Can a router give me a personal local network inside my corporate network?

Most corporate networks (that I’ve seen…big caveat there) don’t use auto-discovery of network resources or peer to peer networking. Most of them use scripted login mappings for drives and setting up printers and such (and most I’m familiar with actually use hidden shares, even for the printers). None of this would be hampered by setting up a router.

For that matter, assuming the workstations are in the domain they should still be search-able (or whatever Windows calls it when you can look at the network neighborhood) if you have WINS and DNS set up correctly.

I don’t really work much on the systems side, so you can take the above with a pretty large grain of salt…I THINK that’s how it works, and based on the corporate networks I’ve seen (most of which don’t have a single IP subnet), it shouldn’t be a major problem, I wouldn’t think. Of course, the OP’s IT guys told him to ping around to find a static address that might be available, so…

:wink:

(ETA: If it comes down to having to search for an IP address, OP, there are a lot of IP subnet scanners you can download. I’m not going to link to it, but I have Advanced IP Scanner on a thumb drive for just such emergencies…though, generally not to give out static IP addresses on our corporate network)

-XT

To be even more precise it’s auto discovery using broadcasts that will break. I don’t know much about WINS so I’ll leave that to the experts.

Really?

Suppose the corporate network uses DDNS and lets Windows domain members register their IP addresses with the DNS server.

What address will get registered by a Windows client behind the little firewall? (Hint: it will start with 192.168.)

I would consider that misconfiguration. I’m not sure what your point is.

Ah, thanks - now THIS is the kind of information I was looking for. All of it!

Let me answer this bit from xtisme, as it seems to cover a lot of ground:
“You want to set up an appliance (a router or firewall) that will tie into your corporate network via an inbound port, and then set up a switch or something inside your new network for your PC, other workstations and other IP devices. Correct? And you want your PCs, workstations and other devices to be able to get out and reach other corporate assets and your corporate internet access? Correct?”
That’s pretty close. What I want is a subset of that. Substitute “inside your new network for your PC and other IP devices”. I was picturing only one PC in my little office network. Though I guess the ability to add more might turn out useful. Also, substitute “And you want your PC to be able to get out and reach other corporate assets and your corporate internet access”. I don’t need any of the other IP devices to talk to anything but my own PC.

In re the later comment “Most corporate networks (that I’ve seen…big caveat there) don’t use auto-discovery of network resources or peer to peer networking. Most of them use scripted login mappings for drives and setting up printers and such (and most I’m familiar with actually use hidden shares, even for the printers). None of this would be hampered by setting up a router.”:
I don’t know about the auto-discovery or peer to peer things, but we do have scripted login mappings for drives and I think some other things.

Pedro comments “Unless, of course, they have corporate software to access your PC remotely.” And they do.

I am not aware there is any file sharing set up for files sitting on my PC, though I’m not sure I would know if there was.

Francis Vaughn, you suggest “What you want to do is probably better achieved by adding a second network interface to your PC. Then run the private network off that. Just don’t set up any routing at all between the networks. Nor even set up DHCP. You would need to get your IT guys involved enough that the private network uses one of the private non-routing network addresses (making sure that you don’t conflict with any already in use) and have them feel happy that all is well. Once you have this set up you have a personal network fiefdom.” This sounds all kinds of interesting. I can picture it doing everything I hope to accomplish and seems as though it would create zero risk for everybody else, especially considering I would not use wireless. But tell me, does that require adding hardware to the PC? It’s a pretty Dell laptop in a docking station. Would that be difficult? BTW this 4 month old laptop seems kind of cranky in other ways (I can’t get a USB to RS232 converter to work on it, nor compact flash card in a PCMCIA adapter, my only attempts so far at “adding” hardware).

Many thanks - there is already a great deal of stuff here to digest and leads to follow. I do appreciate it.

Napier, I followed this forum (Can a router give me a personal local network inside my corporate network? - Factual Questions - Straight Dope Message Board) with interest, as I would like to do the same thing (small private subnets using routers), and I am wondering what you ended up doing in the end. Since the posts are all more than 1 year old, did you come up with a solution that works for you (either using a router, or using separate NICs)?

Napier, I’m just going to reiterate the DON’T DO THIS bit from before (it really does make security guys cry). Think about it this way - when I do a penetration test (aka “ethical hacking,” where a company pays me to break into their network), one of my first moves is to gain physical access to the building and drop in a wireless router so that I can launch exploits from the comfort of my car in the parking lot. What you’re proposing is literally creating a back door into the network. The difference between you doing this and me doing this is in one detail - I have a “get out of jail” card signed by your CEO authorizing me to be evil.

In regard to previous comments about WINS configurations, if the corporate network is still relying on WINS/NetBIOS… well, they’re probably being breached already. There’s no excuse for using these in a post NT world (other than the fact that some legacy applications might break…).

Would it not be easier just to get management approval? If you can get that, your IT department will actually support the dang router (and buy it for you). Also, when your IP addressing scheme fouls up other clients on the network, the IT team can actually troubleshoot; in all likelihood, you’d just be stealing someone else’s IP and causing address conflicts without realizing that you were being a pain in someone’s butt. In my sysadmin days, I encountered this several times, and spent many hours literally crawling under desks after-hours to track down some idiot’s “clever” installation.

Also, in regard to the P2P issue - stay the hell off the torrents and such. Most likely, your company has a policy forbidding them because they are cesspools of copyright violation. If you set up a private LAN on the corporate WAN and use it to rip off the latest Harry Potter movie or whatever, the company is legally/financially responsible. And yes, if they’re doing things right, they can detect it (P2P traffic is pretty easy to detect with rudimentary IDS/IPS and firewall log review).

Don’t do it. If you’re desperate for your own network, buy a cell card.

I’ve set this sort of thing up occasionally on my company network (it helps that I am the IT guy). E.g. because the NAT on the main gateway was not capable of NAT-ing certain types of traffic that we needed - the little £50 box could handle NAT that the enterprise-class Check Point gateway couldn’t, at the time.

Technically it’s straightforward, although of course the cautions about security risk are valid. e.g. if it’s a multi-purpose device, like your typical consumer “router” which includes a switch, a wireless access point, a NAT device, you might want to disable the wireless. You only really need the NAT and switch features.
I didn’t have any trouble accessing Windows SMB/CIFS servers on the main network from behind the device. I didn’t need DDNS, don’t know if that would have been affected.

I’ve done this all the time. Of course, it’s a small place and I am part of the network support. It’s convenient for configuring client equipment in isolation.

Basically, a firewall/router prevents unsolicited incoming conversations. (Unless you set it up to direct all unsolicited packets on all ports or a certain port to a particular internal address.)

You could always configure your firewall to use DHCP on the WAN (outside); almost every decent sized corporate network uses that. The DHCP will give your router the corporate DNS server addresses, too - so you can find all the needed resources by name. Unless there is an urgent need to have a fixed address, or DHCP addresses are tight or all specifically reserved (assigned), why risk messing up the network by stealing what may be a turned off machine’s address?

Inside the private network, you configure DHCP (usually on this router) to hand out addresses; it MUST NOT duplicate the corporate address scheme. Since many places default to 192.168.0.x (or …1.X) this may require specific configuring. Fortunately, many bigger corporations have a different numbering scheme.

You also configure DHCP to hand out the router address as the DNS for internal. This means you can find the corporate servers, etc. by name. This gives you their services - login, login scripts, file shares, printers, etc.

If the goal was to avoid “push” then this will work. You will register with the corporate DNS using the address of the router (DHCP from WAN side) and it will not pass pushes. However, a lot of what passes for push are actually your machine executing login scripts, which start processes which will go out and look for something every so often. Odds are most of what happens on the corporate network will happen on your machine.

If you login to the domain, your PC is part of the domain, and they have implemented Windows Policies, those will be loaded to your PC via the login process; so any limitation on what you can do on your PC will still be there.

Yes, file sharing is blocked incoming - people cannot “see” your files on your PC unless you specifically forward a lot of IP ports to your PC. Broadcasts will not go through the firewall, in or out (usually).

The major advantage of this arrangement is that you can configure test equipment, create a different numbering scheme for test PC’s, you won’t flood the corporate network with your problems, etc. For simple privacy - just turn on your firewall.

I do this all the time at work as part of my job. I’m connected to the company network wirelessly with a 10.x.x.x IP, then my copper port is plugged into a little 5-port switch on my desk with a 192.168.x.x IP.

So I can network all the devices I need to test and control them from my computer, while still accessing the network folders and internet when I need to.

Switch - OK.
Router - OK.
Router used as switch - dangerous.
If you plug in a router out of the box as a switch, it will hand out likely incorrect addresses; wrong IP, wrong DNS, user won’t find login server or anything - major chaos.

There’s a setting on the fancy Cisco switches to disallow multiple MAC (ethernet hardware device) addresses. If it detects more than 3 devices in a certain time (15 minutes) it disables the port until you contact network management. 3 devices allows your VoIP phone, your PC, and then you switch the wire to a different PC. Switch to a 3rd PC and the port shuts down.

Of course, if you have a router (doing NAT) it all appears to come from the one device, so you’re safe. This was to prevent people from adding mysterious extra devices like switches to over-extend the network, and because some IT people just like anal control levels.
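The port-security rule described in the two posts above (more than three distinct MAC addresses within a 15 minute window shuts the port), modelled in Python as an added example; this is not code from any poster in this thread and not Cisco's implementation, just a simulation of the behaviour as described, with constructed frame logs. It also shows the blind spot the second post points out: a NAT box in front of several machines presents a single MAC, so the switch-side count never rises.

```python
from typing import Dict, List, Tuple

# A frame as seen by the switch port: (timestamp in seconds, source MAC).
Frame = Tuple[float, str]


class PortSecurityMonitor:
    """Per-port model of the rule described in the thread: remember which distinct
    source MACs were seen in a sliding window; once more than `max_macs` of them
    appear inside `window_seconds`, the port is disabled until an admin clears it.
    This is an illustrative model (assumption), not the vendor's algorithm."""

    def __init__(self, max_macs: int = 3, window_seconds: int = 15 * 60):
        self.max_macs = max_macs
        self.window = window_seconds
        self.last_seen: Dict[str, float] = {}   # mac -> last timestamp seen
        self.disabled = False
        self.violations: List[Frame] = []       # (ts, mac) that tripped the rule

    def frame(self, ts: float, src_mac: str) -> bool:
        """Record a frame; return True if the port is still forwarding."""
        if self.disabled:
            return False
        mac = src_mac.lower()
        self.last_seen[mac] = ts
        # Forget MACs not seen within the window, so a PC swapped out an hour ago
        # no longer counts against the limit.
        self.last_seen = {m: t for m, t in self.last_seen.items() if ts - t <= self.window}
        if len(self.last_seen) > self.max_macs:
            self.disabled = True
            self.violations.append((ts, mac))
            return False
        return True

    def clear(self) -> None:
        """What 'contact network management' amounts to: re-enable the port."""
        self.disabled = False
        self.last_seen.clear()


def simulate_port(frames: List[Frame], max_macs: int = 3, window_seconds: int = 900) -> Tuple[bool, int]:
    """Replay frames through one port; return (port_disabled, distinct_macs_in_window)."""
    mon = PortSecurityMonitor(max_macs, window_seconds)
    for ts, mac in frames:
        mon.frame(ts, mac)
    return mon.disabled, len(mon.last_seen)


# Constructed sample logs (MACs are made up for the example).
PHONE, PC_A, PC_B, PC_C = "00:11:22:00:00:01", "00:11:22:00:00:0a", "00:11:22:00:00:0b", "00:11:22:00:00:0c"
NAT_BOX = "00:11:22:aa:bb:cc"

# Phone plus three PCs swapped on the same cable within a few minutes: 4 MACs -> shutdown.
DIRECT_SWAPS: List[Frame] = [(0, PHONE), (5, PC_A), (60, PC_B), (120, PC_C)]

# Same three PCs behind a NAT box: the switch only ever sees the box's MAC and the phone.
BEHIND_NAT: List[Frame] = [(0, PHONE), (5, NAT_BOX), (60, NAT_BOX), (120, NAT_BOX), (600, NAT_BOX)]

# Swaps spread out over more than the window: old MACs age out, so no shutdown.
SLOW_SWAPS: List[Frame] = [(0, PC_A), (10, PC_B), (20, PC_C), (1000, PHONE)]

if __name__ == "__main__":
    for name, log in (("direct swaps", DIRECT_SWAPS), ("behind NAT", BEHIND_NAT), ("slow swaps", SLOW_SWAPS)):
        disabled, count = simulate_port(log)
        print(f"{name}: distinct MACs in window={count}, port disabled={disabled}")
```

The NAT scenario is the reason such a control should be paired with something that can see inside the traffic (DHCP snooping logs, 802.1X, or simply an inventory of what each port is expected to carry): a MAC count alone says nothing about how many hosts sit behind the one address it sees.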

I don’t think we’re talking about real routers here. We’re talking about those little consumer boxes from the likes of D-Link that people call “routers”, but which would be more accurately called something like wireless switches with broadband modems (although I also dislike the term “modem” because it suggests that the carrier is analogue). They do a lot of things, and actual routing is way down the list. You could argue about the extent to which they are actually routers at all. I mean, I guess they connect IP networks together.

Yeah, home routers would more accurately be described as “NAT Firewalls”. I don’t think they do any of the classic routing protocols (RIP etc.).

Yeah I’m not using a router at all. Just a five port unmanaged switch.

From what I can tell, Napier’s use case didn’t require a router, and is in fact similar to mine. I work with microprocessor based protective relays (similar to PLCs, only mainly used for power system protection rather than industrial automation), and often have to network them together to test out, for example, a new SCADA system or HMI.

Since I have both a wireless card and an Ethernet port, I can easily set them to different IPs and connect to the company network and the little network at my desk at the same time. Without two network cards, however, I’m not sure how he should go about it without switching IP addresses whenever he wanted to access different networks. I agree just throwing a router on the company network is not a good idea.
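Two of the posts above come down to the same address-planning check: the NAT-router recipe earlier in the thread (take a DHCP lease on the WAN side, then hand out an inside range that MUST NOT overlap the corporate scheme) and the two-NIC approach described here (each card on its own subnet, no routing between them). The following Python, an added example and not any poster's code, does that planning with the standard `ipaddress` module. The WAN lease, corporate ranges and interface addresses are constructed sample values; the choice to skip the usual consumer-router defaults (192.168.0.0/24 and 192.168.1.0/24) is an assumption made here so the result is deliberate rather than the box's factory setting.

```python
from ipaddress import IPv4Interface, IPv4Network
from typing import Dict, Iterable, List, Optional

# RFC 1918 blocks from which a private LAN (behind the NAT box or on a second NIC) may draw.
RFC1918 = [
    IPv4Network("10.0.0.0/8"),
    IPv4Network("172.16.0.0/12"),
    IPv4Network("192.168.0.0/16"),
]

# Factory defaults of many consumer routers (assumption: skipped so the plan is chosen, not inherited).
CONSUMER_DEFAULTS = {IPv4Network("192.168.0.0/24"), IPv4Network("192.168.1.0/24")}


def overlaps_any(candidate: IPv4Network, in_use: Iterable[IPv4Network]) -> bool:
    """True if `candidate` shares even one address with a network already in use."""
    return any(candidate.overlaps(net) for net in in_use)


def pick_private_subnet(in_use: Iterable[IPv4Network], prefixlen: int = 24) -> Optional[IPv4Network]:
    """First /prefixlen subnet of RFC 1918 space that is disjoint from everything in `in_use`.
    Returns None if no such subnet exists."""
    in_use = list(in_use)
    for block in RFC1918:
        if block.prefixlen > prefixlen:   # cannot carve a larger prefix out of a smaller block
            continue
        for sub in block.subnets(new_prefix=prefixlen):
            if sub in CONSUMER_DEFAULTS or overlaps_any(sub, in_use):
                continue
            return sub
    return None


def plan_private_lan(wan_lease: str, corporate_nets: Iterable[str] = (), prefixlen: int = 24) -> Dict[str, str]:
    """Given the lease the router's WAN port got from corporate DHCP (address/prefix, e.g.
    '10.20.30.40/16') plus any other corporate ranges IT has disclosed, return an inside
    plan whose addresses cannot collide with the corporate scheme. The router's own LAN
    address doubles as the DNS server handed to clients, as the thread describes."""
    wan = IPv4Interface(wan_lease)
    in_use = [wan.network] + [IPv4Network(n) for n in corporate_nets]
    lan = pick_private_subnet(in_use, prefixlen)
    if lan is None:
        raise ValueError("no free RFC 1918 subnet of that size")
    hosts = list(lan.hosts())
    router = hosts[0]
    pool_start = hosts[len(hosts) // 2]   # lower half kept free for statically addressed test gear
    pool_end = hosts[-1]
    return {
        "wan_address": str(wan.ip),
        "wan_network": str(wan.network),
        "lan_subnet": str(lan),
        "router_lan_ip": str(router),
        "dhcp_pool": f"{pool_start}-{pool_end}",
        "dns_for_clients": str(router),
    }


def check_disjoint_interfaces(interfaces: Dict[str, str]) -> List[str]:
    """Two-NIC case: every interface must sit on its own subnet, or the host's routing
    table cannot tell which card a destination belongs to. Returns a list of problems
    (empty means the layout is sound)."""
    nets = {name: IPv4Interface(addr).network for name, addr in interfaces.items()}
    names = list(nets)
    problems = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems


if __name__ == "__main__":
    # Constructed example: corporate DHCP leased 10.20.30.40/16 and IT says all of 10/8 is theirs.
    print(plan_private_lan("10.20.30.40/16", ["10.0.0.0/8"]))
    # Constructed example of the two-NIC layout: wireless on corporate, copper on the bench LAN.
    print(check_disjoint_interfaces({"wlan0": "10.20.30.40/16", "eth0": "192.168.50.1/24"}))
```

Whichever variant is used, the piece no script can supply is the list of corporate ranges: the WAN lease only reveals the one subnet the router landed in, so the `corporate_nets` argument is where the answer from the IT department goes.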

Maybe you could install a PCMCIA network card? I bet they’re pretty cheap if your laptop accepts it. I happen to know desktop NICs can be had for ~$20.