Can a router give me a personal local network inside my corporate network?

Could I have a little network, somewhat like my simple home network, in my office at work, and still operate the same way on the corporate network?

Our corporate network is, to me, huge and complicated and has various security and automation features like pushing software onto our computers and doing remote support.

There are simple things I know how to do on my home network, like using an instrument that has a fixed IP and allows telnet and ftp. But I don’t know how to do these things on the corporate network, and I’m not sure I want to learn, or that they’d want me messing with it.

Could I possibly have a little network inside my office, through the use of a router, and plug the WAN side of the router into the wall jack, and have everything work right from the point of view of the corporate network?

I think this should work, with one exception: I think a router isolates its LAN users from visibility on the WAN side, at least in some ways. But I don’t know much about this.

Thanks!

I recommend that you not install a router on your corporate network. It can cause various problems for the entire network and corporate IT will detect it, track it down, and slap you around for having done so.

Plus, I’m not sure what you think you’ll accomplish and why you feel it’s necessary. (If it really is, get corporate IT involved.)

File sharing on a corporate network is easier to set up than on a home network (you don’t need to know IPs, nor do you need a static one). With Windows, file sharing doesn’t require ftp or telnet (it’s probably the same on Macs, too).

You just have to activate file sharing. Your corporate IT network probably has to set it up, but they also may have other solutions to do exactly what you want. That, BTW, is how you want to ask for things from an IT department – tell them what you want to do, not what you think you need to do it. They would know better how to achieve what you want.

I agree that it’s a bad idea to do this without getting your IT department involved first. Especially if the router has wireless. Don’t do that.

This is a terrible idea, an instant sacking one.

Edit: Sorry this is the bit meant to quote:

You may get blocked. We have our networks set up so that any computer we do not want on our system will not get an IP. Sure, you could guess one and assign a static one, but we were in an environment with many users, so we had to block people from doing things like what you want, because they would want to bring in their laptops for p2p. It would be easy to see/catch.

What exactly are you trying to do? Do they block telnet and other services? It would probably just be easier to set up a VPN on your home machine and use that as your internet connection. They won’t even be able to see what you are doing other than that you have a connection, sans any screen monitoring software.

To answer your question, yes, you probably could just plug the WAN side of a router into the jack in your office at work, and then have your own little private network on the inside portion of the router. It does depend on how your corporate IT is setup, but if they will give an IP address to anything which asks for one, then it should work. If they require registration of MAC addresses (the unique address everything which uses ethernet has) before giving an IP address to a particular device, then it won’t work unless you manage to register the router’s MAC address with them.

Of course, your little private network has to traverse the corporate network to reach the outside world, so any blocking or such the corporate network uses will still apply to your private network’s external communication. For example, if the corporate network blocks outgoing port 25 (e-mail) connections, then a port 25 connection from your desktop on your private net will go through the router and be blocked when the router tries to connect through the corporate network.

If the corporate network blocks certain internal connections, such as port 23 (telnet) between internal machines, then machines on your private network should be able to talk to each other over port 23, because they’re never hitting the corporate network.

As others have said, though, is this a good idea? Definitely not. If you’re just curious, then no harm; if you want to accomplish something specific and think this might be a good way, then ask your IT people. As others have said, ask them what you want to accomplish, not how to do what you think you need to do to accomplish it: “How do I share files between my laptop and desktop?” is better than “Why can’t I have administrator privileges on my desktop (because I want to create a network share that my laptop can see)?”

InfoSec Guy chiming in (even the IT people hate us):

By installing an unauthorized router, you would be compromising the entire network. Any traffic into or out of your router (despite the fancy-schmancy but surely mismanaged firewalls on the company’s perimeter), and all of the traffic hitting your endpoint, can traverse to dol-garn near any other endpoint that’s in the “trusted” zone.

Don’t do this.

Your home firewall, even if not actively managed, is likely more robust than your company’s.

Don’t be the cause of a breach.

It makes InfoSec guys cry.

To clarify the security threat a bit more, popping your own wireless router into the middle of the network creates a huge backdoor into the network. Especially if it is not secured. Someone could be sitting in the parking lot with access to file shares all over the network.

Another reason not to do it is that your router is probably set up to hand out DHCP addresses. If you just plug it in, your IT department may find, for example, that computers are suddenly getting addresses in the 192.168.1.* subnet, instead of the 10.10.*.* subnet they’re supposed to be getting. The IT department will have to drop everything else to locate and eliminate the source of rogue IP addresses. I very much doubt they’ll be very happy with you if they find that you’re responsible for this emergency. As someone suggested, it’s something for which termination is not out of the question.
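
The rogue-address emergency described in this post is easiest to catch at the DHCP layer, by watching who is answering DHCP requests. As an added example (not from the thread), the Python below scans constructed DHCPOFFER summary lines and flags offers that come from a server not on an allowlist or that hand out addresses outside the corporate range; the line format, the 10.10.0.0/16 range and the server allowlist are all assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample of DHCPOFFER events, one per line, as a capture summary
# might record them. The format is an assumption for this example, not the
# output of any real tool.
SAMPLE_OFFERS = """\
2024-01-01T08:00:01 DHCPOFFER server=10.10.0.5 client=aa:bb:cc:00:00:01 offered=10.10.42.17
2024-01-01T08:00:03 DHCPOFFER server=192.168.1.1 client=aa:bb:cc:00:00:02 offered=192.168.1.103
2024-01-01T08:00:04 DHCPOFFER server=10.10.0.5 client=aa:bb:cc:00:00:03 offered=10.10.42.18
2024-01-01T08:00:09 DHCPOFFER server=10.10.0.6 client=aa:bb:cc:00:00:04 offered=10.10.42.19
"""

# Assumed: the only sanctioned DHCP server and the corporate client range.
AUTHORIZED_SERVERS = frozenset({"10.10.0.5"})
CORPORATE_NET = ipaddress.ip_network("10.10.0.0/16")

OFFER_RE = re.compile(r"DHCPOFFER server=(\S+) client=(\S+) offered=(\S+)")


def find_rogue_offers(log_text, authorized=AUTHORIZED_SERVERS, corp_net=CORPORATE_NET):
    """Return (server, client_mac, offered_ip, reason) for each suspicious offer.

    Two independent checks: the offering server must be on the allowlist, and the
    offered address must lie inside the corporate range. A home router whose LAN
    side ends up on the corporate wire fails both; a forgotten second corporate
    DHCP server fails only the first.
    """
    findings = []
    for line in log_text.splitlines():
        m = OFFER_RE.search(line)
        if not m:
            continue  # not an offer, or malformed: skip rather than crash
        server, client, offered = m.groups()
        reasons = []
        if server not in authorized:
            reasons.append("unauthorized DHCP server")
        try:
            outside = ipaddress.ip_address(offered) not in corp_net
        except ValueError:
            outside = True  # an unparseable offered address is suspicious too
        if outside:
            reasons.append("offered address outside corporate subnet")
        if reasons:
            findings.append((server, client, offered, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for server, client, offered, reason in find_rogue_offers(SAMPLE_OFFERS):
        print(f"{server} offered {offered} to {client}: {reason}")
```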

Routers generally don’t hand out addresses on the WAN port.

True. I think I was conflating two emergencies.

Thanks. But I want to stress I am not trying to do anything illicit or cheat the system somehow. I want to understand the issues and be self sufficient where it is practical to do so.

Here are some things I want to be able to do:

  1. Talk to an instrument that requires telnet through a static IP.

  2. Set up instruments that perform FTP through static IP, either to my computer’s c: drive or a separate little network drive.

  3. Use hardware devices like PLCs that require a static IP connection to my PC which is running their dedicated software.

  4. Do all of these things conveniently and still be able to access the internet or my email, which means not reconfiguring my PC back and forth between being a DHCP client with one set of addresses and masks, and using static IP with a different set. It never fails - as soon as I switch it one way, I need something that requires the other way, back and forth.

Here are things I do NOT want to do:

  1. I don’t want to access any of the things on the corporate net, like fileservers and email and printers and internet access, by any means other than the ones they intended.

  2. I don’t want to set up anything wireless. I have ZERO interest in wireless. It’s a huge security hole, as far as I know.

  3. I don’t want to be a DHCP server to anything either upstream or in my office.

I did ask my IT department about this, twice. Once they said I should add anything I want to our network, and give it a static IP if I want, just keep pinging addresses until I find one that doesn’t respond. This doesn’t sound right - if it’s another static IP device that happens to be offline that morning, everything will stop working when it’s plugged back in. The other time, they said they could assign me a static IP if I really, really, really needed one, but there’d have to be some kind of review of the need, and it all sounded very cumbersome.

What I would like to do is get some idea whether what I had in mind is easy, or impossible, or somewhere in between, and learn the reasons why. And, since some of the devices are not PCs and aren’t supported by IT anyway, I have to do at least some of this myself.

What do you all say?

Let me caveat all this by stating at the start that I’m not tracking 100% right now (as if I ever am), so if my reply seems incoherent or isn’t answering the question feel free to completely ignore me.

You seem to be asking if you could have a sub-network on your corporate network that uses corporate assets but is segregated from the corporate network, presumably using a firewall or router and on a separate subnet. Assuming that is the case, and assuming your IT department allows it and will work with you to ensure you can do this, my answers to your follow-up questions are:

Telnet to a static IP address that is on your local subnet is no problem. Telnet to a device that is on the corporate network shouldn’t be an issue either, as long as you have your default gateway set to your router or firewall (which will presumably be on a routable subnet on your corporate network, and have a valid IP address). Going from your corporate network to your new network would entail either setting up a port forward or having your router participate in an active routing protocol (say, RIP or EIGRP, OSPF or whatever it is your corporate network is using). If you are wanting to go from outside your corporate network (say, on the internet on travel or from home) to your new network, then that’s doable as well, though it will take your IT guys to redirect traffic to make it happen (it wouldn’t be all that hard, but if it were me I’d tell you no unless it was a requirement and unless we’d set up this new network for you).

The other two seem to be the same answer, assuming I’m getting what you are asking here.

Well…if you are putting in a router or firewall, simply have it serve up a new DHCP address on the new subnet. As long as the router has an outside address on your corporate network and you have your default gateway set up correctly (and with some other caveats about your corporation’s IT security), you won’t have to switch IP addresses back and forth…and your email and such will work fine. What you are really doing is an old-style routed network here, simply using a router/NAT device to further segregate your network. We do this using VLANs on our network.

Yikes. If you have any say, fire them for the ‘ping IP addresses until one comes back with no reply and just use that’ thingy. :eek:

For the other, I can see why they would want to review what you are wanting to do. Putting a router or other network device on an existing network can be touchy, especially if you screw up (there are a number of ways to screw up that can affect the corporate network). Still, it’s not all THAT hard to do this. Heck, if your network is at all modern, they could probably do this for you at the switch level using VLANs and you wouldn’t even need to stand up a separate router appliance.

Let me go over what I assume you are trying to do…if this bears no resemblance to what you are asking, just ignore it all and go with the other posters (I haven’t read the other responses in the thread yet):

You want to set up an appliance (a router or firewall) that will tie into your corporate network via an inbound port, and then set up a switch or something inside your new network for your PC, other workstations and other IP devices. Correct? And you want your PCs, workstations and other devices to be able to get out and reach other corporate assets and your corporate internet access? Correct? All of that is pretty easy, to be honest. It would be a matter of getting a valid static IP address (you could even grab a corporate DHCP address) on the external or ‘WAN’ port, and then setting up the router or firewall to give out DHCP addresses to a new subnet on the internal or ‘LAN’ side. You would also need to ask your IT guys what the corporate gateway for the subnet you are attaching this thing to on the ‘WAN’ side is (unless you go the DHCP route on the external link). That’s it for basic connectivity.

Now, if you want to set it up so that folks on the corporate network (or, like I said, going from outside your corporate network to inside your new network) can access your internal resources, that will be a bit more complicated. Still doable, though, and not all that hard (I could set it up in maybe 5 minutes, if it were our network).

-XT

In that case I say you’re right about this. IT doesn’t seem very cooperative (while punting their job onto you), and with your needs it seems a pain to get them involved for every simple instrument you might need to use to do your job.

You can set up a wired router, receiving its address on the WAN like your PC currently does (DHCP or static) and doing NAT to your internal network on a different subnet. You can configure your network as you please. From the point of view of the corporate network everything will be the same. They won’t even be able to detect that anything is different. You’ll be doing double NAT to access the Internet (assuming you are assigned a private IP), which while not very elegant should work fine for email and web surfing.

What you want to do is probably better achieved by adding a second network interface to your PC. Then run the private network off that. Just don’t set up any routing at all between the networks. Don’t even set up DHCP. You would need to get your IT guys involved enough that the private network uses one of the private non-routing network addresses (making sure that you don’t conflict with any already in use) and have them feel happy that all is well. Once you have this set up you have a personal network fiefdom.

Any IT department that says “just keep pinging until you don’t get a reply” seriously worries me.

However, having personal networks hanging about is still a bit of a ticking bomb. It only takes a trivial mistake, or a moment’s inattention, to cause a network outage. Plugging a device into the wrong network port might be enough to cause a cascading failure across the entire company network. It doesn’t need to be you that does it.

Unless, of course, they have corporate software to access your PC remotely.

Although an important caveat is that this will break Windows file sharing with the corporate network (using SMB/CIFS), which is typically a critical service in corporate environments. If you have administrator privileges, using a second network adapter might be a better solution, as Francis Vaughan suggested.

I’m not a Windows guru, but I think this would only affect peer-to-peer file sharing (all that WINS stuff)…and maybe not even that. What the OP seems to be doing is no different than having your Windows domain servers on VLAN 1 and your workstations on VLANs 2-8. We do that all the time without any noticeable problems. In fact, just use a BOOTP forwarder statement and you can have the domain serve up your DHCP and DNS info to your workstations, and all the shares and such are completely accessible…no problem.

Of course, there is a real possibility that I’m simply not following you and what you are getting at here.

-XT

I’m not a Windows guru either, but to be precise, it’s auto-discovery of network shares and printers that needs to be on the same subnet to work. That might not be as critical as simple availability, come to think of it.