ed0711

Honorable
Dec 9, 2012
7
0
10,510
Hi:
I've been reading a lot on this forum and several others, looking for a solution to my situation. I've come close but still need some help.

I have 1 ISP that I'd like to split for two internal networks. I run a small business from my home and would like to split the WAN connection so that we can use the internet for personal use.

The current setup is this. My ISP is connected to a D-Link DIR-655 router. The router does not handle DHCP. From the router, I run wired to a Linksys 24 port unmanaged switch. DHCP is handled by a Windows SBS 2003 R2, set up as the domain controller. The D-Link LAN address is 192.168.1XX.1. The address pool for DHCP within SBS is set for 30 addresses starting at 192.168.1XX.100 to 130. The subnet mask on the network is 255.255.255.0. All of the clients (hosts), including 2 laptops, 1 PC, 1 NAS, 2 printers, 1 wireless AP, 1 SBS server/domain controller and 1 FTP server, get their addresses from the pool, either through reservation or lease.

The FTP server is used for personal use and I want to remove it from the business network. We also have a kids' computer that I don't want within the business network. The residential ISPs block all the ports for services like FTP. For this reason, I need to keep the FTP on the WAN provided by my business ISP, but need it segregated from the business network.

Furthermore, my anti-virus is a paid version from Grisoft. One of the licenses is on the FTP server, so communication from the SBS to the FTP for anti-virus updates is important. Also, communication from the PC to the FTP is important to upload files for WAN clients to retrieve.

1) My thought is to add another router, in gateway mode only, from one of the LAN ports on the D-Link DIR-655.
2) Give the new router a LAN address of 192.168.2.1 with a subnet mask of 255.255.255.0.
3) Leave DHCP enabled on the new router/gateway to distribute addresses to clients on this network.
4) Attach the FTP server and the kids computer to LAN ports of the new router/gateway, giving them addresses of 192.168.2.X from DHCP.
5) In the D-Link, set up a route sending all FTP requests to 192.168.2.1 and the client address of 192.168.2.X.

I'd like to know if I'm on track with my thoughts. If not, what would the right suggestion be to resolve this.

And lastly, if I am right, how do I get the SBS and the 1 PC to communicate with the FTP for updates and uploads?

Thank you to anyone who can offer your expertise.

john-b691

Depends why you want to do this. The networks are still really together and data can pass between them. Your second router would have to have firewall features to filter if you want to restrict. If you do not plan to firewall then it may not be worth the effort.

Not sure what you mean by gateway mode. I will assume you mean you intend to run it in NAT mode...the other method of really routing the traffic is not supported on many consumer routers.

What you do is assign the WAN port an IP in the .1 network. You then port forward the FTP port in your main router to the .1 IP of this new router. Then in the new router you put in another port forward to the new .2 network.

The messy part is that to access this FTP server from your main network you will need to FTP to the WAN IP of your new router. You cannot use the .2 address or the external address on the internet.

The security issue is that although none of the machines on the main network can access this new network because of the NAT, all the machines on the new network can access the main network, since to them it appears to be the internet.
 

ed0711

Thanks john-b691.

I appreciate your feedback and it's given me some insight as to how my configuration will not be suitable.

Primarily, I need to remove the FTP server from the business network and run it on a network isolated from the business network. This is so that clients that access the FTP from the internet cannot gain access to the business network, essentially giving my business network the security it once had.

I am trying not to incur more cost by asking the business ISP for a second IP address. And the residential ISP I tried has all the ports blocked for traffic such as FTP and refuses to open them. However, the business ISP has ports such as FTP open. For this reason, I need to be running FTP traffic on the business ISP's modem and downstream from there to my two independent networks.

The question then becomes, what is the best way to split one IP address supplied by the ISP into two separate internal networks? And the second question is how to get network 1 to access network two but not vice versa?

I have old hardware available to use including two Linksys BEFSX41 routers, 1 BEFSR41 router and 1 EZXS88W 8 port workgroup switch. Further, I am not opposed to purchasing different equipment, with the hope that we're not talking about an $800 firewall.

Thanks again.
 

john-b691

The main security issue may be solved by a simple firewall rule. You can say no machine on the LAN on the second network can get to the 192.168.1.x network. The problem with this is that when users on your main network attempt to get to the FTP server, the server is not allowed to talk to them. You may be able to get around this by allowing traffic sourced from ports 20 and 21 from the server to have access to the 192.168.1.x network. The problem is you would have to read for a while to see which routers have that ability. I would suspect DD-WRT firmware does. It is likely that you could make it work with FTP forced to run in passive mode only.

If all else fails, something like a SonicWall firewall is pretty cheap and they understand FTP. Also almost any Cisco router can do this, even 10 year old ones. I would only go 1 or 2 generations back; a 2621 or a 2811 on the used market should be inexpensive. Of course Cisco is not trivial to configure. In either case these are true FTP-aware firewalls. They watch the communication on port 21 and then, depending on whether the FTP is active or passive, they dynamically allow traffic on port 20. They prevent any other outgoing traffic from the FTP server that is not directly associated with the session the users established from the outside.
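The double port forward from john-b691's earlier reply and the "second network may not reach 192.168.1.x, but FTP replies still get back" rule above, written as an added example for a DD-WRT style second router running iptables (this is not a configuration from the thread or from any of the posters). Assumptions, all mine: the second router's WAN port sits in a business LAN of 192.168.100.0/24 (the thread writes it as 192.168.1XX.x), the FTP server is 192.168.2.10, it runs in passive mode with a fixed data port range of 50000-50100, and the return path is handled by connection tracking (ESTABLISHED,RELATED) instead of the source-port 20/21 rule, which is the stateful version of the same idea.

```shell
#!/bin/sh
# Added example: iptables rules for the second (personal) router. All addresses
# and interface names below are assumed placeholders, not values from the thread.
WAN_IF=${WAN_IF:-eth0}                  # WAN port, plugged into the business LAN
LAN_IF=${LAN_IF:-br0}                   # personal LAN bridge
BIZ_NET=${BIZ_NET:-192.168.100.0/24}    # business LAN (thread: 192.168.1XX.x)
FTP_SRV=${FTP_SRV:-192.168.2.10}        # FTP server on the personal LAN
PASV_RANGE=${PASV_RANGE:-50000:50100}   # passive data ports configured on the server
IPT=${IPT:-echo iptables}               # dry run by default; run with IPT=iptables to apply

apply_rules() {
  # Second hop of the double port forward: the main router forwards 21 and the
  # passive range to this router's WAN IP; we forward them on to the FTP server.
  $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 21 -j DNAT --to-destination "$FTP_SRV"
  $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$PASV_RANGE" -j DNAT --to-destination "$FTP_SRV"

  # Replies to sessions that were opened from outside (internet or business LAN)
  # are allowed back out even though new LAN->business traffic is dropped below.
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Only the forwarded FTP control and passive data ports may reach the server.
  $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$FTP_SRV" -p tcp --dport 21 -j ACCEPT
  $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$FTP_SRV" -p tcp --dport "$PASV_RANGE" -j ACCEPT

  # Nothing originating on the personal LAN may open a connection to the business LAN.
  $IPT -A FORWARD -i "$LAN_IF" -d "$BIZ_NET" -j DROP

  # The personal LAN may still reach the internet through the main router's NAT.
  $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
  $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}
```

Business LAN clients still connect to the second router's WAN IP, as the thread notes; the rules above do not cover the SBS antivirus management traffic to the FTP server, which would need its own forward.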



 

icefire900

You need to purchase a managed switch with VLAN properties. VLAN has the capability to designate a port to a different subnet or LAN. So you can have half the ports on the switch as 192.168.10.x while the other half is on 192.168.20.x.

It is manageable like a router normally with a little GUI and web interface. But this will fix your problem.
 

ed0711

Thank you for your reply.

For now, I must assume the managed switch goes between the modem from the ISP and the two routers. Is this correct?

Also, the business network is already set up as 192.168.1XX.1 with the Windows SBS server handling DHCP and DNS. The server's address is 192.168.1XX.1XX.

You mention that I need two networks addressed as 192.168.10.X and 192.168.20.X. Does this mean that I'll need to change the entire server DNS and DHCP structure to accommodate the aforementioned addresses or can I keep the business structure as it is and add the second network as 192.168.20.X?

Again, thank you for your input and answers.
 

icefire900

No problem :)
You will still have the server doing DNS and DHCP for the current 192.168.1.x range then you will need another device to manage the DHCP for the other x.x.x.x range. The range does not have to be in the 192.168.1.x style, it can be something like 10.1.1.x or 192.168.50.x.

I hope this makes sense.
 

ed0711

Yes, this all makes sense so far. I found a Netgear ProSafe 8 port gigabit switch I think will do the trick. It seems to have all the specs you recommended. I'm glad to learn I don't have to change the addressing scope of the business network.

However, one last thing you didn't answer from my last post. This new switch should be placed just behind the ISP's modem and then have the two routers come off two of the ports from the new switch, is this correct?

Thanks again.
 

icefire900

You can go like this:
ISP Modem --> Router --> Switch (VLAN 1 -- Business network)
                                (VLAN 2 -- Router 2 -- Personal network)

Or the suggested method you have.

In essence an advanced router like a Fortigate does have the same functionality as a managed switch and can manage the DHCP of both networks. However, the cheaper alternative is the Netgear; from experience I am sure that device will do the job :)
 
Solution

ed0711

I'd like to thank you personally for your help and your patience in walking me through this. Your knowledge is greatly appreciated.