Complex, 3 Routers Interconnected

[Kevin K]

I'm trying to run a 'trusted' home network and a separate 'untrusted' network. I'd like to remove a router dependency.

Today, I have trusted devices connected to my "trusted" AC68. My AC68 WAN port connects to an "untrusted" AC66, which also has the untrusted devices connected. The AC66's WAN port connects to my ISP's router-and-modem-in-one-box.

I'd like to connect "trusted" and "untrusted" to the ISP router in parallel, instead of running "trusted" through "untrusted". Today, if untrusted goes down, so does trusted. If both AC routers are connected to the ISP router, then one can go down without impacting the other.

And... I need devices on trusted to be able to connect to devices on untrusted, but not vice versa.

With trusted running through untrusted, this "just works" without a lot of security configuration (which I might mess up). If I connect both ACs to the ISP router, and configure:

• ISP router LAN netmask = 255.255.0.0
• ISP router LAN address = 192.168.1.x
• untrusted router LAN netmask = 255.255.255.0
• untrusted router LAN address = 192.168.2.x
• trusted router LAN netmask = 255.255.255.0
• trusted router LAN address = 192.168.3.1

Should that suffice? Will I need to specifically define a route from 192.168.3.x to 192.168.2.x on the ISP router, or will ARP sort that out?

I know I'll need to define firewall rules on untrusted, to permit incoming traffic from trusted. Is there a way to permit ALL incoming traffic from trusted into untrusted, or will I have to do that IP by IP?
Thanks!

 

[L&LD]

Unless you have two public IPs available from your ISP, this won't work.

 

[Kevin K]

Unless you have two public IPs available from your ISP, this won't work.

What an interesting idea! What specifically will fail? The ISP router does NAT. It is used to having multiple IPs on its LAN.

 

[cptnoblivious]

If the internal systems were all just routers, you would add a route on the trusted router (3.x) for how to reach the untrusted network (2.x) via the external interface of the router connecting the untrusted network (1.?).

It would actually help if you drew this and added the actual IPs of the router interfaces.

So, assuming the trusted router has interface 192.168.1.3 and the un-trusted router has 192.168.1.2 you need to define a route so that the trusted router knows that to reach 192.168.2.0/24 go to 192.168.1.2 and the forward that traffic. It would have a default route to the Provider router (assuming that's 192.168.1.1 for now) but shouldn't need to router there to reach the 2.x network.

Now since these are also NAT / Firewalls, I'm not sure what other complexities this brings as I haven't tried it.

 

[Kevin K]

Now since these are also NAT / Firewalls, I'm not sure what other complexities this bri

Oh. There you go. NAT - That's a complication and a simplification. From the standpoint of the ISP router, there is no 192.168.2.x or 192.168.3.x -- just the external IP of 'trusted' and 'untrusted'.

The ISP router does not have the ability to manually add routes. So, as cptnoblivious suggested, 'trusted' will have to know to route traffic to 'untrusted' via its external IP and vice versa. That's one route command on each router. Easy enough.

The remaining trick will be -- how to tell the firewall on 'untrusted' to permit all incoming traffic from the external IP of 'trusted'. That ought to be something close to

iptables -A INPUT -s 192.168.1.3/255 -j ACCEPT

on 'untrusted' (assuming I set up the ISP router to assign 192.168.1.3 to the WAN port on 'trusted').

So the short form is: 'trusted' and 'untrusted' need to know how to route traffic for each other's LAN via the other's WAN IP, and 'untrusted' needs a firewall to accept all connections from 'trusted'.

I think...

 

[L&LD]

So, the ISP is giving you two Public IP's. Is that what I'm reading?

 

[Kevin K]

L&LD - Thanks for the reply. We seem to be talking past one another. You said it won't work without two external IPs. I asked what specifically will fail? Now you've assumed a second IP.

I can buy another public IP address if I understand the need for one.

But I don't need the outside world to be able to initiate connections to any of my LAN devices, except for the cases where I set up port forwarding rules on the ISP router. I already have a few of those set up. They already forward to the external IP of 'trusted' or 'untrusted', so I don't see those changing (except that 'trusted' will have a new external IP).

Changing from:

trusted->untrusted->ISP_Router->internet

to

trusted -----+
             +-----ISP_Router ---> internet
untrusted ---+

What specifically will fail with only a single, external IP? What am I missing?

 

[L&LD]

We're not talking past each other; you're not answering the queries.

Will the ISP 'router' give a Public IP address or a Private IP address to 'trusted' and 'untrusted'?

If it is a Private IP address, then the 'trusted' network really isn't.

If it is a Public IP address to each, then unless you have an ISP that gives you two Public IP addresses, that setup will fail.

If they both are 'inside' the WAN side of the network, then neither of them is safe.

 

[RMerlin]

The "correct" way to properly handle network isolation is to put the entire network behind a managed switch, and configure VLANs. Put APs on each VLANs.

You can tinker something by having two separate routers handling each subnets, both using a third router as their primary gateway, but you will have to configure firewall rules on each of the two routers to block inbound traffic from the other subnet's IP range. And you will have to deal with double NAT.

 

[Kevin K]

L&D: Thank you for your reply.

Will the ISP 'router' give a Public IP address or a Private IP address to 'trusted' and 'untrusted'?

