Setting up nested routers

[AlphaMagus]

I have an office LAN (let's call it LAN A) and within that LAN, I want to setup another LAN that is wireless for guest users (let's call this LAN B). I don't want LAN B to be able to reach any computers or devices on LAN A.

Here is my current setup, LAN A is comprised of several office computers connected through switches to an Astaro firewall/router. The WAN port of the router is connected to a cable modem. The LAN port is connected to a switch that is connected to the rest of the office. IP address space for computers on this LAN are 192.168.100.x with the IP of the Astaro router being 192.168.100.8

The guest network, LAN B is a D-Link router with the WAN port connected to a switch that is connected to the Astaro firewall (hence it is within LAN A) The WAN IP of the D-Link is 192.168.100.2 and the address space for computers on this LAN is 192.168.30.x with the LAN IP address of this router being 192.168.30.1

I have it all working and people on both LAN A and LAN B are able to get internet access. We have file servers, printers, etc on LAN A and I don't want guest computers on LAN B to be able to see the devices in LAN A.

Right now, if I am on LAN B I can't type in a UNC path to reach a file server but I am able to put the IP address of the file server and connect to it and I am able to reach any of the printers on the LAN A network.

Is there any configuration I can set on either router to prevent devices on LAN B from seeing devices on LAN A?

 

[cajuntank]

Do you have any additional network ports on your Astaro firewall? You didn't mention a Astaro model and I know some of their appliances have several network ports that would make what you are wanting much easier.

So you should have a route on the Astaro that states to get to LAN B, hit WAN port of D-LINK. The D-Link in turn would need to be able to do an ACL of some form so that you could permit traffic to the IP address of the Astaro LAN port, but deny all other hosts on LAN A. I really don't think that capability is built in the D-Link. You also don't mention what switch you have...is it possibly a Layer 3 switch that can do VLANs and routing?
The only other thing I can think of is if maybe the switch can at least do VLANs and if the Astaro (I don't know much about them) can support VLAN trunking so that subinterfaces can be defined on the Astaro and you can define the security there. Almost like you had another network port on the Astaro like I mentioned earlier.

 

[AlphaMagus]

The switches are HP Procurve 1800-24G
The D-link is a WBR-2310 B1
The Astaro is a 110/120

Here is an outline of what ports the different things are using:

Dlink WAN port --> port 3 of Procurve1
Procurve1 port 23 --> port 24 of Procurve2
Procurve2 port 3 --> port eth0 of Astaro
Astaro port eth2 --> cable modem


I have been able to make an internal network and a guest network setup in the past (for a different place) but they used two providers with two separate modems, so the external network wasn't nested within the internal network.

I'm thinking that if I can make a rule on the Astaro that says any traffic from the D-Link (192.168.100.2) going to any address other than the gateway (192.168.100.8) should be blocked. Is that possible?

 

[cajuntank]

Ok, just looked on Astaro's website and according to their specs for the 110 and 120, they both have 4 x 1Gb Ethernet ports (like you said Eth0 for LAN and Eth2 for WAN) which means you can do what I mentioned about connecting your wireless LAN B to port Eth1 or Eth3 on your Astaro. This becomes something like a DMZ or separate LAN segment zone whose security you define in the Astaro box. Hope that helps.

 

[AlphaMagus]

Thanks CajunTank!

I'll give that a shot. Do I need to set up something on the switches that will separate the traffic until it gets to the Astaro?

 

[cajuntank]

Unless you feel there is a security potential for someone to change their IP address to match that of the other subnet for some nefarious purpose, then not really. The switch only talks layer 2, so there will be no communication between the two LANs. If this is an issue for you, you can set up VLANs and untag certain ports to certain VLANs, so even if the user does change IP address to something in the other subnet, then it won't do any good since VLANs are basically like having another physical switch...he wouldn't be able to talk to the other subnet and no longer be able to talk to his local subnet either until he changed his addressing back. Like I said, might not be an issue for you.


Star this post if you found it truly helpfully. Thanks.