Isolated LANS routing to the Internet

Discussion in 'Networking Issues' started by hstaniloff, Apr 12, 2007.

  1. hstaniloff

    hstaniloff LI Guru Member

    I am a pilot and my airpark has asked me to create isolated LANs in each person's hangar. Then they want each person's LAN to be able to get to the Internet but not to be able to exchange data with any other LAN device - only their own.

    The Internet connection is cable and there is one LinkSys router in the main office supplying Internet access to the whole backbone. This backbone is a single piece of CAT5E that is run in to each hangar where a Netgear 10/100 5-port switch is located. Each hangar has their own switch. So in a sense, it's one big ethernet run on one big subnet.

    I want to place a wireless router in each hangar and keep each hangar on it's own subnet. Each subnet in each hangar must NOT be able to exchange data with any other LAN, but will need to be able to get to the Internet via the router in the main office.

    Will I have to use static routes to make this work? Suggestions on implementation?
  2. ifican

    ifican Network Guru Member

    If you leave the router in the main office intact, and change out the switch in each hanger for a wireless router it should work how you want as long as you administer the routers. Make sure you have a different ip range on the wireless devices from that which it is getting from the linksys router and make sure the firewall on each new router in turned on and all should work. Keep in mind if you are going to be using wireless devices that you set up wpa and use a different key on each device.

    Actually something i had not thought of initially is, if you use a wireless router you can use 3rd party software on, you can created vlan and use firewall scripting to keep them from talking between one another as well.
  3. hstaniloff

    hstaniloff LI Guru Member

    Thanks for the information. I will be administering the routers.

    My initial thought, from the hip, is to let the main office router DHCP the WAN port on each router and then put the LAN interface on to it's own different subnet in each hangar. Since there will be no routing protocol like RIP enabled, the only route that should be viable from each LAN segment would be the Internet connection serviced by the office router. Am I correct?
    The goal here is to have this environment work with off-the-shelf equipement and with as little specialized configurations possible.
    Will I need to define any static routes any where?
    Thanks for your help!
  4. ifican

    ifican Network Guru Member

    If you want off the shelf then just as i had stated will do it. The main office router will do dhcp for all the other routers. You will not have to do anything specific except make sure the lan ip range on the wireless routers is different then from what it is getting from the main office router. All the wireless routers can have the same lan ip range that wont matter it just has to be different from the main office router. And yes to your question, the only route that any of the wireless routers will know is the subnet they are all on and the internet. By default all of the wireless routers will know how to talk to one another but if you leave the firewall set to "on/enabled" then even though they can talk, they wont exchange any information.

    No static routes will be needed, once you make sure ip range is different it will be all plug and play. Well except for the setup of the wireless, you can do what you want with it.
  5. hstaniloff

    hstaniloff LI Guru Member

    Excellent. That's what I need to know.

    So just for clarification: All of the hangars have one big LAN segment joined together by 5-port switches. I would just hang the local routers off each switch. I will "nail" each WAN interface on each router manually to keep it managed correctly. The local LAN for each hangar will be on it's own different network. The wireless firewall must be in place - that's easy. Got it all.

    So one more question please:
    If a local node makes a request, the network packet hits the local router. Which knows, by default, about it's local subnet - all other traffic passed on to the office router on the WAN interface. The office router knows about it's local subnet and the it's Internet connection on its WAN router. What if the local node is trying to "hit" a node on the office router's LAN. How won't that happen if the office router knows about it's local LAN? Do I not understand all this in detail? Please clarify. (And this will be it.)
  6. ifican

    ifican Network Guru Member

    You can remove the switch all together and use it behind the new router if there is a need, or you can leave it in place its up to you. My impression was the only devices on the main office lan are going to be the other routers and the point of keeping the firewall enabled. By default the firewall will not respond to anything that was not first previously requested from the local lan. For instance, hanger A knows the router interface for hanger B is, hanger A can attempt to get to that ip but that IP will block by default any requests incomming that were not first requested by hanger B. And since all lan devices in hanger B are nat'd the hanger B router looks at the packet and has no idea where to send it so it drops it. (Same goes for all other routers) Now you did not state that there were other devices on the main office lan that you wanted users to be kept out of so i did not take that into consideration when thinking about this. No worries about more questions, please ask if you have any.
  7. hstaniloff

    hstaniloff LI Guru Member

    Not sure that I follow your explanation. But what I gather from your explanation is that I will be alright in this scenario. Can you explain it again differently? If not, no biggy.

