
I plan to implement the following network configuration:

Internet [(cable A)]

Router A (192.168.0.x)[(WAN:cable A)(LAN1:cable B)(LAN2:)(LAN3:)(LAN4:)]

Router B (192.168.1.x)[(WAN:)(LAN1:cable B)(LAN2:)(LAN3:)(LAN4:)]

The first LAN port of router A is connected into the first LAN port of router B, but both routers are in a different subnet.

Usually, when I set up two routers together, I do a double NAT configuration (LAN to WAN) or a LAN to LAN in the same subnet.

I know the following facts: In a double NAT configuration such as this one,

Internet [(cable A)]

Router A (192.168.0.x)[(WAN:cable A)(LAN1:cable B)(LAN2:)(LAN3:)(LAN4:)]

Router B (192.168.1.x)[(WAN:cable B)(LAN1:)(LAN2:)(LAN3:)(LAN4:)]

Hosts from router B can communicate with hosts from router A. Hosts from router A can't communicate with hosts from router B.

In a LAN to LAN in the same subnet configuration, any host can communicate with any other. It's the same subnet.

In the network configuration I plan to implement, LAN to LAN but in a different subnet, I noticed that hosts from both networks can't be reached. Is this a secure way to isolate networks, at least better than double NAT?

The connected router B gets an IP address in the router A subnet (192.168.0.x).

Also, I did not have to define any static routes to get internet access. I have difficulty understanding how this is possible, since router A's gateway does not ping.

mentallurg
pmbonneau
  • _"Hosts from router B can communicate with hosts from router A. Hosts from router A can't communicate with hosts from router B."_ not necessarily, have you tried adding a static route on an A host to the B subnet through B's WAN address? Also, it's unclear how the addressing works in your proposed scenario. – multithr3at3d Jun 25 '20 at 14:30
  • I haven't tried to add static routes to a LAN to WAN configuration, but in a default configuration, I noticed that communication between hosts is only possible from router B to A. – pmbonneau Jun 25 '20 at 14:41
  • sure, by default, but you can't rely on it for segregation if that is the case. – multithr3at3d Jun 25 '20 at 16:28
  • Does router B have multiple addresses? Are the multiple LAN ports part of a switch/bridge or are they separate interfaces? – multithr3at3d Jun 25 '20 at 16:45
  • No, router B has only one subnet (192.168.1.0/24) and all LAN ports are part of a switch. The setup is quite simple, two stock home routers but both are configured on a different subnet. Router A : 192.168.0.0/24 Router B : 192.168.1.0/24 One of the LAN ports of router A is connected to one of the LAN ports of router B. – pmbonneau Jun 25 '20 at 16:59
  • but you said _"The connected router B gets an IP address in the router A subnet (192.168.0.x)."_ so it must have multiple addresses on that interface – multithr3at3d Jun 25 '20 at 17:32
  • Yes, for example, I see a 192.168.0.4 device in the 192.168.1.x/24 subnet (router B device list). This 192.168.0.4 device is actually the address router B got from router A. – pmbonneau Jun 25 '20 at 21:44

2 Answers


By "secure", I'll assume you mean secure as in devices on one network are not able to communicate with devices on the other network.

In your scenario, you are physically connecting two networks together, since router A's network is plugged into a switch port on router B. This means that they are both part of the same broadcast domain and link-local network.

So, using the above definition of "secure", this is not secure at all. While devices configured this way will not be able to talk to the other network, all it takes for them to do so would be to add a secondary IP address that is on the other network. Attacks such as ARP spoofing are viable across the networks.

The proper solution would be to physically separate the networks, and manage traffic between them using firewall rules.

multithr3at3d

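The point of the answer above is that the two subnets share one layer-2 segment, so the "isolation" rests only on addressing. A defender can confirm this from any host on either subnet by looking at its neighbor (ARP) table: entries for addresses outside the local subnet mean that subnet is reachable without any routing, and one MAC answering for addresses in several subnets is exactly the "secondary IP address" case the answer describes (and matches the 192.168.0.4 entry the asker saw in router B's device list). The following is an added example, not code from the answer or the asker; the `ip neigh` output it parses is constructed, the addresses are made up, and a /24 prefix is assumed as in the question.

```python
import ipaddress

# Constructed sample of what `ip -4 neigh show dev eth0` might print on a host
# in router B's subnet (192.168.1.0/24) once the two routers' LAN ports are
# cabled together. All addresses and MACs here are made up for this example.
SAMPLE_NEIGH = """\
192.168.1.1 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.20 lladdr aa:bb:cc:00:00:14 STALE
192.168.0.1 lladdr aa:bb:cc:11:11:01 REACHABLE
192.168.0.4 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.30 FAILED
"""


def parse_neigh(text):
    """Parse `ip neigh` output into (ip, mac, state) tuples.

    Entries with no resolved link-layer address (state FAILED/INCOMPLETE
    print no `lladdr` token) get mac=None so callers can still see them.
    Any `dev <name>` tokens present in the output are simply ignored.
    """
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        ip = ipaddress.ip_address(tokens[0])
        mac = tokens[tokens.index("lladdr") + 1] if "lladdr" in tokens else None
        entries.append((ip, mac, tokens[-1]))
    return entries


def foreign_neighbors(text, local_iface):
    """Return neighbor IPs that lie outside the local interface's subnet.

    The neighbor table only holds hosts reached directly at layer 2, so any
    entry from another subnet proves the two subnets share one broadcast
    domain: no router is in the path, only a switch.
    """
    local = ipaddress.ip_interface(local_iface).network
    return [str(ip) for ip, _mac, _state in parse_neigh(text) if ip not in local]


def multihomed_macs(text, prefixlen=24):
    """Map each MAC that answers for addresses in more than one subnet to those addresses.

    A single interface holding addresses on both networks is the condition
    that lets a host bridge the two "isolated" subnets. The prefix length is
    an assumption (the question uses /24 on both routers).
    """
    by_mac = {}
    for ip, mac, _state in parse_neigh(text):
        if mac is None:
            continue
        by_mac.setdefault(mac, set()).add(ip)
    flagged = {}
    for mac, ips in by_mac.items():
        nets = {ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False) for ip in ips}
        if len(nets) > 1:
            flagged[mac] = [str(ip) for ip in sorted(ips)]
    return flagged


if __name__ == "__main__":
    # Local host assumed to sit at 192.168.1.10/24 on router B's LAN (constructed).
    for ip in foreign_neighbors(SAMPLE_NEIGH, "192.168.1.10/24"):
        print("foreign subnet reachable at layer 2:", ip)
    for mac, ips in multihomed_macs(SAMPLE_NEIGH).items():
        print("one MAC holds addresses in several subnets:", mac, ips)
```

On a real host, replace the constructed string with the output of `ip -4 neigh show dev <iface>`. An empty result from `foreign_neighbors` does not prove separation (the table only lists hosts that have exchanged traffic), but any non-empty result is conclusive evidence that the subnets are not separated at layer 2, which is the answer's point: only physically separate segments with firewall rules between them give real isolation.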

If you connect together two LAN ports from routers A and B, you are connecting just the switches; you are not using the routing capabilities between those boxes. If you want to segregate the networks, you should at least use a different network and media and introduce some security rule.

Trying to implement security by merely configuring routing rules between these devices may fall short. There should be some security rule to have a safe configuration. The NAT will hide the addresses in the internal side of the routers but there are no rules to block the packet flow between interfaces.

ram0nvaldez