Using 2 routers for stronger home network security?

Gillbot

Lifer
Jan 11, 2001
28,830
17
81
OK, I thought I might give this a shot since I have a spare wired router lying around, but after about an hour of messing with it, I can't seem to get it to work.

I'm trying to accomplish something similar to this: http://people.delphiforums.com/gjc/dual-belkin.html

However, I'll be using a WRT54G as my main router and a SMC7004BR as the secondary. I don't need wireless clients on the secondary side, I'd just like to segregate the wireless and wired systems due to more sensitive information on the wired pcs.

Unfortunately, using Dynamic or Static in the 7004BR setup, it will not get a connection while using the WAN port on the 7004BR connected to a LAN port on the WRT54G. Any ideas?

EDIT> WRT54G has an IP address of 192.168.123.254 and the WAN is Dynamically configured. Using an IP address of 192.168.123.253 on the WAN of the 7004BR and gateway of 192.168.123.254 just yields host unreachable messages, same as setting it to dynamic. LAN IP is set to 192.168.123.252 on the 7004BR (if that matters).
 

Atheus

Diamond Member
Jun 7, 2005
7,313
2
0
The WAN and LAN should be on different subnets on both routers, e.g. modem ---> WRT WAN dynamic (NOT receiving an IP on 192.168.0.0/24) ---> WRT LAN 192.168.0.1 ---> 7004BR WAN 192.168.0.2 ---> 7004BR LAN 192.168.1.1

You don't really need to do this though, unless you want two wireless networks. All you really need to do is separate wireless from wired clients, which you can do with a firewall on one router. I know there are free third-party firmwares for the WRT54G which provide advanced firewalls.
 

Wyck

Senior member
Jun 13, 2001
940
1
0
The poor man's DMZ. I like it. Atheus is right about the subnet on the LAN side of the 7004BR needing to be different than the WAN side. If they're the same then the 7004BR won't pass traffic to 192.168.123.X out over the WAN port since that's what it knows the internal network to be. Have fun!
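The point Atheus and Wyck make, shown as an added example rather than anything posted in the thread: a small model of the inner router's routing table. It builds one connected route per interface plus a default route via the upstream gateway, does a longest-prefix lookup, and reports why the original layout (LAN, WAN and gateway all on 192.168.123.0/24) fails while the two-subnet layout works. The addresses are the ones quoted in the thread; 203.0.113.1 is a documentation address standing in for an internet host.

```python
import ipaddress

# Constructed addressing taken from the thread: the original poster's layout
# (everything on 192.168.123.0/24) and the two-subnet layout Atheus suggests.
OP_PLAN = {"lan": "192.168.123.252/24", "wan": "192.168.123.253/24",
           "gateway": "192.168.123.254"}
FIXED_PLAN = {"lan": "192.168.1.1/24", "wan": "192.168.0.2/24",
              "gateway": "192.168.0.1"}


def build_routes(plan):
    """Routing table of the inner router: one connected route per interface
    plus a default route pointing at the outer router's LAN address."""
    lan = ipaddress.ip_interface(plan["lan"])
    wan = ipaddress.ip_interface(plan["wan"])
    return [
        (lan.network, "lan", None),
        (wan.network, "wan", None),
        (ipaddress.ip_network("0.0.0.0/0"), "wan",
         ipaddress.ip_address(plan["gateway"])),
    ]


def route_lookup(routes, dst):
    """Longest-prefix match. Equal-length prefixes keep the first entry, which is
    how two overlapping connected routes quietly pick the LAN interface."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, iface, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    return best


def egress_interface(plan, dst):
    """Interface a packet to dst actually leaves on. A route via a gateway only
    works if the gateway itself resolves to a connected interface."""
    routes = build_routes(plan)
    hit = route_lookup(routes, dst)
    if hit is None:
        return None
    net, iface, gw = hit
    if gw is None:
        return iface
    gw_hit = route_lookup(routes, gw)
    if gw_hit is None or gw_hit[2] is not None:
        return None  # gateway is on no connected network: "host unreachable"
    return gw_hit[1]


def check_plan(plan):
    """List the problems that would stop the inner router reaching upstream."""
    problems = []
    lan = ipaddress.ip_interface(plan["lan"]).network
    wan = ipaddress.ip_interface(plan["wan"]).network
    gw = ipaddress.ip_address(plan["gateway"])
    if lan.overlaps(wan):
        problems.append("LAN and WAN subnets overlap")
    if gw not in wan:
        problems.append("gateway is outside the WAN subnet")
    if egress_interface(plan, "203.0.113.1") != "wan":
        problems.append("internet-bound traffic would not leave via the WAN port")
    return problems


if __name__ == "__main__":
    for name, plan in (("original", OP_PLAN), ("fixed", FIXED_PLAN)):
        print(name, check_plan(plan) or "ok")
```

Running it reports two problems for the original layout and none for the fixed one; the second check is the one that matters for the "host unreachable" symptom, because with overlapping subnets the gateway resolves on the LAN side and nothing ever goes out the WAN port.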
 

Gillbot

Lifer
Jan 11, 2001
28,830
17
81
Hmm, maybe that's the issue since I had everything on the same subnet. I'll try again. Thanks!

There won't be two wireless setups BTW, it's to separate my wireless clients from my wired clients.
 

Tiorapatea

Member
Oct 7, 2003
145
0
0
I am trying to achieve something similar but I'm not sure what device I need to buy to make it work.

I have an ADSL router (without wireless). Recently, I picked up an Orinoco AP-2000 wireless access point, which I could just hang off my router. It has reasonably good security features (static ARP tables, rogue AP checks, MAC address filtering) in its own right but I would like to put it on a different private LAN from my wired network. The plan is that wireless clients will use IPsec to a VPN server behind the Access Point. From there, they will be able to get to either the internet or my wired LAN.

My problem is that I don't think my existing ADSL router (a Draytek 2600) will be able to cope with all this. For one, it will only NAT for one private network so internet access would not be feasible from wireless and wired clients simultaneously. Secondly, I doubt it can act as a VPN end-point for clients on its "trusted" LAN ports. Thirdly, I doubt that it can firewall all of its ports from each other - most likely the WAN port can be firewalled flexibly from the collective LAN ports but not from each LAN port independently, and most likely the LAN ports cannot be fully firewalled from each other.

So I would like to interpose a second router between the Access Point and the ADSL router, or alternatively buy a dual WAN port ethernet router (with at least one 10/100 WAN port) and place both the Access Point and the ADSL router on the untrusted WAN ports (the AP on a 10/100 port).

However, from what I can see, most of the dual WAN port routers either have serial leased line WAN ports or else they are SOHO load-balancing DSL/cable routers. These SOHO devices look promising in theory but I doubt that they were designed with the idea that untrusted LAN traffic would come in one WAN port, hit the internal VPN end-point, then be routed through an internal firewall out of the other WAN port to the Internet. Why would I want to do this? Well, internet banking from the sofa would need to be VPN'ed to somewhere the other side of the Wireless Access Point but would then need to go to the internet; meanwhile, local war-drivers will be trying to use the Access Point to download illegal material via my ADSL connection. (Note, this is just an example of what might possibly occur and does not necessarily reflect intended or forecast usage.)

So I think I need a router with at least one WAN/untrusted 10/100 ethernet port and a VPN server to filter and route wireless traffic to my existing Draytek ADSL router. The Draytek can then treat the traffic that originated from wireless clients as trusted (it has got through the other router's firewall and only Un-VPN'ed traffic will be allowed to do this).

Do such devices exist? What do they sell for on auction sites? Most consumer devices seem to be 10BaseT only on the WAN side.

Edit: If this is too much of a hijack, let me know and I'll take it to a new thread.
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
Originally posted by: Gillbot
There won't be two wireless setups BTW, it's to separate my wireless clients from my wired clients.
You'll separate them, all right... but what's the point of having a network if you can't access resources on the network?

I'd suggest using client firewalls, WiFi encryption, strong and long passwords and NTFS share and file security. Putting your network on two different subnets makes life a lot more complicated than it needs to be in a home setting.

 

Gillbot

Lifer
Jan 11, 2001
28,830
17
81
All of the wired clients will be able to see each other perfectly and that is all that is really needed.
 

Atheus

Diamond Member
Jun 7, 2005
7,313
2
0
Tiorapatea - You don't need a VPN or a dual-WAN router, you just need a normal wireless router with flexible firmware installed. Put the three interfaces (LAN, WAN, wireless) on different subnets and control traffic between them. E.g. allow new connections from LAN/wireless to WAN, but not wireless to LAN or WAN to LAN. You could set it up so you could still VPN into the LAN from wireless if you wanted.

I know for sure there are router firmwares that support this, OpenWrt for example. Have a look around for anything that will run on the Draytek.
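The zone policy Atheus describes (new connections allowed LAN/wireless to WAN, nothing new from wireless to LAN or WAN to LAN, replies allowed by state), plus the "still VPN into the LAN from wireless" case Tiorapatea asked about, as an added simulation that is not OpenWrt's configuration or anyone's posted code. It classifies addresses into zones, tracks admitted flows as 5-tuples, and judges each packet. The subnets, the VPN server address 192.168.1.1 and the IKE/NAT-T exception on UDP 500/4500 are assumptions made for the example; 203.0.113.10 is a documentation address standing in for an internet host.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing: wired LAN and wireless on separate subnets; anything
# outside the two private zones is treated as WAN. The VPN server address is
# an assumption for the "still VPN into the LAN from wireless" case.
ZONES = {"lan": "192.168.1.0/24", "wireless": "192.168.2.0/24"}
VPN_SERVER = "192.168.1.1"

# New connections are allowed only for these (source zone, destination zone)
# pairs; everything else, notably wireless -> lan and wan -> lan, is dropped.
ALLOW_NEW = {("lan", "wan"), ("wireless", "wan"),
             ("lan", "lan"), ("wireless", "wireless")}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def ipsec_to_vpn(src_zone, dst_zone, pkt):
    """Exception rule (assumed): wireless clients may open IKE/NAT-T
    (UDP 500/4500) to the VPN server, and nothing else on the wired side."""
    return (src_zone == "wireless" and pkt.dst == VPN_SERVER
            and pkt.proto == "udp" and pkt.dport in (500, 4500))


class ZoneFirewall:
    """Stateful zone firewall: packets of tracked flows pass in either
    direction, new flows are judged by zone policy and exception rules."""

    def __init__(self, zones, allow_new, exceptions=()):
        self.zones = {name: ip_network(cidr) for name, cidr in zones.items()}
        self.allow_new = set(allow_new)
        self.exceptions = list(exceptions)
        self.conntrack = set()  # 5-tuples of flows admitted as new connections

    def zone_of(self, addr):
        a = ip_address(addr)
        for name, net in self.zones.items():
            if a in net:
                return name
        return "wan"

    def filter(self, pkt):
        flow = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        reverse = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        # Established traffic passes regardless of zone; an unsolicited packet
        # from the WAN never matches because no forward flow was admitted.
        if flow in self.conntrack or reverse in self.conntrack:
            return "ACCEPT"
        src_zone, dst_zone = self.zone_of(pkt.src), self.zone_of(pkt.dst)
        if (src_zone, dst_zone) in self.allow_new or any(
                rule(src_zone, dst_zone, pkt) for rule in self.exceptions):
            self.conntrack.add(flow)
            return "ACCEPT"
        return "DROP"


def make_firewall():
    return ZoneFirewall(ZONES, ALLOW_NEW, exceptions=[ipsec_to_vpn])


def run_demo():
    """Constructed packets walking through the policy; returns (label, verdict) pairs."""
    fw = make_firewall()
    cases = [
        ("wireless -> internet https", Packet("192.168.2.20", "203.0.113.10", "tcp", 51000, 443)),
        ("reply from internet", Packet("203.0.113.10", "192.168.2.20", "tcp", 443, 51000)),
        ("wireless -> wired SMB", Packet("192.168.2.20", "192.168.1.10", "tcp", 51001, 445)),
        ("internet -> wired, no prior flow", Packet("203.0.113.10", "192.168.1.10", "tcp", 443, 51002)),
        ("wireless -> VPN server IKE", Packet("192.168.2.20", VPN_SERVER, "udp", 500, 500)),
        ("wireless -> VPN server SSH", Packet("192.168.2.20", VPN_SERVER, "tcp", 51003, 22)),
    ]
    return [(label, fw.filter(pkt)) for label, pkt in cases]


if __name__ == "__main__":
    for label, verdict in run_demo():
        print(f"{label:35s} {verdict}")
```

The reply case is the one worth noticing: the WAN host's packet back to the wireless client is accepted only because the client's outbound flow was admitted first, while the same host sending an unsolicited packet to a wired machine is dropped. That is the state-based behaviour that lets one router with three interfaces do what the thread was trying to do with two.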