Network within a network

0

I will start by giving you a Noob Alert. Sorry, we have to learn somewhere.

I just wanted to run an idea past you.

I have set up a home server to host a couple of games for my friends. To get a dedicated IP I have connected my server to a static-IP VPN provider. Everything is connecting great and the server is running most of the time, except when I break something not relevant to this post.

I am thinking of creating an extra layer of protection for my network. Is it possible to create a network within a network? I have heard of something called a VLAN, but I don't have the hardware to do this.

What I am thinking is to use an old Netgear router, connect it to my network via the WAN port and set it so it runs on a different IP range.

Would this work, and is there anything else I would need to think about?

larkum

Posted 2019-09-25T05:04:19.197

Reputation: 3

3

What do you really want to achieve? How do you plan to gain additional security? Which real security threats do you hope to remedy with some technical solution? – Nikita Kipriyanov – 2019-09-25T05:39:00.903

My concern is that if someone breaks into my server via one of the many open ports, they then have access to the rest of my network. My thinking is that if my server is within its own network, then if my server is compromised they have nowhere to go. – larkum – 2019-09-25T06:20:29.967

Consider running an encrypted VPN between you and your friends with keys only your friends have access to. That adds an additional layer of security. You can run the additional VPN on top of the VPN of your provider. Your friends can then connect to this additional VPN. There are a number of open-source VPN implementations you can use for this. – dirkt – 2019-09-25T08:07:50.840

As @dirkt has suggested, using a private encrypted VPN would be best, without exposing ports externally. Depending on the number of users, a service like "Hamachi" could work for you; it is free for up to 5 computers and is fairly priced if you want to use more - https://www.vpn.net/ – CraftyB – 2019-09-25T10:17:34.580

Unless the Netgear router is supported by an open-source OS (OpenWrt, DD-WRT, etc.), you'll likely be inducing insecurity rather than security, due to the lack of security patches that router will have. Routers, even new ones, are End-Of-Life after one year, two at most, by the manufacturer, so unless it's supported by OpenWrt, DD-WRT, etc., I wouldn't recommend running it on any network. OpenWrt also has a wealth of HowTo wikis to guide you in setting up VLANs that are firewalled. – JW0914 – 2019-09-25T11:18:06.793

Answers

2

The concept of a network within a network within a network doesn't really exist. What you do have is interconnected networks with restrictions between them, and networks subdivided into segments.

VLANs are a mechanism for separating a single physical network into multiple networks on the same switching infrastructure, where traffic between the different networks is for the most part kept separate or forced through a switch.

Daisy chaining routers as you propose will give a higher degree of isolation to the devices behind the innermost network, at the cost of potential "double NAT" issues, i.e. translating "non-routed" addresses (properly known as RFC 1918 addresses) into a second non-routed address. This can create problems with some complex protocols and can be difficult to debug, but often works in practice. You need to make sure that the IP ranges of the LAN ports of each router are different, e.g. change the inner router to use IP addresses in the 10.0.0 range if the outer one is using the more common 192.168 range.

davidgo

Posted 2019-09-25T05:04:19.197

Reputation: 49 152

2

The 2nd router doesn't have to use NAT though. It can still be a separate firewalled network with just direct routing. – user1686 – 2019-09-25T13:15:42.813

@grawity Does it still add a bit of security though (albeit at perhaps quite a cost)? As there will be no "return route" needed in the "outer" router, the server will have no way to reach the "inner" network. – Tom Yan – 2019-09-25T14:24:10.053

@Tom: If you have admin access on this server, and you're exactly one subnet away from the "inner" network, then you can just add the same route on the server itself. It's not the NAT that protects the inner network – it's the firewall that does (which is configured to deny inbound connections by default on a home router). So you'd have the same amount of protection either way. – user1686 – 2019-09-25T14:53:45.530

@grawity Huh? Can you revisit your above statement? It makes no sense to me, and I know you know your stuff, and I know that NAT "security" is a weak byproduct of its utility, but I can't see how you are correct on either count. Maybe we are interpreting the setup very differently? – davidgo – 2019-09-25T18:49:22.027

@davidgo: I'm not sure which parts you mean? – user1686 – 2019-09-26T04:34:32.690

@grawity I am aware of that. What I mean is, if the outer router doesn't have the route, when it is compromised the inner network is less likely to be known to exist because of that, no? Also one will have to figure out what the route should be then. – Tom Yan – 2019-09-27T03:30:05.687

Well yes, it's less likely to be known to exist in the first place, but I wouldn't count on that as the primary layer of protection. – user1686 – 2019-09-27T05:37:52.430

0

I will answer the base question about security rather than the network question which will not improve security. The reason is that if your server is visible on the Internet then it is attackable, no matter how many routers or networks this connection traverses.

You will get much better protection by running your server in a virtual machine. This way, a successful attacker will at most corrupt the guest VM, but not the host computer. If you keep a copy of the VM, it can in case of infection be deleted and replaced by the healthy copy.

The VM can be visible on the local network, indistinguishable from a physical machine, and you can port-forward to it the game ports just the same as you now do to the host.

harrymc

Posted 2019-09-25T05:04:19.197

Reputation: 306 093

0

You want to put your server inside a DMZ zone.

In computer networks, a DMZ (demilitarized zone), also sometimes known as a perimeter network or a screened subnetwork, is a physical or logical subnet that separates an internal local area network (LAN) from other untrusted networks, usually the internet. External-facing servers, resources and services are located in the DMZ. So, they are accessible from the internet, but the rest of the internal LAN remains unreachable.

How to do it:

There are various ways to design a network with a DMZ. The two basic methods are to use either one or two firewalls. A single firewall with at least three network interfaces can be used to create a network architecture containing a DMZ. The external network is formed by connecting the public internet -- via internet service provider (ISP) connection -- to the firewall on the first network interface, the internal network is formed from the second network interface and the DMZ network itself is connected to the third network interface.

You utilize firewall rules to isolate the DMZ network. Exact configuration may vary, but in your case you just need to block all traffic coming from the DMZ interface (network) towards your internal network (network interface). So having a device with firewall capabilities is a must, although if you have a managed switch lying around you could do it with ACLs too.

What I am thinking is using an old netgear router, connect it to my network via the WAN port and set it so it runs on a different IP range.

This idea of yours could do the trick, but only if you put your internal network behind that Netgear router and by doing so "hide" it behind the "IP masquerade" or NAT.

IP masquerading is a technique that hides an entire IP address space, usually consisting of private IP addresses, behind a single IP address in another, usually public address space. The hidden addresses are changed into a single (public) IP address as the source address of the outgoing IP packets so they appear as originating not from the hidden host but from the routing device itself. Because of the popularity of this technique to conserve IPv4 address space, the term NAT has become virtually synonymous with IP masquerading.

Network Address Translation (NAT) is a process in which one or more local IP addresses are translated into one or more global IP addresses and vice versa in order to provide Internet access to the local hosts. It also translates port numbers, i.e. masks the port number of the host with another port number in the packet that will be routed to the destination. It then makes the corresponding entries of IP address and port number in the NAT table. NAT generally operates on a router or firewall.

Leshy

Posted 2019-09-25T05:04:19.197

Reputation: 124
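To make the "block all traffic from the DMZ towards the internal network" rule above concrete, here is an added nftables ruleset (not part of the original thread) for the single-firewall, three-interface DMZ design described in this answer. It assumes eth0 is the WAN/VPN uplink, eth1 the internal LAN, eth2 the DMZ, the 10.0.0 range suggested in davidgo's answer for the DMZ, and a placeholder game server address and port. As user1686 notes in the comments on the other answer, it is the forward chain, not the masquerade, that protects the LAN; masquerading is only applied on the uplink.

```nft
# Added example, not from the thread: single firewall with three
# interfaces. Names, subnets, server address and port are assumptions.
define wan       = eth0            # uplink / VPN provider side
define lan       = eth1            # internal network
define dmz       = eth2            # DMZ holding the game server
define game_srv  = 10.0.0.10       # assumed game server address in the DMZ
define game_port = 27015           # placeholder; use your game's port(s)

flush ruleset

table inet dmzfw {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        iifname $lan accept        # only the LAN may manage the firewall
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # LAN may initiate to the internet and to the DMZ.
        iifname $lan oifname { $wan, $dmz } accept
        # DMZ may initiate to the internet only. There is deliberately
        # no "$dmz -> $lan" accept rule: that is the isolation.
        iifname $dmz oifname $wan accept
        # Internet may reach the game server on the game port only
        # (the DNAT rule below has already rewritten the destination).
        iifname $wan oifname $dmz ip daddr $game_srv tcp dport $game_port accept
        iifname $wan oifname $dmz ip daddr $game_srv udp dport $game_port accept
        # Log anything the DMZ tries against the LAN; hits here are an
        # early sign that the server has been compromised.
        iifname $dmz oifname $lan log prefix "dmz-to-lan: " drop
    }
}

table ip dmznat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Port-forward the game port from the uplink to the DMZ server.
        iifname $wan tcp dport $game_port dnat to $game_srv
        iifname $wan udp dport $game_port dnat to $game_srv
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        # Masquerade on the uplink only; NAT is not what protects the LAN.
        oifname $wan masquerade
    }
}
```

Load it with `nft -f <file>` on the firewall host and watch the kernel log for the "dmz-to-lan:" prefix to confirm the DMZ really cannot reach the LAN.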

Honestly, I hardly see how putting the server in a DMZ could be safer than only port forwarding what he needs, as it makes it easier to compromise the server. DMZ doesn't prevent the server from accessing the LAN, does it? – Tom Yan – 2019-09-25T13:27:22.607

@TomYan Well, if he "just port forwards what he needs" and doesn't isolate his server from the rest of his network, when that server gets compromised the rest of his network is wide open. – Leshy – 2019-09-25T13:37:29.450

That's exactly what I meant; does DMZ do the latter? More precisely, do most consumer-grade routers' DMZ features do that? – Tom Yan – 2019-09-25T13:41:28.813

Btw you quoted a lot that tells how NAT/masquerading works, but didn't really explain whether it helps in his case. – Tom Yan – 2019-09-25T13:50:00.433

@TomYan It does; if you follow the links I've given in my response you will realise that DMZ is a setup, not a feature. I'll quote myself: "You utilize firewall rules to isolate the DMZ network. Exact configuration may vary, but in your case you just need to block all traffic coming from the DMZ interface (network) towards your internal network (network interface). So having a device with firewall capabilities is a must, although if you have a managed switch lying around you could do it with ACLs too." – Leshy – 2019-09-25T13:53:19.643

@TomYan To answer your second question, I will quote myself again: "This idea of yours could do the trick, but only if you put your internal network behind that Netgear router and by doing so "hide" it behind the "IP masquerade" or NAT." I have provided reference links inside my proposed answer. – Leshy – 2019-09-25T13:56:54.487

That's where the confusing part comes in. I use the word "feature" for a reason. Consumer-grade routers usually provide a simple "switch" for you to enable DMZ for a host. What I mean is, I don't see a very concrete definition/specification of DMZ here. For example, I can't tell if my router includes any firewall rules to isolate its DMZ setup when enabled, unless I test it myself. In fact, many routers may not even allow you to add firewall rules. That's why I find "put your server in DMZ" as an answer a bit reckless/careless. – Tom Yan – 2019-09-25T14:13:26.400