Computer networking, question isolating network and internet


The Surb
02-24-2010, 02:09 PM
I want to isolate a tenant from my network but still give him internet access to his network.

I tried to put a switch from the internet cable into two routers, giving each router an IP scheme. One uses 192.168.0.1 and the other is 192.168.1.1. From each router, they go into their respective network switches.

Router 0 and switch are working just fine. Router 1 works OK with IP address and internet access, but when I plug it into the switch, it quits. I can get an IP address at the switch but I can't get internet access.

I have tried two different switches, so I don't think that is the problem. But I don't know what the problem is.

Any ideas? Thanks in advance.

Quartz
02-24-2010, 02:41 PM
Things will be much easier for you to work out if you use two different private IP ranges: 192.168.x.x (A) and 172.16.x.x (B). This will help immensely with debugging. Further, at a guess, you only get 1 IP address from your ISP.

I'm also going to guess that these are standard home internet routers. 4 port jobbies.

Set both routers up as DHCP servers for their respective networks. Set router B to be a DHCP client for its WAN (internet) port. Plug all your stuff into router A. Plug router B into router A. Set router A to only allow access from router B straight to the WAN port, so he can't see your network at all. Test by putting a PC on router B. Now let him plug his stuff into router B. Voila! His network is totally separate from yours and you can control his access.

HorseloverFat
02-24-2010, 04:44 PM
Your issue probably is that your ISP won't let you have two different MAC addresses plugged into their modem. Once you plug in the other router, it causes the lockup. It would probably be easiest to pay for two IP addresses from your ISP and they'll allow two devices.

UncleFred
02-24-2010, 08:18 PM
Your issue probably is that your ISP won't let you have two different MAC addresses plugged into their modem. Once you plug in the other router, it causes the lockup. It would probably be easiest to pay for two IP addresses from your ISP and they'll allow two devices.

Could he put a third router 'ahead' of his existing two routers? Then the cable/dsl modem would only see one MAC address.

Khendrask
02-25-2010, 06:40 AM
The simplest method would be to add a VLAN-by-port capable switch between the router and the two separate networks, but that would be fairly expensive.

I suppose a cheaper way out (but still expensive) would be to get a decent quality MANAGED switch, connect the two networks, and use the switch itself to block all traffic between the two 'Network' ports, but allow traffic between the network ports to the internet router port.

The Surb
02-25-2010, 07:23 AM
Actually, I have a Dell 3048 switch left over from the previous owner. I can't figure out how to isolate just the internet.

I didn't know the switch would do that, I thought it was all or nothing. I'll look up the manual online and see if I can figure that out.

The Surb
02-25-2010, 07:43 AM
I found the manual online. How do you isolate access to the internet and not allow certain ports to see the network? I don't know what I should be looking for.

si_blakely
02-25-2010, 08:33 AM
As Quartz noted, your internet cable can only connect to one device at a time, so the first device to connect has to be a NAT router. This is your network, with your devices. Then connect the sub-network router into a port on your router for your tenant. You don't need the switch at all (unless you don't have enough ports for yourself).

<internet cable>--------<internet IP Your Router 192.168.0.x>--------<192.168.0.2 Tenant Router 192.168.1.x>

Your tenant will go through two NAT devices, but this should not be a problem, though P2P networks may require significant configuration on both routers. Both networks should be set up for DHCP in their respective subnets, and as long as you don't set up routes from one network to another, the tenant will not get any access to your network. Even safer would be a third router, as such:

<internet cable>--------<internet IP DMZ Router 192.168.0.x>--------<192.168.0.2 Tenant Router 192.168.1.x>
                                                            L------------------------------<192.168.0.3 Your Router 192.168.2.x>

In this case, both you and your tenant have two layers of NAT to traverse.
You could use the switch, but switches (even managed ones like the Dell) manage collision domains. VLANs create isolated sections within the switch, but you will still need the routers to configure the subnets, so I think that the switch is redundant.

Si

md2000
02-25-2010, 09:26 AM
si_blakely has it right. Your internet provider does not allow 2 devices on the internet - just one. After all, that one uses a public IP address (usually) and they only plan to have enough addresses for one per household.

You have the two choices; either cascade one router through the other, or cascade both through a third.

If you cascade one through the other - who's on top? If you can program the router(s) to not allow the secondary router to see the primary network (In si's diagram, can the tenant router be told not to talk to 192.168.0.x?) then great.

Otherwise, if he can guess your IP addresses, he can see your stuff (hint - I bet your DHCP starts at 100?); try the cascade, see if the 1.x network can get to the 0.x network. Try ping, try opening files with "\\192.168.0.100" or whatever. He can't use computer names, because the router should block the broadcasts by which the network learns who else is out there.

I never fiddled with the home router stuff that deeply, but I doubt you can easily reprogram the router for privacy - I don't recall seeing the settings. If you try to add a table entry for rerouting 0.x to neverneverland, then how will the secondary's traffic get from there to the internet? Usually a table entry for a direct-attach network is ignored.

For best results, the triple router scenario is best. They are what nowadays, $30? If you're that worried about separating networks, it's money well spent.
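The forwarding rule Quartz describes for router A ("only allow access from router B straight to the WAN port") and the reachability check md2000 suggests, modelled in Python as an added example that is not from any poster in this thread. It uses the addresses from si_blakely's diagram (tenant router WAN side 192.168.0.2, landlord LAN 192.168.0.0/24) and goes one step further by dropping tenant traffic to every RFC 1918 range, which also covers the 192.168.2.x network in the three-router layout; the rule order, the flow labels and the iptables rendering for a Linux-based router are my assumptions, and nothing here touches a real interface.

```python
# Added example: first-match model of router A's FORWARD policy in the cascaded
# layout. Router A only ever sees the tenant's traffic with source 192.168.0.2
# (the tenant router's WAN address), because the tenant router NATs its 192.168.1.x hosts.
from ipaddress import ip_address, ip_network

TENANT_WAN = ip_network("192.168.0.2/32")        # tenant router, as in si_blakely's diagram
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
ANY = ip_network("0.0.0.0/0")

# (src_network, dst_network, action); first match wins, last entry is the default.
# 192.168.0.0/16 covers both the landlord LAN (192.168.0.x) and the
# 192.168.2.x network used by the third router in the DMZ variant.
FORWARD_RULES = [(TENANT_WAN, ip_network(n), "DROP") for n in RFC1918]
FORWARD_RULES.append((ANY, ANY, "ACCEPT"))       # everything else goes out to the WAN


def forward_decision(src, dst, rules=FORWARD_RULES):
    """Action router A takes for a packet it would forward from src to dst."""
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net, action in rules:
        if s in src_net and d in dst_net:
            return action
    return "DROP"  # nothing matched: default deny


# md2000's check, run against the model instead of a live network. Labels are
# constructed; 192.168.0.100 is the example address from his post.
SAMPLE_FLOWS = [
    ("192.168.0.2", "192.168.0.100", "SMB to landlord PC 192.168.0.100"),
    ("192.168.0.2", "192.168.2.7", "tenant to landlord LAN behind DMZ router"),
    ("192.168.0.2", "8.8.8.8", "public DNS 8.8.8.8"),
    ("192.168.0.50", "192.168.0.2", "landlord PC to tenant router WAN side"),
]


def isolation_report(flows=SAMPLE_FLOWS):
    """Map each sample flow's label to the modelled verdict."""
    return {label: forward_decision(src, dst) for src, dst, label in flows}


def iptables_equivalent(rules=FORWARD_RULES):
    """Render the same policy as iptables FORWARD-chain commands (assumed Linux router)."""
    return [f"iptables -A FORWARD -s {s} -d {d} -j {a}" for s, d, a in rules]


if __name__ == "__main__":
    for label, verdict in isolation_report().items():
        print(f"{verdict:6} {label}")
    print("\n".join(iptables_equivalent()))
```

Running it shows the tenant's flows to either landlord subnet dropped while the public-DNS flow is accepted; the rendered iptables lines are what you would load on router A if it runs Linux and exposes a shell, which most consumer routers of the period do not.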

butler1850
02-25-2010, 10:51 AM
Everyone is saying that the ISP won't allow 2 connections. That may be their default, but often it's an available service. Doesn't cost too much, if they charge for it at all.

HorseloverFat
02-25-2010, 11:35 AM
Could he put a third router 'ahead' of his existing two routers? Then the cable/dsl modem would only see one MAC address.

Sure, but in those scenarios you'll be double-NATing. That tends to mean a lot of things that listen on ports or aren't simple TCP will not work, like VoIP, VPN, P2P, etc. Getting a 2nd IP is the optimal solution here.

I'd also just consider the lazy approach of letting him on your subnet but making firewall rules on all your computers to drop traffic from his IP address.

The Surb
02-25-2010, 10:26 PM
OK, I think I've got it.

internet ----> switch ----> router with DHCP off and MAC filtering ----> tenant

The Surb
02-25-2010, 10:35 PM
I forgot, can I still use MAC filtering with DHCP off?

We get our internet for free so it's not like I'm trying to avoid paying. I asked my ISP, but the junior level tech said they don't help with internal issues.