Connecting two subnets with router

2

I'm trying to share a couple printers on two subnets and I keep running into issues. I'm trying to figure out the best way to achieve this while maintaining a public and private subnet.

Please refer to this diagram.

On the router in between LANs I've disabled DHCP and given it a static IP from the Wireless Router. I've been trying to forward ports for the printers through this router but since it is not acting as a DHCP server nothing seems to be going through.

I am able to connect to the remote management port (8080) from the wireless subnet (192.168.1.0/24) but nothing else.

Please advise and let me know if there is more information I can provide.

I want both LANs to have internet access, but I do not want the Public LAN to be able to access anything on the Private LAN except for the printer.

The OpenBSD machine has two interfaces currently which are used; we may have extra hardware kicking around that could be utilized if necessary.

The Wireless Router is a Cisco DPC3825, and I can log into it.

The router I am attempting to use to connect the LANs is an old LinkSys WRT54G.

Hyshka

Posted 2015-11-08T23:21:42.913

Reputation: 23

It may be useful to provide a diagram and explanation of what you are trying to do. Can you confirm you want to have a LAN with Internet access, in addition to Wireless connection on a network which is publicly accessible but should not be able to access the private subnet? Also - how many interfaces are there on your OpenBSD machine, and what can you tell us about the Wireless router (i.e. make, model, can you log into it or is it ISP equipment?) [There are at least 2 solutions to this problem, assuming I understand it correctly] – davidgo – 2015-11-09T01:07:58.287

Thanks for the reply, @davidgo. I've updated my question and added a network diagram. – Hyshka – 2015-11-09T04:05:06.243

Answers

1

The network you have seems to me to be unnecessarily complex and difficult to maintain. For the cost of an extra NIC in the OpenBSD server you can have a system which is much easier to control and maintain - and - I suspect - more secure as there is only 1 possible path onto the Internet for the Wireless router.

What I propose is a solution along the following lines: (Excuse the very quick diagram)

The idea here is to have the OpenBSD box handling all the routing for everything.

Disable DHCP on the Wifi router (actually disable everything, turn it into an Access Point), and run DHCP on the OpenBSD server for both the Protected and Guest Interfaces.

Put each Interface on a separate subnet (for example 192.168.100.0/24 and 192.168.101.0/24), so that in order for the unprotected stuff to communicate with the protected stuff (or the world) it needs to go through the OpenBSD server.

Do firewalling on the OpenBSD router to prevent unwanted communication.

You can do policy routing (if, for example, you want the Wifi router to only use one of the 2 modems). Of course, depending on your Link aggregation router you may have some work to do there - or indeed, you may want to get rid of it altogether and set your OpenBSD box to do the aggregation routing.

I note that I put the printer behind the Wifi Router = unprotected network. This makes the protected network more secure as it means that you don't need to allow connections from the unprotected network into the protected network. The flip side is it makes setting up printers on the protected network a bit harder as they won't be able to scan the subnet. The alternative would be to put the printers in the protected network and allow the unprotected network to access the printer through the firewall.

I note that I've done this using an additional Network card in the OpenBSD server. An alternative solution if your printer is VLAN capable would be to keep with 2 NICs, and then use VLANs on the switch to designate each network. This makes management easier and requires less hardware - but does make the assumption that VLANs are secure - an assumption which is open to question. If you go this route, and have a fancy printer, you may be able to make the printer accessible through both VLANs so it is easy to install - but this will depend on the printer and may not be practical.

(I greatly prefer the VLAN solution, BTW - Also, while I have done pretty much all of this, I've never used OpenBSD seriously - my solutions are all Linux based)

davidgo

Posted 2015-11-08T23:21:42.913

Reputation: 49 152
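
The firewalling step in the answer above, sketched as an OpenBSD `pf.conf` for the alternative layout it mentions (printer on the protected subnet, guests allowed through the firewall to the printer only). This is an added example, not part of the original answer. The interface names `em0`/`em1`/`em2`, the printer address 192.168.100.50 and the choice of print ports are assumptions; the two subnets are the ones suggested in the answer.

```pf
# /etc/pf.conf - constructed example; adjust names and addresses to your site.
# Routing between the interfaces also needs: sysctl net.inet.ip.forwarding=1

ext_if   = "em0"     # assumed: uplink toward the modems / aggregation router
prot_if  = "em1"     # assumed: protected LAN interface
guest_if = "em2"     # assumed: guest interface (Wi-Fi router as access point)

prot_net    = "192.168.100.0/24"
guest_net   = "192.168.101.0/24"
printer     = "192.168.100.50"        # hypothetical printer address
print_ports = "{ 515, 631, 9100 }"    # LPD, IPP, raw/JetDirect

set skip on lo

# Default deny: anything not explicitly passed below is dropped and logged.
block log all

# Drop packets whose source address belongs to a different interface's subnet.
antispoof quick for { $prot_if, $guest_if }

# NAT both internal subnets when they leave through the uplink.
match out on $ext_if inet from { $prot_net, $guest_net } nat-to ($ext_if)

# Filtering is done inbound; once accepted, traffic may leave any interface.
pass out all

# Protected LAN: unrestricted. pf keeps state, so replies are allowed back
# without a matching rule on the other side.
pass in on $prot_if inet from $prot_net

# Guest LAN: anywhere EXCEPT the protected subnet (Internet, the firewall's
# own guest-side address for DNS and similar services)...
pass in on $guest_if inet from $guest_net to ! $prot_net

# ...plus the single exception: print services on the one printer host.
pass in on $guest_if inet proto tcp from $guest_net to $printer \
    port $print_ports
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and confirm from a guest client that the printer ports answer while any other protected address does not.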

Thanks for your answer, @davidgo. Very thorough and I think it's a good solution. I was hesitant to modify the network topology but since I think it's the best way to do this now, I will consult with my client. – Hyshka – 2015-11-09T15:26:24.217