How to isolate a second router from the rest of your local network


Important
This is an edited version of a post that originally appeared on a blog called The Michigan Telephone Blog, which was written by a friend before he decided to stop blogging. It is reposted with his permission. Comments dated before the year 2013 were originally posted to his blog.

I was recently asked how to solve a particular problem and I came up with what I think is an interesting solution, especially given my overall rather limited knowledge of networking.  The issue was this: In the home in question, they have cable broadband and a router that feeds jacks throughout the house.  For security reasons, the homeowner never installed any kind of wireless networking (even though his primary router supports it, he keeps it turned off).  Also his primary router is down in the basement.

Recently he got his wife a Motorola XOOM tablet computer and, wouldn’t you know, it requires Wi-Fi access to connect to the Internet.  In order to extend the range, and so that he or his wife could easily turn off the Wi-Fi when the XOOM isn’t in use, he bought a second Wi-Fi router and put it upstairs.  Note that this router is connected BEHIND the original router in the basement.  In other words, the sequence of connection is as follows:

Cable Modem —> Basement (Primary) Router —> Upstairs (Wi-Fi) Router —> Tablet Computer

Now, as I said, he is very security conscious.  So the question he asked me was: if someone managed to break into his Wi-Fi, is there a way to set it up so that they could ONLY get to the Internet, and not to any other system on his local network?  I said I didn’t know, but to first try accessing other machines on his network (the ones that had web interfaces, anyway) from the XOOM.  It turned out that he could do so without any problem.  The Wi-Fi router hands out addresses in the 192.168.2.x range on its LAN side, the primary router hands out addresses in the 192.168.0.x range, and the Wi-Fi router’s WAN port sits on that 192.168.0.x network.  So anything on the Wi-Fi side that wants to reach a 192.168.0.x address simply sends the traffic out the WAN port, exactly as it would for an address on the Internet.  As far as anything connected to the Wi-Fi router is concerned, the rest of the house might as well be the Internet.

I didn’t think it would be a good idea to try to make the Wi-Fi router use the same address space for both WAN and LAN, and while I could assign it a static IP address on the WAN side, it had to be able to reach the router/gateway at 192.168.0.1.  So here is what we did.

On the PRIMARY router, we took a look at the LAN settings and found that its DHCP server was assigning addresses starting at 192.168.0.2.  We changed that to start at 192.168.0.5 (probably could have used 192.168.0.4 in retrospect).

This way, we could give the Wi-Fi router’s WAN side a STATIC IP address of 192.168.0.2, and (this is the important part) a NETMASK of 255.255.255.252 (a /30).

This means that as far as the Wi-Fi router is concerned, there are only four addresses in the 192.168.0.x range that it can reach directly:

192.168.0.0 (not used)
192.168.0.1 (primary router/gateway)
192.168.0.2 (Wi-Fi router)
192.168.0.3 (Reserved for “broadcast” as far as Wi-Fi router is concerned)

One thing to remember: after you change the DHCP range on the PRIMARY router, computers that already hold 192.168.0.2 or 192.168.0.3 will not give those addresses up until their DHCP lease comes up for renewal.  So if you set the second router’s WAN address to 192.168.0.2, it may not actually be able to connect until the device currently on 192.168.0.2 “loses its lease”.  Rebooting the primary router may help, but in some cases you may have to track down the computer with the conflicting address and shut it off, or, if you know how, renew its IP address assignment (this can usually be done from within the network settings panel).  Eventually it should work, and at that point you should find that devices connected to the secondary router cannot connect to any 192.168.0.x address outside the three mentioned above, which means they won’t be able to “see” anything else on your network that has been assigned a DHCP address.

Be clear about what the /30 netmask does and does not do.  It only changes what the Wi-Fi router believes it can reach directly: a packet for 192.168.0.5 is no longer put straight onto the wire, it is handed to the gateway at 192.168.0.1, and whether the primary router then forwards it back out onto its own LAN (or sends the Wi-Fi router an ICMP redirect pointing at the host) is entirely up to the primary router.  In this case it did not, but a different model might, and “no reply on the tablet” is not the same thing as “the packet never arrived”.  This also only restrains guests on the Wi-Fi; anyone who gets the admin password for the second router can simply set the netmask back to 255.255.255.0.

This tip falls into the category of “it worked in this particular situation, but I don’t guarantee it will work for you”.  So if you try this, be sure to test that the other machines on your primary network are actually unreachable from the secondary router, and test it from the Wi-Fi side, not by guessing from the configuration.
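To make the procedure above concrete, here is a small Python script that models what the /30 netmask changes on the Wi-Fi router and then runs the reachability test the post asks for. It is example code added to this article, not something from the original post or from the router vendor. The addresses are the ones in the post (primary router 192.168.0.1 on a 255.255.255.0 LAN, Wi-Fi router WAN side 192.168.0.2 with netmask 255.255.255.252 and gateway 192.168.0.1); the function names, the choice of ports 22, 80 and 443 to probe, and the idea of running the scan from a laptop on the Wi-Fi side are my own assumptions.

```python
"""Model the /30 WAN trick and run the reachability test the post
recommends.  Example code added to the article, not from the original
post or from Belkin.  Topology assumed from the post: primary router
192.168.0.1/24, Wi-Fi router WAN 192.168.0.2 with netmask
255.255.255.252 and gateway 192.168.0.1, tablet on 192.168.2.x."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List


def on_link_addresses(wan_ip: str, netmask: str) -> List[str]:
    """Every address the Wi-Fi router treats as directly reachable on its
    WAN side (network and broadcast included, as the post lists them)."""
    net = ipaddress.IPv4Interface(f"{wan_ip}/{netmask}").network
    return [str(a) for a in net]


def next_hop(wan_ip: str, netmask: str, gateway: str, dst: str) -> str:
    """Where the Wi-Fi router sends a packet for dst: straight to dst if
    it falls inside the WAN subnet, otherwise to the default gateway.
    This is all the netmask changes; nothing is dropped here, so whether
    192.168.0.5 ever sees the packet is decided by the primary router."""
    iface = ipaddress.IPv4Interface(f"{wan_ip}/{netmask}")
    if ipaddress.IPv4Address(dst) in iface.network:
        return dst
    return gateway


def tcp_probe(host: str, port: int, timeout: float = 1.0) -> str:
    """One TCP connect attempt.  A refusal is a reply from the host, so it
    proves our packet got there; only silence means nothing came back."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "no-response"


def scan_lan(network: str, ports: Iterable[int],
             probe: Callable[[str, int], str] = tcp_probe,
             skip: Iterable[str] = ()) -> Dict[str, Dict[int, str]]:
    """Probe every host in `network` on `ports` and return those that
    answered at all (open or refused).  Run this from a laptop on the
    Wi-Fi side; after the change only the primary router at 192.168.0.1
    should show up.  Any other host that answers, even with 'refused',
    is receiving packets from the Wi-Fi network."""
    skip = set(skip)
    answered: Dict[str, Dict[int, str]] = {}
    for host in ipaddress.IPv4Network(network).hosts():
        h = str(host)
        if h in skip:
            continue
        results = {p: probe(h, p) for p in ports}
        hits = {p: r for p, r in results.items() if r != "no-response"}
        if hits:
            answered[h] = hits
    return answered


if __name__ == "__main__":
    # What the Wi-Fi router thinks is on-link with the /30 mask.
    print(on_link_addresses("192.168.0.2", "255.255.255.252"))
    for dst in ("192.168.0.1", "192.168.0.5", "8.8.8.8"):
        print(dst, "->", next_hop("192.168.0.2", "255.255.255.252",
                                  "192.168.0.1", dst))
    # Real scan of the primary LAN from the Wi-Fi side; the Wi-Fi
    # router's own WAN address is skipped.
    print(scan_lan("192.168.0.0/24", ports=(22, 80, 443),
                   skip=("192.168.0.2",)))
```

The first two functions show that the mask shrinks the set of directly reachable addresses to four, but that a packet for 192.168.0.5 is still sent, to 192.168.0.1 rather than to .5 itself. The scan is what actually answers the question: a host that returns "refused" has received the packet and replied, which is exactly the case the /30 trick cannot rule out on its own.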

Now let the comments begin, telling me how there’s a better way to do this, or why it won’t work, or something to that effect…

21 thoughts on “How to isolate a second router from the rest of your local network”

  1. I use a single router (pfSense) with multiple VLANs and a (PoE) access point that supports multiple SSIDs (each separate VLAN, PSK, …). Easy, foolproof. The access point gives great range (100m). pfSense has monitoring capabilities beyond other routers.

    1. Eric — I just re-read your comment again and I just want to point out one thing. You said:

      “I use a single router (pfSense) with multiple VLANs and a (PoE) access point that supports multiple SSIDs (each separate VLAN, PSK, …).”

      Do you realize how many people would only understand the word “router” among all the nouns in that sentence? 🙂

  2. Mismatched netmasks can cause some funky problems. Also, it’s probably not very secure.

    Why not just use WPA2 with a strong password? I like GRC’s password generator or keepass.

    https://www.grc.com/passwords.htm
    http://keepass.info/

    The chances that a 63 character alpha-numeric wifi key will be broken are pretty slim. Especially when you consider the minimal amount of traffic/connection attempts that any single tablet will generate.

    Poor network engineering is no replacement for proper security!

    -Sean

    1. Sean – he has a very strong password also (not quite 63 characters, but very long and with mixed letters/numbers/symbols, generated by 1Password on a Mac). This is what you might call the belt and suspenders approach.

      One thing I forgot to mention that I would like comments on. With the new router, he can limit access to machines with particular MAC addresses. However, he heard that MAC addresses are transmitted in the clear and therefore doing that actually makes the system LESS secure. I know NOTHING about Wi-Fi so can’t comment on that at all, but wondered if anyone else had heard that and could confirm or deny.

  3. A MAC address can be very easily spoofed. So easy that I’ve never felt it worth the time to filter by MAC. A solid password like that will take you 90% of the way.

    Does his provider give more than one IP address? My provider (COX) gives three. You could plug a regular switch straight into the modem, then plug each router into that. Each would pull a public IP and shouldn’t be able to talk to each other.

    If he only gets one IP you could plug the Internet only router straight into the modem, then plug the normal router into that. That could have its own set of issues though. Double NAT can do some funky things.

    Eric’s method would work well too, but I feel things like pfSense and DD-WRT can get a little more complicated than most people feel comfortable with. When helping someone else in a situation like that I like to leave them with the easiest solution possible.

    -Sean

    1. Only one IP address from his provider. And, there were several reasons he didn’t want to put the Wi-Fi router first after the cable modem, including the double NAT issue (he uses VoIP, and double NAT can kill SIP).

      pfSense and DD-WRT are definitely out of my comfort zone. I can barely manage to maintain an IPtables firewall on one box using Webmin’s GUI! 😉

  4. I like what Eric and Sean say. I think the solution will work for the person you set this up for. I know the troubles of double NAT but if the second router won’t be used for any VoIP issues, I don’t understand what the problem would be.

    If you (readers) don’t want to go the pfsense route, you could always get a router which works with dd-wrt and set your own vlans on separate ports. Everything would have the same public IP address but the internal network would be completely separated.

    Also, I don’t think just a strong password is key. A proactive measure would be periodic log checking, just like with VOIP, to make certain no one but your systems are accessing the data.

    1. I’m starting to think that this is a topic similar to “Which is the best operating system?” or “What brand of computer is the best?” The real technically inclined people will carry on about VLANs and SSIDs and pfSense and PSK (whatever the heck THAT is) and the rest of us will just buy hardware routers off the shelf at Staples or Wal-Mart and configure them in a way that makes sense to us.

      The reason I posted this article is that it’s a technique that seems to work (though I do want anyone else trying to use it to first test it to see that it meets your requirements) AND it is simple enough that even someone who never took a course in computer networking can understand it. So far all you guys have done is throw out a lot of jargon that is totally and absolutely meaningless to most users. How the heck did VLANs get into this, for example? Nobody said ANYTHING about a VLAN and yet you all keep throwing that acronym around.

      Let’s see: College level networking course, probably a few hundred bucks by the time all costs are figured in, plus several hours of time. Second router, cost around $30 give or take a little and depending on whether it’s Black Friday or not, and maybe 10 minutes inside the store if that’s all you’re buying. Decisions, decisions… 😉

      I say this to all of you: Don’t even come back and leave any more comments until you can talk about this stuff as if you were explaining it to your mother. Because, you know what, there’s a real good chance I’m older than she is!

  5. You know there are much simpler ways sometimes…
    I presume both routers have a basic firewall configuration?
    All you need to do on the wifi is create a deny rule to the 192.168.0.x network. That is it!

    I know what you are thinking…This means it will block access to the primary router? The reason being that to get internet access you must ultimately traverse the primary router which is on the subnet we just denied access to?
    Well actually no because all internet IP’s (the destination) will have IP’s outside of the deny range so it will be allowed. You have to think how a firewall works exactly. All it does is look at the destination IP address and compare this to the rule. As the destination IP (internet ones) are not part of the subnet we denied access to in the rule it will be allowed.
    When the destination is the other LAN they will be denied.

    Simples! 😉

    1. D.A.R.Y.L. – appreciate the suggestion and it would probably work with most routers. In this case the second router is a Belkin (don’t know the model number offhand, but it’s a cheap one from an office supply store) and IIRC it has a firewall that you can enable or disable, BUT it doesn’t allow you to configure it in any way! He was in a hurry to get something so his wife could use the tablet, and I suspect it was on sale that week.

  6. Just thought I’d add (if you don’t mind) a link to an article I wrote called how routing works. It explains why the above is possible and is quite in depth. It is relevant here and will be a benefit to everyone.

  7. @Mich – Very strange about the firewall aspect. I would look into that a bit more if I were you. I configure a lot of basic routers and they all have some form of basic firewall which allows you to block outgoing traffic to specific IP addresses.

    1. This is a case of trying to help someone else and once the mission is accomplished, you move on. My memory is getting worse the older I get, but it seems to me that I remember looking at the firewall section and making the comment that this was the first router I’d ever seen that would not let you set individual firewall rules (because I had actually thought of trying to use the firewall in a way similar to what you suggested).

      If it were my router I’d definitely take a second look, because even as I write this I agree with you that there should have been a basic configurable firewall available, but that’s exactly why I also recall being so surprised that there wasn’t.

  8. Did you test it when you were done? Because to be honest, I’m not convinced that what you did will really work. Let’s say you’re on the Wifi network with an IP address of 192.168.2.9 and trying to get access to 192.168.0.5… Here’s what I /think/ would happen (I don’t have this exact setup, so I can’t say for sure).

    1. Your computer at 192.168.2.9 will look at the destination of 192.168.0.5 and notice that it’s in a different subnet and so send the traffic to its default route of 192.168.2.1.

    2. The Wifi router (192.168.2.1) will get the request and notice that it’s on a different subnet than its WAN interface (192.168.0.2) so it’ll send the traffic to its default route of 192.168.0.1.

    3. The primary router (192.168.0.1) will get the traffic and notice that it’s on the same subnet as its LAN interface and pass the traffic to 192.168.0.5.

    It’s possible that in step 3 the router will ignore it thinking that 192.168.0.5 will respond by itself. It’s also possible that when the traffic goes to make its return trip it’ll get confused by the subnet mismatch. The only way to know any of this is to test it. And the only way to be 100% sure is to test it while using a packet sniffer… remember, that many DOS and buffer overflow attacks don’t require getting a response, only having the traffic delivered. Granted, that all requires a successful connection to the Wifi network, but you did say that this guy is paranoid and wants to be 100% secure.

    My first thought was simply reversing it and connecting the Wifi network directly to the Internet and connecting the WAN side of the current primary router to the Wifi router. That greatly simplifies the setup and also all but guarantees the security because the current primary router would treat the Wifi network as if it were the public Internet.

    The second simple solution, as already mentioned, is two Internet legal IP addresses. Then both routers would treat each-other as strangers, also ensuring security.

    Unfortunately, with both of those options out, you’re really looking at something with VLANs and probably DD-WRT (some consumer level wifi routers support VLANs, but not all of them). Yes, I know, you don’t like the sound of that… it sounds too complicated… and truth be told, I avoid VLANs if at all possible. But sometimes, in order to really be secure, it’s not possible.

    Just because something “sounds right” or “seems to work” doesn’t mean that it is right or will continue to work. There is a reason why companies pay people to maintain their networks and keep them secure… it’s not just because they have extra money to spend. And even then, sometimes the experts/professionals fail.

    1. Jake – yes, we tested it, and from the tablet he could NOT connect to other computers in the 192.168.0.x range. Do I know why that is the case? No, I don’t. Do I really care? No, I don’t. It solves the immediate problem. Perhaps, someday, if he ever gets a new router (in the basement) that handles things differently, it might allow the traffic to pass. All I know is that with the current setup, the traffic won’t pass between the two networks.

      Of course we tested it. And of course, I would advise anyone else trying this to do the same. I approved your comment only as a cautionary note – just because something worked for a particular person in one particular situation doesn’t mean it will work for everyone. Any information you happen to find in this blog should be used at your own risk, and tested to make sure it works as you expect.

      Sometimes I think networking experts are like the scientists who say the bumblebee shouldn’t be able to fly, but then it confounds them by doing it anyway. Well, maybe in theory certain things should or should not work when it comes to networking, but in my experience that doesn’t always mean that they will/won’t. And I’m sure there are logical reasons for that, that can be found if you know what you’re doing and dig deep enough. In this case it’s working exactly the way he wanted it to, so I’m not looking this particular gift horse in the mouth.

  9. In THEORY Jake is correct in that it SHOULD work. I also thought of this whilst reading the post. But as you didn’t want to discuss why or why not it should work but rather talk about alternatives to achieve isolation between the two subnets I didn’t bring it up.

    I like your analogy about the scientists and bees when flying lol. I know exactly what you mean. I am not someone who takes that approach but I work with a lot of people that do and it frustrates the hell out of me! I mean I may know a lot about a certain piece of technology and I know how it should work, but sometimes the results you see on screen don’t match HOW it should work. At this point I accept my interpretation must not be ENTIRELY correct. I will then go away and find a theory which FITS THE FACTS I see in front of me. You would be amazed though at how many people in IT will stare at the facts in their face and say it can’t possibly work that way…Well here’s news for you, it is!

  10. Just an additional note for those that may have wondered (and particularly D.A.R.Y.L.). I found out that the router is a Belkin N300. I downloaded the user manual from the Belkin product page, and discovered that this document says next to nothing about configuration, and virtually nothing at all about the firewall. However the person I was helping says he remembers the same thing I do, that when we set it up, there was no way that we could see to create specific firewall rules.

    I wish the manual were more explicit about the various available settings.

  11. What you essentially have is an intentional routing misconfiguration (your real subnet mask on the first router is 255.255.255.0 but you told the second router that it’s 255.255.255.252). As you’ve said, this appears to be working. However, you can’t guarantee in this scenario that traffic destined for 192.168.0.5 which originated with 192.168.2.9 is not being received by 192.168.0.5… you only know for sure that it’s not making the full round trip (192.168.2.9 is not getting acknowledgment/data back). The only way to know this for sure would be with a packet sniffer…. and even then, it might be difficult to know. This probably only matters for DOS attacks and buffer overflow type security holes (neither one of which requires round trip data to be successful).

    Having said all that… it probably doesn’t matter. These attacks could only originate from his Wifi network… which means they could only be done while the second router was powered up (you said he intends for his wife to unplug it when not in use) and only if they break the security on it… which, if you still used WPA and a decent password is unlikely. And, of course, they have to be within range of his Wifi. Also it /should/ prevent a Wifi guest from accessing his file server and snooping around his bank records (or whatever else he has on his internal network that he wants to protect).

  12. NOTICE: All comments above this one were imported from the original Michigan Telephone Blog and may or may not be relevant to the edited article above.
