DIR-615) ---> R1 ----> internet

I can't figure out how the other clients attached directly to R1 are able to see the ones attached to the DIR-615 (R2).

Is UPnP enabled on the DIR-615? If so, disable it. Also disable any port forwarding.

I would have said it should work (at least for one-way protection) if you could put the DIR-615 clients in their own 172.16.0.x subnet, but I noticed the DIR-615 DHCP address pool is predefined to start with 192.168.0.x. Does the R1 router use the same DHCP pool range?

You may be able to statically assign all DIR-615 clients into their own subnet.

Could you give more info on the current setup for each router? Are any wireless clients involved?
#3  11-02-2009, 11:32 PM  jdabbs

Based on the DIR-615 emulator, port-based VLANs aren't a supported feature.

MrBlack's cabling suggestion is feasible for keeping one network accessible from the other. Fancy subnetting should not be necessary. A different subnet is good for NAT reasons, but the lack of it isn't enabling undesired access.

My guess as to why you see the other network is because either 1) you didn't cascade it properly (one network entirely behind NAT) or 2) you just looked at the network browser rather than verifying accessibility.
#4  11-03-2009, 12:48 AM  Bryan (Moderator)

If I remember correctly the dir-655 supports WAN bridging which allows you to extend your network between routers using the same subnet.

To avoid that issue you'd have to implement a second separate subnet on router 2 to avoid bridging. ( However, you'd have to contend with Double NAT.)

The dir-655 vlan capability is strictly for wireless client isolation from other wireless clients as well as wireless guest network.

Since you have access to two routers and you are not able to change the settings on the main router you'd be better off with getting a second ip and using a switch to hook both routers up to the modem.

This would accomplish total isolation of the two networks and would avoid having to mess with the main router.
#5  11-03-2009, 01:13 AM  MrBlack

Quote:
Originally Posted by Bryan
you'd be better off with getting a second ip and using a switch to hook both routers up to the modem.

Must read entire test question.
(A second internet connection is out of the question)
#6  11-03-2009, 08:17 AM  Bryan (Moderator)

Quote:
must read entire test question
(A second internet connection is out of the question)

A second IP is not a second internet connection; a single internet connection can have many different IP addresses.

You might want to be clear what your setup is, as you're potentially stating at least two different things with what you have laid out.
#7  11-03-2009, 08:25 AM  MrBlack

Quote:
Originally Posted by Bryan
A second IP is not a second internet connection, a single internet connection can have many different ip addresses.

Yeah, sorry about that, you're right.
#8  11-03-2009, 10:19 AM  ccheath (Chris Heath)

Steve Gibson has a good page about using multiple routers to section off your home network from say a guest network. http://www.grc.com/nat/nats.htm

That article doesn't really talk about totally isolating the networks though, and to do that you will need three routers.

Steve and Leo touched on this in Episode 124 of Security Now about halfway through. Here's the excerpt:
Quote:
LEO: Bob Thibodeau from Coral Springs, Florida is worried because he's got both WEP and WPA at the same time: During Episode 118 you guys discussed using a router that had both WEP and WPA available at the same time so that WEP-enabled devices can attach to the network. You seemed to indicate that this was a safe way to accommodate WEP-only devices. Actually I don't know if that's what we said. I can see that using WPA on my computers and WEP for my ReplayTV will keep my computer traffic from being sniffed. But doesn't the WEP hole in my network allow someone to get on my network and see any shares? And of course they would have access to my Internet connection. If they were able to get into some illicit trafficking, wouldn't I be liable? So I think you said that. I think that exactly was your point.

STEVE: Yes. As we've discussed, due to the problem with ARP poisoning that we discussed some time ago, which allows somebody bad who had accessed your network to insert themselves, essentially create a man-in-the-middle and be able to filter any traffic coming and going from your Internet gateway, which is absolutely possible. That means that any access to your packet traffic is a problem. The only safe way that I can see to solve the problem is to have three routers. You would have your main router, which is your Internet connection. Then you would have a router running WEP and a router running WPA, both connected to that first router. So you essentially have a Y, and two routers running different WiFi. The reason this works is that you still have the potential for an ARP poisoning problem except that ARP will not cross a router. ARP is only used within a local Ethernet. So you end up with essentially three Ethernets. You've got an Ethernet on the inside of your WPA router, an Ethernet on the inside of your WEP router, and then you've got a little tiny Ethernet that's linking those three routers.

Well, that ends up being sacred, that little three-router Ethernet, because there's no way for anybody even who breaks your WEP security to mess around with the little network that links the routers. So essentially the routers provide isolation. But if you allowed WEP access to, for example, your main core router, the router on the outside, then it would be able, if that were hacked, to gain access to all your network traffic. So there's no way to do it that I've been able to think of with two routers. You would need three. But if you had three routers you would be able to use WEP services on one, WPA services on the other, and there's no way that even somebody with access to the WEP router would be able to gain access to any of your WPA traffic.

LEO: Okay. So it's somewhat more secure. At least they can't sniff you.

STEVE: Yeah. Well, they can't sniff you. Now, on the other hand, you also have complete isolation between those two networks. There would also be - there would be no way for filesharing to work across them. So they would be completely isolated segments.
And again in Episode 128 of Security Now a follow-up on the topic from another listener.
Quote:
LEO: [edited to the beginning of the question] Don Sherman in Clawson, Michigan is looking for a shorter route: Steve, he says, I'm a graduate student in engineering and a huge fan of the show. I just finished listening to the most recent Listener Feedback episode. It occurred to me that on several occasions I've heard you say you need three routers to safely employ WEP and WPA without allowing - both WEP and WPA without allowing any nefarious activity on the WEP side to compromise the WPA side of things. Is there any reason why you need to use a router and not a switch to split the two networks? If so, please let me know, as this is how I have my network set up. I cannot use WPA with my TiVo boxes.

STEVE: Okay. Let's review briefly this idea of chaining routers. The idea was that you could have your outside Internet connection go to Router #1, and that would be a wireless router running WPA or WEP. And then you would chain it to a second router which was also wireless, running WPA or WEP. Now, the problem is, if the inside router is the insecure one, then it is potentially able, that is, somebody who cracks WEP, and we know how easy that is now, remember it's less than a minute to do that now. If someone cracks that, then due to the fact that it's possible to make upstream connections through a router, which of course is how the Internet works, we're all downstream of our routers, and we're able to make upstream connections through the router. That allows somebody on the inside, that is, on the inner router, to connect to devices on that outer level router because upstream connections are permitted. So that's why it's not safe to have an insecure network chained off of your secure network.

Now let's swap the routers around so that now the outer router, that is, the one connected to the Internet, let's make that one the WEP, the insecure WiFi router, and our WPA router where we have all of our crown jewels and our high-security WiFi due to using WPA. That's the inner one. Now the problem is that all of the precious, super secure network traffic goes out through the inner router to the outer router, which is the insecure one. The problem is, as we've discussed before, in the face of ARP spoofing, which is well mature now and developed for Ethernet networks and for Ethernet WiFi, it is possible for - it would be possible for a wireless attacker to convince the inner router, the secure router, that its IP is the gateway, so that all of the precious Internet traffic on the inside would route through an attacker's machine on its way out to the Internet. So there is a, if you assume that ARP spoofing could be present, then it is not secure to have the insecure router upstream of the secure one because ARP spoofing absolutely allows essentially man-in-the-middle traffic rerouting.

So it is not safe to chain an insecure and a secure router together in either order. The only thing you can do that is safe is to have two routers that are joined by a third router.

LEO: So you need the NAT. You can't just use a switch.

STEVE: Well, no, actually. So what the outward-most router in a three-router configuration would be doing really is just giving each of the interior routers an IP. So to answer Don's question, if his ISP has given him two IP addresses, then you absolutely could use a switch.

LEO: I see. You have to have two segments, basically.

STEVE: Well, actually you have to have three segments. You've got your insecure LAN, your secure LAN, and then a third little mini LAN that only has three devices on it. It's got the switch, and then it's got the two routers. And the reason you're safe from WEP there is that, I mean, the only real attack that's possible would be an ARP attack. And you say, well, wait a minute, why can't I still spoof ARP in order to fool the outside interface of the super secure router? The reason is ARP never crosses a router. ARP is specifically used for local area networks. No router will allow ARP to cross across from its LAN side to its WAN side. So the only secure solution would be either to use three routers, or as Don has asked, if his ISP is giving him two IPs, then he could use a switch to connect those two routers.

LEO: Got it.

STEVE: And be completely secure.
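Gibson's argument above turns on ARP never crossing a router, so a poisoned gateway binding can only come from a station on the same Ethernet segment, and that segment is where you watch for it. The following is an added example, not code from the thread, from Security Now or from any existing tool: it builds ARP replies the way they appear on the wire, parses them back, and alerts when a protected address (the gateway, or the other router's WAN port) starts answering from a second MAC. The gateway 192.168.0.1, the MAC addresses and the four-frame capture are constructed, and the watcher is trust-on-first-sight unless you seed `known` from a static table.

```python
"""ARP watcher for the segment shared by two routers.

Added example, not from the thread or Security Now. Frames are constructed;
192.168.0.1 as the gateway and all MAC addresses are assumptions.
"""
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = b"\x08\x06"
# htype, ptype, hlen, plen, oper, sender MAC, sender IP, target MAC, target IP
ARP_FORMAT = "!HHBBH6s4s6s4s"


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet + ARP reply, as a host (or a spoofer) puts it on the wire."""
    eth = _mac_bytes(target_mac) + _mac_bytes(sender_mac) + ETHERTYPE_ARP
    arp = struct.pack(ARP_FORMAT, 1, 0x0800, 6, 4, 2,
                      _mac_bytes(sender_mac), IPv4Address(sender_ip).packed,
                      _mac_bytes(target_mac), IPv4Address(target_ip).packed)
    return eth + arp


def parse_arp(frame):
    """ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FORMAT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": {1: "request", 2: "reply"}.get(oper, "other"),
        "sender_mac": _mac_str(sha), "sender_ip": str(IPv4Address(spa)),
        "target_mac": _mac_str(tha), "target_ip": str(IPv4Address(tpa)),
    }


class ArpWatch:
    """Remember which MAC each IP answered from; alert when a protected IP is
    suddenly claimed by a different one."""

    def __init__(self, protected_ips, known=None):
        self.protected = set(protected_ips)
        self.bindings = dict(known or {})   # ip -> mac; seed from a static table if you have one
        self.alerts = []

    def observe(self, frame):
        pkt = parse_arp(frame)
        if pkt is None or pkt["op"] != "reply":
            return None
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        known = self.bindings.setdefault(ip, mac)   # first sighting is trusted
        if known != mac and ip in self.protected:
            alert = f"{ip} answered from {mac}, previously {known}: possible ARP poisoning"
            self.alerts.append(alert)
            return alert
        return None


def run_sample():
    """Replay a constructed capture: normal replies, then a spoofed gateway reply."""
    gateway, gw_mac = "192.168.0.1", "00:11:22:33:44:01"
    client, cl_mac = "192.168.0.20", "00:11:22:33:44:20"
    attacker_mac = "de:ad:be:ef:00:01"
    capture = [
        build_arp_reply(gw_mac, gateway, cl_mac, client),        # gateway answers client
        build_arp_reply(cl_mac, client, gw_mac, gateway),        # client answers gateway
        build_arp_reply(attacker_mac, gateway, cl_mac, client),  # attacker claims the gateway IP
        build_arp_reply(gw_mac, gateway, cl_mac, client),        # real gateway answers again
    ]
    watch = ArpWatch(protected_ips=[gateway])
    for frame in capture:
        watch.observe(frame)
    return watch.alerts


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

`run_sample()` returns one alert, for the frame in which de:ad:be:ef:00:01 claims 192.168.0.1. On Linux the same `observe()` can be fed from a raw `AF_PACKET` socket bound to the shared segment's interface, which is what arpwatch does with persistence and mail on top. Static ARP entries for the gateway on the inner router, or dynamic ARP inspection on a managed switch, prevent this rather than detect it; the watcher is for a segment where neither is available.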
#9  11-03-2009, 02:01 PM  ThePunkerGuy

I will try a different subnet for router 2 and I will try disabling UPnP on router 2 as well. Maybe between those two things it will work properly.

The problem with getting two IPs from the ISP and/or a managed switch with isolation to set up each router on its own VLAN is that I cannot modify the existing router OR modem in any way. Basically my starting point is an ethernet cable coming off of the first router. I know it's not an ideal setup by any stretch, but I am just trying to come up with a solution for the cards I am dealt.

Here is a quick pic that shows my starting point:
#10  11-03-2009, 05:11 PM  ccheath (Chris Heath)

As I understand it, you have to use three routers to totally isolate the networks.

With prices of routers these days under $50, getting another one shouldn't be a big deal.
#11  11-04-2009, 12:23 AM  ThePunkerGuy

Alright guys, well I figured out a little bit tonight.

I hooked it up where I just daisy chained the two routers (plugged an ethernet cable from the main router to the WAN port on my D-Link DIR-615).

Initially, I had thought that this setup wouldn't do what I want because when connected to the second router I could still see items connected to the first router. I mistakenly assumed that since computers on the second router could see the first, the opposite was true and people on the first router could see people on the second router. This isn't the case. I tried every trick I know and while connected to the first router there was no way I could access anything on computers connected to the second router. I guess this is where the NAT comes in and does its job. That is ultimately what I was trying to achieve, so I am probably going to leave it at that for now. Thanks guys!
- Mike
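The one-way result Mike reports in post #11 (and that MrBlack and jdabbs predicted in #2 and #3) is the second router's stateful NAT doing its job; the "complete isolation" asked for in post #1 needs one extra egress rule on top of it. The model below is an added example, not code from the thread or from D-Link. It runs constructed probes through R2 from both sides; the addresses (R1 LAN 192.168.0.0/24, R2's WAN port at 192.168.0.50, R2 LAN 10.0.0.0/24) are assumptions, and the `block_private_upstream` switch stands in for whatever outbound filter the inner router's firmware offers, which the thread does not establish for the DIR-615.

```python
"""Model of the daisy-chained routers in this thread (R1 -> R2).

Added example, not from the thread or D-Link. Assumed addressing: R1 LAN
192.168.0.0/24, R2's WAN port 192.168.0.50 on that LAN, R2 LAN 10.0.0.0/24.
All packets are constructed.
"""
from ipaddress import ip_address, ip_network

# Private ranges the inner router can refuse to route towards, turning NAT's
# default one-way isolation into two-way isolation.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class NatRouter:
    """A SOHO router with UPnP off and no port forwards: NAT outbound flows,
    remember them, drop anything arriving on WAN that is not a reply."""

    def __init__(self, lan, wan_ip, block_private_upstream=False):
        self.lan = ip_network(lan)
        self.wan_ip = ip_address(wan_ip)
        self.block_private_upstream = block_private_upstream
        # (wan_ip, nat_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.conntrack = {}
        self._next_port = 40000

    def send(self, src, sport, dst, dport):
        """Run one packet through the router. Returns (verdict, 4-tuple as it
        leaves the router) or (verdict, None) when dropped."""
        src, dst = ip_address(src), ip_address(dst)
        if src in self.lan:
            if dst in self.lan:
                # LAN-to-LAN traffic is switched; the router never sees it.
                return "LAN-SWITCHED", (src, sport, dst, dport)
            if self.block_private_upstream and any(dst in n for n in RFC1918):
                # Egress rule: inner clients may not reach the outer LAN.
                return "DROP-EGRESS", None
            nat_port, self._next_port = self._next_port, self._next_port + 1
            self.conntrack[(self.wan_ip, nat_port, dst, dport)] = (src, sport)
            return "SNAT", (self.wan_ip, nat_port, dst, dport)
        if dst != self.wan_ip:
            # R1 has no route to the inner LAN and sends such packets to its
            # own default gateway; even with a static route, R2 does not
            # forward WAN-side packets for inner addresses.
            return "DROP-NO-ROUTE", None
        lan_side = self.conntrack.get((self.wan_ip, dport, src, sport))
        if lan_side is None:
            # A port forward or UPnP mapping would be the exception here.
            return "DROP-UNSOLICITED", None
        lan_ip, lan_port = lan_side
        return "DNAT-REPLY", (src, sport, lan_ip, lan_port)


def scenarios(block_upstream=False):
    """Probe the topology from both sides; return the verdict for each probe."""
    r2 = NatRouter("10.0.0.0/24", "192.168.0.50", block_private_upstream=block_upstream)
    out = {}
    # 1. Inner client opens SMB to a file server on R1's LAN.
    verdict, pkt = r2.send("10.0.0.5", 50000, "192.168.0.20", 445)
    out["r2_client_to_r1_lan"] = verdict
    # 2. The server answers; R2 maps the reply back only because flow 1 exists.
    if pkt is None:
        out["r1_server_reply"] = "NO-FLOW"
    else:
        wan_ip, nat_port, remote_ip, remote_port = pkt
        out["r1_server_reply"] = r2.send(str(remote_ip), remote_port, str(wan_ip), nat_port)[0]
    # 3. Outer client probes R2's WAN address (what a scan from R1's LAN sees).
    out["r1_client_to_r2_wan"] = r2.send("192.168.0.20", 40001, "192.168.0.50", 445)[0]
    # 4. Outer client tries an inner address directly.
    out["r1_client_to_r2_lan"] = r2.send("192.168.0.20", 40002, "10.0.0.5", 445)[0]
    # 5. Inner client to the internet (a TEST-NET-3 address) is unaffected.
    out["r2_client_to_internet"] = r2.send("10.0.0.5", 50001, "203.0.113.10", 443)[0]
    return out


if __name__ == "__main__":
    for label, block in (("default NAT (one-way)", False), ("with egress rule (two-way)", True)):
        print(label)
        for probe, verdict in scenarios(block).items():
            print(f"  {probe:24s} {verdict}")
```

Run as a script, the two tables show the difference: with NAT alone an inner client reaches 192.168.0.20 and gets its reply back, while probes from R1's LAN to R2's WAN address or to an inner address are dropped; with the egress rule the inner client's attempt on the outer LAN is dropped as well. A UPnP mapping or a port forward would punch a hole in the inbound drop, which is why post #2 says to turn both off. On a Linux box doing R2's job the egress rule is one FORWARD drop per private range on the LAN-facing interface, excluding the inner LAN itself.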
#12  11-04-2009, 03:12 AM  Bryan (Moderator)

It would've been much easier to ask the ISP for a second ip address and setup the second router through a plain jane switch. ( Don't need a managed one for this setup.)

Gibson's suggestion for a three router setup was overkill and based on a completely different setup.

Basically the setup is referred to as a DMZ where you have two firewalls between the internet, internet facing network and the private network.

The top router naturally handles the internet side of things and the internal router separates the internal network traffic.

Between both of these routers you place your internet facing servers and often place a proxy server in there as well.

Then you restrict all traffic flowing from the internal network through the proxy, and avoid dynamic NAT tables. ( Both routers generally use static routes.)

The wireless notes were for when soho routers didn't support AP isolation, multiple radios and guest zones. ( The dir-655 has all 3 features.)

Here's the other kicker with multiple routers, the WAN interface for the internal traffic now has to accept private subnets which can lead to arp poisoning and can lead to issues with multiple NAT tables.

Getting a second ip address and sticking the modem on a switch eliminates this issue entirely when you place one router for each network on the switch. ( You also have to make no changes to the original router, where potentially you will have to change settings on the original router with the three router setup.)
#13  11-04-2009, 03:29 AM  Pixels303

Interesting. I managed to figure out how to join networks while having separate internet IP addresses, but never how to separate them. Having two IP addresses is a great idea though.

This thread is an interesting read.
#14  11-04-2009, 11:04 AM  ThePunkerGuy

Quote:
Originally Posted by Bryan
[Bryan's post #12 above, quoted in full]
Yeah, I wish multiple IPs was an option, but it isn't. As I've said, my starting point is the end of an ethernet cable coming from the first router and I do not have access to any equipment or setting before the end of that cable. My daisy chained routers seem to work fine now. I know it has double NAT which isn't ideal, but for my purposes it works fine. Thanks guys!
- Mike