    I think that I should add another router to service the office on it's own subnet - just like the hangars. Then hang one more router for the internet connection off the main office router's LAN. The "hangar" router will service all the WAN ports on the other routers. Therefore, all the routers WAN interfaces will be on one subnet and the local lan will be isolated.

    Will this work? Am I getting nutty? I do need to isolate the local office LAN since they have some adminitrative machine's they want to protect. Same scenario as the hangars - I need to defeat access to the local subnets.

    Does this sound right? Please advise!
  8. ifican

    ifican Network Guru Member

    Nutty? Nutty is what makes all this fun, if you had any idea what my current network looked like, you'd think i was down right crazy/confused/psycho that liked to make my life as difficult as i can. :)

    Yes as you have stated that will work just fine, you could simple make sure that all main office machines have software firewalls and (assuming you have windows machines) permission set to not allow anyone else in and that would work too, without having to add another router. But the main office router to segment the main office admin machines is a safer bet.

    Now to not complicate this much more for you but to give you something to think about, for the price you would spend on several routers you could pick up 1 that would do all that for you and could be put in place where the current linksys router is now. The only caveat to that scenario is the configuration can get a little tricky but easily doable though I am not sure what your wireless intentions are or the distance your wireless would have to cover.

    I think you have a good understanding of how it works, just got a little confused with how i explained it in the last post. Basically its like this: If a host on any lan makes a request, the request passes through the router and the router makes an internal notation to look for that request on the way back in, when it sees it, it passes it to host that initially sent it out. Now if a request hits the wan port of the router and the router has no notation of that request ever being passed it just discards it and does nothing with it, hence how you will keep all hangers out of each others lans. Hope that makes better sense.
  9. hstaniloff

    hstaniloff LI Guru Member

    Now it all makes sense. NAT is the key here. Right? Got it.

    You are correct: We could just run local firewall software on the office PCs and not add another router and be done. But that requires software configuration on those PCs and I don't want to get in the middle of that. Also, all the other devices on the LAN would all be able to talk to each other and we don't want that either.

    The only downside to this architecture is that since this is a daisey-chained ethernet backbone, failure of any one box will cause all upstream traffic to cease. Also, as you move further up the chain, the hops to the Internet router in the main office increases. This seems unavoidable since there is only one point out to the Internet in the airpark. And they can't/don't want to run another connection to the net. Too costly.

    I'm not too worried about the HW as each switch is in its own protective case and routers are pretty hardy unless someone bashes one with a hammer. The number of hops, although large, shouldn't be too too bad given the overall traffic at any one time on the network. Your thoughts?

    Also, these are largely unheated hangars. Not sure what the operating temps are for the LinkSys routers or the switches. That could play a factor during the winter and dog-days of summer. Thoughts?

    My hero. Thanks.
  10. ifican

    ifican Network Guru Member

    Sounds like you have it all in a nutshell. I wouldnt worry about hops, each hop is going to add minimal latency (few ms each) nothing to be concerned with. Electronics in general are very hardy when it comes to cold weather, infact they prefer the cold much more so then the heat. Cold tolerance is amazing as most generate quite a bit of heat all on there own, however heat on the other hand can bring a device to its knees quite quickly. Well enough of that, you have everything worked out and it should all be good to go. Holler if need anything else...
  11. hstaniloff

    hstaniloff LI Guru Member

    Awesome. Thanks again for the advise and expertise.
    I appreciate it.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice