I am trying to set up multiple separate networks that all access the same Internet router. I don't want the networks to be able to "see" each other, i.e., you can ping network A from network B. All networks need to be able to access the single Internet router.
In my lab I was toying with using subnet masks to accomplish this but I don't think I am setting it up right. Here's a scenario:
Internet Router: Internal Network 192.168.1.1 Subnet mask: 255.255.0.0
Network A machine 192.168.1.1 255.255.255.0 Network B machine 192.168.2.1 255.255.255.0
Both machines can ping the Internet router but they can also both ping each other. What configuration should I use so that they can't?
TYIA,
Eric
What type of equipment are you using? If they are on the same router, they will be able to communicate with each other. You can put ACLs in place to limit that.
My router is a Check Point safe@office but it really wouldn't/shouldn't matter what that piece of hardware is. My goal is to create LAN side networks that cannot see each other but can get to the same gateway ip address.
in the sense that some will "auto create" "access rules" so that there is full connection between directly connected networks. One way around this is to make sure no routing protocols are enabled, write an ACL to explicitly block communications, and flush the routing table.
The router needs at least 2 LAN interfaces for this to work, but I do not see this as much of an issue as most do these days. the only route you would need on the router is a default route going out the WAN interface.
Looking at your routing tables may key you in as to why the 2 networks can talk.
In my lab Check Point there are currently no static routes, but that does not mean that there are not some that I can't see. In my VMware lab setup I put two test machines on a VLAN and the put the nics on two different networks. Now they can't ping each other so the access may be coming from the router.
Although I think the purpose of implementing a VLAN solution may be to unite geographically disparate LANs, I believe that they can also be used to separate traffic on two separate LANs using the same equipment (even switches, routers, etc.)
Yes, I had been testing that as well. The firewall supports VLAN LAN networks but I have not been able to get that to work yet. So I was trying to set it up without it first. Forgetting the gateway aspect of this for the moment, I don't see how two PCs on the same network switch can ping each other if they are on different networks, say 192.168.1.1 and 192.168.2.1.
I would be willing to bet the Check Point is auto connecting them since it's a turn-key solution. But you should also be able to disable this communication; it's either a routing issue or an ACL. Spend some time looking at your router's ACLs and routing tables.
As I said in my other post, they are on same network
Machine A can ping machine B so the router must be translating the traffic with a hidden rule. I don't want it to so I need to find out how to stop it...
Even if I setup machine A as 192.168.3.2 it can still ping 192.168.2.2
If you want to send data from one PC to another and they are both connected to the same router, the router is going to send the data directly. That's its job.
If you don't want that to happen, you can manually configure routing tables (not a lot of fun) to tell the router not to take the most obvious, efficient and easiest path of transferring data from port 1 to port 2, but rather to send the data to, what port 3 first? It's up to you.
Or you can setup VLANS that let the router know that all the PCs on one VLAN can see each other and ALL PCs on another VLAN can see each other, but none of them can see the other VLAN. This allows two separate LANS to exist on the same wiring using the same router and the same physical ports.
Try traceroute to determine if your router is transferring data directly.
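An added illustration of the two points made in this thread (the router forwarding between the two /24s because its own mask is /16, and an ACL being what actually stops it); this is example code written for this page, not anything from the original posts or from Check Point. It uses the addresses from the question, except that machine A is moved to 192.168.1.2 so it does not collide with the router's own address, and the ACL table format is a constructed stand-in for whatever the real firewall uses.

```python
"""Model of the question's lab: hosts with /24 masks, a router with a /16.

Added example, not from the thread.  Shows why A and B can ping each other
through the router and how a first-match ACL on the router would deny it
while still allowing each host to reach the gateway and the Internet.
"""
import ipaddress

# Router LAN interface exactly as described in the question: 192.168.1.1/16
ROUTER = ipaddress.ip_interface("192.168.1.1/16")
# Hosts from the question; A moved to .2 so it does not share the router's IP
# (an assumption made for this example).
HOST_A = ipaddress.ip_interface("192.168.1.2/24")
HOST_B = ipaddress.ip_interface("192.168.2.2/24")

# Constructed ACL: (source prefix, destination prefix, action), first match
# wins, implicit deny at the end like most router ACLs.  Not Check Point syntax.
ACL = [
    ("192.168.0.0/16", "192.168.1.1/32", "permit"),  # any LAN host -> gateway
    ("192.168.0.0/16", "192.168.0.0/16", "deny"),    # LAN -> LAN is blocked
    ("192.168.0.0/16", "0.0.0.0/0", "permit"),       # LAN -> Internet
]


def next_hop(src, dst):
    """Host-side decision: deliver on-link if dst falls inside the host's own
    prefix, otherwise hand the packet to the default gateway."""
    return "on-link" if dst in src.network else "gateway"


def router_forwards(router, dst):
    """Router-side decision with no static routes: the /16 connected route
    covers every 192.168.x.y address, so the router forwards to any of them."""
    return dst in router.network


def acl_action(src, dst, acl=ACL):
    """Evaluate the ACL top to bottom for a src/dst pair (strings or addresses)."""
    src = ipaddress.ip_address(str(src))
    dst = ipaddress.ip_address(str(dst))
    for src_prefix, dst_prefix, action in acl:
        if src in ipaddress.ip_network(src_prefix) and dst in ipaddress.ip_network(dst_prefix):
            return action
    return "deny"  # implicit deny


def reachable(src, dst, acl=None):
    """End-to-end check: host forwarding decision, then the router's ACL (if
    one is applied) and its connected-route lookup."""
    if next_hop(src, dst.ip) == "on-link":
        return True  # never touches the router, so no ACL applies
    if acl is not None and acl_action(src.ip, dst.ip, acl) == "deny":
        return False
    return router_forwards(ROUTER, dst.ip)


if __name__ == "__main__":
    print("A -> B, no ACL:  ", reachable(HOST_A, HOST_B))        # True
    print("A -> B, with ACL:", reachable(HOST_A, HOST_B, ACL))   # False
    print("A -> gateway:    ", reachable(HOST_A, ROUTER, ACL))   # True
    print("B -> gateway:    ", reachable(HOST_B, ROUTER, ACL))   # True
```

The first run reproduces the symptom from the question: host A sees 192.168.2.2 as off-link and sends it to the gateway, and the gateway's /16 connected route happily forwards it back out the same LAN. Only the deny line in the ACL changes that result; narrowing the router's mask alone would not, because a router with interfaces in both subnets still routes between them.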
Separate networks accessing one router with subnet mask