
Isolating two networks

Discussion in 'Networking Issues' started by wes_123, Aug 11, 2008.

  1. wes_123

    wes_123 Addicted to LI Member

    I am trying to build a cheap hotspot for a friend of mine who owns a restaurant with the equipment I have.

    He has an existing D-LINK router which has a private IP of 192.168.0.1, a computer using 192.168.0.2 and a Camera system using 192.168.0.3.

    I decided to pick up a Linksys WRT54G V6 and double NAT it on purpose. I set an IP of 10.0.0.1 on the Linksys, enabled DHCP and turned on the unsecured wireless. I plugged the WAN port of the Linksys into one of the LAN ports of the D-Link and it works great. His customers can pick up the wireless and use the Internet, and as of yet I have not heard any complaints even though it's a double NAT.

    The reason I did it on a double NAT was obviously to keep the people on the wireless separated from the owner's computer and the camera system. BUT it appears that even though you get a 10.0.0.x IP, with a 10.0.0.1 gateway from the DHCP server of the Linksys, you can access the 192.168.0.x network like you are on it.

    An example is, if you connect wirelessly you get an IP such as 10.0.0.100. You can go to your run box and type \\192.168.0.2 and with a password you gain access to the owner's computer.

    In an attempt to see where the problem lies I have changed the stock firmware of the Linksys to DD-WRT v24. I have also changed out the D-Link for another Linksys running DD-WRT but still have the same problem. All settings are pretty much defaults. I have tried turning on AP isolation but I believe that is only for wireless-to-wireless communication.

    Any ideas other than going out and buying a different piece of equipment?
     
  2. jza80

    jza80 Network Guru Member

    Switch the D-Link and Linksys around. In other words: modem --> Linksys --> D-Link.

    This way any traffic from the Linksys to D-Link will be blocked by the firewall on the D-Link.
     
  3. ifican

    ifican Network Guru Member

    The only way to secure it is to get another router. The reason your open users can get to hosts on the 192.168.x.x network is because the internal hosts on that router (10.x) get NATed to the external IP of 192.168.x.x, which is the outside interface of that open wireless router.
     
  4. HennieM

    HennieM Network Guru Member

    To be clear: NAT protects the clients on the WRT's "private side", which is the wireless/LAN of the WRT, so computers on the owner network cannot get to computers on the open wireless. You have created the opposite of what you intended.

    One way to secure the owner net (192.168.0.0/24) is to add this iptables rule to your existing setup on the WRT:
    Code:
    iptables -I FORWARD -s 10.0.0.0/24 -d 192.168.0.0/24 -j DROP
    If you now find that the open wireless clients cannot get to the internet, add this (in addition to the above rule):
    Code:
    iptables -I FORWARD -s 10.0.0.0/24 -d 192.168.0.1 -j ACCEPT
     
  5. ifican

    ifican Network Guru Member

    I don't know iptables very well yet, but standard access control parses line by line until a match. Wouldn't that second statement need to go first?
     
  6. wes_123

    wes_123 Addicted to LI Member

    Thx Hennie I am going to give that a try and post back here with the result.
     
  7. wes_123

    wes_123 Addicted to LI Member

    Thanks Hennie

    I added that to the Administration-->Commands-->Save Firewall and it appears to work

    Thanks Again,

    Wes
     
  8. HennieM

    HennieM Network Guru Member

    @ifican: Those are -I[nsert] rules - whatever is inserted last goes first in the chain. FYI, you are correct about the order of execution of rules - first rule 1, then rule 2, etc., until some rule makes the chain jump away - like a "-j ACCEPT" or "-j DROP". That's why, when, say, you want to log something, you put the log rule, "-j LOG", before the "-j ACCEPT" so "-j LOG" gets done first, but does not jump away, while the others do.

    @Wes: Glad to hear it. Did you have to do both rules, or did the first rule alone do the trick?

    Further, you don't have to do the double NAT, i.e. set the WRT as "gateway". You can set the WRT as "router", but do keep the iptables rule(s). As "router" you could track, on the DLink, which IP (10.x.x.x) a request is coming from if you so wish, and you should also get a tad more speed.

    [With the double NAT, ALL requests seen on the DLink will be from 192.168.0.whatever-the-address-of-the-WRT-WAN-port]
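    The two points made in posts 4 and 8 (first matching rule wins, "-I" puts a rule at the top of the chain while "-A" puts it at the bottom, and "-j LOG" does not end evaluation) are easy to get wrong when typing rules into Save Firewall. Below is an added example, not code from this thread or from DD-WRT, that models the FORWARD chain in plain Python so the ordering can be checked offline: it replays HennieM's two "-I" rules against the addresses wes_123 described (a 10.0.0.100 client talking to 192.168.0.2 and to 192.168.0.1) and shows what happens when the same rules are appended with "-A" instead. The Rule and Chain classes, the helper names and the test addresses are constructed for this illustration and are not real iptables APIs.

```python
"""Model of iptables chain semantics: first match wins, -I inserts at the
top of the chain, -A appends at the bottom, LOG is non-terminating.

Added illustration for this thread; not DD-WRT or iptables code.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    target: str  # "ACCEPT", "DROP" or "LOG"


def rule(src: str, dst: str, target: str) -> Rule:
    # A bare address such as "192.168.0.1" is treated as a /32, as iptables does.
    return Rule(ipaddress.IPv4Network(src), ipaddress.IPv4Network(dst), target)


@dataclass
class Chain:
    policy: str = "ACCEPT"              # verdict when no rule matches
    rules: list = field(default_factory=list)
    log: list = field(default_factory=list)

    def insert(self, r: Rule) -> None:
        # iptables -I CHAIN ...  -> becomes rule number 1
        self.rules.insert(0, r)

    def append(self, r: Rule) -> None:
        # iptables -A CHAIN ...  -> becomes the last rule
        self.rules.append(r)

    def verdict(self, src: str, dst: str) -> str:
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        for r in self.rules:            # rules are evaluated top to bottom
            if s in r.src and d in r.dst:
                if r.target == "LOG":   # LOG records the packet and carries on
                    self.log.append(f"{src} -> {dst}")
                    continue
                return r.target         # ACCEPT / DROP jump out of the chain
        return self.policy


def hennie_chain() -> Chain:
    """Both rules typed with -I, in the order given in post 4."""
    chain = Chain()
    chain.insert(rule("10.0.0.0/24", "192.168.0.0/24", "DROP"))
    chain.insert(rule("10.0.0.0/24", "192.168.0.1", "ACCEPT"))  # now rule 1
    return chain


def appended_chain() -> Chain:
    """Same two rules typed with -A instead: the ACCEPT lands below the DROP."""
    chain = Chain()
    chain.append(rule("10.0.0.0/24", "192.168.0.0/24", "DROP"))
    chain.append(rule("10.0.0.0/24", "192.168.0.1", "ACCEPT"))  # never reached
    return chain


def logged_chain() -> Chain:
    """LOG inserted last, so it sits above the ACCEPT and fires without ending evaluation."""
    chain = hennie_chain()
    chain.insert(rule("10.0.0.0/24", "192.168.0.1", "LOG"))
    return chain


if __name__ == "__main__":
    c = hennie_chain()
    for dst in ("192.168.0.2", "192.168.0.1", "8.8.8.8"):
        print(f"-I chain: 10.0.0.100 -> {dst}: {c.verdict('10.0.0.100', dst)}")
    a = appended_chain()
    print(f"-A chain: 10.0.0.100 -> 192.168.0.1: {a.verdict('10.0.0.100', '192.168.0.1')}")
    lg = logged_chain()
    print(lg.verdict("10.0.0.100", "192.168.0.1"), lg.log)
```

Run as a script it prints DROP for the owner's PC, ACCEPT for the D-Link's address and ACCEPT (chain policy) for an Internet address under the "-I" chain, but DROP for the D-Link's address under the "-A" chain, which is exactly the mistake ifican was asking about. Note that traffic bound for the Internet is addressed to the remote host, not to 192.168.0.1, so the DROP rule alone does not match it; that is why wes_123 only needed the first rule.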
     
  9. wes_123

    wes_123 Addicted to LI Member

    I just used the first command.
     
  10. HennieM

    HennieM Network Guru Member

    Thanks
     
