Odd Network Layout
19 years 9 months ago #7039
by Chris
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
Replied by Chris on topic Re: Odd Network Layout
The problem MTHome is facing is a 'classic' one, due to the fact the current setup is not adequate to accommodate fully his requirements. As such, workarounds become problematic, solving in one way his needs, but producing other new problems!
After reading through the posts and what we are trying to achieve here, I've come to deposit my 2 cents' worth: 3 different scenarios which will work but also require some work in order to stop each network from accessing the other:
Scenario 1:
This scenario will work fine if you do not want to make any major changes in the current setup, but will require a lot of work on the 2nd router.
As shown, the WAN interface of router 2 is given the IP address of 192.168.0.2, while the LAN is on a different network (192.168.1.0/24). This effectively splits your two network legs into two different networks, but you must place the appropriate access lists on Router 2, to ensure no traffic will pass between the networks.
Scenario 2 [Recommended]:
This is what should have been done from the beginning. Since we have no idea how your Internet connection works (if there's a 3rd router in front of the two you've mentioned), we'll assume that you are able to obtain at least one more real or private IP address. This additional address, along with the existing ones, is named "WAN IPs". The routers' WAN interfaces are part of the same network (e.g. 10.0.0.0/24) and their LAN interfaces are on two separate networks.
Assuming there is a 3rd router in front of the switch, then you would create two static route entries for each network (192.168.0.0/24 & 192.168.1.0/24) and then place an access list on Router 1 & Router 2, to deny routing between these networks.
Scenario 3 (much like the 1st):
Here we follow the same technique as the 1st scenario, but enable NAT on Router 2. By placing a static route on Router 1 (192.168.1.0/24 via 192.168.0.2), we can guarantee Internet access for the 192.168.1.0/24 network, but you must place some access lists to ensure only host 192.168.0.1 is reachable from the 192.168.1.0/24 network.
Summary
All the above solutions are messy and I personally do not like them, but given the fact that you need a solution with the current setup, that's what I can recommend at 3am in the morning.
My advice, to ensure you get a good job done, is to purchase one more router, modify your setup like the one in the 2nd scenario and have the 3rd router placed in front of the switch.
Hope this helps.
Cheers,
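An added illustration of the access lists and static route the three scenarios above call for, written in Cisco IOS syntax; this is not configuration from Chris's post or from MTHOME's routers (the thread never names the router models), and it assumes an IOS-style router, the interface names shown, and that 192.168.0.1 is Router 1's LAN address:

```cisco
! Scenario 1 / 2: Router 2's LAN leg is 192.168.1.0/24, the other leg is
! 192.168.0.0/24. Deny traffic between the two legs, permit everything else
! (Internet). Interface names are assumed; adapt to your platform.
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255 log
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
! (the implicit deny at the end drops anything else sourced from the LAN)
interface FastEthernet0/0
 description LAN 192.168.1.0/24
 ip address 192.168.1.1 255.255.255.0
 ip access-group 101 in
!
! Scenario 2: the mirror image on Router 1 (LAN 192.168.0.0/24), applied
! inbound on its LAN interface in the same way.
access-list 102 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
!
! Scenario 3 (NAT on Router 2): 192.168.1.0/24 may reach only host
! 192.168.0.1 (assumed to be Router 1, the next hop to the Internet) on
! the 192.168.0.0/24 leg; everything else on that leg is denied and logged.
access-list 103 permit ip 192.168.1.0 0.0.0.255 host 192.168.0.1
access-list 103 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255 log
access-list 103 permit ip 192.168.1.0 0.0.0.255 any
!
! Static route on Router 1 from the 3rd scenario, so traffic for
! 192.168.1.0/24 is handed to Router 2's WAN address.
ip route 192.168.1.0 255.255.255.0 192.168.0.2
```

The `log` keyword on the deny entries is what lets you check afterwards (in the router's logging output) that nothing is leaking between the two legs.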
19 years 9 months ago #7054
by MTHOME
Replied by MTHOME on topic Re: Odd Network Layout
Chris, I appreciate your response and, as you said, the 2nd option would be the best, but I am limited in that I can only obtain 1 public IP. I think I am going to have to just go buy a third router, as my routers do not have the ability to set up access lists. Thanks for the help.
19 years 9 months ago #7062
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: Odd Network Layout
Okay, you'll excuse me for not having read the posts at all, but does the idea of a Smoothwall with a blue zone setup sound like a solution here?
Chris -- I bow before your Visio skills
19 years 9 months ago #7069
by MTHOME
Replied by MTHOME on topic Re: Odd Network Layout
This is what I was trying to achieve in my network setup. I found out it can be done, but my equipment will not accept the parameters needed for it to work. Thanks again for all your help.
If you want more details on how to make this setup work let me know and I will post the details.
http://www.midnightsquadron.com/msbb2/index.php?act=Attach&type=post&id=9377