Question

  • #2161559

    Separate networks accessing one router with subnet mask

    Locked

    by eric ·

    Hello All,

    I am trying to set up multiple separate networks that all access the same Internet router. I don’t want the networks to be able to “see” each other, i.e. you can ping network A from network B. All networks need to be able to access the single Internet router.

    In my lab I was toying with using subnet masks to accomplish this but I don’t think I am setting it up right. Here’s a scenario:

    Internet Router:
    Internal Network 192.168.1.1
    Subnet mask: 255.255.0.0

    Network A machine 192.168.1.1 255.255.255.0
    Network B machine 192.168.2.1 255.255.255.0

    Both machines can ping the Internet router but they can also both ping each other. What configuration should I use so that they can’t?

    TYIA,

    Eric

All Answers

    • #2450668

      Clarifications

      by eric ·

      In reply to Separate networks accessing one router with subnet mask

      Clarifications

    • #2450663

      What type of equipment

      by synner ·

      In reply to Separate networks accessing one router with subnet mask

      What type of equipment are you using? If they are on the same router, they will be able to communicate with each other. You can put ACLs in place to limit that.

      • #2450658

        Router should not matter

        by eric ·

        In reply to What type of equipment

        My router is a Check Point safe@office but it really wouldn’t/shouldn’t matter what that piece of hardware is. My goal is to create LAN side networks that cannot see each other but can get to the same gateway ip address.

        • #2450645

          The router does matter

          by dumphrey ·

          In reply to Router should not matter

          in the sense that some will “auto create” “access rules” so that there is full connection between directly connected networks.
          One way around this is to make sure no routing protocols are enabled, write an ACL to explicitly block communications, and flush the routing table.

          The router needs at least 2 LAN interfaces for this to work, but I do not see this as much of an issue as most do these days. The only route you would need on the router is a default route going out the WAN interface.

          Looking at your routing tables may key you in as to why the 2 networks can talk.

        • #2450631

          No routes

          by eric ·

          In reply to The router does matter

          In my lab Check Point there are currently no static routes, but that does not mean that there are not some that I can’t see. In my VMware lab setup I put two test machines on a VLAN and then put the NICs on two different networks. Now they can’t ping each other, so the access may be coming from the router.

    • #2450656

      Perhaps a VLAN configuration would help

      by whirl3d ·

      In reply to Separate networks accessing one router with subnet mask

      Although I think the purpose of implementing a VLAN solution may be to unite geographically disparate LANs, I believe that they can also be used to separate traffic on two separate LANs using the same equipment (even switches, routers, etc.)

      Here is a Wikipedia link that may help:
      http://en.wikipedia.org/wiki/VLAN

      Best wishes,

      jase

      • #2450644

        VLAN config

        by eric ·

        In reply to Perhaps a VLAN configuration would help

        Yes, I had been testing that as well. The firewall supports VLAN LAN networks but I have not been able to get that to work yet. So I was trying to set it up without it first. Forgetting the gateway aspect of this for the moment, I don’t see how two PCs on the same network switch can ping each other if they are on different networks, say 192.168.1.1 and 192.168.2.1.

        • #2450629

          Check your routing tables

          by dumphrey ·

          In reply to VLAN config

          I would be willing to bet the Check Point is auto connecting them since it’s a turn-key solution. But you should also be able to disable this communication; it’s either a routing issue or ACL. Spend some time looking at your router’s ACLs and routing tables.

        • #2450621

          As I said in my other post, they are on same network

          by jdclyde ·

          In reply to VLAN config

          Because of the 255.255.0.0, it would take a 255.255.255.0 to put them on different networks.

        • #2450577

          Subnets

          by eric ·

          In reply to As I said in my other post, they are on same network

          Thanks,

          This thread is getting a little confusing and I have also tried a lot of different configs, so I’ll clarify here:

          Router: 192.168.1.1 255.255.0.0
          Machine A: 192.168.1.1 255.255.255.0
          Machine B: 192.168.2.1 255.255.255.0

          Machine A can ping machine B so the router must be translating the traffic with a hidden rule. I don’t want it to so I need to find out how to stop it…

          Even if I setup machine A as 192.168.3.2 it can still ping 192.168.2.2

        • #2571120

          The Router is Doing its Job

          by whirl3d ·

          In reply to Subnet’s

          If you want to send data from one PC to another and they are both connected to the same router, the router is going to send the data directly. That’s its job.

          If you don’t want that to happen, you can manually configure routing tables (not a lot of fun) to tell the router not to take the most obvious, efficient and easiest path of transferring data from port 1 to port 2, but rather to send the data to, what port 3 first? It’s up to you.

          Or you can set up VLANs that let the router know that all the PCs on one VLAN can see each other and ALL PCs on another VLAN can see each other, but none of them can see the other VLAN. This allows two separate LANs to exist on the same wiring using the same router and the same physical ports.

          Try traceroute to determine if your router is transferring data directly.

          jase

        • #2571121

          Switch, Hub, or Router?

          by whirl3d ·

          In reply to VLAN config

          It’s an interesting situation when you find that the semantic differences between Switches, Hubs, and Routers actually have very explicit implications for your network.

          In other words, the way a hub works is this: Any traffic sent to any port on the hub is echoed to every port on the hub. This is useful when you have to go long distances because the echo feature allows you to boost or maintain the signal strength as it hops from hub to hub. Because the signal is replicated to all ports, hubs are also good for broadcast transmissions of data.

          Switches are similar to hubs in so much as they provide universal access to data from all ports on all ports. Switches, like hubs, do not care what data is being transferred through them and therefore they have no problem switching packets to disparate, but connected, networks. Newer switches, of course, offer enhanced mechanisms that actually look at the packet header to determine the best switching path, but that is almost stepping on the toes of the router.

          Routers dissect the data packets, stripping off the header to determine which port to send the stream. If the destination of the stream is within the scope of the router’s list of ports, it transfers it directly. If not, the packets are forwarded to another router or a gateway depending on its predefined route plans.

          Gateways, though very similar to routers, are specifically designed to route data outside of the scope of your lan. A gateway is usually connected to modem or some means of transferring your packets to the Wan or to a separate physical network. For the most part, gateways are like routers with the added ability to send packets upstream to the next wan segment.

          —————————–
          Now, you want to know how two pcs on the same network SWITCH can ping each other….

          Simple: all traffic on a switch is sent to all nodes on the network without knowing anything about the data. It’s an electrical thing for the most part and that’s it.

          If you mean how do two PCs on the same ROUTER ping each other on separate subnets,

          It’s because your router, in the name of efficiency, keeps track of the addresses that come into each port and it inspects every packet of data being sent through it to determine how to most efficiently get the packets where they need to go. So, if it knows that PC1 has an ip address of 10.0.0.1 and PC2 has an address of 192.168.1.1, it can choose to send the data back and forth directly in the name of expedience.

          That is why they made VLANs. Sometimes you want to have two unique networks that work independently of each other yet share the same wiring. Routers use the concept of VLANs to ensure that packets between VLAN 1 and VLAN 2 do not skip any steps. In other words, even if the router knows that PC1 is on port 1 and PC2 is on port 2, if they are on separate VLANs, it will forward the data to the next router/gateway on its routing table as though it didn’t know.

          This can be useful for strong security typing where you have PC1 on a secure channel with SERVER 1 and PC2 on a separate secure channel with SERVER 1. Although SERVER 1 can forward packets back and forth between the two PCs (encrypting each portion of the conversation with a different secure key), you can see that if a router tried to skip SERVER 1 and let PC1 talk directly to PC2 (because they are both physically connected to the router), they wouldn’t understand each other because they didn’t share the same key.

          With a VLAN, the router won’t try to skip SERVER 1 and PC1 won’t be able to see PC2 without the help of SERVER 1.

          Am I making any sense at all? Or am I talking in circles? Let me know if this helps or confuses the matter.

          Best wishes,

          jase

    • #2450626

      You still have them on the same subnet

      by jdclyde ·

      In reply to Separate networks accessing one router with subnet mask

      255.255.255.0 is the subnet you need.

      You will also need to setup a subinterface on your lan port for both 192.168.1.1 AND 192.168.2.1.

      This will have them on separate subnets, but still able to access the router.

      You then need to setup an access list that only allows the systems to hit the WAN port, not each other.
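      The mask arithmetic behind jdclyde’s two posts (“they are on the same network because of the 255.255.0.0” and “255.255.255.0 is the subnet you need”), as an added example that is not part of the thread. It uses the addresses from the posts, except that the LAN A host is given 192.168.1.2 so it does not collide with the router’s 192.168.1.1 (an assumption made for illustration only):

```python
# Added example (not from the thread): the on-link / via-gateway decision
# a host makes from its own mask, and what the router sees when its LAN
# interface carries a /16 that spans several /24 host networks.
# Assumption: the LAN A host is 192.168.1.2 rather than the thread's
# 192.168.1.1, so it does not duplicate the router's address.
import ipaddress
from typing import Dict, Iterable


def same_subnet(ip_a: str, mask_a: str, ip_b: str) -> bool:
    """True if ip_b lies inside the network that ip_a/mask_a defines.

    A host runs exactly this test on every outbound packet: if the
    destination is on-link it ARPs for it and sends directly, otherwise
    it hands the packet to its default gateway.
    """
    net = ipaddress.ip_network(f"{ip_a}/{mask_a}", strict=False)
    return ipaddress.ip_address(ip_b) in net


def next_hop(src_ip: str, src_mask: str, dst_ip: str, gateway: str) -> str:
    """Where the host's packet goes on the wire: the destination or the gateway."""
    return dst_ip if same_subnet(src_ip, src_mask, dst_ip) else gateway


def directly_connected(router_ip: str, router_mask: str,
                       hosts: Iterable[str]) -> Dict[str, bool]:
    """Which hosts the router regards as sitting on its own LAN interface.

    Anything the router considers directly connected it will forward to
    (and may even proxy-ARP for) with no static route at all, which is
    why a /16 on the router makes every 192.168.x.0/24 reachable.
    """
    return {h: same_subnet(router_ip, router_mask, h) for h in hosts}


if __name__ == "__main__":
    # Host view: with /24 masks, 192.168.2.1 is off-link for 192.168.1.2,
    # so the packet is sent to the gateway rather than directly.
    print(next_hop("192.168.1.2", "255.255.255.0", "192.168.2.1", "192.168.1.1"))
    # Router view: with 255.255.0.0, both /24 networks look local to it.
    print(directly_connected("192.168.1.1", "255.255.0.0",
                             ["192.168.2.1", "192.168.3.2", "10.0.0.5"]))
    # Router view with the /24 jdclyde suggests: 192.168.2.x is no longer
    # on the 192.168.1.1 interface and needs its own (sub)interface.
    print(directly_connected("192.168.1.1", "255.255.255.0", ["192.168.2.1"]))
```

      The host-side mask only decides whether a packet is sent straight to the peer or to the gateway; once the packet reaches a router that holds both networks on one interface, the router forwards it regardless, which is why narrowing the host masks alone did not stop the pings.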

      • #2450598

        Lan port and subnet setup

        by eric ·

        In reply to You still have them on the same subnet

        You said – You will also need to setup a subinterface on your lan port for both 192.168.1.1 AND 192.168.2.1.

        Reply – My firewall only supports setting up VLAN based additional LAN networks. Unfortunately I have not been able to get this to work yet. I’ll check out how the ACLs are configured.

        Thanks,

        Eric

        • #2450142

          Sounds like port-based VLAN only

          by churdoo ·

          In reply to Lan port and subnet setup

          This sounds like a SOHO appliance and so it’s missing the functionality that you would normally use to achieve what you’re asking.

          As the other posters have indicated, and as you’ve started down that path (kind of), one would normally create two separate IP networks with appropriate virtual interfaces in the router, and simply not route between the subnets, but route from each of the networks to/from 0.0.0.0 so each can have internet access. Creating a 16-bit network on the router that encompasses multiple 24-bit networks is not how that’s done but it’s interesting and I’m surprised that that has the effect that it does in your case; who’d-a thunk it?

          For the VLAN functionality I’ve seen on similar appliances, all the networks are expected to be the same network, say 192.168.1.0/24 for example (the appliance will even DHCP if you wish, but will be from the same scope to all VLANs). You assign switchport 1 to VLAN 1 and switchport 2 to VLAN 2 for example, and even though a device or devices connected to switchport 1 are on the same network as those on switchport 2, since you’ve assigned each switchport to different VLANs, the appliance will not let traffic cross from switchport 1 to switchport 2 nor vice versa — BUT the appliance WILL NAT from any connected device on any switchport for internet access.

          This is sloppy, and it’s also a support nightmare for all but the smallest installations since you can’t tell by looking at an IP which segment a particular workstation should be on, but it does work.

          But if you want the cleanliness of having separate networks, you’ll have to upgrade to a non-SOHO grade router that will allow you to create multiple networks and more clearly define your segments.
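          The access list that jdclyde describes (“only allows the systems to hit the WAN port, not each other”) and that churdoo restates as “not route between the subnets, but route from each of the networks to/from 0.0.0.0”, modelled as an added example that is not part of the thread. The rule syntax and the evaluator are illustrative and assumed; a real router’s ACL grammar differs, but the matching semantics shown here (top-down, first hit wins, implicit deny at the end) are the ones a LAN-side ACL on a router applies:

```python
# Added example (not from the thread): a first-match access list of the
# kind the posts describe, applied inbound on the LAN side of the router,
# evaluated against constructed sample flows. The Rule type, the rule()
# helper and evaluate() are assumptions for illustration; the two /24s
# match jdclyde's subinterface suggestion (192.168.1.1 and 192.168.2.1).
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def rule(action: str, src: str, dst: str) -> Rule:
    return Rule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst))


ANY = "0.0.0.0/0"
LAN_A = "192.168.1.0/24"   # hosts behind subinterface 192.168.1.1
LAN_B = "192.168.2.0/24"   # hosts behind subinterface 192.168.2.1

# Correct order: the specific denies first, then each LAN may go anywhere
# else, which in practice is the default route out of the WAN interface.
LAN_ACL: List[Rule] = [
    rule("deny", LAN_A, LAN_B),
    rule("deny", LAN_B, LAN_A),
    rule("permit", LAN_A, ANY),
    rule("permit", LAN_B, ANY),
]

# Common mistake: the broad permits come first, so the denies never fire.
BROKEN_ACL: List[Rule] = [
    rule("permit", LAN_A, ANY),
    rule("permit", LAN_B, ANY),
    rule("deny", LAN_A, LAN_B),
    rule("deny", LAN_B, LAN_A),
]


def evaluate(acl: List[Rule], src_ip: str, dst_ip: str) -> str:
    """Return 'permit' or 'deny' for one packet, router-style first match."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for r in acl:
        if s in r.src and d in r.dst:
            return r.action
    return "deny"   # implicit deny: traffic no rule mentions is dropped


def check_policy(acl: List[Rule]) -> Dict[str, str]:
    """The flows this thread cares about, as constructed sample packets."""
    return {
        "A->B": evaluate(acl, "192.168.1.10", "192.168.2.10"),
        "B->A": evaluate(acl, "192.168.2.10", "192.168.1.10"),
        "A->internet": evaluate(acl, "192.168.1.10", "203.0.113.7"),
        "B->own gateway": evaluate(acl, "192.168.2.10", "192.168.2.1"),
        "unknown->internet": evaluate(acl, "10.0.0.5", "203.0.113.7"),
    }


if __name__ == "__main__":
    for name, acl in (("LAN_ACL", LAN_ACL), ("BROKEN_ACL", BROKEN_ACL)):
        print(name)
        for flow, verdict in check_policy(acl).items():
            print(f"  {flow:18} {verdict}")
```

          The ACL is stateless and sits only on the LAN ingress, so it never sees the NATed return traffic arriving on the WAN; the two deny lines are what stop the inter-subnet forwarding that a router otherwise performs for any pair of networks it holds. Note that the ordering matters: BROKEN_ACL contains the same four rules and still lets A reach B, because the router stops at the first matching line.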
