Isolating a wireless subnet?



Janey
03-21-08, 03:13 AM
We're replacing an Apple "snow" AirPort (802.11b) with an AirPort Extreme
(802.11n) and would like to provide Internet access for clients in the
waiting room. Obviously we don't want them to have access to our computers or
servers.

By what mechanism can a wireless subnet be created such that the users have
Internet access yet cannot (easily) have access to the rest of the private
net that shares the DSL modem that supplies 'net access to the LAN as a
whole?

Is a router required at the junction of the DSL modem and the 2 AirPort WAPs
that controls access between the 2 branches?

Other means?

Thanks,
Janie

glen herrmannsfeldt
03-21-08, 04:43 AM
(comp.protocols.tcp-ip added)

Janey wrote:
(snip)

> By what mechanism can a wireless subnet be created such that the users have
> Internet access yet cannot (easily) have access to the rest of the private
> net that shares the DSL modem that supplies 'net access to the LAN as a
> whole?

I presume you now have one NAT router between you and the DSL
connection. To do what you ask requires three NAT routers
(and three distinct subnets).

In many cases wireless access points are combined with NAT routers
which would minimize the number of boxes. Does the Airport Extreme
include NAT? (I thought Airport Extreme was 802.11G not N.)

Unless your DSL supplies more than one IP address you want one NAT
router connected to the DSL modem to allow more than one IP address
to connect to the Internet. Next, you want a NAT router for your
use and a NAT router for other users each connected to the first
NAT router. The first one should not have wireless access
(or should have it turned off). The second and third could
be either NAT routers with wireless access or NAT routers
connected to wireless access points.

-- glen

DLR
03-21-08, 06:11 AM
Janey wrote:
> We're replacing an Apple "snow" AirPort (802.11b) with an AirPort Extreme
> (802.11n) and would like to provide Internet access for clients in the
> waiting room. Obviously we don't want them to have access to our computers or
> servers.
>
> By what mechanism can a wireless subnet be created such that the users have
> Internet access yet cannot (easily) have access to the rest of the private
> net that shares the DSL modem that supplies 'net access to the LAN as a
> whole?
>
> Is a router required at the junction of the DSL modem and the 2 AirPort WAPs
> that controls access between the 2 branches?

Since you're asking here I'll assume your knowledge is a bit limited.

As to the two branches I'll assume you mean the waiting room and office sections of your network.

First you can do it with 3 routers but also two if you do it right.

DSL
Modem ---- Router1 **** wireless to waiting room
              |
              +-----Router2 (off LAN port of router1)
                       + *********** wireless to office
                       |
                       +------------ wired to office (off LAN port of router2)


With this setup your waiting room can see the Internet as a whole but can't drill down into your office as long as you don't have router2 set to forward anything from the outside to any particular LAN.

To keep things simple Apple somewhat limits your choices as to NAT addresses so I'd pick something like the 192.168.x.x range for the office and 10.0.0.x range for the waiting room. This is set in router2 and router1 respectively.

As to which router you use where, I guess I'd put the newer one as router 2 as it will have somewhat better security options. You should lock down the admin of both routers with very very good passwords. You should also lock down the wireless to the office with a very secure password and no Post-its allowed. Or turn it off. And keep access to the routers and any wired Ethernet ports restricted. Physically.

And you mentioned "waiting room" I'd find a local mac wiz (there should be a user group in the area) or network wiz who will not get indignant at the Apple routers and pay them $200 for an hour or so of time to make sure you do it right. Doing it wrong in a doctor's office can be a very bad idea.

David

Gavrilo Prinzip
03-21-08, 06:31 AM
In article <d04f1$47e397ec$d1aa8d95$9118@PORTBRIDGE.COM>,
DLR <news23@raleighthings.com> wrote:

> And you mentioned "waiting room" I'd find a local mac wiz (there should be a
> user group in the area) or network wiz who will not get indignant at the
> Apple routers and pay them $200 for an hour or so of time to make sure you do
> it right. Doing it wrong in a doctor's office can be a very bad idea.

I'd point out also that you don't absolutely need Apple products. We
have a setup something like this for our Inn using two non-Apple
routers; our only computers are Macs, and this setup works equally well
in connecting visiting Macs _and_ PCs.

I use Airport Extreme in the Mac Pro now and then to test the wireless
connections.
--
Gav P

DLR
03-21-08, 07:56 AM
Gavrilo Prinzip wrote:
> In article <d04f1$47e397ec$d1aa8d95$9118@PORTBRIDGE.COM>,
> DLR <news23@raleighthings.com> wrote:
>
>> And you mentioned "waiting room" I'd find a local mac wiz (there should be a
>> user group in the area) or network wiz who will not get indignant at the
>> Apple routers and pay them $200 for an hour or so of time to make sure you do
>> it right. Doing it wrong in a doctor's office can be a very bad idea.
>
> I'd point out also that you don't absolutely need Apple products. We
> have a setup something like this for our Inn using two non-Apple
> routers; our only computers are Macs, and this setup works equally well
> in connecting visiting Macs _and_ PCs.

Agreed. But the OP implied they had already bought or planned to buy a 2nd Apple router. And if all you've ever seen is a Linksys configuration web page, well things are a bit different. My point was to not get "your brother's friend who's owned a mac for 2 months" to come do it.

David

stephen
03-21-08, 10:13 AM
"Janey" <not@yourlife.net> wrote in message
news:0001HW.C408BC34002B1AD3B01AD9AF@news.sf.sbcglobal.net...
> We're replacing an Apple "snow" AirPort (802.11b) with an AirPort Extreme
> (802.11n) and would like to provide Internet access for clients in the
> waiting room. Obviously we don't want them to have access to our computers
> or servers.
>
> By what mechanism can a wireless subnet be created such that the users
> have Internet access yet cannot (easily) have access to the rest of the private
> net that shares the DSL modem that supplies 'net access to the LAN as a
> whole?

1 way to do it is to build 2 separate networks.

internet - wlan router (with external users) - wlan router (internal users).

main drawback is the external users could clog up your Internet feed.
>
> Is a router required at the junction of the DSL modem and the 2 AirPort
> WAPs that controls access between the 2 branches?

or you find a wireless router that can handle multiple SSIDs and keep the
traffic flows in separate VLANs. You then use different SSIDs for users &
visitors, then priority, different networks and rate limiting to control who
goes where and access.

some of the Cisco stuff can do this, so something like an 1800 series router
with embedded WLAN would work.
www.cisco.com/go/1800 - exactly which model depends on DSL flavour, or cable
etc.

programming these things can be complicated, so you may want to get some
help.

but - not consumer gear, and not consumer prices. 1801s we use at work
(without wireless) list @ $1000.
>
> Other means?
>
> Thanks,
> Janie
>
--
Regards

stephen_hope@xyzworld.com - replace xyz with ntl

Jeff Liebermann
03-21-08, 06:32 PM
On Fri, 21 Mar 2008 08:13:24 GMT, Janey <not@yourlife.net> wrote:

>We're replacing an Apple "snow" AirPort (802.11b) with an AirPort Extreme
>(802.11n) and would like to provide Internet access for clients in the
>waiting room. Obviously we don't want them to have access to our computers or
>servers.

The easiest way to do this is to check if your ISP offers a 2nd IP
address. If so, connect *TWO* routers to your cable or DSL modem
through a cheapo ethernet switch. Each IP address will have its own
routeable IP address, its own router, and no way are any packets going
to cross over from one router to the other.

Another way is to buy a router that offers dual SSID, dual WPA keys,
or security "zones". Search Google for "dual SSID". Most (not all) of
these have independent routing for each SSID. Most routers that are
designed to run a public hot spot (i.e. DD-WRT FON router) have this
feature.
<http://www.dd-wrt.com/wiki/index.php/FON_Hotspot#Wireless_.3E_Wireless_Security>

I only know one router that has two WPA keys. MyEssentials ME-1004R.
<http://www.myessentialssupport.com/product/?pid=ME1004-R>
This is a cheap ($40) router owned by Belkin that has this useful
feature. If the client uses one settable WPA key, they get the
internet and the local LAN. If they use the settable "guest" key,
they get only the internet. The catch is that the clients MUST use a
WPA key, which is generally a good idea anyway.

Incidentally, make sure your wireless router has "client isolation" or
"AP isolation" as Linksys misnamed it. It prevents the clients from
seeing and attacking each other.

Sonicwall uses security zones:
<http://www.sonicwall.com/downloads/SOS2e_Enhanced_Security_Zones_Explained.pdf>
for isolation.

Another way is to use two routers in series. The network connected to
the LAN side of the 2nd router is the "inside" protected network. The
2nd router keeps anyone from the LAN side of the 1st router (or
"public" side) out of the "inside" network. The IP layout is something
like this:
Router 1                          Router 2
WAN= ISP assigned                 WAN= 192.168.1.2
WAN Netmask= ISP assigned         WAN Netmask= 255.255.255.252
Gateway= ISP assigned             Gateway= 192.168.1.1
LAN IP= 192.168.1.1               LAN IP= 192.168.2.1
LAN Netmask= 255.255.255.0        LAN Netmask= 255.255.255.0

Users on the LAN side of Router 1 use 192.168.1.xxx (public access)
Users on the LAN side of Router 2 use 192.168.2.xxx (inside LAN)

This works but causes problems due to the double NAT. Details on
request.



>
>By what mechanism can a wireless subnet be created such that the users have
>Internet access yet cannot (easily) have access to the rest of the private
>net that shares the DSL modem that supplies 'net access to the LAN as a
>whole?
>
>Is a router required at the junction of the DSL modem and the 2 AirPort WAPs
>that controls access between the 2 branches?
>
>Other means?
>
>Thanks,
>Janie
--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 jeffl@comix.santa-cruz.ca.us
# http://802.11junk.com jeffl@cruzio.com
# http://www.LearnByDestroying.com AE6KS

News Reader
03-28-08, 08:51 PM
There is a mask error in the example you provided.

You've specified a mask of 255.255.255.0 for the LAN interface of Router
1, and a mask of 255.255.255.252 for the WAN interface of Router 2.

Since you are connecting these interfaces together, they must use the
same mask.

Use 255.255.255.0 for both.

Best Regards,
News Reader

Jeff Liebermann wrote:
> On Fri, 21 Mar 2008 08:13:24 GMT, Janey <not@yourlife.net> wrote:
>
>> We're replacing an Apple "snow" AirPort (802.11b) with an AirPort Extreme
>> (802.11n) and would like to provide Internet access for clients in the
>> waiting room. Obviously we don't want them to have access to our computers or
>> servers.
>
> The easiest way to do this is to check if your ISP offers a 2nd IP
> address. If so, connect *TWO* routers to your cable or DSL modem
> through a cheapo ethernet switch. Each IP address will have its own
> routeable IP address, its own router, and no way are any packets going
> to cross over from one router to the other.
>
> Another way is to buy a router that offers dual SSID, dual WPA keys,
> or security "zones". Search Google for "dual SSID". Most (not all) of
> these have independent routing for each SSID. Most routers that are
> designed to run a public hot spot (i.e. DD-WRT FON router) have this
> feature.
> <http://www.dd-wrt.com/wiki/index.php/FON_Hotspot#Wireless_.3E_Wireless_Security>
>
> I only know one router that has two WPA keys. MyEssentials ME-1004R.
> <http://www.myessentialssupport.com/product/?pid=ME1004-R>
> This is a cheap ($40) router owned by Belkin that has this useful
> feature. If the client uses one settable WPA key, they get the
> internet and the local LAN. If they use the settable "guest" key,
> they get only the internet. The catch is that the clients MUST use a
> WPA key, which is generally a good idea anyway.
>
> Incidentally, make sure your wireless router has "client isolation" or
> "AP isolation" as Linksys misnamed it. It prevents the clients from
> seeing and attacking each other.
>
> Sonicwall uses security zones:
> <http://www.sonicwall.com/downloads/SOS2e_Enhanced_Security_Zones_Explained.pdf>
> for isolation.
>
> Another way is to use two routers in series. The network connected to
> the LAN side of the 2nd router is the "inside" protected network. The
> 2nd router keeps anyone from the LAN side of the 1st router (or
> "public" side) out of the "inside" network. The IP layout is something
> like this:
> Router 1                          Router 2
> WAN= ISP assigned                 WAN= 192.168.1.2
> WAN Netmask= ISP assigned         WAN Netmask= 255.255.255.252
> Gateway= ISP assigned             Gateway= 192.168.1.1
> LAN IP= 192.168.1.1               LAN IP= 192.168.2.1
> LAN Netmask= 255.255.255.0        LAN Netmask= 255.255.255.0
>
> Users on the LAN side of Router 1 use 192.168.1.xxx (public access)
> Users on the LAN side of Router 2 use 192.168.2.xxx (inside LAN)
>
> This works but causes problems due to the double NAT. Details on
> request.
>
>
>
>> By what mechanism can a wireless subnet be created such that the users have
>> Internet access yet cannot (easily) have access to the rest of the private
>> net that shares the DSL modem that supplies 'net access to the LAN as a
>> whole?
>>
>> Is a router required at the junction of the DSL modem and the 2 AirPort WAPs
>> that controls access between the 2 branches?
>>
>> Other means?
>>
>> Thanks,
>> Janie

glen herrmannsfeldt
03-28-08, 10:26 PM
(someone wrote)

> The easiest way to do this is to check if your ISP offers a 2nd IP
> address. If so, connect *TWO* routers to your cable or DSL modem
> through a cheapo ethernet switch. Each IP address will have its own
> routeable IP address, its own router, and no way are any packets going
> to cross over from one router to the other.

That is a good way, but when they do they usually charge
extra for it. If you don't need the extra IP, and/or static IP,
then double NAT works well.

(snip)

> Another way is to use two routers in series. The network connected to
> the LAN side of the 2nd router is the "inside" protected network. The
> 2nd router keeps anyone from the LAN side of the 1st router (or
> "public" side) out of the "inside" network. The IP layout is something
> like this:
> Router 1                          Router 2
> WAN= ISP assigned                 WAN= 192.168.1.2
> WAN Netmask= ISP assigned         WAN Netmask= 255.255.255.252
> Gateway= ISP assigned             Gateway= 192.168.1.1
> LAN IP= 192.168.1.1               LAN IP= 192.168.2.1
> LAN Netmask= 255.255.255.0        LAN Netmask= 255.255.255.0

As someone else mentioned, the Router2 WAN Netmask is wrong.

> Users on the LAN side of Router 1 use 192.168.1.xxx (public access)
> Users on the LAN side of Router 2 use 192.168.2.xxx (inside LAN)

This keeps the public net from accessing the inside LAN, but doesn't
keep them from watching the data going by. At least they can
see broadcast packets, and any other that are flooded by the
switch.

> This works but causes problems due to the double NAT.
> Details on request.

What problems due to double NAT? As I said, I would do
double NAT for both nets for full isolation. If it is
worth worrying about isolation it is worth the price of
another NAT router.

-- glen

Jeff Liebermann
03-29-08, 11:56 AM
On Fri, 28 Mar 2008 21:51:53 -0400, News Reader <user@domain.null>
wrote:

>There is a mask error in the example you provided.

Eye nver maek mistrakes.

>You've specified a mask of 255.255.255.0 for the LAN interface of Router
>1, and a mask of 255.255.255.252 for the WAN interface of Router 2.
>
>Since you are connecting these interfaces together, they must use the
>same mask.
>
>Use 255.255.255.0 for both.
>
>Best Regards,
>News Reader

>Jeff Liebermann wrote:
>> Another way is to use two routers in series. The network connected to
>> the LAN side of the 2nd router is the "inside" protected network. The
>> 2nd router keeps anyone from the LAN side of the 1st router (or
>> "public" side) out of the "inside" network. The IP layout is something
>> like this:
>> Router 1                          Router 2
>> WAN= ISP assigned                 WAN= 192.168.1.2
>> WAN Netmask= ISP assigned         WAN Netmask= 255.255.255.252
>> Gateway= ISP assigned             Gateway= 192.168.1.1
>> LAN IP= 192.168.1.1               LAN IP= 192.168.2.1
>> LAN Netmask= 255.255.255.0        LAN Netmask= 255.255.255.0
>>
>> Users on the LAN side of Router 1 use 192.168.1.xxx (public access)
>> Users on the LAN side of Router 2 use 192.168.2.xxx (inside LAN)

1. Please don't "top post".

2. Your comments are absolutely true if Router 2 needs to see all the
devices on the LAN side of Router 1. For that, I would use
255.255.255.0. However, I do NOT want them to see all those users and
devices. Router 2 only needs to see the LAN side IP address of Router
1 (plus the broadcast address) for a total of 2 IP addresses.

With 255.255.255.252, it looks like this:
<http://www.aboutmyip.com/AboutMyXApp/SubnetCalculator.jsp?ipAddress=192.168.1.1&cidr=30>
Address: 192.168.1.1
Netmask: 255.255.255.252
Network Address: 192.168.1.0 / 30
Broadcast Address: 192.168.1.3
First host: 192.168.1.1
Last host: 192.168.1.2
Total host count: 2

It can also be done with CIDR /31 or 255.255.255.254, but I like to
save the 2nd IP address for tinkering, testing, sniffing, etc.

The security of such an arrangement is marginal at best. Users on the
LAN side of Router 1 cannot see machines on the LAN side of Router 2,
but can sniff their traffic. Users on the LAN side of Router 2 cannot
see users on the LAN side of Router 1, but only because of the router
netmask.

This arrangement is far from ideal and the netmask is somewhat of a
kludge. It's the best I can do with one WAN IP, and not going to a
VPN tunnel. IMHO, the best way are two routers, two WAN IP's, two
LAN's, and never the two shall meet. However, many ISP's will not
provide more than one routeable IP, requiring abominations like this.

--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

Jeff Liebermann
03-29-08, 12:30 PM
On Fri, 28 Mar 2008 19:26:51 -0800, glen herrmannsfeldt
<gah@ugcs.caltech.edu> wrote:

>As someone else mentioned, the Router2 WAN Netmask is wrong.

See my reply to someone else. For the specific case of where Router 2
only needs to see the LAN side IP address of Router 1, using the
netmask to prevent Router 2 from "seeing" other devices on the LAN
side of Router 1 works.

>> Users on the LAN side of Router 1 use 192.168.1.xxx (public access)
>> Users on the LAN side of Router 2 use 192.168.2.xxx (inside LAN)

>This keeps the public net from accessing the inside LAN, but doesn't
>keep them from watching the data going by. At least they can
>see broadcast packets, and any other that are flooded by the
>switch.

Correct. It does nothing to prevent sniffing. Please note the
question was about wireless networking. You could have the ideal case
of two WAN IP's, two wireless routers, two isolated LAN's, and the
wireless traffic of BOTH wireless LAN's are exposed to sniffing.

In my customers coffee shop wireless installations, the problem was
keeping the wireless customers out of the wired ethernet devices that
were also on the premises. That works, but as you note, not very
well. I used double NAT for this purpose and was generally
successful. However, the local ISP's are very cooperative and I
switched to dual IP addresses with two routers and have lived happily
ever after.

>> This works but causes problems due to the double NAT.
>> Details on request.
>
>What problems due to double NAT? As I said, I would do
>double NAT for both nets for full isolation. If it is
>worth worrying about isolation it is worth the price of
>another NAT router.

I guess that's a request for details. Note that double NAT is not the
classic double firewall, with a DMZ in between, stuffed with public
servers.

I had some problems with:
1. Remote admin. Every time I needed to administer a machine on the
LAN side of Router 2, I had to punch a hole in BOTH firewalls. This
made port forwarding a mess.
2. Port triggering and port forwarding setups required tweaking both
routers.
3. A few applications just didn't work. I don't want to itemize
these or I'll never get back to doing my taxes.
4. The credit card machine was on the LAN side of Router 2. The
service company wanted access from the internet and went ballistic
when they found they were going through two routers. They claimed it
was "unsupportable" even though it worked.
5. Applications that require UPnP (MSN Mess, AOL with Port Magic)
would complain that the router is misconfigured. It would work on the
LAN side of Router 1, but complain on the LAN side of Router 2. Most
of these applications have been fixed to run on such double NAT
systems long ago, but that provided additional inspiration to avoid
double NAT.
6. It would screw up some file sharing software. This was actually
an advantage except that the P2P junk would work on the public LAN
(LAN side of Router 1), but not on the inside LAN (LAN side of Router
2). This falls under "I don't care".
7. Some reports that VoIP (SIP phone) services had some weird
problems that I wasn't interested in debugging.

Some more comments on double NAT by others:
<http://www.dslreports.com/forum/remark,17422024>


--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

News Reader
03-29-08, 01:07 PM
Your comment - "if Router 2 needs to see all the devices on the LAN side
of Router 1.", is off base.

It has nothing to do with "seeing".

A mask determines whether a destination device is reachable directly, or
whether the services of another router are required.

If Router 2 had traffic to forward to a LAN host on the WAN side, and
the host was determined to be on another network due to the difference
in masks, it would forward the packet to Router 1, and Router 1 would
forward it to the host that shares the same mask.

If Router 1 had a return route, and the WAN port of Router 2 permitted
return traffic, a connection would be established.

If Router 1 did not have a route to the LAN side of Router 2,
connections would not be established.

Best Regards,
News Reader


Jeff Liebermann wrote:
> On Fri, 28 Mar 2008 21:51:53 -0400, News Reader <user@domain.null>
> wrote:
>
>> There is a mask error in the example you provided.
>
> Eye nver maek mistrakes.
>
>> You've specified a mask of 255.255.255.0 for the LAN interface of Router
>> 1, and a mask of 255.255.255.252 for the WAN interface of Router 2.
>>
>> Since you are connecting these interfaces together, they must use the
>> same mask.
>>
>> Use 255.255.255.0 for both.
>>
>> Best Regards,
>> News Reader
>
>> Jeff Liebermann wrote:
>>> Another way is to use two routers in series. The network connected to
>>> the LAN side of the 2nd router is the "inside" protected network. The
>>> 2nd router keeps anyone from the LAN side of the 1st router (or
>>> "public" side) out of the "inside" network. The IP layout is something
>>> like this:
>>> Router 1                          Router 2
>>> WAN= ISP assigned                 WAN= 192.168.1.2
>>> WAN Netmask= ISP assigned         WAN Netmask= 255.255.255.252
>>> Gateway= ISP assigned             Gateway= 192.168.1.1
>>> LAN IP= 192.168.1.1               LAN IP= 192.168.2.1
>>> LAN Netmask= 255.255.255.0        LAN Netmask= 255.255.255.0
>>>
>>> Users on the LAN side of Router 1 use 192.168.1.xxx (public access)
>>> Users on the LAN side of Router 2 use 192.168.2.xxx (inside LAN)
>
> 1. Please don't "top post".
>
> 2. Your comments are absolutely true if Router 2 needs to see all the
> devices on the LAN side of Router 1. For that, I would use
> 255.255.255.0. However, I do NOT want them to see all those users and
> devices. Router 2 only needs to see the LAN side IP address of Router
> 1 (plus the broadcast address) for a total of 2 IP addresses.
>
> With 255.255.255.252, it looks like this:
> <http://www.aboutmyip.com/AboutMyXApp/SubnetCalculator.jsp?ipAddress=192.168.1.1&cidr=30>
> Address: 192.168.1.1
> Netmask: 255.255.255.252
> Network Address: 192.168.1.0 / 30
> Broadcast Address: 192.168.1.3
> First host: 192.168.1.1
> Last host: 192.168.1.2
> Total host count: 2
>
> It can also be done with CIDR /31 or 255.255.255.254, but I like to
> save the 2nd IP address for tinkering, testing, sniffing, etc.
>
> The security of such an arrangement is marginal at best. Users on the
> LAN side of Router 1 cannot see machines on the LAN side of Router 2,
> but can sniff their traffic. Users on the LAN side of Router 2 cannot
> see users on the LAN side of Router 1, but only because of the router
> netmask.
>
> This arrangement is far from ideal and the netmask is somewhat of a
> kludge. It's the best I can do with one WAN IP, and not going to a
> VPN tunnel. IMHO, the best way are two routers, two WAN IP's, two
> LAN's, and never the two shall meet. However, many ISP's will not
> provide more than one routeable IP, requiring abominations like this.
>

Jeff Liebermann
03-29-08, 02:53 PM
On Sat, 29 Mar 2008 14:07:26 -0400, News Reader <user@domain.null>
wrote:

>Your comment - "if Router 2 needs to see all the devices on the LAN side
>of Router 1.", is off base.
>
>It has nothing to do with "seeing".
>
>A mask determines whether a destination device is reachable directly, or
>whether the services of another router are required.

OK. Please replace my use of the word "see" with "reach". The WAN
port on Router 2 only needs to see, reach, connect to, handshake, pass
traffic with, etc, exactly one device. That's the LAN IP address of
Router #1. It has no need to see, reach, connect to, handshake to,
pass traffic with any other device on the LAN side of Router 1 other
than the sole router IP address and its broadcast address. The whole
idea is to *NOT* let Router 2 see, reach, connect to, handshake, pass
traffic with, etc, to anything on the LAN side of Router 1 (other than
the router itself).

>If Router 2 had traffic to forward to a LAN host on the WAN side, and
>the host was determined to be on another network due to the difference
>in masks, it would forward the packet to Router 1, and Router 1 would
>forward it to the host that shares the same mask.

If the traffic from the LAN side of Router 2 needs to go to a host on
an "another" (what other?) network, it would all go through the
default gateway, that points to Router 1, which would forward the
packets to its favorite default gateway at the ISP. You can stack up
default gateways this way forever.

However, passing through a default gateway does NOT magically inherit
the netmask of the originating client or router. The netmask is
strictly a filter and is only used on the device to which it is
configured. There's no field in the IP or TCP headers for netmask.

>If Router 1 had a return route, and the WAN port of Router 2 permitted
>return traffic, a connection would be established.
>
>If Router 1 did not have a route to the LAN side of Router 2,
>connections would not be established.

Coming from the LAN side of Router 2, the return path is via two
default routes, both of which are within the netmask. This is not a
problem.

Would it help any if I setup such a double NAT setup and posted the
resultant router tables? I think I can throw something together
running DD-WRT in the next day or three. (But first I gotta work on
my taxes). I know it works because I've done it this way in the past,
but it's been a while and I may be having a memory fault.

--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

News Reader
03-29-08, 03:46 PM
Jeff Liebermann wrote:
> On Sat, 29 Mar 2008 14:07:26 -0400, News Reader <user@domain.null>
> wrote:
>
>> Your comment - "if Router 2 needs to see all the devices on the LAN side
>> of Router 1.", is off base.
>>
>> It has nothing to do with "seeing".
>>
>> A mask determines whether a destination device is reachable directly, or
>> whether the services of another router are required.
>
> OK. Please replace my use of the word "see" with "reach". The WAN
> port on Router 2 only needs to see, reach, connect to, handshake, pass
> traffic with, etc, exactly one device. That's the LAN IP address of
> Router #1. It has no need to see, reach, connect to, handshake to,
> pass traffic with any other device on the LAN side of Router 1 other
> than the sole router IP address and its broadcast address. The whole
> idea is to *NOT* let Router 2 see, reach, connect to, handshake, pass
> traffic with, etc, to anything on the LAN side of Router 1 (other than
> the router itself).

You misunderstood my point.

I understand that you don't want LAN hosts on the LAN side of Router 2
to communicate with LAN hosts on the WAN side of Router 2 (i.e. LAN
hosts of Router 1, if you prefer).

My point is that you have suggested that your 255.255.255.252 mask on
the WAN port of Router 2 would "prevent" the undesirable communication.
That is not true.

>
>> If Router 2 had traffic to forward to a LAN host on the WAN side, and
>> the host was determined to be on another network due to the difference
>> in masks, it would forward the packet to Router 1, and Router 1 would
>> forward it to the host that shares the same mask.
>
> If the traffic from the LAN side of Router 2 needs to go to a host on
> an "another" (what other?) network, it would all go through the

The WAN interface of Router 2 (192.168.1.2, 255.255.255.252) sees its
network as being Subnet 192.168.1.0, with assignable host addresses in
the range of 192.168.1.1 - 192.168.1.2, and a broadcast address of
192.168.1.3.

A host connected to the LAN interface of Router 1, with an IP address of
let's say 192.168.1.8, is seen by Router 2, as NOT being on the same
network. It is not one of the assignable host addresses (192.168.1.1 -
192.168.1.2), and not the broadcast address.

> default gateway, that points to Router 1, which would forward the

Packets are forwarded to a default gateway when a better route is NOT known.

> packets to its favorite default gateway at the ISP. You can stack up
> default gateways this way forever.
>
> However, passing through a default gateway does NOT magically inherit
> the netmask of the originating client or router. The netmask is

Who said anything about inheritance?

The LAN interface on Router 1 (192.168.1.1, 255.255.255.255) sees its
network as being Subnet 192.168.1.0, with assignable host addresses in
the range of 192.168.1.1 - 192.168.1.254, and a broadcast address of
192.168.1.255.

If Router 1 receives a packet forwarded from Router 2, that is destined
to host e.g.: 192.168.1.8, Router 1 says "that is on a network that I am
attached to, I can reach it directly". It would therefore deliver that
packet to the LAN host contrary to your claims.

> strictly a filter and is only used on the device to which it is
> configured. There's no field in the IP or TCP headers for netmask.
>
>> If Router 1 had a return route, and the WAN port of Router 2 permitted
>> return traffic, a connection would be established.
>>
>> If Router 1 did not have a route to the LAN side of Router 2,
>> connections would not be established.
>
> Coming from the LAN side of Router 2, the return path is via two
> default routes, both of which are within the netmask. This is not a
> problem.

A default route is used when a better route is not known. If the
destination of a packet is on a network connected to the router, "and"
the destination host's IP address is within the range of the network
"as defined by" the mask, the router will deliver the packet directly,
and not blindly follow a default route.

A network is defined by a mask. It is not defined by physical interfaces.

>
> Would it help any if I setup such a double NAT setup and posted the
> resultant router tables? I think I can throw something together
> running DD-WRT in the next day or three. (But first I gotta work on
> my taxes). I know it works because I've done it this way in the past,

I am not saying your topology won't work. I am saying that your use of
the 255.255.255.252 mask, does not in itself prevent the communications
that you want curbed.

> but it's been a while and I may be having a memory fault.
>


--
Best Regards,
News Reader

News Reader
03-29-08, 04:31 PM
News Reader wrote:
> Jeff Liebermann wrote:
>> On Sat, 29 Mar 2008 14:07:26 -0400, News Reader <user@domain.null>
>> wrote:
>>
>>> Your comment - "if Router 2 needs to see all the devices on the LAN
>>> side of Router 1.", is off base.
>>>
>>> It has nothing to do with "seeing".
>>>
>>> A mask determines whether a destination device is reachable directly,
>>> or whether the services of another router are required.
>>
>> OK. Please replace my use of the word "see" with "reach". The WAN
>> port on Router 2 only needs to see, reach, connect to, handshake, pass
>> traffic with, etc, exactly one device. That's the LAN IP address of
>> Router #1. It has no need to see, reach, connect to, handshake to,
>> pass traffic with any other device on the LAN side of Router 1 other
>> than the sole router IP address and its broadcast address. The whole
>> idea is to *NOT* let Router 2 see, reach, connect to, handshake , pass
>> traffic with, etc, to anything on the LAN side of Router 1 (other than
>> the router itself).
>
> You misunderstood my point.
>
> I understand that you don't want LAN hosts on the LAN side of Router 2
> to communicate with LAN hosts on the WAN side of Router 2 (i.e. LAN
> hosts of Router 1, if you prefer).
>
> My point is that you have suggested that your 255.255.255.252 mask on
> the WAN port of Router 2 would "prevent" the undesirable communication.
> That is not true.
>
>>
>>> If Router 2 had traffic to forward to a LAN host on the WAN side, and
>>> the host was determined to be on another network due to the
>>> difference in masks, it would forward the packet to Router 1, and
>>> Router 1 would forward it to the host that shares the same mask.
>>
>> If the traffic from the LAN side of Router 2 needs to go to a host on
>> an "another" (what other?) network, it would all go through the
>
> The WAN interface of Router 2 (192.168.1.2, 255.255.255.252) sees its
> network as being Subnet 192.168.1.0, with assignable host addresses in
> the range of 192.168.1.1 - 192.168.1.2, and a broadcast address of
> 192.168.1.3.
>
> A host connected to the LAN interface of Router 1, with an IP address of
> let's say 192.168.1.8, is seen by Router 2, as NOT being on the same
> network. It is not one of the assignable host addresses (192.168.1.1 -
> 192.168.1.2), and not the broadcast address.
>
>> default gateway, that points to Router 1, which would forward the
>
> Packets are forwarded to a default gateway when a better route is NOT
> known.
>
>> packets to its favorite default gateway at the ISP. You can stack up
>> default gateways this way forever.
>> However, passing through a default gateway does NOT magically inherit
>> the netmask of the originating client or router. The netmask is
>
> Who said anything about inheritance?
>
> The LAN interface on Router 1 (192.168.1.1, 255.255.255.255) sees its
> network as being Subnet 192.168.1.0, with assignable host addresses in
> the range of 192.168.1.1 - 192.168.1.254, and a broadcast address of
> 192.168.1.255.
>
> If Router 1 receives a packet forwarded from Router 2, that is destined
> to host e.g.: 192.168.1.8, Router 1 says "that is on a network that I am
> attached to, I can reach it directly". It would therefore deliver that
> packet to the LAN host contrary to your claims.
>
>> strictly a filter and is only used on the device to which it is
>> configured. There's no field in the IP or TCP headers for netmask.
>>
>>> If Router 1 had a return route, and the WAN port of Router 2
>>> permitted return traffic, a connection would be established.
>>>
>>> If Router 1 did not have a route to the LAN side of Router 2,
>>> connections would not be established.
>>
>> Coming from the LAN side of Router 2, the return path is via two
>> default routes, both of which are within the netmask. This is not a
>> problem.
>
> A default route is used when a better route is not known. If the
> destination of a packet is on a network connected to the router, "and"
> the destination host's IP address is within the range of the network
> "as defined by" the mask, the router will deliver the packet directly,
> and not blindly follow a default route.
>
> A network is defined by a mask. It is not defined by physical interfaces.
>
>>
>> Would it help any if I setup such a double NAT setup and posted the
>> resultant router tables? I think I can throw something together
>> running DD-WRT in the next day or three. (But first I gotta work on
>> my taxes). I know it works because I've done it this way in the past,
>
> I am not saying your topology won't work. I am saying that your use of
> the 255.255.255.252 mask, does not in itself prevent the communications
> that you want curbed.
>
>> but it's been a while and I may be having a memory fault.
>
>

I'll provide a bit more of a summary here regarding the undesired
communications, and why the use of a 255.255.255.252 mask on the Router
2 interface, would not prevent it.

Let's say we have a LAN host (Host 2) connected to the LAN interface of
Router 2, and a LAN host (Host 1) connected to the LAN interface of Router 1.

Let's say Host 2 tries to communicate with Host 1.

Router 2 receives the packet on its LAN interface, looks in its routing
table for a route to Host 1.

Because of the limited mask, Router 2 concludes that Host 1 is NOT on
the same network as its WAN interface, and because it doesn't have a
route to Host 1, it defaults to its default route, and forwards the
packet to Router 1.

Router 1 receives the packet, looks into its routing table, and
determines that it has a route to Host 1 (a connected route), because
Host 1's IP address is on the same network (192.168.1.0 , 255.255.255.0)
as Router 1's LAN interface.

Router 1 forwards the packet to Host 1 via its LAN interface. It does
not send the packet upstream to the ISP's router.

On the return path:

Typically, Host 1 will not have a route to Host 2 in its local routing
table. Therefore, it will forward the packet to its default gateway
(Router 1).

If Router 1 has a return route to Host 2, and the WAN port of Router 2
permits return traffic, a connection will be established.

If Router 1 does not have a route to Host 2, connections will not be
established.


Best Regards,
News Reader

News Reader
03-29-08, 11:55 PM
News Reader wrote:
> News Reader wrote:
>> Jeff Liebermann wrote:
>>> On Sat, 29 Mar 2008 14:07:26 -0400, News Reader <user@domain.null>
>>> wrote:
>>>
>>>> Your comment - "if Router 2 needs to see all the devices on the LAN
>>>> side of Router 1.", is off base.
>>>>
>>>> It has nothing to do with "seeing".
>>>>
>>>> A mask determines whether a destination device is reachable
>>>> directly, or whether the services of another router are required.
>>>
>>> OK. Please replace my use of the word "see" with "reach". The WAN
>>> port on Router 2 only needs to see, reach, connect to, handshake, pass
>>> traffic with, etc, exactly one device. That's the LAN IP address of
>>> Router #1. It has no need to see, reach, connect to, handshake to,
>>> pass traffic with any other device on the LAN side of Router 1 other
>>> than the sole router IP address and its broadcast address. The whole
>>> idea is to *NOT* let Router 2 see, reach, connect to, handshake , pass
>>> traffic with, etc, to anything on the LAN side of Router 1 (other than
>>> the router itself).
>>
>> You misunderstood my point.
>>
>> I understand that you don't want LAN hosts on the LAN side of Router 2
>> to communicate with LAN hosts on the WAN side of Router 2 (i.e. LAN
>> hosts of Router 1, if you prefer).
>>
>> My point is that you have suggested that your 255.255.255.252 mask on
>> the WAN port of Router 2 would "prevent" the undesirable
>> communication. That is not true.
>>
>>>
>>>> If Router 2 had traffic to forward to a LAN host on the WAN side,
>>>> and the host was determined to be on another network due to the
>>>> difference in masks, it would forward the packet to Router 1, and
>>>> Router 1 would forward it to the host that shares the same mask.
>>>
>>> If the traffic from the LAN side of Router 2 needs to go to a host on
>>> an "another" (what other?) network, it would all go through the
>>
>> The WAN interface of Router 2 (192.168.1.2, 255.255.255.252) sees its
>> network as being Subnet 192.168.1.0, with assignable host addresses in
>> the range of 192.168.1.1 - 192.168.1.2, and a broadcast address of
>> 192.168.1.3.
>>
>> A host connected to the LAN interface of Router 1, with an IP address
>> of let's say 192.168.1.8, is seen by Router 2, as NOT being on the same
>> network. It is not one of the assignable host addresses (192.168.1.1 -
>> 192.168.1.2), and not the broadcast address.
>>
>>> default gateway, that points to Router 1, which would forward the
>>
>> Packets are forwarded to a default gateway when a better route is NOT
>> known.
>>
>>> packets to its favorite default gateway at the ISP. You can stack up
>>> default gateways this way forever. However, passing through a default
>>> gateway does NOT magically inherit
>>> the netmask of the originating client or router. The netmask is
>>
>> Who said anything about inheritance?
>>
>> The LAN interface on Router 1 (192.168.1.1, 255.255.255.255) sees its
>> network as being Subnet 192.168.1.0, with assignable host addresses in
>> the range of 192.168.1.1 - 192.168.1.254, and a broadcast address of
>> 192.168.1.255.
>>
>> If Router 1 receives a packet forwarded from Router 2, that is
>> destined to host e.g.: 192.168.1.8, Router 1 says "that is on a
>> network that I am attached to, I can reach it directly". It would
>> therefore deliver that packet to the LAN host contrary to your claims.
>>
>>> strictly a filter and is only used on the device to which it is
>>> configured. There's no field in the IP or TCP headers for netmask.
>>>
>>>> If Router 1 had a return route, and the WAN port of Router 2
>>>> permitted return traffic, a connection would be established.
>>>>
>>>> If Router 1 did not have a route to the LAN side of Router 2,
>>>> connections would not be established.
>>>
>>> Coming from the LAN side of Router 2, the return path is via two
>>> default routes, both of which are within the netmask. This is not a
>>> problem.
>>
>> A default route is used when a better route is not known. If the
>> destination of a packet is on a network connected to the router, "and"
>> the destination host's IP address is within the range of the
>> network "as defined by" the mask, the router will deliver the packet
>> directly, and not blindly follow a default route.
>>
>> A network is defined by a mask. It is not defined by physical interfaces.
>>
>>>
>>> Would it help any if I setup such a double NAT setup and posted the
>>> resultant router tables? I think I can throw something together
>>> running DD-WRT in the next day or three. (But first I gotta work on
>>> my taxes). I know it works because I've done it this way in the past,
>>
>> I am not saying your topology won't work. I am saying that your use of
>> the 255.255.255.252 mask, does not in itself prevent the
>> communications that you want curbed.
>>
>>> but it's been a while and I may be having a memory fault.
>>
>>
>
> I'll provide a bit more of a summary here regarding the undesired
> communications, and why the use of a 255.255.255.252 mask on the Router
> 2 interface, would not prevent it.
>
> Let's say we have a LAN host (Host 2) connected to the LAN interface of
> Router 2, and a LAN host (Host 1) connected to the LAN interface of
> Router 1.
>
> Let's say Host 2 tries to communicate with Host 1.
>
> Router 2 receives the packet on its LAN interface, looks in its routing
> table for a route to Host 1.
>
> Because of the limited mask, Router 2 concludes that Host 1 is NOT on
> the same network as its WAN interface, and because it doesn't have a
> route to Host 1, it defaults to its default route, and forwards the
> packet to Router 1.
>
> Router 1 receives the packet, looks into its routing table, and
> determines that it has a route to Host 1 (a connected route), because
> Host 1's IP address is on the same network (192.168.1.0 , 255.255.255.0)
> as Router 1's LAN interface.
>
> Router 1 forwards the packet to Host 1 via its LAN interface. It does
> not send the packet upstream to the ISP's router.
>
> On the return path:
>
> Typically, Host 1 will not have a route to Host 2 in its local routing
> table. Therefore, it will forward the packet to its default gateway
> (Router 1).
>
Amend as follows:

Since the packet from Host 2 was NAT'd to Router 2's WAN IP address,
Host 1 will respond directly to Router 2, rather than sending to its
default gateway Router 1.

> If Router 1 has a return route to Host 2, and the WAN port of Router 2
> permits return traffic, a connection will be established.
>
Amend as follows:

Router 2 will forward the packet to Host 2 because it is a response to a
permitted connection request from Host 2.

> If Router 1 does not have a route to Host 2, connections will not be
> established.
>
Amend as follows:

No longer relevant, as Host 1 can respond to the connection request via
Router 2. The reason being Host 2 is represented by Router 2's WAN
address, and according to Host 1's mask, that address (192.168.1.2) is
on the same network, and directly reachable without the services of
Router 1.

>
> Best Regards,
> News Reader

I have confirmed this behavior this evening with a network sniffer. I
was able to access an FTP server on Host 1, from Host 2.

I recognize that your concern was that you wanted to ensure that Host 1
could not access Host 2, and that you will likely agree that Router 2
will prevent connection attempts from Host 1 to Host 2 due to NAT.

Furthermore, I recognize that you suggested a better solution than the
one being discussed.

Please remember, my response is only intended to demonstrate that your
beliefs about the use of a 255.255.255.252 mask on Router 2's WAN
interface are incorrect. The mask does not prevent communication between
these two systems.

Best Regards,
News Reader

Jeff Liebermann
03-30-08, 12:47 AM
On Sun, 30 Mar 2008 00:55:39 -0400, News Reader <user@domain.null>
wrote:

(...)
>Please remember, my response is only intended to demonstrate that your
>beliefs about the use of a 255.255.255.252 mask on Router 2's WAN
>interface are incorrect. The mask does not prevent communication between
>these two systems.

Argh. You're correct. Despite my being sure the WAN netmask trick
would work, it just failed. I setup a test system using two routers
running DD-WRT that look like my example:

                Router 1                 Router 2
WAN=            ISP assigned             192.168.1.2
WAN Netmask=    ISP assigned             255.255.255.252
Gateway=        ISP assigned             192.168.1.1
LAN IP=         192.168.1.1              192.168.2.1
LAN=            192.168.1.xxx (LAN 1)    192.168.2.xxx (LAN 2)
LAN Netmask=    255.255.255.0            255.255.255.0

Users on the LAN side of Router 1 use 192.168.1.xxx (public access)
Users on the LAN side of Router 2 use 192.168.2.xxx (inside LAN)

I also setup Host 1 on LAN 1 at 192.168.1.11 and Host 2 on LAN 2 at
192.168.2.100.

According to my explanation, I should NOT be able to ping Host 1 from
Host 2 thanks to the netmask. Well, that didn't work. It was
possible to ping Host 1 from Host 2, which means that the netmask
trick does NOT work.

As it stands, it's still a way of preventing users on LAN 1 from
seeing LAN 2, which is blocked by NAT. However, all the machines on
LAN 1 can be seen by LAN 2.

Incidentally, I tried a few random programs from LAN 2 (via double
NAT) to see if any of them break. So far, everything I've tried
works. Of course, anything that requires incoming ports (Echolink,
VNC, Remote Desktop, etc) won't work without router reconfiguration.

I'll swear I had this working at one time and will play with it some
more tonight to see if I missed something. Thanks much for your
patience and explanations. I'm not sure where I screwed up, but I'll
read your comments more carefully after I work on my taxes some more.


--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

News Reader
03-30-08, 09:41 AM
Jeff Liebermann wrote:
> On Sun, 30 Mar 2008 00:55:39 -0400, News Reader <user@domain.null>
> wrote:
>
> (...)
>> Please remember, my response is only intended to demonstrate that your
>> beliefs about the use of a 255.255.255.252 mask on Router 2's WAN
>> interface are incorrect. The mask does not prevent communication between
>> these two systems.
>
> Argh. You're correct. Despite my being sure the WAN netmask trick
> would work, it just failed. I setup a test system using two routers
> running DD-WRT that look like my example:
>
>                 Router 1                 Router 2
> WAN=            ISP assigned             192.168.1.2
> WAN Netmask=    ISP assigned             255.255.255.252
> Gateway=        ISP assigned             192.168.1.1
> LAN IP=         192.168.1.1              192.168.2.1
> LAN=            192.168.1.xxx (LAN 1)    192.168.2.xxx (LAN 2)
> LAN Netmask=    255.255.255.0            255.255.255.0
>
> Users on the LAN side of Router 1 use 192.168.1.xxx (public access)
> Users on the LAN side of Router 2 use 192.168.2.xxx (inside LAN)
>
> I also setup Host 1 on LAN 1 at 192.168.1.11 and Host 2 on LAN 2 at
> 192.168.2.100.
>
> According to my explanation, I should NOT be able to ping Host 1 from
> Host 2 thanks to the netmask. Well, that didn't work. It was
> possible to ping Host 1 from Host 2, which means that the netmask
> trick does NOT work.
>
> As it stands, it's still a way of preventing users on LAN 1 from
> seeing LAN 2, which is blocked by NAT. However, all the machines on
> LAN 1 can be seen by LAN 2.
>
> Incidentally, I tried a few random programs from LAN 2 (via double
> NAT) to see if any of them break. So far, everything I've tried
> works. Of course, anything that requires incoming ports (Echolink,
> VNC, Remote Desktop, etc) won't work without router reconfiguration.
>
> I'll swear I had this working at one time and will play with it some
> more tonight to see if I missed something. Thanks much for your
> patience and explanations. I'm not sure where I screwed up, but I'll
> read your comments more carefully after I work on my taxes some more.
>
>

The mask impacts "how" the packet is delivered and not "whether" the
packet is delivered.

Key points:

Router 2 determines that Host 1 is not directly reachable due to the
mask, and therefore forwards to Router 1.

Router 1 determines that Host 1 is directly reachable via a connected
route, and delivers packets to it.

Good luck with your taxes.

Best Regards,
News Reader
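The packet walk that News Reader describes above (Host 2 to Host 1 via Router 2's default route and Router 1's connected route, Host 1 replying straight to Router 2's NAT'd WAN address, and Router 2 dropping anything unsolicited from the Router 1 side) can be reproduced as a small routing simulation. The following Python is an added example, not code posted by anyone in the thread. It uses the addresses from Jeff's test setup; 203.0.113.x (the documentation range) is an assumed stand-in for the "ISP assigned" WAN addresses on Router 1, ports and ARP are ignored, and the optional forward filter on Router 2 is an assumed firewall rule (the kind of thing an iptables FORWARD rule on DD-WRT would do), included to show what actually curbs the traffic when the mask does not.

```python
# Forwarding walk-through for the thread's two-router, double-NAT topology. Added example,
# not thread code; 203.0.113.x is an assumed stand-in for the "ISP assigned" addresses.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

IP, NET = ipaddress.ip_address, ipaddress.ip_network


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    via: Optional[ipaddress.IPv4Address] = None  # None = connected route, deliver directly


@dataclass
class Node:
    name: str
    addrs: dict                        # iface -> address this node owns
    routes: list
    nat_iface: Optional[str] = None    # interface that source-NATs outbound traffic
    deny_out: list = field(default_factory=list)   # forward filter: (iface, dst network)
    conntrack: dict = field(default_factory=dict)  # (wan addr, peer) -> inside host

    def lookup(self, dst):
        """Longest-prefix match; the /0 default wins only when nothing better matches."""
        best = None
        for r in self.routes:
            if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best


class Topology:
    def __init__(self, nodes):
        self.owner = {a: n for n in nodes for a in n.addrs.values()}

    def send(self, node, src, dst, max_hops=8):
        """Walk one packet hop by hop; returns (delivered, trace). Ports are ignored."""
        pkt_src, pkt_dst, trace = IP(src), IP(dst), []
        for _ in range(max_hops):
            # Inbound to a NAT box's WAN address: only a reply to a mapped flow is un-NATed.
            if node.nat_iface and pkt_dst == node.addrs[node.nat_iface]:
                inside = node.conntrack.get((pkt_dst, pkt_src))
                if inside is None:
                    trace.append(f"{node.name}: unsolicited packet to WAN address, not forwarded")
                    return False, trace
                pkt_dst = inside
                trace.append(f"{node.name}: conntrack hit, destination rewritten to {pkt_dst}")
            if pkt_dst in node.addrs.values():
                trace.append(f"{node.name}: delivered locally")
                return True, trace
            r = node.lookup(pkt_dst)
            if r is None:
                trace.append(f"{node.name}: no route, dropped")
                return False, trace
            if any(r.iface == i and pkt_dst in n for i, n in node.deny_out):
                trace.append(f"{node.name}: forward filter dropped {pkt_dst} on {r.iface}")
                return False, trace
            if node.nat_iface == r.iface:  # leaving via WAN: source-NAT and remember the flow
                node.conntrack[(node.addrs[r.iface], pkt_dst)] = pkt_src
                pkt_src = node.addrs[r.iface]
            nh = r.via or pkt_dst  # the mask decides HOW to deliver, never WHETHER
            trace.append(f"{node.name}: {pkt_dst} matched {r.prefix}, next hop {nh} on {r.iface}")
            node = self.owner.get(nh)
            if node is None:
                trace.append(f"next hop {nh} is outside the topology (ISP side): unreachable")
                return False, trace
        return False, trace + ["hop limit exceeded"]


def build(filter_lan2_to_lan1=False):
    """Jeff's test topology; the optional filter is an assumed FORWARD drop on Router 2."""
    r1 = Node("Router1", {"wan": IP("203.0.113.10"), "lan": IP("192.168.1.1")},
              [Route(NET("192.168.1.0/24"), "lan"), Route(NET("203.0.113.0/24"), "wan"),
               Route(NET("0.0.0.0/0"), "wan", IP("203.0.113.1"))], nat_iface="wan")
    r2 = Node("Router2", {"wan": IP("192.168.1.2"), "lan": IP("192.168.2.1")},
              [Route(NET("192.168.1.0/30"), "wan"),  # the 255.255.255.252 WAN mask
               Route(NET("192.168.2.0/24"), "lan"),
               Route(NET("0.0.0.0/0"), "wan", IP("192.168.1.1"))], nat_iface="wan")
    if filter_lan2_to_lan1:
        r2.deny_out.append(("wan", NET("192.168.1.0/24")))
    h1 = Node("Host1", {"eth0": IP("192.168.1.11")}, [Route(NET("192.168.1.0/24"), "eth0"),
              Route(NET("0.0.0.0/0"), "eth0", IP("192.168.1.1"))])
    h2 = Node("Host2", {"eth0": IP("192.168.2.100")}, [Route(NET("192.168.2.0/24"), "eth0"),
              Route(NET("0.0.0.0/0"), "eth0", IP("192.168.2.1"))])
    return Topology([r1, r2, h1, h2]), h1, h2


def matched_prefix(topo, router_addr, dst):
    """Prefix string of the route the node owning router_addr would use for dst."""
    r = topo.owner[IP(router_addr)].lookup(IP(dst))
    return None if r is None else str(r.prefix)


def demo(filter_lan2_to_lan1=False):
    """Host 2 -> Host 1, Host 1's reply to Router 2's WAN IP, unsolicited Host 1 -> Host 2."""
    topo, h1, h2 = build(filter_lan2_to_lan1)
    return {"h2_to_h1": topo.send(h2, "192.168.2.100", "192.168.1.11")[0],
            "h1_reply": topo.send(h1, "192.168.1.11", "192.168.1.2")[0],
            "h1_to_h2": topo.send(h1, "192.168.1.11", "192.168.2.100")[0]}
```

Without the filter, demo() reports the first two flows delivered and only the unsolicited Host 1 to Host 2 attempt failing, which is exactly the sniffer result in the thread: Router 2's /30 only changes its choice of next hop to 192.168.1.1, and Router 1's /24 connected route then hands the packet to Host 1, while Host 1's reply to 192.168.1.2 is on-link for Host 1 and matches Router 2's NAT state. With the filter enabled, the outbound packet is dropped on Router 2 before it is NATed, so no state is created and nothing comes back. On a real Linux-based router such as DD-WRT the equivalent is a FORWARD-chain rule dropping traffic that leaves the WAN interface for 192.168.1.0/24 (with an exception for 192.168.1.1 if the inside LAN relies on Router 1 for DNS); the masks stay as they are. The trace returned by send() shows which route each hop selected, which is the quickest way to see that a default route is only the fallback.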