How to achieve multiple subnets with RV042 and 2nd router

abignet

Occasional Visitor
Greetings,

I have an RV042 router with a wifi router (E1500) connected as an Access Point (using this method: http://www.smallnetbuilder.com/wire...onvert-a-wireless-router-into-an-access-point). I have the E1500 connected to a port on the RV042 that is set to a separate VLAN (VLAN2) so as to keep Wifi devices from accessing anything on VLAN1. However, I just today realized that the RV042 still assigns IP addresses to both VLANs from the same pool. Because I also have the RV042 connected to another location via VPN, this means that while devices attached via wifi (and thus on VLAN2) cannot reach VLAN1, those devices on VLAN2 can reach remote devices across the VPN!! This is very bad! :eek: Fortunately the Wifi connection is still controlled via a strong password, but I still want to better segregate my networks for security purposes.

I've discovered that the VLAN abilities of the RV042 are very basic (which I appreciated initially as it made things very easy to set up) so there doesn't seem to be any way to specify Firewall Access Rules based on a particular VLAN. I need to somehow force all the Wifi traffic onto a different subnet so that I can then create Access Rules based on that subnet.

The RV042 seems to have very basic support for multiple subnets, but apparently it can only supply one pool of IP addresses (ie, I do not see any way to have it assign IP addresses to two different subnets).

I have experimented with re-enabling the DHCP server on the Wifi router (and making what I think were the appropriate IP address adjustments), but then devices attached to the Wifi router lost access to the internet. I also experimented with the DMZ settings on the RV042 a little, but I either don't quite understand enough (the more likely possibility) or that option won't work for this.

Does anyone have suggestions for how I can get the Wifi traffic to be on a different subnet? Is it even possible to have the Wifi router with its DHCP server enabled be connected to the RV042?

If someone could confirm for me the basic setup (even just in principle) of how one could have a router behind another router with both having their own separate DHCP servers, I could then do some more experimenting, but currently I feel like I'm flying a bit blind because I'm just not sure what the limits are of what can and can't be done. I do realize I will likely have some lower performance for the Wifi router because of likely being double-NATed, but as long as it (and its connected devices) can access the internet and NOT access the LAN or VPN then I can live with that (assuming it isn't unusably slow, of course).

Many thanks in advance to any who can point me in the right direction here!
:)
 
Setting up 2 routers to route to each other is not tricky. The problem I have seen on here is some of the routers will not work as only a router without firewall and NAT. The E1200 seems to have a problem working as a router. You can test your E1500 by turning off firewall and NAT and connecting the WAN port of your E1500 router to your outside firewall router. If there is an option for router mode, use it on your E1500. The 2 routers will need to be on different networks. Try to ping the WAN port of the E1500 router from the outside router network. Then plug your workstation into the LAN port on the E1500 router. Ping the E1500 router IP address. Then ping the outside router NAT IP address, maybe 192.168.1.1; if you can ping the outside router address and the other pings work then there is hope. You will need to add a route statement to the outside router to find the E1500 router to complete this exercise. Report back with the networks and IP addresses you used and I will help with the route statement. There are examples on this site, just use a search.
 
Thanks so much for helping me yet again! :)

I think I understood what you were saying. The following is what I tried...

RV042 IP: 10.1.11.1
RV042 WAN IP: 10.1.10.10 (SMC Comcast gateway IP of 10.1.10.1. RV042 is in SMC DMZ.)
E1500 WAN IP: 10.1.11.18
E1500 IP: 10.1.12.1

Turned off SPI Firewall on E1500. Connected E1500 WAN to RV042. When the connected port on RV042 is set to VLAN2 attempts to ping the E1500 at 10.1.11.18 resulted in "Reply from 10.1.11.11: Destination host unreachable." Changing that port to VLAN1 resulted in "Request timed out." Disabling "Filter anonymous internet requests" on E1500 resulted in a successful ping. I also found that I could still ping the E1500 even if the SPI Firewall on E1500 was enabled.

Attempts to ping the RV042 resulted in "Request timed out." If I'm set up back with the E1500 as an AP (on VLAN2 and no DHCP) then I can successfully ping the RV042 (but of course that doesn't really help me).

Based on what you were saying it sounds like this might have a shot at working??

One question though: If I leave the SPI Firewall disabled on the E1500 are the E1500 devices going to be protected from the internet by the RV042 firewall? I don't wish to expose the wifi connected devices to no firewall protection.

Also, do you think it will help any to enable the Multiple Subnet feature in the RV042? I tried turning it on again (set to Subnet 1: 10.1.12.1/255.255.255.0) but it didn't seem to make any difference.

Edit: Another option which might be easier and still achieve my overall goal is if it could work to just attach the E1500 to the Comcast SMC router/gateway. Currently the RV042 is set in the DMZ of the SMC and that works well, but there can be only one router/device in the DMZ (heh, my brain just made a Highlander reference... ;) ). I tried out earlier today attaching the E1500 directly to the SMC but it didn't seem to work. But the more I think about it, it seems like it should work. I think the main reason I ended up putting the RV042 in the SMC DMZ may have been to reduce any double-NAT issues that could cause problems for the VPN connection. But the E1500 doesn't have that constraint. I think I will try again tomorrow to get the E1500 to work on the SMC (unless you can think of reasons it would be a bad idea security-wise).

If I can get the E1500 to work directly attached to the SMC will I need to do anything extra on the RV042 (eg, set some Access Rules) to protect the RV042 network (or the remote VPN network) from being accessed by devices connected to the E1500?

Thanks for offering to help out here!
:)
 
OK, it sounds like you made progress. Make sure the E1500 is in VLAN1 with the rest of your PCs. We now need to create a route statement on the RV042 pointing to the WAN port IP address of the E1500:

    IP route: 10.1.12.0 255.255.255.0   (this is the network you are routing)
    Gateway or next hop: 10.1.11.18      (WAN port of the E1500)

Go into your RV042 router and create a static route statement with the above information. This should start your routing and your ping will now work. You should also be able to ping all machines on both networks. You will now need to add a name server for Windows to work. You can use a local DNS, WINS, or an LMHOSTS file.
 
That is awesome! Thank you! :D

Did you have any thoughts/comments about my realization that I should be able to somehow make the E1500 work directly attached to the Comcast SMC gateway/router (bypassing the RV042 entirely). See my above post for more info. I added all that as an edit previously, so you may not have seen it if you were responding from having read the original post via email.
 
I don’t see why you could not replace the RV082 with the E1500 router. What does swapping the E1500 for the RV082 buy you? You need to turn the firewall on again if the E1500 is going to be your front door. Is the Comcast running in bridge mode? I never want to double NAT my traffic.
 
Yeah, I guess I wasn't being very clear--sorry about that! What I meant was having both the RV042 and the E1500 connected directly to the SMC (instead of trying to run the E1500 through the RV042, which was creating the unexpected security problem that I'm trying to solve). The Comcast SMC is in the closest thing to bridge mode that it can do.

I tried again today to connect the E1500 directly to the SMC (I re-enabled DHCP, firewall, etc. on the E1500 and connected the E1500 via its WAN port), while leaving the RV042 also connected to the SMC (via the SMC DMZ, as it has been). What I finally discovered is that I had disabled NAT on the E1500 (probably when I had originally set it up as an AP); once I re-enabled NAT on the E1500 I could then access the internet! :D

So the RV042 is on subnet 10.1.11.0.
And the E1500 is on subnet 10.1.12.0.

The VPN connection in the RV042 is only for subnet 10.1.11.0, so between that and the RV042's firewall, it seems like everything should be secure now because there should be no way that a device connected to the E1500 (on subnet 10.1.12.0) would be able to jump over to the RV042 subnet (of 10.1.11.0), correct?

I really appreciate the help and troubleshooting you've provided! :) There are so many details to wrap my mind around with all this stuff. It is great having a forum like this to talk through things with others. :)
 
Connecting 2 outside routers to Comcast at the same time is not going to work unless you have multiple IP addresses from Comcast. My impression of your network now is the Comcast modem/router is routing and you are running 2 routers connected to your inside private network using double NAT. I could be wrong but I would need the IP addresses of the WAN port of all routers.
 
I'm confused, because I've got it setup and it is working (at least, I have internet access from both networks, and the VPN works fine). What did you mean by "not going to work"? I may very well be missing something.

Here's the info you asked for:
RV042 WAN IP: 10.1.10.10 (from SMC Comcast gateway)
E1500 WAN IP: 10.1.10.11 (from SMC Comcast gateway)
The SMC has the dynamic WAN IP given to it by Comcast.
 
If the SMC is giving 10.x.x.x addresses out to the WAN of the other two routers, it's NAT'ing; those addresses are reserved for private networks. If the SMC was truly bridged, you'd need 2 IPs from Comcast to have two routers connected. You're double NAT'ing from the sounds of things.
 
Hey, thanks for chiming in! :)

Yeah, what you're saying makes sense. I don't think there's anything I can do about the double-NATing though (apart from paying for IPs, which I don't want to do).

From what you're saying I was already double-NATed on the RV042, so my main concern is just the security side of things at this point. Do you agree that the RV042 should be totally protected from the E1500 at this point given that they're both on separate subnets?
 
> Hey, thanks for chiming in! :)
>
> Yeah, what you're saying makes sense. I don't think there's anything I can do about the double-NATing though (apart from paying for IPs, which I don't want to do).

I have an SMC modem/router combo from my ISP; I know that in my case, I need to call my ISP and they need to put it in bridge mode themselves. To my knowledge there isn't a way for consumers to do so. I'm not 100% sure on all this, that is just my current understanding. YMMV.

> From what you're saying I was already double-NATed on the RV042, so my main concern is just the security side of things at this point. Do you agree that the RV042 should be totally protected from the E1500 at this point given that they're both on separate subnets?

Clients behind the RV042 should have no access to clients behind the E1500, as there are no routes set between the subnets, unless you manually set up routing tables between routers.
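The following is an added example, not code from any post in this thread: a small Python model of the two designs discussed above (the static route from the 10.1.11.x network to the E1500's WAN port at 10.1.11.18, and the final layout with both routers behind the SMC, each doing NAT). It traces the first packet of a flow hop by hop, applying NAT, longest-prefix static routes, the RV042's VPN policy for 10.1.11.0/24 and a stateful WAN-side firewall, so you can see why the wifi subnet cannot reach the LAN in the final design even if the SMC were given a route to it. The remote VPN subnet 10.1.20.0/24, the host addresses, the SMC's public address 203.0.113.7 and the Internet address 8.8.8.8 are assumptions made for this example.

```python
"""First-packet forwarding model of the two designs in this thread (added example).

The 10.1.10.x / 10.1.11.x / 10.1.12.x addresses and next hop 10.1.11.18 are
from the thread; the remote VPN subnet 10.1.20.0/24, host addresses, the SMC's
public address 203.0.113.7 and 8.8.8.8 are assumptions. Only the first,
unsolicited packet of a flow is modelled, which is what an SPI firewall and a
NAT table decide on.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass
class Router:
    name: str
    lan: IPv4Network                                # inside network this router serves
    wan_ip: IPv4Address                             # its address on the upstream network
    upstream: str | None = None                     # None: WAN port faces the Internet
    nat: bool = True                                # rewrite src to wan_ip when going upstream
    firewall: bool = True                           # SPI: drop unsolicited packets arriving on WAN
    static_routes: dict[IPv4Network, IPv4Address] = field(default_factory=dict)
    vpn_nets: frozenset[IPv4Network] = frozenset()  # subnets reached through an IPsec tunnel


def trace(routers: dict[str, Router], src: str, dst: str) -> tuple[bool, list[str]]:
    """Follow one packet hop by hop; return (delivered, list of hop descriptions)."""
    src, dst = ip_address(src), ip_address(dst)
    cur = next(r for r in routers.values() if src in r.lan)   # sender's first-hop router
    via_wan, path = False, []
    for _ in range(16):                                        # loop guard
        if dst in cur.lan:
            if via_wan and cur.firewall:
                path.append(f"{cur.name}: unsolicited packet on WAN dropped by SPI firewall")
                return False, path
            path.append(f"{cur.name}: delivered on LAN {cur.lan}")
            return True, path
        if any(dst in v for v in cur.vpn_nets):
            if src in cur.lan:                       # tunnel policy covers the local LAN only
                path.append(f"{cur.name}: sent through VPN tunnel")
                return True, path
            path.append(f"{cur.name}: {src} not covered by VPN policy, using default route")
        matches = [n for n in cur.static_routes if dst in n]   # longest-prefix match
        if matches:
            nh = cur.static_routes[max(matches, key=lambda n: n.prefixlen)]
            nxt = next(r for r in routers.values() if r.wan_ip == nh and r.upstream == cur.name)
            path.append(f"{cur.name}: static route -> {nh} ({nxt.name} WAN port)")
            cur, via_wan = nxt, True
            continue
        if cur.upstream is None and dst.is_private:
            path.append(f"{cur.name}: no route to private {dst}, dropped")
            return False, path
        if cur.nat:
            path.append(f"{cur.name}: NAT {src} -> {cur.wan_ip}")
            src = cur.wan_ip
        if cur.upstream is None:
            path.append(f"{cur.name}: forwarded to the Internet as {src}")
            return True, path
        cur, via_wan = routers[cur.upstream], False   # arrives on the upstream's LAN side
    return False, path + ["hop limit exceeded"]


REMOTE = ip_network("10.1.20.0/24")       # assumed subnet of the remote VPN site
SMC_PUBLIC = ip_address("203.0.113.7")    # assumed public address of the Comcast SMC


def routed_setup() -> dict[str, Router]:
    """E1500 behind the RV042 with NAT/firewall off and a static route on the RV042."""
    return {r.name: r for r in [
        Router("SMC", ip_network("10.1.10.0/24"), SMC_PUBLIC),
        Router("RV042", ip_network("10.1.11.0/24"), ip_address("10.1.10.10"), "SMC",
               static_routes={ip_network("10.1.12.0/24"): ip_address("10.1.11.18")},
               vpn_nets=frozenset({REMOTE})),
        Router("E1500", ip_network("10.1.12.0/24"), ip_address("10.1.11.18"), "RV042",
               nat=False, firewall=False),
    ]}


def final_setup(smc_route: bool = False) -> dict[str, Router]:
    """Both routers behind the SMC, each doing NAT. smc_route adds a route on the SMC
    to 10.1.11.0/24 to show that the RV042 firewall still blocks the wifi subnet."""
    smc = Router("SMC", ip_network("10.1.10.0/24"), SMC_PUBLIC)
    if smc_route:
        smc.static_routes[ip_network("10.1.11.0/24")] = ip_address("10.1.10.10")
    return {r.name: r for r in [
        smc,
        Router("RV042", ip_network("10.1.11.0/24"), ip_address("10.1.10.10"), "SMC",
               vpn_nets=frozenset({REMOTE})),
        Router("E1500", ip_network("10.1.12.0/24"), ip_address("10.1.10.11"), "SMC"),
    ]}


if __name__ == "__main__":
    for label, nets in (("routed", routed_setup()), ("final", final_setup()),
                        ("final+SMC route", final_setup(smc_route=True))):
        for s, d in (("10.1.12.50", "10.1.11.20"), ("10.1.12.50", "10.1.20.5"),
                     ("10.1.11.20", "10.1.20.5"), ("10.1.12.50", "8.8.8.8")):
            ok, path = trace(nets, s, d)
            print(f"[{label}] {s} -> {d}: {'DELIVERED' if ok else 'BLOCKED'}")
            for hop in path:
                print("    " + hop)
```

Running it prints each path. In the routed design a host on 10.1.12.x is delivered straight into 10.1.11.x, which is why putting the wifi on its own subnet behind the RV042 is not enough on its own and Access Rules keyed on that source subnet would still be needed. In the final design the same packet is blocked twice over: the SMC has no route to 10.1.11.0/24, and if it were given one the RV042's SPI firewall drops the unsolicited packet arriving on its WAN port. The model ignores layer 2 entirely, so a port accidentally left in the wrong VLAN would bypass everything it checks.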
 
> I have an SMC modem/router combo from my ISP; I know that in my case, I need to call my ISP and they need to put it in bridge mode themselves. To my knowledge there isn't a way for consumers to do so. I'm not 100% sure on all this, that is just my current understanding. YMMV.
Yeah, I've been down that road a bunch early on with Comcast and so whatever I have now is apparently the extent of what they can do in my case, which regrettably is not a true bridge mode, as you've observed.

> Clients behind the RV042 should have no access to clients behind the E1500, as there are no routes set between the subnets, unless you manually set up routing tables between routers.

That's great! :D The RV042 is for the LAN which houses sensitive data, and the RV042 also is the VPN conduit to another site. The E1500 is for wifi access for a few special things, but because of the sensitivity of the data behind the RV042 I don't want any chance of the devices connected to the E1500 ever being able to reach any device behind the RV042 (even though I'm also using a strong password, etc. for the E1500 wifi connection). So it sounds like I should be good to go! :D

Thanks everyone for all the help!
 
Just going to pipe in on sensitive data. I'm not sure what exactly it is, so take my advice with a grain of salt.

First off, anything you're that worried about should be protected by very strong encryption. If it's dangerous in any way, I would store it in a way that's not directly connected to the internet in any way.

I may just be being paranoid, but you spoke as if it were especially sensitive data. Just thought I'd chime in :D
 
Hey thanks, I definitely hear you! :) I'm very cautious about this stuff too. And I am using multiple layers of passwords, encryption (eg, Truecrypt), etc. :D But I wanted to be extra sure I had the network stuff working right (since I'd missed something previously) as I don't want someone to even have a chance to start trying to break through all the other layers of protection.
 
I have a question. Do you have access to the router from Comcast and do you make changes to it? How do you open ports? Do you trust the Comcast router? If you trust the Comcast router then use it as the main router. If you don’t want to use the Comcast router as your main router then we should design something which will work with the Comcast router being a bridge instead of a router.
 
I definitely do not want to use the Comcast router as my main router. It is a very basic router. I do have access to it and I can change settings (of the very limited settings it has).

At this point, unless there is a security concern you can point out to me about my current setup, I'm not interested in making further changes. I know that double-NATing is not ideal, but it has been working fine for me for the past several years (ie, the RV042 has been behind the Comcast router for several years). My main concern recently was just regarding how I could better protect the RV042 network from the E1500 network, which I believe my most recent changes accomplish well (though please correct me if I'm wrong!).

I went round and round with Comcast when I originally was getting my account established with them (this is a Comcast Business Class account) regarding any ways that the Comcast router can be put into a true bridge mode. And the result of many phone calls was consistently that the only way that could be achieved with the Comcast router currently was if I purchased static IP addresses (which I'm not interested in doing at this time, especially since my current setup seems to work fine). I do know what true bridge mode is as I have my home network setup that way (because I have purchased my own cable modem for that, but Comcast is very resistant to letting me provide my own modem for my Business Class account).

So all that to say, I appreciate your desire to help me establish a true bridge mode with my Comcast router, but I'm really okay with the way things are so long as there aren't any security issues with this setup that I'm unaware of. :)

Thanks!
 
We might be able to get rid of the double NAT if you can turn off NAT on the Comcast router. You could then add 2 route statements on the Comcast router to point to your other 2 routers. If you want to explore this let me know.
PS
I am sorry this idea will not work the more I thought about it.
 
Hey, no problem. And thanks for offering! :)
 