Home network with two isolated separate subnets, running on cablemodem/router and WRT-router

6

1

I have a new connection with a nice new router/cable-modem. I'd like to set it up optimally and need some pointers. I am a complete n00b when it comes to routing.

I want to end up with two separate subnets, 10.1.2.0/24 and 192.168.1.0/24 each available on their own wireless channel/SSID. Both firewalled. I want my wired computers on the gigabit switch, optimally with public ips. I want to be able to reach 192.168.1.0/24 from 10.1.2.0/24, but not vice versa. Everyone should have internet access.

Hardware and capabilities:

Netgear CG3100. Handles cable connection. Gigabit switch. 802.11n. Can do DHCP, firewall, NAT etc. Can choose subnet. Can turn off NAT and if so hand out up to 4 public IPs. Somewhat challenged when it comes to configuration.

WRT-router. Runs DD/Open-WRT very stable. 100 Mbit switch. 802.11g. Can do DHCP, firewall, NAT etc. Can choose subnet. Highly configurable.

I hope to be able to keep 10.1.2.0/24 on the CG3100, for speed reasons and 192.168.0.0/24 on the WRT-router for quota and user control reasons. On my 10.1.2.0/24 network I plan on running servers for various services.

Should I turn off NAT on the WRT-router? Or on the cable modem? Activate what in that case? Is double NAT always f-ed up?

Johan Allgoth

Posted 2010-05-25T13:06:29.467

Reputation: 231

This is a bit old. Do you still want to achieve this? I know a way. – Mucker – 2011-06-28T13:23:09.910

@Mucker you and others that can should answer it anyway because it's for the database – barlop – 2011-09-11T19:56:15.897

Answers

2

  • set up CG3100 with NAT for 10.1.2.0/24 to internet and WRT with NAT for 192.168.0.0/24 to one address from 10.1.2.0/24 only if the destination is not in 10.1.2.0/24 space, or else block all packets from 192.168.0.0 to 10.1.2.0 with state new
  • set up a route for 192.168.0.0/24 via the WRT IP on the CG3100, or a static route on every host in 10.1.2.0/24 (via DHCP if possible)

migabi

Posted 2010-05-25T13:06:29.467

Reputation: 36
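As an added example that is not part of migabi's answer or the original thread: the two bullets written out as iptables rules for the WRT router, plus a small function that mirrors what those rules do to a single forwarded packet (so the "10 can open connections to 192, but not the reverse" behaviour can be checked). Assumed, because the thread does not say: the WRT's own address in 10.1.2.0/24 is 10.1.2.2, its LAN interface is br-lan and its uplink interface is eth0.1.

```python
# Added example, not code from the thread. Models migabi's WRT ruleset:
# NAT 192.168.0.0/24 only towards destinations outside 10.1.2.0/24, and drop
# NEW connections from the 192 side into the 10 side while letting replies back.
import ipaddress

NET_10 = ipaddress.ip_network("10.1.2.0/24")      # CG3100 side, runs the servers
NET_192 = ipaddress.ip_network("192.168.0.0/24")  # WRT side
WRT_UPLINK_IP = "10.1.2.2"                        # assumed WRT address in the 10 range
LAN_IF, WAN_IF = "br-lan", "eth0.1"               # assumed OpenWrt interface names


def wrt_rules():
    """iptables commands for the WRT implementing the two bullets above."""
    return [
        "iptables -P FORWARD DROP",
        # replies to connections opened from the 10 side still flow back
        "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
        # block connections opened from the 192 side towards the 10 side
        f"iptables -A FORWARD -i {LAN_IF} -s {NET_192} -d {NET_10} -m state --state NEW -j DROP",
        # everything else from the 192 side (internet) is allowed out
        f"iptables -A FORWARD -i {LAN_IF} -s {NET_192} -j ACCEPT",
        # the 10 side may open connections into the 192 side
        f"iptables -A FORWARD -i {WAN_IF} -s {NET_10} -d {NET_192} -j ACCEPT",
        # NAT only when the destination is NOT in 10.1.2.0/24; 10<->192 traffic is plainly routed,
        # which is why the CG3100 (or each host in 10.1.2.0/24) needs: route 192.168.0.0/24 via 10.1.2.2
        f"iptables -t nat -A POSTROUTING -o {WAN_IF} -s {NET_192} ! -d {NET_10} "
        f"-j SNAT --to-source {WRT_UPLINK_IP}",
    ]


def wrt_decision(src, dst, state):
    """What the rules in wrt_rules() do with one packet in the WRT's FORWARD path."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"                 # conntrack lets replies through in either direction
    if src in NET_192 and dst in NET_10:
        return "DROP"                   # new connection from 192 into 10: blocked
    if src in NET_192:
        return f"ACCEPT+SNAT:{WRT_UPLINK_IP}"   # 192 to the internet: NATed to the WRT uplink
    if src in NET_10 and dst in NET_192:
        return "ACCEPT"                 # 10 opening a connection into 192: routed, no NAT
    return "DROP"                       # anything else hits the FORWARD policy


if __name__ == "__main__":
    print("\n".join(wrt_rules()))
    for pkt in [("10.1.2.50", "192.168.0.10", "NEW"), ("192.168.0.10", "10.1.2.50", "ESTABLISHED"),
                ("192.168.0.10", "10.1.2.50", "NEW"), ("192.168.0.10", "203.0.113.9", "NEW")]:
        print(pkt, "->", wrt_decision(*pkt))
```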

2

OK, I'll answer it then. The easiest and quickest solution is to use the CG3100 as the main router but change the subnet to the 192 one. Keep NAT enabled on it. Now configure the second router using the 10 range, also using NAT. It is that simple. Why have I done it this way?

  1. You want the 192 accessible from the 10 range. By putting the 10 range behind the second NAT, OUTBOUND connections are allowed. When a 10. IP tries to access 192 it is NATed through the WRT router and can access all 192 PCs and resources without any additional routing config or firewall config. As far as the WRT is concerned 192 IPs are external, and most routers with NAT enabled allow all outbound access but block ALL incoming access by default. Which brings me onto point 2.

  2. You want the 10 range to be NON accessible from the 192 range. The default config for NAT is to block incoming connections so 192 can't get through the WRT to the 10 range as it will be blocked.

On my 10.1.2.0/24 network I plan on running servers for various services.

This is also easily achievable. If you haven't noticed yet, in my solution your subnets are swapped, so these servers will now be on the 192 range, and since they are behind the first NAT device you eliminate any double NAT problems you may have come across.

I'm here all day! ;-)

Mucker

Posted 2010-05-25T13:06:29.467

Reputation: 787

1

I don't think it makes sense to say "X can reach Y, but not vice-versa". What would the point be of being able to reach a machine that couldn't reach you? How would you even know you had succeeded?

David Schwartz

Posted 2010-05-25T13:06:29.467

Reputation: 58 310