June 6, 2008 at 8:00 am #2161559
Separate networks accessing one router with subnet mask
by eric · about 15 years, 9 months ago
Hello All,
I am trying to set up multiple separate networks that all access the same Internet router. I don’t want the networks to be able to “see” each other, i.e. you can ping network A from network B. All networks need to be able to access the single Internet router.
In my lab I was toying with using subnet masks to accomplish this but I don’t think I am setting it up right. Here’s a scenario:
Internet Router:
Internal Network 192.168.1.1
Subnet mask: 255.255.0.0
Network A machine 192.168.1.1 255.255.255.0
Network B machine 192.168.2.1 255.255.255.0
Both machines can ping the Internet router but they can also both ping each other. What configuration should I use so that they can’t?
TYIA,
Eric
All Answers
June 6, 2008 at 8:00 am #2450668
Clarifications
by eric · about 15 years, 9 months ago
In reply to Separate networks accessing one router with subnet mask
June 6, 2008 at 8:06 am #2450663
What type of equipment
by synner · about 15 years, 9 months ago
In reply to Separate networks accessing one router with subnet mask
What type of equipment are you using? If they are on the same router, they will be able to communicate with each other. You can put ACLs in place to limit that.
June 6, 2008 at 8:09 am #2450658
Router should not matter
by eric · about 15 years, 9 months ago
In reply to What type of equipment
My router is a Check Point safe@office but it really wouldn’t/shouldn’t matter what that piece of hardware is. My goal is to create LAN side networks that cannot see each other but can get to the same gateway ip address.
June 6, 2008 at 8:22 am #2450645
The router does matter
by dumphrey · about 15 years, 9 months ago
In reply to Router should not matter
in the sense that some will “auto create” “access rules” so that there is full connection between directly connected networks.
One way around this is to make sure no routing protocols are enabled, write an ACL to explicitly block communications, and flush the routing table. The router needs at least 2 LAN interfaces for this to work, but I do not see this as much of an issue as most do these days. The only route you would need on the router is a default route going out the WAN interface.
Looking at your routing tables may key you in as to why the 2 networks can talk.
June 6, 2008 at 8:38 am #2450631
No routes
by eric · about 15 years, 9 months ago
In reply to The router does matter
In my lab Check Point there are currently no static routes, but that does not mean that there are not some that I can’t see. In my VMware lab setup I put two test machines on a VLAN and then put the NICs on two different networks. Now they can’t ping each other, so the access may be coming from the router.
June 6, 2008 at 8:14 am #2450656
Perhaps a VLAN configuration would help
by whirl3d · about 15 years, 9 months ago
In reply to Separate networks accessing one router with subnet mask
Although I think the purpose of implementing a VLAN solution may be to unite geographically disparate LANs, I believe that they can also be used to separate traffic on two separate LANs using the same equipment (even switches, routers, etc.)
Here is a Wikipedia link that may help:
http://en.wikipedia.org/wiki/VLAN
Best wishes,
jase
June 6, 2008 at 8:23 am #2450644
VLAN config
by eric · about 15 years, 9 months ago
In reply to Perhaps a VLAN configuration would help
Yes, I had been testing that as well. The firewall supports VLAN LAN networks but I have not been able to get that to work yet. So I was trying to set it up without it first. Forgetting the gateway aspect of this for the moment, I don’t see how two PCs on the same network switch can ping each other if they are on different networks, say 192.168.1.1 and 192.168.2.1.
June 6, 2008 at 8:40 am #2450629
Check your routing tables
by dumphrey · about 15 years, 9 months ago
In reply to VLAN config
I would be willing to bet the Check Point is auto connecting them since it’s a turn-key solution. But you should also be able to disable this communication; it’s either a routing issue or ACL. Spend some time looking at your router’s ACLs and routing tables.
June 6, 2008 at 8:45 am #2450621
As I said in my other post, they are on same network
by jdclyde · about 15 years, 9 months ago
In reply to VLAN config
because of the 255.255.0.0 it would take a 255.255.255.0 to put them on different networks.
June 6, 2008 at 9:28 am #2450577
Subnet’s
by eric · about 15 years, 9 months ago
In reply to As I said in my other post, they are on same network
Thanks,
This thread is getting a little confusing and I have also tried a lot of different configs, so I’ll clarify here:
Router: 192.168.1.1 255.255.0.0
Machine A: 192.168.1.1 255.255.255.0
Machine B: 192.168.2.1 255.255.255.0
Machine A can ping machine B so the router must be translating the traffic with a hidden rule. I don’t want it to, so I need to find out how to stop it…
Even if I set up machine A as 192.168.3.2 it can still ping 192.168.2.2
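The following Python is an added illustration, not code from any poster or from the Check Point product: it models, with the stdlib ipaddress module, which hosts each party treats as directly connected, so you can see why a /16 on the router makes 192.168.2.x reachable from 192.168.1.x, and what changes with the /24 jdclyde suggests, a second router subinterface, or a deny ACL. Host addresses (.2 instead of the duplicated 192.168.1.1) and the ACL format are constructed assumptions for the lab scenario.

```python
import ipaddress

# Constructed lab values based on the thread (hosts use .2 to avoid the
# router/machine A address clash in the original post).
ROUTER_WIDE = "192.168.1.1/255.255.0.0"      # the /16 LAN interface eric described
ROUTER_NARROW = "192.168.1.1/255.255.255.0"  # the /24 jdclyde recommends
MACHINE_A = "192.168.1.2/255.255.255.0"
MACHINE_B = "192.168.2.2/255.255.255.0"


def iface(spec):
    """Parse 'ip/netmask' into an interface object (ip + network)."""
    return ipaddress.ip_interface(spec)


def same_subnet(a, b):
    """True when host a, applying its OWN mask, believes b is on its subnet."""
    return iface(b).ip in iface(a).network


def next_hop(src, dst, router_ifaces, acl=()):
    """Trace how one packet from src reaches dst.

    router_ifaces: the router's LAN interfaces as 'ip/netmask' strings.
    acl: hypothetical (src_net, dst_net) CIDR pairs the router drops.
    """
    s, d = iface(src), iface(dst)
    if d.ip in s.network:
        # src ARPs for dst itself; the router never sees the packet.
        return "direct"
    # Otherwise src hands the packet to its default gateway (the router).
    for src_net, dst_net in acl:
        if (s.ip in ipaddress.ip_network(src_net)
                and d.ip in ipaddress.ip_network(dst_net)):
            return "dropped by acl"
    # The router delivers to any directly connected network it knows about...
    for spec in router_ifaces:
        net = iface(spec).network
        if d.ip in net:
            return f"forwarded by router onto connected net {net}"
    # ...and everything else follows the default route out the WAN.
    return "sent out WAN via default route"


if __name__ == "__main__":
    print("router /16 :", next_hop(MACHINE_A, MACHINE_B, [ROUTER_WIDE]))
    print("router /24 :", next_hop(MACHINE_A, MACHINE_B, [ROUTER_NARROW]))
    print("subiface   :", next_hop(MACHINE_A, MACHINE_B,
                                   [ROUTER_NARROW, "192.168.2.1/255.255.255.0"]))
    print("with acl   :", next_hop(MACHINE_A, MACHINE_B,
                                   [ROUTER_NARROW, "192.168.2.1/255.255.255.0"],
                                   acl=[("192.168.1.0/24", "192.168.2.0/24")]))
```

Note that with a second /24 subinterface the router still delivers between the two LANs, which is why jdclyde's access list is needed in addition to the narrower mask.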
June 8, 2008 at 1:12 am #2571120
The Router is Doing its Job
by whirl3d · about 15 years, 9 months ago
In reply to Subnet’s
If you want to send data from one PC to another and they are both connected to the same router, the router is going to send the data directly. That’s its job.
If you don’t want that to happen, you can manually configure routing tables (not a lot of fun) to tell the router not to take the most obvious, efficient and easiest path of transferring data from port 1 to port 2, but rather to send the data to, what port 3 first? It’s up to you.
Or you can set up VLANs that let the router know that all the PCs on one VLAN can see each other and ALL PCs on another VLAN can see each other, but none of them can see the other VLAN. This allows two separate LANs to exist on the same wiring using the same router and the same physical ports.
Try traceroute to determine if your router is transferring data directly.
jase
June 8, 2008 at 1:05 am #2571121
Switch, Hub, or Router?
by whirl3d · about 15 years, 9 months ago
In reply to VLAN config
It’s an interesting situation when you find that the semantic differences between Switches, Hubs, and Routers actually have very explicit implications for your network.
In other words, the way a hub works is this: Any traffic sent to any port on the hub is echoed to every port on the hub. This is useful when you have to go long distances because the echo feature allows you to boost or maintain the signal strength as it hops from hub to hub. Because the signal is replicated to all ports, hubs are also good for broadcast transmissions of data.
Switches are similar to hubs in so much as they provide universal access to data from all ports on all ports. Switches, like hubs, do not care what data is being transferred through them and therefore they have no problem switching packets to disparate, but connected networks. Newer switches, of course, offer enhanced mechanisms that actually look at the packet header to determine the best switching path, but that is almost stepping on the toes of the router.
Routers dissect the data packets, stripping off the header to determine which port to send the stream. If the destination of the stream is within the scope of the router’s list of ports, it transfers it directly. If not, the packets are forwarded to another router or a gateway depending on its predefined route plans.
Gateways, though very similar to routers, are specifically designed to route data outside of the scope of your LAN. A gateway is usually connected to a modem or some means of transferring your packets to the WAN or to a separate physical network. For the most part, gateways are like routers with the added ability to send packets upstream to the next WAN segment.
—————————–
Now, you want to know how two PCs on the same network SWITCH can ping each other… Simple: all traffic on a switch is sent to all nodes on the network without knowing anything about the data. It’s an electrical thing for the most part and that’s it.
If you mean how do two PCs on the same ROUTER ping each other on separate subnets,
It’s because your router, in the name of efficiency, keeps track of the addresses that come into each port and it inspects every packet of data being sent through it to determine how to most efficiently get the packets where they need to go. So, if it knows that PC1 has an ip address of 10.0.0.1 and PC2 has an address of 192.168.1.1, it can choose to send the data back and forth directly in the name of expedience.
That is why they made VLANs. Sometimes you want to have two unique networks that work independently of each other yet share the same wiring. Routers use the concept of VLANs to ensure that packets between VLAN 1 and VLAN 2 do not skip any steps. In other words, even if the router knows that PC1 is on port 1 and PC2 is on port 2, if they are on separate VLANs, it will forward the data to the next router/gateway on its routing table as though it didn’t know.
This can be useful for strong security typing where you have PC1 on a secure channel with SERVER 1 and PC2 on a separate secure channel with SERVER 1. Although SERVER 1 can forward packets back and forth between the two PCs (encrypting each portion of the conversation with a different secure key), you can see that if a router tried to skip SERVER 1 and let PC1 talk directly to PC2 (because they are both physically connected to the router), they wouldn’t understand each other because they didn’t share the same key.
With a VLAN, the router won’t try to skip SERVER 1 and PC1 won’t be able to see PC2 without the help of SERVER 1.
Am I making any sense at all? Or am I talking in circles? Let me know if this helps or confuses the matter.
Best wishes,
jase
June 6, 2008 at 8:43 am #2450626
You still have them on the same subnet
by jdclyde · about 15 years, 9 months ago
In reply to Separate networks accessing one router with subnet mask
255.255.255.0 is the subnet you need.
You will also need to set up a subinterface on your LAN port for both 192.168.1.1 AND 192.168.2.1.
This will have them on separate subnets, but still able to access the router.
You then need to set up an access list that only allows the systems to hit the WAN port, not each other.
June 6, 2008 at 9:05 am #2450598
Lan port and subnet setup
by eric · about 15 years, 9 months ago
In reply to You still have them on the same subnet
You said: “You will also need to setup a subinterface on your lan port for both 192.168.1.1 AND 192.168.2.1.”
Reply: My firewall only supports setting up VLAN based additional LAN networks. Unfortunately I have not been able to get this to work yet. I’ll check out how the ACLs are configured.
Thanks,
Eric
June 9, 2008 at 4:00 pm #2450142
Sounds like port-based VLAN only
by churdoo · about 15 years, 9 months ago
In reply to Lan port and subnet setup
This sounds like a SOHO appliance and so it’s missing the functionality that you would normally use to achieve what you’re asking.
As the other posters have indicated, and as you’ve started down that path (kind of), one would normally create two separate IP networks with appropriate virtual interfaces in the router, and simply not route between the subnets, but route from each of the networks to/from 0.0.0.0 so each can have internet access. Creating a 16-bit network on the router that encompasses multiple 24-bit networks is not how that’s done, but it’s interesting and I’m surprised that it has the effect that it does in your case; who’d-a thunk it?
For the VLAN functionality I’ve seen on similar appliances, all the networks are expected to be the same network, say 192.168.1.0/24 for example (the appliance will even DHCP if you wish, but will be from the same scope to all VLANS). You assign switchport 1 to VLAN 1 and switchport 2 to VLAN 2 for example, and even though a device or devices connected to switchport 1 are on the same network as those on switchport 2, since you’ve assigned each switchport to different VLANs, the appliance will not let traffic cross from switchport 1 to switchport 2 nor vice versa — BUT the appliance WILL NAT from any connected device on any switchport for internet access.
This is sloppy, and it’s also a support nightmare for all but the smallest installations since you can’t tell by looking at an IP which segment a particular workstation should be on, but it does work.
But if you want the cleanliness of having separate networks, you’ll have to upgrade to a non-SOHO grade router that will allow you to create multiple networks and more clearly define your segments.