San Francisco, CA
Question on Public Routed or Proxied Subnets
The 2wire modems have a section in the advanced home network settings for setting up direct internet access to a small range of public IP addresses. I saw the document that describes how to set that up and understand it, but the document does not describe the network topology used by these features and the help for them is somewhat ambiguous. These features, I believe, used to be called "Public Network" and "Bridged Network".
My basic question is whether other internal IP addresses are visible to the machines in these public networks (whether routed or proxied)?
Both features are documented to not require NAT and both include an "Auto Firewall Open" checkbox which further implies that these virtual subnets can be placed outside the firewall - or do they?
My end goal is to take a small business network in which every internal computer has been assigned a private IP address and connects through the 2wire firewall using NAT and to be able to open up the wireless access to customers in such a way that they can access the internet, but not the internal machines. Can these features be used to implement that kind of routing/topology?
Basically it sounds like you want to run 2 separate networks on the same DSL connection. If you are paying for a block of static IPs there is something you can try, but support from your ISP if it doesn't work will be limited. What I would suggest is getting a second router and connecting it to the 2Wire, then assign it one of the public IP addresses (through the Public Proxied Subnet section) and put it in DMZ mode. This should allow your customers to connect while your computers connect directly to the 2Wire and are on a separate network from your customers. This should stop them from accessing your network. I would also suggest changing the 2Wire to a 10.x.x.x IP scheme since the second router will probably be using a 192 address. If I misinterpreted your request let me know and I'll see if I can suggest an alternative solution.
San Francisco, CA
Here is my crude ascii picture of your suggestion to make sure we are on the same page:
   |        |        |        |
office1  office2  office3    WAP
That's an interesting suggestion - I hadn't thought of DMZ mode. My impression has been that DMZ mode directs all incoming traffic that doesn't have a predetermined destination from the NAT operations to the DMZ host - which would be important for making sure the NAT on the WAP router works, but it does not block access between the DMZ host and the other local computers. In other words, it is just a "default host for incoming connections" setting. Am I misinterpreting something, or is this impression not valid if I am also using the Public Proxied Subnet option as you describe?
Another complication is the fact that the 2wire modems implement "DMZplus" which appears to keep the DMZ host firewalled - furthering my impression that there will still be residual visibility between the two subnets. And if I keep the firewall active on the WAP router that will be providing the public access then I would think that the office machines hooked to the 2wire would be blocked from accessing the public machines on the wireless network, but not (the all important) vice versa - no?
I can try this tomorrow or Sunday, but I will probably only have one shot to get it right before I have to wait for my next trip.
Also, you recommend switching to a 10.x scheme for the local computers, but since they are all manually assigned to 192.168.1 addresses I'd like to avoid disrupting that and have the new router on a different subnet (probably just using a 192.168.N variant - I'm guessing that won't be a problem, but I'm not familiar with the purpose of the 10.x space...)
reply to flar
Sodagreen's interpretation/suggestion of two separate networks is probably the best solution. Depending on what exactly you want to accomplish your ASCII diagram may work just fine. I have modified it for clarification and to point out a couple of other possibilities:
                      *------- your public, broadband ip
             +-----------------+
             | 2wire router    |
 allocated   | network from    |
 addy via    | yours           |
             +-----------------+
               |  |  |  *------- 192.168.2.x or 10.10.x.x
               |  |  |  |  |  |
        +----* |  |  |  |  wireless
  +---------+  P  P  P  clients
  |Router to|  O  O  O
  |separate |  R  R  R
  |networks |  T  T  T
  +---------+  2  3  4
   |   |   |   |   office wireless
office1 | office3 |
You indicate that your office machines have IP addresses such as 192.168.1.x. Since this is the case, you will need to modify the network settings in the 2wire to utilize a different network such as 192.168.2.x or the suggested 10.10.x.x. This gives you two separate networks.
By segregating the networks in this manner you basically have your office network behind your untrusted client network. The 2nd router acts as a firewall between your office network and the untrusted client network. You can add a static route on the 2nd router that will allow your office network to initiate communication with the computers on the untrusted client network, but without adding a static route to the 2wire the untrusted clients will not be able to initiate communication with your office computers. BTW, the 2nd router need not be a WAP if there is no need to connect any office computers wirelessly. In fact, if you use a device here that can run OpenVPN or another VPN package then you would be able to establish a tunnel from either the internet or the untrusted wireless network that would allow you to connect computers securely to the office network from those remote locations as well.
I have seen this very implementation used successfully by several businesses that offer wireless access to their walk-in customers while maintaining a protected business network.
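The "2nd router as a firewall" role from the post above, written out as an nftables ruleset for a Linux box sitting in that position (an added example, not something posted in this thread; the interface names eth0/eth1 and the exact address ranges are assumptions taken from the diagram): the office side may open connections toward the guest segment and the internet, replies flow back, and nothing new from the untrusted side reaches the office.

```nft
#!/usr/sbin/nft -f
# Assumed layout (matches the diagram above):
#   eth0 = "WAN" side, plugged into the 2wire's untrusted LAN (192.168.2.0/24)
#   eth1 = office LAN (192.168.1.0/24), the network we are protecting
flush ruleset

define wan = "eth0"
define lan = "eth1"
define office_net = 192.168.1.0/24

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        # manage the router only from the office side (ssh / https)
        iifname $lan tcp dport { 22, 443 } accept
        icmp type echo-request accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # return traffic for connections the office opened
        ct state established,related accept
        # office may initiate toward guest clients and the internet
        iifname $lan oifname $wan accept
        # untrusted side may never open a connection into the office
        # (already covered by the drop policy, kept explicit for audit)
        iifname $wan oifname $lan ct state new drop
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # hide 192.168.1.x behind this router's 192.168.2.x address,
        # so the 2wire and guest clients only ever see one host
        oifname $wan ip saddr $office_net masquerade
    }
}
```

Load it with `nft -f` and confirm from a guest client that a new connection to a 192.168.1.x host times out while an office host can still reach the guest segment.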
muiredised
ESSE QUAM VIDERI
reply to flar
I believe the "public proxied subnet nat routed" and "public network??" features are used only when you are leasing a block of fixed IP addresses from your ISP.
If the ISP has these ip addresses configured to be "sticky" to you, you would use the "public proxied subnet/nat routed" or "bridge network" feature which would enable you to allocate those public ip addresses to machines on your private network.
If your ISP has you configured as a "true static" account then you would utilize the other feature, cannot recall at the moment what they are calling it these days but it used to be called "public network". Both features seem to accomplish the same thing, allowing use of public/internet routable IP addresses on your LAN. I believe that the differences between the two accommodate differences in the way your ISP has your connection configured upstream.
I don't believe either feature can be used to segregate your wireless clients from wired clients, but the above suggestions about a second router and 2 separate networks sound like the way to go.
San Francisco, CA
reply to ERR_ID10T
Thanks for the suggestion err - that was what I originally thought that I might have to do, but I am not familiar enough with the impact of double-NAT on a network to make sure I get it right before I leave.
I'm pretty sure I could set it up so that their browsers and email worked fine, but they have custom network applications that need to connect to trade network services through private protocols. If I was going to be around another week to address any problems that might come up then I would be happier doing it that way. But I've never used a 2wire router before and I didn't design their current network or applications suite, so I don't know what its connection requirements might be or how to make sure they can still connect after I put them behind a second firewall other than to let them return to operations for a few days and see. (And the people running the business are not savvy enough to be able to fix the problem on the phone with me, and AT&T would not troubleshoot such a setup for them either.)
At the time I thought of that (when I spotted a wired VPN firewall in an office supply store) I hadn't thought of using the DMZ feature to make the internal firewall relatively transparent through the 2wire so combining the 2 suggestions makes me a little more secure with doing it that way, but I'd still rather do something like that when I'm around to troubleshoot... :-(
There was a good price on the VPN firewall so I'm tempted to go that route even though they don't (currently) need VPN.
San Francisco, CA
reply to muiredised
Thanks muiredised - that echoes/confirms my suspicions. If only I had the time to properly vet such a setup... :-(