kba4

join:2001-10-23
Canton, OH

multiple subnets

I have a wi-fi router used for guest Internet access, it has a DHCP assigned 192.168.1.0/24. I also have a small LAN consisting of workstations and NAS, it has a DHCP assigned 192.168.0.0/24. The DHCP is running on a 2k3 server (two scopes defined). There is one Internet connection on this server using a single public IP. I want to be sure that clients on the wi-fi router cannot see clients on the LAN. Being separated by different subnets should make this so, right? Thing is, I downloaded an app called Fing to my android phone and it sees my LAN from behind the wi-fi router. How can I better secure this network?

edit: app name changed from Fring to Fing



tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1

said by kba4:

How can I better secure this network?

some routers/firmwares have support for a "guest" ssid -- or user isolation, etc. this, in effect, filters traffic between the "trusted" and "untrusted" subnets to prevent access to any resources.

this is possible if your router supports granular firewalls or such.

another alternative is to "tier" your routers -- with guest being closest to the internet, with your "local" lan attaching to your "guest" network -- but you'd be doing double nat to your lan.

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."


clarknova

join:2010-02-23
Fairview, AB
kudos:6
reply to kba4

Placing two hosts on separate subnets will prevent them from seeing each other by broadcast, but it does not prevent them from seeing each other through unicast or other routable protocols.

To achieve your goal you need a firewall between your two subnets. I don't know if this is possible with Windows, but I don't recommend it. My recommendation would be to use something with an established reputation as a firewall. As tubbynet mentioned, your router may be qualified to fill this role. Otherwise, purchasing an inexpensive router to run Tomato, or installing a firewall distro such as m0n0wall on your server are other options.
--
db


HELLFIRE
Premium
join:2009-11-25
kudos:8
reply to kba4

said by kba4:

I want to be sure that clients on the wi-fi router cannot see clients on the LAN.

2nd what clarknova said about what putting two different hosts on two different subnets does.
You're basically looking at redesigning the network... or getting equipment that will do what you want it to do.

Regards


kba4

join:2001-10-23
Canton, OH

so my current setup consisting of one WAN and two LAN NICs should be set up as two WAN to LAN RRAS connections instead? I'll be building a new server sometime in the future, so a total of 4 network interfaces will be necessary for this. I should mention also that I have access to up to 3 public IPs from my modem, so this would work if it is indeed what I need to do to achieve my goal.



tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1

said by kba4:

so my current setup consisting of one WAN and two LAN NICs should be set up as two WAN to LAN RRAS connections instead?

a more appropriate question is 'what are you using for a router'? if you have something like m0n0wall or pfsense -- what you're talking about doing should be easily accomplishable with two lan nics (in unique subnets and firewalled accordingly) and a single wan.

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."


mackey

join:2007-08-20
kudos:4
reply to kba4

No, you only need 3 network interfaces (1 WAN, 2 LAN), but this computer must be able to firewall the 2 LAN connections off from each other. m0n0wall or pfsense or any Linux box will do this easily.

/M
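The 3-NIC Linux box mackey describes, as an added example that is not from any poster in this thread: one WAN and two LAN interfaces, with the FORWARD chain doing the isolation that separate subnets alone do not. Interface names eth0/eth1/eth2 and the two /24s are assumptions taken from kba4's description; the script prints the policy by default and only installs it with `--apply` as root.

```shell
#!/bin/sh
# Three-NIC Linux router: one WAN, two LAN segments that must not reach each other.
# Interface names and subnets are assumptions for this example; adjust to your box.
WAN=eth0                 # public side, single IP from the modem
LAN=eth1                 # trusted wired LAN and NAS, 192.168.0.0/24
GUEST=eth2               # guest wi-fi router plugs in here, 192.168.1.0/24

# Emit the iptables commands instead of running them, so the policy can be
# reviewed (or diffed against the live ruleset) before it is applied.
generate_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# Flush first so re-running this script does not append duplicate rules.
iptables -F FORWARD
iptables -F INPUT
iptables -P FORWARD DROP
# Return traffic for connections that were allowed below.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Both segments may reach the Internet.
iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
iptables -A FORWARD -i $GUEST -o $WAN -j ACCEPT
# Trusted LAN may open connections toward the guest side (e.g. to manage the wi-fi router).
iptables -A FORWARD -i $LAN -o $GUEST -j ACCEPT
# Guest -> LAN is exactly what routing between subnets would otherwise allow: log it, then drop it.
iptables -A FORWARD -i $GUEST -o $LAN -m limit --limit 5/min -j LOG --log-prefix "GUEST2LAN "
iptables -A FORWARD -i $GUEST -o $LAN -j DROP
# Guests may talk to the router itself only for DHCP and DNS.
iptables -A INPUT -i $GUEST -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $GUEST -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $GUEST -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i $GUEST -j DROP
# Hide both subnets behind the single public address.
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
EOF
}

# Sanity check: does the generated policy contain the guest->LAN drop? Returns 0 if so.
guest_isolated() {
    generate_rules | grep -q -- "-i $GUEST -o $LAN -j DROP"
}

case "${1:-}" in
    --apply) generate_rules | sh -e ;;   # run as root to install the policy
    *)       generate_rules ;;           # default: just print it for review
esac
```

Once applied, a scan from the guest side (like the Fing result in the first post) gets no answers from 192.168.0.0/24, and each blocked attempt shows up in the kernel log with the GUEST2LAN prefix.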



clarknova

join:2010-02-23
Fairview, AB
kudos:6
reply to kba4

said by tubbynet:

what you're talking about doing should be easily accomplishable with two lan nics (in unique subnets and firewalled accordingly) and a single wan.

m0n0wall and pfsense are great options (I use them both), but you don't even have to go as far as that. Any router running a modern flavour of Tomato with vlan support (Shibby, RAF, etc) can do this as well. And since Tomato can tag and untag the router's inbuilt ports, you don't even need a separate vlan switch to make this work.
--
db


tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1

said by clarknova:

m0n0wall and pfsense are great options (I use them both), but you don't even have to go as far as that.

understood. i remember working with earlier versions of ddwrt that had tagging available as well.
i've not kept up with a lot of the 3rd party options for firmware -- as i've been running cisco kit in my network for quite some time, but i figured this would be available.

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."


clarknova

join:2010-02-23
Fairview, AB
kudos:6

One of the downsides to Tomato is that the outgoing (from local) firewall is pretty limited. You can block traffic to and from a specific host or network, but not individual ports or protocols.
--
db



kba4

join:2001-10-23
Canton, OH
reply to tubbynet

I have a Buffalo whr-hp-g54 g router. I know it's old but all it's used for right now is my android phone and guest access. I have server 2003 running RRAS with two DHCP scopes: one goes to this router, the other to my wired LAN.
--
I see what you're saying, even though I'm really just listening...


HELLFIRE
Premium
join:2009-11-25
kudos:8
reply to kba4

So are you going to keep the Buffalo, or are you looking for new gear?

Corollary of this is whether the Buffalo can be loaded with alt firmware or not.

If new gear, what's your price range?

Are you comfortable with DIY, like the options mentioned -- pfsense, m0n0wall -- or the flashing of gear to alt firmwares?

Regards