 | Member with 54 posts. | | | |
two routers two networks one isp
I got my hands on another Linksys router and want to attempt a dual router setup creating two distinct networks. I want to be able to connect "rogue" or unknown machines to the internet, but keep my primary network isolated and protected.
So I was thinking something like this:
MODEM -- Internet port on ROUTER1 (network 192.168.6.0)
LAN ports 2-4 ----"rogues"
LAN port 1 -- Internet port on ROUTER2 (network 192.168.1.0)
LAN ports 1-4 on ROUTER2 ----- regular network
So anything that is done on the first layer "rogue" network will not affect my main network, right? Is there anything else that needs to be done to prevent traffic (or viruses, etc) from jumping the networks?
I am apprehensive because in my mind, it does not seem like it would be terribly difficult for a piece of malware to quickly ping all networks within the 192.168 range until it is successful and then make note of that address and exploit it.
Is the technology not there? Am I oversimplifying?
I tried this configuration a few minutes ago and I was not able to reach the internet on the second layer. It looks like the second layer router would not get an IP address from the first layer. Or do I need to try to get an IP on the second layer router from the modem?
Any thoughts?
| | Senior Member with 304 posts. | | Join Date: Mar 2009 Location: Manchester, UK Experience: Advanced | |
So you want to make a WAN?
| | Senior Member with 1,302 posts. | | Join Date: Mar 2008 Experience: Clueless | |
Your proposed setup is fine for the majority of probable issues concerning isolating your trusted (protected) network. To get better isolation, you may want to set up a DMZ and then place a router there. Then put your "dirty" clients on that router on the DMZ and use the LAN ports on your ISP attached router for your protected network. The DMZ setup provides an extra degree of isolation between the two networks.
But either way would be fine.
| | Member with 54 posts. | | | |
I don't believe either of my routers (WRT54GL and WRT54G) allow a DMZ to be created on just one port... I think it is all or nothing. So how would I do that with the hardware that I have?
Also, if my proposed idea is fine, then do you have any idea why it is not working for me?
PK
| | Senior Member with 1,302 posts. | | Join Date: Mar 2008 Experience: Clueless | |
I'm certain that you can set up the DMZ on those routers. You may have to direct the DMZ setup to a specific IP on the LAN subnet for the main router.
As far as your current setup, what is the IP address you've assigned to the WAN port of router 2?
| | Member with 54 posts. | | | |
I guess that is the problem. I don't know exactly what settings ROUTER2 should have.
Do I have to change the Mode on ROUTER2 to Router instead of Gateway?
PK
| | Senior Member with 1,302 posts. | | Join Date: Mar 2008 Experience: Clueless | |
I'm not familiar with the settings on that router and what router mode means compared to gateway.
For the WAN port of router 2, I would set the port to a static IP and assign it a low number in the subnet like 192.168.6.2. You don't have to assign the router a host address of .2 but I have a standard I follow which works for me. Low numbers in the octet range I usually reserve for routers and high numbers I set for switches. There are times I set all the network IPs to something low in the range of IPs. I just make sure I have enough addresses reserved/set aside in the block to allow for future growth.
| | Moderator with 96,012 posts. | | Join Date: Oct 2002 Location: South Eastern PA, USA Experience: Advanced age & experience | |
I use the DMZ option for this task, it allows the secondary router to use port forwarding.
| | Member with 54 posts. | | | |
I don't know how to access the WAN port directly.
On the Basic Setup, I can choose the Internet Connection Type (DHCP, Static, etc)
Is this where I make the settings?
The only option for DMZ (on the GL anyway... have not looked on G yet) is to assign a certain host IP address.
Is DMZ on the first router what I really want? I mean, I don't necessarily want it open to the world either.
HELP! How do I get this accomplished?
PK | | Senior Member with 1,302 posts. | | Join Date: Mar 2008 Experience: Clueless |
03-Jul-2009, 05:11 PM
#10 | Yes. Set your internet connection type to static and you should see additional options to manually enter the IP address for the WAN port.
As far as the DMZ option goes, you would enter the IP address of the WAN port of the second router.
| | Junior Member with 24 posts. | | |
03-Jul-2009, 05:42 PM
#11 | 1. Malware can't ping 192.168 addresses... it's an internal, non-routable subnet...
2. The 'DMZ' option on most home routers isn't a true DMZ... it's just somewhere for the router to forward packets when it doesn't know the true destination... (i.e. when you make a request for an internet page, it knows the response is to go back to your pc... if a new request is made from the internet, it doesn't know which pc on the local lan made the request (because no pc did) - therefore it sends it to the 'DMZ')
| | Moderator with 96,012 posts. | | Join Date: Oct 2002 Location: South Eastern PA, USA Experience: Advanced age & experience |
04-Jul-2009, 09:50 AM
#12 | Mordreneth, I have no idea what you're trying to say here, but it's confusing at best.
1. If the malware is on the local network, there's certainly no reason it doesn't have access to all of the local network, so that appears to simply be incorrect.
2. Your description of the DMZ confuses me, what do you think the term means?
__________________ Remember: Data you don't have at least two copies of is data you don't care about. Microsoft MVP - User Desktop Experience
| | Junior Member with 24 posts. | | |
05-Jul-2009, 01:41 AM
#13 | JohnWill:
1. What I meant was, malware can't scan the local private network from the Internet... Yes, of course if it's on the local network already... it has network access. I assumed we were talking about stopping the malware from the internet.
2. DMZ stands for DeMilitarized Zone... is (supposed to be) a secure area of the network with minimal access...
| | Senior Member with 1,302 posts. | | Join Date: Mar 2008 Experience: Clueless |
05-Jul-2009, 11:32 AM
#14 | Quote:
Originally Posted by Mordreneth
JohnWill:
1. What I meant was, malware can't scan the local private network from the Internet... Yes, of course if it's on the local network already... it has network access. I assumed we were talking about stopping the malware from the internet.
2. DMZ stands for DeMilitarized Zone... is (supposed to be) a secure area of the network with minimal access...
|
On point one, you can gain quite a bit of network reconnaissance from doing a port sweep of a firewall. You can craft an IP packet with a TTL to see if a port is open but the firewall is blocking the communication via an ACL. I would say the majority of home firewalls would just have open ports without any ACL restrictions which would then be easily mapped by doing a port sweep of the public IP.
On point two, I understand what you're saying about the DMZ configuration on pretty much all home based routers being IP based. This still doesn't negate the usefulness of putting a router into an IP based DMZ.
| | Moderator with 96,012 posts. | | Join Date: Oct 2002 Location: South Eastern PA, USA Experience: Advanced age & experience |
05-Jul-2009, 01:46 PM
#15 | AAMOF, the very characteristics of the DMZ configuration make it ideal for daisy-chaining routers, since you can put the secondary router's WAN in the DMZ and allow full access through the primary router. Mordreneth, I have no idea what point you were trying to make, but it certainly added nothing to the discussion at hand.
__________________ Remember: Data you don't have at least two copies of is data you don't care about. Microsoft MVP - User Desktop Experience |
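The static-WAN-plus-DMZ arrangement suggested in posts #9 and #10, written down as an address plan and checked for the mistakes that keep the second router offline or point the DMZ at the wrong machine. This is an added example, not part of the thread; the /24 masks, ROUTER1's LAN address 192.168.6.1 and the DHCP pool are assumptions, and only 192.168.6.2 and the two network numbers come from the posts.

```python
import ipaddress

# Constructed plan: networks and 192.168.6.2 are from the thread,
# masks, ROUTER1's LAN IP and the DHCP pool are assumed for illustration.
THREAD_PLAN = {
    "router1_lan": "192.168.6.0/24",      # "rogue" network
    "router1_lan_ip": "192.168.6.1",      # assumed
    "router1_dhcp_pool": ("192.168.6.100", "192.168.6.149"),  # assumed
    "router1_dmz_host": "192.168.6.2",    # DMZ points at ROUTER2's WAN port
    "router2_wan_ip": "192.168.6.2",      # static, as suggested in the thread
    "router2_wan_gateway": "192.168.6.1",
    "router2_lan": "192.168.1.0/24",      # protected network
}

def check_cascade_plan(plan):
    """Return a list of problems found in a two-router cascade address plan."""
    problems = []
    outer = ipaddress.ip_network(plan["router1_lan"])
    inner = ipaddress.ip_network(plan["router2_lan"])
    r1_ip = ipaddress.ip_address(plan["router1_lan_ip"])
    wan = ipaddress.ip_address(plan["router2_wan_ip"])
    gw = ipaddress.ip_address(plan["router2_wan_gateway"])
    pool_lo, pool_hi = (ipaddress.ip_address(a) for a in plan["router1_dhcp_pool"])

    if outer.overlaps(inner):
        problems.append("ROUTER2's WAN and LAN sides are on overlapping subnets")
    if wan not in outer or wan in (outer.network_address, outer.broadcast_address):
        problems.append("ROUTER2 WAN IP is not a usable host address on ROUTER1's LAN")
    if wan == r1_ip:
        problems.append("ROUTER2 WAN IP collides with ROUTER1's LAN IP")
    if pool_lo <= wan <= pool_hi:
        problems.append("ROUTER2 WAN IP sits inside ROUTER1's DHCP pool")
    if gw != r1_ip:
        problems.append("ROUTER2 WAN gateway is not ROUTER1's LAN IP")
    dmz = plan.get("router1_dmz_host")
    if dmz is not None and ipaddress.ip_address(dmz) != wan:
        # Unsolicited inbound traffic would land on some other rogue-side host.
        problems.append("ROUTER1 DMZ host is not ROUTER2's WAN IP")
    return problems

if __name__ == "__main__":
    for issue in check_cascade_plan(THREAD_PLAN) or ["plan is consistent"]:
        print(issue)
```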