Using two routers for security without double NAT

janderso1 (Jim; Premium, MVM; join: 2000-04-15; Saint Petersburg, FL):
Using two routers to secure a subnet without double NAT
Doing NAT in two routers is undesirable because it tends to break some software such as VPN and online games. By purchasing the correct equipment you can eliminate double NAT.
Router one must support NAT for IP addresses that are not on the same subnet as the router and support static routes. If router one is providing wireless access, it needs to support WPA to be secure. Router one should also have SPI firewall for security. You could also use a wired router and a separate wireless access point. For testing this I used a Netgear WGR614 version 5 wireless router ($20 after rebate). As far as I know, all the Zyxel routers, firewalls, and DSL modem/routers support all of these requirements except wireless/WPA and some of them support WPA. Router one will support the DMZ/wireless subnet.
The second router must support a SPI firewall with NAT disabled to secure the protected LAN. To use DHCP on the protected LAN, the second router must support manually assigning DNS servers (which will be given to the DHCP clients). I used a Zyxel P334WT for the second router (less than $62 shipped). As far as I know, all the Zyxel routers and firewalls currently in production support these requirements. Router two will provide Internet access to the secure LAN through router one.
You must use two subnets. For this example I use 172.30.100.0 for the DMZ and 192.168.8.0 for the LAN both with masks of 255.255.255.0 (172.30 is a class B block under the now obsolete IP class rules and the normal mask for a class B is 255.255.0.0 but you could always subnet a class B). You can use your existing subnet for the LAN as long as you use a different subnet for the DMZ.
Router one:
Assign router one a LAN IP address of 172.30.100.1, mask 255.255.255.0.
Create a static route with a destination of 192.168.8.0, mask 255.255.255.0, gateway 172.30.100.2.
Set the DHCP server start address to 172.30.100.100 and end address to 172.30.100.149 (or any range you want as long as it doesn't include .1 and .2 and is part of the same subnet).
Optionally, set the default DMZ server to 172.30.100.2 if you want to see port probes in the P334WT's logs.
If you are going to be using wireless, set up and enable router one's wireless LAN.
Connect the WAN port of router one to your DSL or cable modem.

Router two:
Disable router two's wireless LAN if it has one.
Assign router two a LAN IP address of 192.168.8.1, mask 255.255.255.0.
Set the DHCP start address to 192.168.8.100 and end address to 192.168.8.149 (or any range you want as long as it doesn't include .1 and is part of the same subnet).
Set the first DNS server to the IP address assigned by your ISP as first choice (you can get these from router one's status page).
Set the second DNS server to the IP address assigned by your ISP as second choice (you can get these from router one's status page).
Set the third DNS server to 172.30.100.1 (LAN IP of router one).
Set Windows networking (NetBIOS over TCP/IP) to allow between LAN and WAN (on the LAN setup page).
Assign router two a WAN IP address of 172.30.100.2, mask 255.255.255.0, gateway 172.30.100.1.
Set address translation to NONE on a Zyxel P334WT (uncheck Enable NAT on a ZyWALL 5).
Set Windows networking (NetBIOS over TCP/IP) to allow between LAN and WAN (on the WAN setup page).

Connect the WAN port of router two to a LAN port of router one.
You should install a software firewall on all the wireless and DMZ PCs. I use the free version of Zone Alarm and set it to trust the LAN subnet.
Connect any wired DMZ PCs to LAN ports on router one (use a switch if you need more ports).
Connect your secure LAN PCs to LAN ports on router two (use a switch if you need more ports).
If you need to access shares on a PC that connects to the DMZ subnet (wired or wireless), go to the PC and at a cmd prompt enter
route add 192.168.8.0 mask 255.255.255.0 172.30.100.2
or
route -p add 192.168.8.0 mask 255.255.255.0 172.30.100.2
if you want the route to be semi-permanent (you can delete it). Then use Find Computer to find the DMZ PC. If you share a folder read/write on the PC, you can transfer files in both directions.
If you need to access a share on the LAN from a DMZ PC, the cheap way is to temporarily disconnect the PC from the DMZ and connect it to the LAN.
Since the P334WT has a limited VPN server the other option to access the LAN from the DMZ is to setup a VPN rule on the P334WT and install VPN client software on the DMZ PC(s). I use this method to access a shared printer from my wireless notebook PC. You can download a free (but old) VPN client here.
»ftp.up.ac.za/pub/linux/ssh/pub/sentinel/
This link is from the top of the VPN forum here.
If you are using P2P software, you may want to consider a router more robust than the Netgear WGR614, such as a second P334WT, for router one. I did a second successful test using my P334T as router one and my ZyWALL 5 as router two.
I think this should go in an FAQ, but I am not sure which one because it applies to both wired and wireless network security.
-- Jim Anderson
Anav (Sarcastic Llama? Naw, Just Acerbic; Premium; join: 2001-07-16; Dartmouth, NS):
Why not just get the ZyWALL 5, which has a DMZ interface with which to have a private LAN and a public LAN?
janderso1 (Jim; Premium, MVM; join: 2000-04-15; Saint Petersburg, FL):
I agree that a ZyWALL 5 is a better solution if you need most of its features. However, a Z5 costs almost $400 and is overkill if all you want to do is protect a wired home network from wireless intruders. Also, the Z5 doesn't have a DHCP server for the DMZ, and wireless costs extra. The purpose of my post is to explain how to set up a DMZ using relatively inexpensive equipment (less than $125 if you use two P334WTs). -- Jim Anderson
TheGiant (Next Year Is Here; join: 2001-03-28; Augusta, GA), reply to Anav:
Re: Using two routers for security without double NAT
I would hate to put the wireless client in a DMZ without even simple NAT protection from the Internet. I think the idea of separate IP addresses and the XP firewall with blocked IPs to the local LAN is the simplest solution.
Shootist (Premium; join: 2003-02-10; Decatur, GA):
DMZ on a ZyWALL 5 is/can be totally different than any home router's DMZ. You can set firewall rules to allow or not allow all kinds of stuff. DMZ on most if not all home routers is like placing the PC(s) connected to it on the Net. Not so with the Z5, or it can be. It's all how you set it up. -- Shooter Ready--Stand By BEEP ********
apara0 (join: 2005-07-03; La Crescenta, CA), reply to janderso1:
Re: Using two routers for security without double NAT
Will this setup prevent wireless users from seeing the wired LAN, thereby creating a firewall between those users accessing the wireless LAN and those connected with a wire? I also would like to be able to see the wireless users without them seeing me. Will this work in this fashion?
Thanks. -AP_
janderso1 (Jim; Premium, MVM; join: 2000-04-15; Saint Petersburg, FL):
With this setup the wireless users can't see anything on the wired LAN. The wireless users will only be accessible if the route add is done on the wireless PC. -- Jim Anderson
apara0 (join: 2005-07-03; La Crescenta, CA):
Jim,
So if on the wireless PC a route add is done, will wired users be able to see the wireless users and vice versa?
Is there a way to make it so that wired users always see wireless users but wireless users cannot see wired users?
I really want to isolate my wireless users from my wired LAN. In case there is a break into the wireless network, I don't want them to be able to break into my wired LAN.
Thanks. -AP_
janderso1 (Jim; Premium, MVM; join: 2000-04-15; Saint Petersburg, FL):
The route add tells the wireless PC to use the alternate gateway to reply to a request from the wired PC. The wireless PCs are still blocked from initiating a request to the wired segment by the firewall in R2. In my case I forwarded port 515 to the IP address of my print server on the wired segment to allow wireless PCs to print to it. -- Jim Anderson
apara0 (join: 2005-07-03; La Crescenta, CA):
With the NAT disabled in R2, 192.168.8.0 addresses reach R1 and then use R1's NAT to go out to the Internet?
So there is still a firewall even with NAT disabled? I always thought that NAT was the firewall in most routers. I guess the SPI firewall is separate from NAT and still does not allow arbitrary traffic INTO the router?
Thanks. -AP_
janderso1 (Jim; Premium, MVM; join: 2000-04-15; Saint Petersburg, FL):
Yes, R1 must do NAT for both subnets (not all routers will do this; the ones I mentioned will). On the Zyxel routers you can enable/disable NAT and the SPI firewall separately. You may be able to do this with some of the Linksys routers. -- Jim Anderson
seezar (Premium; join: 2001-07-01; Rochester, NY):
You could always get a Soekris box (net4801) for about $275, »www.soekris.com/, which has a WAN port and 2 LAN ports, and then run m0n0wall on it, »m0n0.ch/wall/. I have my wired LAN on one LAN interface and my wireless on the other. Then configure each interface for 2 different subnets and a firewall rule on the wired LAN to block all traffic from the wireless LAN. That way the wireless network is behind NAT but can't get to my wired LAN, but I can access the wireless network via the wired.
dnoyeB (Ferrous Phallus; join: 2000-10-09; Southfield, MI):
It's not clear to me how this avoids double NAT. It seems like both routers are on separate subnets!?
janderso1 (Jim; Premium, MVM; join: 2000-04-15; Saint Petersburg, FL):
When you disable NAT on R2 (the Zyxel) it acts as a pure router. When a PC on the R2 LAN accesses the Internet, its real 192.168.8.x address is passed to R1 by R2. R1 then replaces the 192.168.8.x with its WAN IP address (which is why R1 must be able to do NAT for more than one subnet). -- Jim Anderson
dnoyeB (Ferrous Phallus; join: 2000-10-09; Southfield, MI), reply to janderso1:
If I map R2's MAC address to 172.x.x.2 in R1, then in R2 enable DHCP for the WAN port, R2 should get the proper IP address from R1 based on MAC, and possibly it will get the DNS servers as well?
Just trying to get automatic DNS address updating as my ISP likes to tinker. -- dnoyeB "Then said I, Wisdom [is] better than strength: nevertheless the poor man's wisdom [is] despised, and his words are not heard." Ecclesiastes 9:16
janderso1 (Jim; Premium, MVM; join: 2000-04-15; Saint Petersburg, FL):
That should work, but I haven't tried it. 172.16 through 172.31 are valid private IPs. -- Jim Anderson
dnoyeB (Ferrous Phallus; join: 2000-10-09; Southfield, MI), reply to janderso1:
Well, it was all good until I tried to ssh into my Linux box. Having issues.
When you don't NAT you can't ssh to the WAN IP of the Zyxel; you must use the actual LAN address of the computer you want.
So the first router does NAT and the 2nd router doesn't. But this raises the question of what kind of protection is being provided by the 2nd router? Port forwarding doesn't make sense on the 2nd router since it's not doing NAT. Ports only get forwarded when they are targeted towards the router's WAN address, but this doesn't work with NAT off if I am comprehending correctly.
On this same notion it does not make sense to have the first router target the 2nd router as its DMZ, since stuff targeted toward the router with NAT off just gets blocked.
The scheme just does not work. With NAT off it basically walls off the whole thing. You can initiate connections from within the router, but nothing can be initiated from without. You can't tell the router what to do with an incoming port without NAT...
Anav (Sarcastic Llama? Naw, Just Acerbic; Premium; join: 2001-07-16; Dartmouth, NS):
If you want fidelity and flexibility, stop trying to put a round peg into a square hole. There is nothing wrong with Janders' methods, but there are limitations, as one should expect with a process which is a workaround from the get-go. -- Ain't nuthin but the blues! "Albert Collins". Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner" LlamaWorks Equipment
janderso1 (Jim; Premium, MVM; join: 2000-04-15; Saint Petersburg, FL), reply to dnoyeB:
It is true that with NAT off you must use the LAN IP address of the computer you want to access, not the WAN IP of the Zyxel. You have two subnets with R2 routing between them.
The firewall in the second router protects its LAN segment. Try to telnet to a PC on R2's LAN and you will see in the log that the firewall blocked it.
Port forwarding also creates a firewall rule in these low-end Zyxels to allow the incoming traffic, so if you forward the SSH port to your SSH server's LAN IP you should be able to connect. I forwarded port 515 to my print server and port 53 to my DNS server and they work. In other words, port forwarding does what you want with NAT off or on.
Setting R2 as the DMZ/default server of R1 allows R2 to log incoming port probes (and I indicated that it was optional). If you are using the Netgear WGR614 as R1, it doesn't log incoming port probes. Another benefit of setting R2 as the DMZ target is you don't need to set up any port forwarding on R1 unless you have a server on its LAN segment that needs to be accessed from the Internet. -- Jim Anderson
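The setup in the first post and the firewall behaviour Jim describes just above (R2 forwarding 192.168.8.x unchanged, R1 translating it, R2's SPI firewall blocking DMZ-initiated connections unless a forwarding rule allows them, and the DMZ PC needing the `route add` to get replies back) can be traced step by step with a small model. This is an added example written for this page, not code from any poster, Zyxel or Netgear. It uses the thread's addresses; 203.0.113.10 stands in for R1's ISP-assigned WAN address, 198.51.100.7 for a web server, 192.168.8.20 and 172.30.100.105 are constructed hosts, and R1 is modelled as not forwarding a packet back out the LAN interface it arrived on, which is the assumption that reproduces the post's need for `route add` on the DMZ PC.

```python
# Added example, not from the thread or from Zyxel/Netgear firmware: a model of
# the two-router, single-NAT layout from the first post, using its addresses.
# R1 NATs for both subnets and holds the static route 192.168.8.0/24 ->
# 172.30.100.2; R2 has NAT off and its SPI firewall on.
# Assumptions: 203.0.113.10 stands in for R1's WAN address, 198.51.100.7 for a
# web server, 192.168.8.20 / 172.30.100.105 are constructed hosts, and R1 does
# not hairpin (no forwarding back out the interface a packet arrived on).
import ipaddress

DMZ = ipaddress.ip_network("172.30.100.0/24")   # R1 LAN: wireless / DMZ segment
LAN = ipaddress.ip_network("192.168.8.0/24")    # R2 LAN: protected wired segment
R1_LAN, R1_WAN = "172.30.100.1", "203.0.113.10"
R2_WAN, R2_LAN = "172.30.100.2", "192.168.8.1"
LAN_PC, DMZ_PC, PRINT_SERVER = "192.168.8.100", "172.30.100.105", "192.168.8.20"
WEB = "198.51.100.7"

def in_net(ip, net):
    return ipaddress.ip_address(ip) in net

class R2:
    """Pure router with a stateful (SPI) firewall and NAT disabled."""
    def __init__(self, allow_in=None):
        self.allow_in = allow_in or {}   # dport -> LAN host: the "port forward" rule
        self.seen = set()                # (lan_src, dst, dport) flows started from the LAN

    def forward(self, src, dst, sport, dport):
        if in_net(src, LAN):             # LAN -> WAN: record the flow, pass it unchanged
            self.seen.add((src, dst, dport))
            return "pass"                # src is still 192.168.8.x: no translation here
        # WAN -> LAN: only replies to recorded flows or explicitly allowed services
        if (dst, src, sport) in self.seen or self.allow_in.get(dport) == dst:
            return "pass"
        return "blocked by R2 firewall"

class R1:
    """NAT router that translates any private source, local subnet or not."""
    def __init__(self):
        self.nat = {}                    # sport -> original private src (simplified table)

    def forward(self, src, dst, sport, dport):
        """Returns (verdict, source address after R1, next hop)."""
        if in_net(dst, LAN):
            if in_net(src, DMZ):         # came in on the LAN side, would leave the same way
                return ("dropped: R1 does not hairpin (assumption)", src, None)
            return ("pass", src, R2_WAN)  # static route 192.168.8.0/24 -> 172.30.100.2
        if in_net(dst, DMZ):
            return ("pass", src, dst)    # directly connected
        self.nat[sport] = src            # Internet-bound: 172.30.100.x or 192.168.8.x alike
        return ("nat", R1_WAN, dst)

    def inbound(self, src, dport):
        """Reply from the Internet to R1_WAN: undo NAT, then route by real destination."""
        real_dst = self.nat.get(dport)
        if real_dst is None:
            return ("dropped: no NAT mapping", None, None)
        return ("pass", real_dst, R2_WAN if in_net(real_dst, LAN) else real_dst)

def lan_to_internet(sport=40000):
    """LAN PC -> web server and back: translated once, at R1, and routed back via R2."""
    r1, r2 = R1(), R2()
    r2.forward(LAN_PC, WEB, sport, 443)                 # leaves R2 still sourced 192.168.8.100
    _, public_src, _ = r1.forward(LAN_PC, WEB, sport, 443)
    _, real_dst, hop = r1.inbound(WEB, sport)           # reply arrives for 203.0.113.10:sport
    admitted = r2.forward(WEB, real_dst, 443, sport)    # R2 matches the recorded flow
    return public_src, real_dst, hop, admitted

def dmz_to_lan(forward_rule=False):
    """DMZ PC opens LPD (515) to the print server; blocked unless R2 has a rule for it."""
    r2 = R2({515: PRINT_SERVER} if forward_rule else None)
    return r2.forward(DMZ_PC, PRINT_SERVER, 50000, 515)  # DMZ PC sends it to 172.30.100.2

def lan_to_dmz(dmz_pc_has_route):
    """LAN PC opens SMB (445) to a DMZ PC; the reply only gets back if the DMZ PC
    routes 192.168.8.0/24 via 172.30.100.2 (the post's `route add`)."""
    r1, r2 = R1(), R2()
    r2.forward(LAN_PC, DMZ_PC, 40001, 445)   # R2 delivers directly: the DMZ is its WAN subnet
    if dmz_pc_has_route:                     # reply goes to R2's WAN address
        return r2.forward(DMZ_PC, LAN_PC, 445, 40001)
    verdict, _, _ = r1.forward(DMZ_PC, LAN_PC, 445, 40001)  # reply goes to default gateway R1
    return verdict

if __name__ == "__main__":
    print("LAN -> Internet:", lan_to_internet())
    print("DMZ -> print server, no rule:", dmz_to_lan())
    print("DMZ -> print server, port 515 forwarded:", dmz_to_lan(True))
    print("LAN -> DMZ PC reply, with route add:", lan_to_dmz(True))
    print("LAN -> DMZ PC reply, without route add:", lan_to_dmz(False))
```

Running it shows the single translation (R2 hands 192.168.8.100 to R1 untouched, R1 sends it out as 203.0.113.10 and routes the reply back through 172.30.100.2), that a DMZ PC's own connection attempt to the print server is dropped by R2 unless port 515 is forwarded to it, and that a DMZ PC's reply to a wired PC only succeeds when the DMZ PC routes 192.168.8.0/24 via R2 rather than its default gateway.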
dnoyeB (Ferrous Phallus; join: 2000-10-09; Southfield, MI):
said by janderso1: "It is true that with NAT off you must use the LAN IP address of the computer you want to access, not the WAN IP of the Zyxel. You have two subnets with R2 routing between them. The firewall in the second router protects its LAN segment. Try to telnet to a PC on R2's LAN and you will see in the log that the firewall blocked it. Port forwarding also creates a firewall rule in these low-end Zyxels to allow the incoming traffic, so if you forward the SSH port to your SSH server's LAN IP you should be able to connect. I forwarded port 515 to my print server and port 53 to my DNS server and they work. In other words, port forwarding does what you want with NAT off or on. ..."
When with NAT off you need to target computers by IP, and when you do that port forwarding makes no sense. I have not found port forwarding to work the same with NAT on and off. With NAT off I have found I have no port forwarding, because the Zyxel assumes you are trying to connect to it and not some device on the LAN when NAT is off. You are experiencing different?
I think you may be seeing some NetBIOS forwarding because that is outside of the port forwarding page/NAT, but if you try to telnet into a computer on the LAN with NAT off I don't think you can. -- dnoyeB "Then said I, Wisdom [is] better than strength: nevertheless the poor man's wisdom [is] despised, and his words are not heard." Ecclesiastes 9:16