It will assign non-routable, private IPs from 192.168.x.x. That's what it currently assigns to 'untrusted's WAN port. I do have the occasional port forward from the ISP router, but the ISP router's WAN port is the only external IP address on my network, and will remain that way.

Devices on 'trusted' belong to the responsible adults in my family. We're "over the top" about avoiding malware.

Devices on 'untrusted' belong to our teen and 20-something children. I don't *know* their devices contain malware, but I want their machines separated from the adult's LAN.

Neither 'trusted's nor 'untrusted's machines are externally addressable.

Merlin: Thank you for your reply (and for the firmware):

you will have to configure firewall rules on each of the two routers to block inbound traffic from the other subnet's IP range.

If my two ASUS routers have

• WAN IPs 192.168.1.2 and 192.168.1.3
• LANs IPs 192.168.2.x and 192.168.3.x
• netmask 255.255.255.0,

I'm thinking they'll each block traffic from the other router by default, and I'll have to add firewall rules to *permit* desired traffic from the other's WAN port. Since they're doing NAT, that traffic will have the source IP of their WAN port, and I'll only have to permit that single address *from* 'trusted' into 'untrusted'. Or do I have it all wrong?

And you will have to deal with double NAT.

Shucks, with my current untrusted -> trusted -> ISP_Router setup, I'm already doing triple-NAT on the 'trusted' network. I haven't really experienced any inconvenience except I have to set up port forwarding for the little incoming traffic I do permit.

I *think* I mostly understand firewalling and routing, but I never really learned the details of all the things one can do with a smart switch such as VLAN. I sorta suspect that with a whole bunch of configuration I could do this all with a single ASUS 8-port router + my (mandatory) ISP router+modem. But I'm reluctant to do a concept-learning project that involves protecting my data.

So long as using a netmask of 255.255.255.0, and NAT, and separate 192.168.x.x LANs on my 2 ASUS routers blocks traffic from the other ASUS router by default, my inadvertent omissions should lead to too much blocking rather than too much passing.

 

[cptnoblivious]

L&D: Thank you for your reply.



It will assign non-routable, private IPs from 192.168.x.x. That's what it currently assigns to 'untrusted's WAN port. I do have the occasional port forward from the ISP router, but the ISP router's WAN port is the only external IP address on my network, and will remain that way.

Devices on 'trusted' belong to the responsible adults in my family. We're "over the top" about avoiding malware.

Devices on 'untrusted' belong to our teen and 20-something children. I don't *know* their devices contain malware, but I want their machines separated from the adult's LAN.

Neither 'trusted's nor 'untrusted's machines are externally addressable.

Merlin: Thank you for your reply (and for the firmware):

If my two ASUS routers have

• WAN IPs 192.168.1.2 and 192.168.1.3
• LANs IPs 192.168.2.x and 192.168.3.x
• netmask 255.255.255.0,

I'm thinking they'll each block traffic from the other router by default, and I'll have to add firewall rules to *permit* desired traffic from the other's WAN port. Since they're doing NAT, that traffic will have the source IP of their WAN port, and I'll only have to permit that single address *from* 'trusted' into 'untrusted'. Or do I have it all wrong?


Shucks, with my current untrusted -> trusted -> ISP_Router setup, I'm already doing triple-NAT on the 'trusted' network. I haven't really experienced any inconvenience except I have to set up port forwarding for the little incoming traffic I do permit.

I *think* I mostly understand firewalling and routing, but I never really learned the details of all the things one can do with a smart switch such as VLAN. I sorta suspect that with a whole bunch of configuration I could do this all with a single ASUS 8-port router + my (mandatory) ISP router+modem. But I'm reluctant to do a concept-learning project that involves protecting my data.

So long as using a netmask of 255.255.255.0, and NAT, and separate 192.168.x.x LANs on my 2 ASUS routers blocks traffic from the other ASUS router by default, my inadvertent omissions should lead to too much blocking rather than too much passing.

For 'piping' the traffic into the network, you typically map an external source port of the NAT -> Internal IP and destination port on the 'private' network.

You don't get access to the whole network, only the specific service you pipe in.

FAQ from Asus here: https://www.asus.com/support/FAQ/1037906

Again, I highly recommend you draw this, with the systems that should be access and the specific service that need access and then start detailing your forwarding rules for the NAT.

1 picture = 1,000 words.

 

[dosborne]

If my two ASUS routers have

• WAN IPs 192.168.1.2 and 192.168.1.3
• LANs IPs 192.168.2.x and 192.168.3.x
• netmask 255.255.255.0,

I'm thinking they'll each block traffic from the other router by default, and I'll have to add firewall rules to *permit* desired traffic from the other's WAN port. Since they're doing NAT, that traffic will have the source IP of their WAN port, and I'll only have to permit that single address *from* 'trusted' into 'untrusted'. Or do I have it all wrong?

Should work fine IMO.

 

[Kevin K]

For the record, it works quite nicely.

• 2 ASUS+Merlin routers defining 2 networks behind one ISP router.
• Kids' network on one router; adults' network on the other.
• Each router has a manually added route to direct appropriate traffic to the other.
• Firewall on the kids router has a rule to permit traffic from the adults' network, allowing me to reach out and touch kids' machines when they ask for help.
• Each network has a printer, and I've added firewall rules to permit either network to print to the other.

Thanks for the help!