How to create a separate subnet for wireless access?


I need to configure my wireless router so all wireless devices are on a different subnet (192.168.2.1).

The wireless devices should be able to access the internet, but ideally not the workstations on the LAN.

Here is my network:

[network diagram omitted]

All suggestions welcome!

Austin ''Danger'' Powers

Posted 2013-03-22T01:40:02.060

Reputation: 5 992

What are the make/models of the default gateway router and the core switch? This can be straightforward provided they both support VLANs. – Paul – 2013-03-22T02:03:47.627

A little more information on what you're currently running is needed. Is this a home network (I assume not) or a business/work network? What model of wireless controller/router do you have? etc.. – Josh – 2013-03-22T02:49:55.607

It's actually a non-profit organization. I don't have the models of the routers with me right now, but it's all residential-grade equipment. I don't think VLANs are an option this time. – Austin ''Danger'' Powers – 2013-03-22T03:09:08.813

Answers


The way to accomplish this using consumer-grade equipment is a 3-router Y configuration.

[diagram of the 3-router Y configuration omitted]

By setting the two routers up using the same subnet but on different "LAN"s it is impossible for one network to talk to the other network.

Think of it this way: you have a computer on LAN A with an IP of 192.168.1.2 and one of the wireless clients on LAN B with an IP of 192.168.1.3. If on LAN B you request 192.168.1.2 (one of the wireless clients trying to connect to a wired client), it goes to LAN B's router, which sees that it is a request for the 192.168.1.x subnet and does not forward the packet any further up the chain (it could, but it would not matter; see the lower section of this answer). It also sees that it does not know of any computer at 192.168.1.2 (the only computer it knows about is 192.168.1.3) and reports back to the original computer "destination host unknown". If we request any IP other than 192.168.1.x, it will use the gateway and continue on to the internet to try and resolve your IP connection.

This gives you complete security on your network: two LANs that are physically unable to talk to each other, while both can still connect to the internet.


Depending on how your wireless router's firmware works, you may be able to do it with two routers by just moving the connection of the wireless router from its LAN port to its WAN port. However, you can only do this if the wireless router does NOT forward requests it can't resolve to the gateway for its own subnet (so in my previous example the wireless router must NOT check the WAN port for 192.168.1.2 in the two-router configuration). The upside to this is that, if your router does behave the way you want, you don't need to buy any additional hardware.

In the 3-router Y configuration it does not matter whether the router forwards requests or not, because on the Y LAN there are no 192.168.1.x computers, only the two routers' WAN interfaces, which are both 192.168.0.x.


Here is a new diagram that is closer to your original diagram to help explain it. [diagram omitted]

Scott Chamberlain

Posted 2013-03-22T01:40:02.060

Reputation: 28 923
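To make the routing argument in this answer concrete, here is an added example that is not part of the answer: a small Python model of how each hop chooses between a directly connected subnet and its default gateway, with an optional forwarding filter standing in for an iptables FORWARD rule. The host names (`pc`, `phone`, `wifi-router`, `wired-router`, `gateway`, `isp-host`), the 203.0.113.0/24 "internet" segment and the `blocked` pairs are assumptions; the addresses follow the answer's numbering (192.168.1.x on both LANs, 192.168.0.x on the Y segment) and the 192.168.2.x subnet from the question for the two-router variant. NAT, ARP timing and DHCP are deliberately left out.

```python
"""Route-and-filter model of the two-router and three-router ("Y") layouts.

Added example, not code from the answer. Host names, addresses and the
``blocked`` filter pairs are assumptions chosen to match the answer's
numbering; the model covers connected-route preference, default gateways
and a FORWARD-chain style drop rule, and ignores NAT, ARP timing and DHCP.
"""
from ipaddress import ip_address, ip_interface, ip_network


class Node:
    def __init__(self, name):
        self.name = name
        self.ifaces = {}      # segment name -> ip_interface (address + network)
        self.gateway = None   # default gateway address, or None
        self.blocked = []     # (src_net, dst_net) pairs dropped when forwarding


class Topology:
    def __init__(self):
        self.nodes, self.segments = {}, {}

    def attach(self, name, segment, cidr, gateway=None):
        """Put an interface of node `name` on a broadcast segment."""
        node = self.nodes.setdefault(name, Node(name))
        iface = ip_interface(cidr)
        node.ifaces[segment] = iface
        self.segments.setdefault(segment, {})[iface.ip] = node
        if gateway:
            node.gateway = ip_address(gateway)
        return node

    def _connected(self, node, addr):
        # Connected routes beat the default route (longest-prefix match), so a
        # destination inside a local subnet is resolved on that segment only.
        for seg, iface in node.ifaces.items():
            if addr in iface.network:
                return seg, self.segments[seg].get(addr)
        return None, None

    def trace(self, src_name, dst, max_hops=8):
        """Follow a packet from src to dst; returns (path, verdict)."""
        src = self.nodes[src_name]
        src_ip = next(iter(src.ifaces.values())).ip
        dst = ip_address(dst)
        node, path = src, [src.name]
        for _ in range(max_hops):
            if node is not src and any(src_ip in s and dst in d for s, d in node.blocked):
                return path, "dropped by filter on " + node.name
            seg, target = self._connected(node, dst)
            if seg is not None:
                if target is None:       # nobody answers ARP on that segment
                    return path, "no host %s on segment %s" % (dst, seg)
                path.append(target.name)
                return path, "delivered"
            _, nxt = self._connected(node, node.gateway) if node.gateway else (None, None)
            if nxt is None:
                return path, "no route on " + node.name
            path.append(nxt.name)
            node = nxt
        return path, "hop limit exceeded"


def y_layout(filter_y=False):
    """Three-router Y: both sub-routers use 192.168.1.0/24 behind 192.168.0.0/24."""
    t = Topology()
    t.attach("isp-host", "internet", "203.0.113.10/24")
    t.attach("gateway", "internet", "203.0.113.2/24")
    t.attach("gateway", "y", "192.168.0.1/24")
    t.attach("wired-router", "y", "192.168.0.2/24", gateway="192.168.0.1")
    t.attach("wired-router", "lan", "192.168.1.1/24")
    t.attach("wifi-router", "y", "192.168.0.3/24", gateway="192.168.0.1")
    t.attach("wifi-router", "wlan", "192.168.1.1/24")
    t.attach("pc", "lan", "192.168.1.2/24", gateway="192.168.1.1")
    t.attach("phone", "wlan", "192.168.1.3/24", gateway="192.168.1.1")
    if filter_y:  # assumed drop rule on the wifi router for the Y segment
        t.nodes["wifi-router"].blocked.append(
            (ip_network("192.168.1.0/24"), ip_network("192.168.0.0/24")))
    return t


def two_router_layout(block_lan=False):
    """Two routers: wifi router's WAN port on the wired LAN, wifi on 192.168.2.0/24."""
    t = Topology()
    t.attach("isp-host", "internet", "203.0.113.10/24")
    t.attach("gateway", "internet", "203.0.113.2/24")
    t.attach("gateway", "lan", "192.168.1.1/24")
    t.attach("pc", "lan", "192.168.1.2/24", gateway="192.168.1.1")
    t.attach("wifi-router", "lan", "192.168.1.50/24", gateway="192.168.1.1")
    t.attach("wifi-router", "wlan", "192.168.2.1/24")
    t.attach("phone", "wlan", "192.168.2.10/24", gateway="192.168.2.1")
    if block_lan:  # assumed drop rule on the wifi router for the wired LAN
        t.nodes["wifi-router"].blocked.append(
            (ip_network("192.168.2.0/24"), ip_network("192.168.1.0/24")))
    return t


if __name__ == "__main__":
    for label, topo in [("Y", y_layout()), ("Y+filter", y_layout(True)),
                        ("2-router", two_router_layout()),
                        ("2-router+filter", two_router_layout(True))]:
        for dst in ("192.168.1.2", "192.168.0.2", "203.0.113.10"):
            print(label, "phone ->", dst, *topo.trace("phone", dst))
```

In the Y layout the phone's packet for 192.168.1.2 never leaves its own segment, as the answer describes, while 203.0.113.10 is reached through both routers. The same model shows what the overlap does not cover: the 192.168.0.x addresses on the Y segment (the routers' own interfaces) are reachable from the wireless side unless the wireless router drops them, which is what the `filter_y` flag represents. In the two-router variant with distinct subnets, the wireless router forwards 192.168.2.x traffic straight to 192.168.1.2 unless it carries a drop rule, which is the `block_lan` flag.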

@ScottChamberlain Sorry to bring up such an old question. I was thinking of setting up a similar system but was wondering if a guest laptop on the wifi could still send a request to devices (e.g. the LAN router), since the wifi router knows that it will resolve any IP of 192.168.0.x/24 through the WAN port. Could you please advise? – toffee.beanns – 2018-08-22T15:45:34.360

@toffee.beanns No, it cannot. The entire point of this configuration is to prevent guest laptops on the wifi from accessing anything not on the wifi. – Scott Chamberlain – 2018-08-22T19:19:32.297

So just to check: there would be no physical connection between the 2 routers at the bottom of the diagram? And those 2 routers (192.168.1.101 & 192.168.1.102) are connected to the gateway router by their WAN ports? – Austin ''Danger'' Powers – 2013-03-22T17:00:37.640

@Dan Correct, in the above diagram the light blue is the WAN ports and the orange is the LAN ports. However, one correction about what you said: you had the IPs of the WAN ports wrong. All of the computers past the 2nd set of routers (on both networks) have IPs in the 192.168.1.x range, but all of the machines on the Y network (and in this configuration it should only be the internet router's LAN side and the two sub-routers' WAN side) will have IPs in the 192.168.0.x range. – Scott Chamberlain – 2013-03-22T17:55:09.937

@Dan Added a new diagram to be closer to your original one to help explain. – Scott Chamberlain – 2013-03-22T18:14:09.213

Thanks for the detailed answer; the diagrams really helped. Incidentally, the reason I wanted to do this was to stop my Spiceworks network scans of the LAN picking up personal devices (iPhones and Android devices were rapidly cluttering up my inventory of their site with "generic" devices, it seems the same ones multiple times due to DHCP). Today I assigned all 20 workstations a static IP, and set Spiceworks to just scan that specific range. Security wasn't the main issue for me at this site, more just getting a nice clean inventory which only ever shows the 20 workstations. Works now though! – Austin ''Danger'' Powers – 2013-03-23T01:17:16.150

My boss a couple of years ago (a former network admin) told me "it is possible to put the wireless network on a different subnet, without the use of additional routers" (e.g. gateway router 192.168.1.1; wireless router: 192.168.0.1). According to him, this would secure the internal network against attacks from wireless clients. I tried it, but wireless clients could not obtain IP addresses from the DHCP server on the LAN. No connectivity at all. I tried connecting both LAN and WAN ports but neither worked. Was he wrong about being able to achieve that without additional routers? – Austin ''Danger'' Powers – 2013-11-23T10:03:55.553

If you have a higher end router (commercial grade instead of consumer grade) you can create the Y configuration entirely in software. See Ultrasawblade's answer, he is describing that kind of router. – Scott Chamberlain – 2013-11-23T14:34:37.093

Thanks. I guess he was wrong, given that he knew the routers were only cheap, consumer-grade ones. – Austin ''Danger'' Powers – 2013-11-23T17:59:27.273

You can do it in consumer-grade routers too if you are using a more powerful custom firmware (dd-wrt, tomato, etc.) that lets you write directly to the underlying Linux system's iptables command. – Scott Chamberlain – 2013-12-30T20:11:44.607


I'm assuming your wireless router is a sub-$100 one you'd buy at a department store.

You really need a router with 3 interfaces. A PC running Linux with 3 network cards does this nicely: one NIC is the WAN, the second NIC is connected to your LAN hosts, and the third is what your wireless router is plugged into. You can then run a DHCP server on the Linux box listening on, and giving out IPs for, the LAN and WLAN interfaces.

You're in for a bit of iptables configuration in order to make sure the WLAN hosts can't talk to the LAN hosts (relatively simple since they are on separate subnets).

You could also put the LAN hosts behind their own router, and configure any SPI firewall settings on the wireless and wired router to drop traffic from the other subnet. Note that in this situation you'll need a separate DHCP server running on each subnet since broadcast traffic isn't forwarded by routers.

You could also, if the wireless router supports it, tell it to block all outgoing traffic originating from behind it to the subnet that your wired LAN is on.

LawrenceC

Posted 2013-03-22T01:40:02.060

Reputation: 63 487
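For the three-NIC Linux router described in this answer, here is an added example (not LawrenceC's own code) of the iptables and dnsmasq configuration that does the isolation, written as a Python script that prints the commands by default and applies them with `--apply`. The interface names `eth0`/`eth1`/`eth2`, the subnets and the DHCP ranges are assumptions; it also assumes the wireless router is used as a plain access point with its own DHCP server switched off and its LAN port cabled to the third NIC, and that the INPUT chain carries no earlier blanket ACCEPT. The `verdict` function mirrors iptables' first-match evaluation of the FORWARD chain so the rule order can be checked before anything is applied.

```python
"""Firewall and DHCP for the three-NIC Linux router: an added example, not the
answer's own code. Interface names, subnets and DHCP ranges are assumptions,
and the wireless router is assumed to be used as a plain access point with its
own DHCP server off and its LAN port cabled to WLAN.
"""
import subprocess
import sys

WAN, LAN, WLAN = "eth0", "eth1", "eth2"            # assumed interface names

# FORWARD chain, in order. iptables is first-match, so the WLAN<->LAN drops sit
# before the permits to WAN, and replies to flows that a permitted side opened
# are accepted first so LAN->internet and WLAN->internet sessions get answers.
FORWARD_POLICY = "DROP"
FORWARD_RULES = [
    {"state": "ESTABLISHED,RELATED", "target": "ACCEPT"},
    {"in": WLAN, "out": LAN, "target": "DROP"},
    {"in": LAN, "out": WLAN, "target": "DROP"},
    {"in": LAN, "out": WAN, "target": "ACCEPT"},
    {"in": WLAN, "out": WAN, "target": "ACCEPT"},
]


def verdict(in_if, out_if, established=False):
    """What the FORWARD chain does with a packet from in_if to out_if
    (first matching rule wins, otherwise the chain policy)."""
    for rule in FORWARD_RULES:
        if "state" in rule and not established:
            continue
        if rule.get("in", in_if) != in_if or rule.get("out", out_if) != out_if:
            continue
        return rule["target"]
    return FORWARD_POLICY


def render(rule):
    """Turn one FORWARD rule into an iptables command line."""
    cmd = ["iptables", "-A", "FORWARD"]
    if "in" in rule:
        cmd += ["-i", rule["in"]]
    if "out" in rule:
        cmd += ["-o", rule["out"]]
    if "state" in rule:
        cmd += ["-m", "conntrack", "--ctstate", rule["state"]]
    return cmd + ["-j", rule["target"]]


def commands():
    """Every command, in order, that turns the box into the isolating router."""
    cmds = [["sysctl", "-w", "net.ipv4.ip_forward=1"],
            ["iptables", "-F", "FORWARD"],
            ["iptables", "-P", "FORWARD", FORWARD_POLICY]]
    cmds += [render(r) for r in FORWARD_RULES]
    cmds += [["iptables", "-t", "nat", "-A", "POSTROUTING", "-o", WAN, "-j", "MASQUERADE"],
             # The router itself: wireless clients get DHCP and DNS from it and
             # nothing else. Assumes the INPUT chain has no earlier blanket ACCEPT.
             ["iptables", "-A", "INPUT", "-i", WLAN, "-p", "udp", "--dport", "67", "-j", "ACCEPT"],
             ["iptables", "-A", "INPUT", "-i", WLAN, "-p", "udp", "--dport", "53", "-j", "ACCEPT"],
             ["iptables", "-A", "INPUT", "-i", WLAN, "-j", "DROP"]]
    return cmds


def dnsmasq_config():
    """One dnsmasq instance serves both subnets: it picks the dhcp-range whose
    subnet matches the address of the interface the request arrived on, and the
    router/DNS options default to that interface's own address."""
    return "\n".join([
        f"interface={LAN}",
        f"interface={WLAN}",
        "bind-interfaces",
        "dhcp-authoritative",
        "dhcp-range=192.168.1.100,192.168.1.200,255.255.255.0,12h",   # wired LAN
        "dhcp-range=192.168.2.100,192.168.2.200,255.255.255.0,2h",    # wireless
    ]) + "\n"


def apply_all():
    """Run the commands for real (needs root)."""
    for cmd in commands():
        subprocess.run(cmd, check=True)


if __name__ == "__main__":
    if "--apply" in sys.argv:
        apply_all()
    else:
        for cmd in commands():
            print(" ".join(cmd))
        print(dnsmasq_config())
```

Because routers do not forward DHCP broadcasts, each subnet needs a DHCP responder on its own segment; here that is the same dnsmasq process bound to both inner interfaces, which is why the wireless router's built-in DHCP server has to be off. Swap the assumed interface names for the real ones (`ip link`) before running with `--apply`.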