Separate networks accessing one router with subnet mask

By eric
Hello All,

I am trying to set up multiple separate networks that all access the same Internet router. I don't want the networks to be able to "see" each other, i.e., you can ping network A from network B. All networks need to be able to access the single Internet router.

In my lab I was toying with using subnet masks to accomplish this, but I don't think I am setting it up right. Here's a scenario:

Internet Router:
Internal Network
Subnet mask:

Network A machine
Network B machine

Both machines can ping the Internet router, but they can also both ping each other. What configuration should I use so that they can't?

All Answers

What type of equipment

by SYNner In reply to Separate networks accessi ...

What type of equipment are you using? If they are on the same router, they will be able to communicate with each other. You can put ACLs in place to limit that.

Router should not matter

by eric In reply to What type of equipment

My router is a Check Point Safe@Office, but it really wouldn't/shouldn't matter what that piece of hardware is. My goal is to create LAN-side networks that cannot see each other but can get to the same gateway IP address.

The router does matter

by Dumphrey In reply to Router should not matter

in the sense that some will "auto create" "access rules" so that there is full connection between directly connected networks.
One way around this is to make sure no routing protocols are enabled, write an ACL to explicitly block communications, and flush the routing table.

The router needs at least 2 LAN interfaces for this to work, but I do not see this as much of an issue as most do these days. The only route you would need on the router is a default route going out the WAN interface.

Looking at your routing tables may key you in as to why the 2 networks can talk.

No routes

by eric In reply to The router does matter

In my lab Check Point there are currently no static routes, but that does not mean that there are not some that I can't see. In my VMware lab setup I put two test machines on a VLAN and then put the NICs on two different networks. Now they can't ping each other, so the access may be coming from the router.

Perhaps a VLAN configuration would help

by Whirl3d In reply to Separate networks accessi ...

Although I think the purpose of implementing a VLAN solution may be to unite geographically disparate LANs, I believe that they can also be used to separate traffic on two separate LANs using the same equipment (even switches, routers, etc.)

Here is a Wikipedia link that may help:

Best wishes,


VLAN config

by eric In reply to Perhaps a VLAN configurat ...

Yes, I had been testing that as well. The firewall supports VLAN LAN networks, but I have not been able to get that to work yet. So I was trying to set it up without it first. Forgetting the gateway aspect of this for the moment, I don't see how two PCs on the same network switch can ping each other if they are on different networks, say and

Check your routing tables

by Dumphrey In reply to VLAN config

I would be willing to bet the Check Point is auto-connecting them since it's a turn-key solution. But you should also be able to disable this communication; it's either a routing issue or an ACL. Spend some time looking at your router's ACLs and routing tables.

As I said in my other post, they are on same network

by jdclyde In reply to VLAN config

because of the it would take a to put them on different networks.

Subnet's
by eric In reply to As I said in my other pos ...


This thread is getting a little confusing and I have also tried a lot of different configs, so I'll clarify here:

Machine A:
Machine B:

Machine A can ping machine B, so the router must be translating the traffic with a hidden rule. I don't want it to, so I need to find out how to stop it...

Even if I set up machine A as it can still ping

The Router is Doing its Job

by Whirl3d In reply to Subnet's

If you want to send data from one PC to another and they are both connected to the same router, the router is going to send the data directly. That's its job.

If you don't want that to happen, you can manually configure routing tables (not a lot of fun) to tell the router not to take the most obvious, efficient and easiest path of transferring data from port 1 to port 2, but rather to send the data to, what port 3 first? It's up to you.

Or you can set up VLANs that let the router know that all the PCs on one VLAN can see each other and ALL PCs on another VLAN can see each other, but none of them can see the other VLAN. This allows two separate LANs to exist on the same wiring using the same router and the same physical ports.

Try traceroute to determine if your router is transferring data directly.
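The thread's conclusion (Dumphrey's "write an ACL to explicitly block communications" and Whirl3d's "the router is going to send the data directly") can be checked with a small model of the two forwarding decisions involved: the host decides whether a destination is on-link or goes to the gateway, and the router decides whether to forward between its directly connected networks. The code below is an added example, not the Check Point configuration from this thread and not anyone's posted code; the addresses (192.168.10.0/24, 192.168.20.0/24, a WAN /30 and an Internet host) are constructed placeholders, since the thread's own addresses were not preserved, and the `Router` class is a deliberately simplified model (longest-prefix match, first-match ACL, default route out the WAN).

```python
"""Model of why two hosts on different subnets behind one router can still
reach each other, and why only an explicit deny rule (or separate VLANs) on
the router stops it.  Constructed example; not the thread's real lab config."""
import ipaddress

# Constructed lab addressing (hypothetical; not the thread's real addresses).
HOST_A = ("192.168.10.20", "255.255.255.0", "192.168.10.1")   # ip, mask, gateway
HOST_B = ("192.168.20.20", "255.255.255.0", "192.168.20.1")
ROUTER_IFACES = {
    "lan1": "192.168.10.1/24",
    "lan2": "192.168.20.1/24",
    "wan": "203.0.113.2/30",
}
INTERNET_HOST = "198.51.100.7"   # constructed "Internet" address (TEST-NET-2)


def next_hop(src_ip, mask, dst_ip, gateway):
    """Host-side decision: a destination inside the host's own subnet is sent
    on-link (ARP for it directly); anything else is handed to the gateway.
    This is all a subnet mask ever decides; it is not an access control."""
    own_net = ipaddress.ip_interface(f"{src_ip}/{mask}").network
    if ipaddress.ip_address(dst_ip) in own_net:
        return "direct"
    return gateway


class Router:
    """Simplified router: directly connected networks, an optional ordered
    ACL of (src_net, dst_net, action), and a default route out one interface."""

    def __init__(self, ifaces, acl=None, default_via="wan"):
        self.ifaces = {name: ipaddress.ip_interface(cidr) for name, cidr in ifaces.items()}
        self.acl = list(acl or [])
        self.default_via = default_via

    def egress_interface(self, dst_ip):
        """Longest-prefix match over connected networks, else the default route."""
        dst = ipaddress.ip_address(dst_ip)
        matches = [(iface.network.prefixlen, name)
                   for name, iface in self.ifaces.items() if dst in iface.network]
        return max(matches)[1] if matches else self.default_via

    def forward(self, src_ip, dst_ip):
        """First matching ACL entry wins; 'deny' drops, 'permit' falls through
        to the routing lookup.  With no ACL, everything is routed, which is
        exactly the 'auto create access rules' behaviour described above."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for src_net, dst_net, action in self.acl:
            if src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net):
                if action == "deny":
                    return "dropped"
                break
        return self.egress_interface(dst_ip)


def isolation_acl():
    """Explicit deny between the two LANs in both directions, permit everything
    else (so both LANs still reach the default route to the Internet)."""
    return [
        ("192.168.10.0/24", "192.168.20.0/24", "deny"),
        ("192.168.20.0/24", "192.168.10.0/24", "deny"),
        ("0.0.0.0/0", "0.0.0.0/0", "permit"),
    ]


def can_reach(router, host, dst_ip):
    """Combine both decisions: on-link traffic never touches the router;
    off-link traffic reaches dst only if the router forwards it."""
    src_ip, mask, gateway = host
    if next_hop(src_ip, mask, dst_ip, gateway) == "direct":
        return True
    return router.forward(src_ip, dst_ip) != "dropped"


if __name__ == "__main__":
    open_router = Router(ROUTER_IFACES)                       # no ACL: routes everything
    locked_router = Router(ROUTER_IFACES, acl=isolation_acl())
    for label, r in (("no ACL", open_router), ("deny ACL", locked_router)):
        print(f"{label}: A->B {can_reach(r, HOST_A, HOST_B[0])}, "
              f"A->Internet {can_reach(r, HOST_A, INTERNET_HOST)}")
```

Running it shows the behaviour the posters describe: with no ACL the router happily forwards A to B (the host sends it to the gateway because B is off-subnet, and the router has a connected route for B's network), while the deny entries drop A to B and B to A but leave both LANs' path to the Internet intact. The same model also covers the VLAN suggestion: two hosts on one switch but in different subnets can only reach each other through a router interface, so a router that has no interface in (or no route to) the other VLAN cannot connect them.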