Why does this work?

Discussion in 'Networking Issues' started by howardkatz, Aug 26, 2007.

  1. howardkatz

    howardkatz LI Guru Member

    Here's the scenario: My LAN has internet access via an RV-042 router; its LAN IP is, Mask

    I have a WRT-54G wireless router connected to the LAN through the WAN port, configured as follows:


    No wireless encryption, i.e. for public access.

    The purpose of this configuration is to enable people connected to the wireless router access to the internet, but to prevent them from accessing my (private) LAN.


    My certified-up-the-ying-yang MCSE Instructor says that it shouldn't work because the two boxes are on different subnets, therefore different networks.

    I say that it should, because the two defined networks intersect: the wireless router can see the RV042, and sees it as its gateway to the internet; the RV042 can see the wireless router because it's in its local subnet.

    If I'm wrong, why is this working?

    If I'm right, what do I tell my obnoxiously obstinate instructor to explain to him why he's wrong?
  2. ifican

    ifican Network Guru Member

    The bigger issue here is you don't want to have users behind your network as you have now, you want them in front, though that can be a different discussion.

    Now back to your instructor, I have had to rewrite this several times so as not to slam him too hard. The short answer is you are correct and he is not. Now I guess the nice thing to do is to explain to him it works and perhaps get a better explanation from him. I suppose you can tell him you have two different LAN segments connected via a router. Is that not supposed to be how it works? If he does not agree and does not tell you he is wrong then I would suggest finding a new instructor.
  3. howardkatz

    howardkatz LI Guru Member

    The bigger issue

    There are two classes of users:
    EMPLOYEES are hard-wired to the 192.168.11 subnet, and have access to all internal resources.

    GUESTS gain access through the wireless router, in the 192.168.1 subnet, and (by design) have NO access to internal resources - just the internet. That's why I configured the wireless router with the restrictive WAN subnet.

    Subnets are much easier to configure than firewalls ;-)

    My instructor (great/knowledgeable on all other counts, don't want to slam him, just give him a dose of Internet Justice) says that "there must be a VLAN capability, otherwise this can't work: the network is defined by the network address and mask, if the masks are different, they must be on different networks and therefore can't communicate with each other." Needless to say, I disagree.
  4. ifican

    ifican Network Guru Member

    Your instructor is partially correct and no need to go off on the varying tangents of what and how to work around that statement. Now before I delve too deep into this, it appears from what you have written that the WRT is connected to the LAN side of the RV; if this is the case those public wireless users are living on your LAN as they have to access your LAN to get to the internet. Is this not correct?
  5. howardkatz

    howardkatz LI Guru Member

    You are partly correct. The WAN side of the WRT lives on the LAN. What keeps those public users from accessing the LAN is the Mask on the WAN side of the WRT. Remember that the WAN IP is; the mask is, so the ONLY device the WRT can connect to is - which is the RV042. I have tested this: the public users simply cannot access any other device on the "private" 192.168.11 LAN. In fact, I had a situation where one of our LAN users (with a laptop) inadvertently connected to the public wireless network, and called to complain because he couldn't access any resources!

    One other thing: the WRT can only be managed via its LAN side, either wireless or wired. It is totally inaccessible from the private LAN - which is by design.
  6. ifican

    ifican Network Guru Member

    Yes that works to keep out your basic user. But don't be fooled into thinking your LAN machines don't see any of the frames that come out of the WAN interface of the WRT. Put Wireshark or Ethereal on your LAN machines and see how much info they really see. Now this is just me, but I would rather overkill security than be sorry later on. If you do any kind of online banking or keep any information on your LAN machines that you do not want others to see I would not put the public behind your network. Think of it this way, right now you have no firewall except for what you might have on your machines between the bad guys and you, you are relying solely on network segmentation. As a matter of fact you keep the bad guys behind a firewall, now also take into account you leave the router management for the bad guys on the bad guys' network. So if and when it gets broken the bad guys have access to change the mask and now have immediate access to all your LAN hosts. I could go on and on about this but will leave it at that, just say that I have been around this business far too long and have seen too much to know better than to put publicly accessible networks "behind" my private and secure LAN. Just my 2 cents, ok nickel's worth. Also if your instructor still gives you hell, have him email me and I'll help him to understand ;-)
  7. HennieM

    HennieM Network Guru Member

    Two different subnets/networks can be (and are) connected via ...... routing! The whole damn internet runs on it.

    As for the subnetting idea - that's pretty cool. However, I agree with ifican that it feels too flaky for comfort.
  8. howardkatz

    howardkatz LI Guru Member

    Flying under the radar...

    For big, industrial-strength networks, you are both right, this is flaky.
    However, for a small business, for whom the extra $60 per month for an additional WAN connection would be burdensome, and who would never attract a serious hacker, I'm not too worried. He knows there is a very small (but non-zero) risk.

    Quite frankly we all take a much bigger risk every time we hop in our car, or walk across the street...
  9. howardkatz

    howardkatz LI Guru Member


    A final clarification: it's the WAN side of the WRT being able to talk to the LAN side of the RV042 that my instructor found impossible to swallow. They are on slightly different subnets (because of the masks) BUT each of the subnets includes the other router!
    My explanation to my instructor will be as follows: so long as the two devices can see each other (taking into account their respective IP addresses and masks) then they can converse.
    * The RV042 can see 254 possible devices from to; since the WRT is at, it can be seen by the RV042.
    * The WRT54G can see 2 possible devices from to; since the RV042 is at, it can be seen by the WRT.
    * The two devices are within each other's scopes so communication is successful!
  10. ifican

    ifican Network Guru Member

    Not to beat a dead horse and I will leave you with this, anytime you leave a network open to the public you ask for trouble. My friends / coworkers just for the fun of it hack into whatever they can when they are not on their own networks. They do it for fun and are very good at it. There is no need for a second WAN connection, we are simply saying put the wireless users up front (directly connected to the internet) and run your private LAN behind.
  11. HennieM

    HennieM Network Guru Member

    Explanation to your instructor is cool. You might add, to confuse him a bit ;-), that the netmask only comes into play with broadcasting and the likes, and in particular with Address Resolution Protocol (ARP). In your case, address would be the broadcast address of the one subnet (if my subnet calcs don't let me down) while a point address for the other subnet.

    It's not about IP addresses, but about ARPing those IPs, and only on a single subnet at a time: in order to find the hardware (MAC) address of the device with IP address .1, a device with subnet mask .252 broadcasts/arps on, which happens to include .1 and .2. A device on the .0 subnet broadcasts/arps on .255, which also happens to include .1 and .2.

    To labor the point some more... It may also be possible that your subnet .252 device actually broadcasts to (i.e. the broadcast address is incorrect), but then just disregards any ARP replies other than .1 or .2 based on its subnet mask. I don't know enough of how ARP actually works, so this is just speculation.
  12. ifican

    ifican Network Guru Member

    The network address in this case is and the broadcast is. Actually ARP is layer 2, so the broadcast is MAC based, not IP. In this case since the RV is the default GW and the WRT thinks it's on a point-to-point link (i.e. the subnet) it only sends a unicast ARP for when it first powers on; since there is plenty of network traffic there will be no more ARPs sent from the WRT, though it will see any broadcast ARPs from the RV for unknown hosts. Overall very ingenious and kudos to the design, I just don't agree with it in regards to network security. Keep up the out-of-the-box thinking as it is what makes our jobs interesting and fun.
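The subnet arithmetic the thread reasons through in posts 9, 11 and 12, as an added example that is not part of any post above. The addresses are constructed to match the thread's description (RV042 LAN side on a /24, WRT54G WAN side on a /30 inside it, .1 and .2 as the two hosts); the thread itself does not give the exact numbers, and the widened /24 WAN mask is only there to illustrate ifican's warning about what a changed mask exposes.

```python
import ipaddress

# Constructed example addresses, consistent with the thread but NOT the poster's
# actual configuration: RV042 LAN side on a /24, WRT54G WAN side on a /30.
RV042_LAN = ipaddress.ip_interface("192.168.11.1/24")
WRT_WAN = ipaddress.ip_interface("192.168.11.2/30")
# What the WRT's WAN side would look like if its mask were widened to /24
# (ifican's "change the mask" scenario).
WIDENED_WRT_WAN = ipaddress.ip_interface("192.168.11.2/24")


def subnet_facts(iface):
    """Network address, broadcast address and usable host count for one interface."""
    net = iface.network
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": max(net.num_addresses - 2, 0),
    }


def is_on_link(src, dst_ip):
    """True if src's mask makes dst_ip a neighbour it ARPs for directly,
    rather than a destination it hands to its default gateway."""
    return ipaddress.ip_address(str(dst_ip)) in set(src.network.hosts())


def mutual_visibility(a, b):
    """The thread's claim: two devices converse when each lies inside the other's subnet."""
    return is_on_link(a, b.ip) and is_on_link(b, a.ip)


def on_link_lan_hosts(src, lan):
    """Private-LAN addresses that src's mask lets it reach without going via the gateway."""
    neighbours = set(src.network.hosts())
    return [str(h) for h in lan.network.hosts() if h != src.ip and h in neighbours]


if __name__ == "__main__":
    for name, iface in (("RV042 LAN", RV042_LAN), ("WRT54G WAN", WRT_WAN)):
        print(name, subnet_facts(iface))
    print("mutual visibility:", mutual_visibility(RV042_LAN, WRT_WAN))
    print("LAN hosts on-link for the WRT:", on_link_lan_hosts(WRT_WAN, RV042_LAN))
    print("after a mask change to /24:", len(on_link_lan_hosts(WIDENED_WRT_WAN, RV042_LAN)))
```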