I am attempting to split an internet connection between two networks, and not allow the users of one network to see the users of another. More specifically, I want one connection to serve both the house and the basement apartment, but not let the users of apartment access the house users’ network and vice versa. Would this setup allow this to happen?
I have a switch splitting the internet connection between the two networks, each headed by a gateway/router. I would set two different IP addresses to the routers to avoid conflict, and then (here is the part I’m unsure of) use different subnet masks so users would not be able to connect cross network. If this is even feasible, would users on one network be able to manually config their IP to connect to the other network? I think that the router would block them from going back over, but I’m not sure. I can’t claim to be a networking expert of any sort, so all help is appreciated.
BTW, the additional switch on the house side is just to expand the number of ports on the router.
Your setup looks good, except for a few things. First, there’s no need to use different subnet masks or even different IP blocks. Second, does the cable company give you two external IP addresses? If they don’t, you won’t be able to pull an IP address for the second router. Or, the network might give you one, but the cable company won’t appreciate it and may suspend service. If you don’t want to pay for a second IP, a third router in place of the switch will suffice.
A subnet mask does segment a network, but not in the manner you describe. Say you have one very large LAN. Users in one building have one subnet mask, and the users in another building have another subnet mask. The buildings are isolated even though they are on the same physical network - unless you install a router. By installing a router, traffic intended for another computer in the same building won’t leave it, while traffic intended for another building can. This cuts down on network congestion and increases security. Since you are probably using NAT, though, this doesn’t apply.
I can’t really verify your setup in more than general terms, but as Cleophus points out, you’ll need to be able to use two external IPs for the two-router setup to work.
The good news about the two-router set-up is that you’re basically very secure against crosstalk between the two LANs, as long as you keep the routers ignorant of each other’s networks - be sure to turn off any routing protocol (probably RIPv2) they may be running…
With the small caveat about the external IPs, that should work.
The way you use “subnet mask” makes me a little uneasy. A subnet mask is really just a bitstring telling the hosts on the net where in the 32-bit IP address the delineation between net and host is. With your setup, a subnet mask of 255.255.255.0 (24 bits net address, 8 bits host address) would be just fine on both user LANs.
Well, yeah. It would do them little good, though: Their local router wouldn’t pass traffic to them. If you’re smart, the router on the 192.168.0.0 network won’t even know that there’s a 192.168.1.0 network and vice versa.
Not as much block as just not know what the heck to do with the packet. The routers do not know about the neighbour network.
In short: The solution will (probably) work as intended. One caveat, though: If you decide one day that you need some sort of controlled crosstalk between the two LANs, you may have quite an undertaking ahead of you.
Anecdote alert: I recently did an install to solve the same problem, although I approached it from another and admittedly Cisco-centric angle. I went with just one router with three LAN interfaces: Upstream to cable modem via a crossover cable, and two LANs (on separate IP address segments) for users. (For those technically interested, it was actually two VLANs over an ISL trunk on one physical cable to a switch, but it works the same.) Cross-traffic between the two user LANs was prevented by outgoing filters (Cisco access-lists) on the interfaces, refusing packets with a source address on LAN 1 access to LAN 2 and vice versa.
The same router ran NAT and IOS firewall as well. (I’m a firm believer in putting my eggs all in one basket, provided I’m sure I’ve made a really good basket.)
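Added example (not code from any poster in this thread): a small Python model of two points made above, what a subnet mask actually decides for a host, and the single-router design with outgoing filters per user-LAN interface from the Cisco post. It uses the 192.168.0.0/24 and 192.168.1.0/24 blocks named in the thread; the interface names and the address 203.0.113.9 are assumptions.

```python
from ipaddress import ip_address, ip_interface, ip_network

# The two user LANs named in the thread; anything else is treated as WAN.
LAN_HOUSE = ip_network("192.168.0.0/24")
LAN_APARTMENT = ip_network("192.168.1.0/24")

# Outgoing filter per user-LAN interface, modelled on the Cisco post: a
# packet may not leave towards one user LAN if its source is the other.
# Interface names are assumptions for this example.
EGRESS_DENY_SRC = {
    "lan_house": LAN_APARTMENT,
    "lan_apartment": LAN_HOUSE,
}


def same_subnet(host_with_mask: str, other_host: str) -> bool:
    """True if host_with_mask ('a.b.c.d/24' or 'a.b.c.d/255.255.255.0')
    would treat other_host as on-link instead of handing the packet to
    its default gateway. The mask decides only that; it does not by
    itself stop a host from reaching anything."""
    return ip_address(other_host) in ip_interface(host_with_mask).network


def outgoing_interface(dst: str) -> str:
    """Pick the router interface a packet to dst would leave on."""
    d = ip_address(dst)
    if d in LAN_HOUSE:
        return "lan_house"
    if d in LAN_APARTMENT:
        return "lan_apartment"
    return "wan"


def forward(src: str, dst: str) -> tuple:
    """Route a packet and apply the outgoing filter on the chosen
    interface. Returns (interface, permitted). NAT is ignored here: the
    router sees the private source addresses on its LAN side."""
    iface = outgoing_interface(dst)
    denied_src = EGRESS_DENY_SRC.get(iface)
    permitted = denied_src is None or ip_address(src) not in denied_src
    return iface, permitted


if __name__ == "__main__":
    # 203.0.113.9 is a constructed Internet address (documentation range).
    for s, d in [("192.168.0.10", "192.168.1.5"),
                 ("192.168.1.5", "192.168.0.10"),
                 ("192.168.0.10", "203.0.113.9")]:
        print(s, "->", d, forward(s, d))
```

A host that widens its own mask (say to /16) will consider the other block on-link, but in the two-router setup there is no shared wire to ARP across, and in the one-router setup the egress filter still drops the packet.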
Thanks a lot for the help. I knew I would need two WAN IPs, and I know other people who have multiple users connected through a hub or switch, so that shouldn’t be a problem. I will test it to make sure, though, before going all out with this setup.
Yeah, I figure I can just pull the comp from the apartment router, and plug it into the house one. Thanks, again, for your help.
Actually, I think you don’t need two WAN IPs if you replace the switch with another router, as Cleophus mentioned. This may require some additional configuration. Nothing too terribly complicated, I’m pretty sure the newest Linksys cable modem routers could even handle it.
Well, I was thinking about something a leetle more controlled than that - say, administrator logins to servers or something like that. I’ve certainly been caught in the trap of installing 100% watertight, bulletproof, armor-plated network separation and then having to kludge a backdoor (“Oh, by the way, we’ll of course need to share this one server!”) more than once.