<?xml version="1.0" encoding="UTF-8"?>

<rss version="2.0" xmlns:blogChannel="http://backend.userland.com/blogChannelModule">

<channel>
<title>Using two routers for security without double NAT in Wireless Security</title>
<link>http://www.dslreports.com/forum/r13087961</link>
<description></description>
<language>en</language>
<pubDate>Wed, 25 Nov 2009 04:00:55 EDT</pubDate>
<lastBuildDate>Wed, 25 Nov 2009 04:00:55 EDT</lastBuildDate>

<item>
<title>Re: Using two routers for security without double</title>
<link>http://www.dslreports.com/forum/remark,14093937</link>
<description><![CDATA[<A HREF="/useremail/u/216197"><b>dnoyeB</b></A> : Yes I did.  I'll give it another shot tonight and see to be sure.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,14093937</guid>
<pubDate>Tue, 09 Aug 2005 11:56:37 EDT</pubDate>
</item>

<item>
<title>Re: Using two routers for security without double</title>
<link>http://www.dslreports.com/forum/remark,14093726</link>
<description><![CDATA[<A HREF="/useremail/u/152092"><b>janderso1</b></A> : With the factory firewall settings the 334W blocks all WAN to LAN connections with NAT on or off.  When you forward a port a firewall rule is automatically created to allow connections to the port from the WAN.  Have you tried forwarding the ssh port to the IP address of your server?<br><SMALL>--<br>Jim Anderson</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,14093726</guid>
<pubDate>Tue, 09 Aug 2005 11:24:35 EDT</pubDate>
</item>

<item>
<title>Re: Using two routers for security without double</title>
<link>http://www.dslreports.com/forum/remark,14093565</link>
<description><![CDATA[<A HREF="/useremail/u/216197"><b>dnoyeB</b></A> : <div class="bquote"><SMALL>said by  janderso1 <A HREF="/useremail/u/152092"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>:</SMALL><br><br>It is true that with NAT off you must use the LAN IP address of the computer you want to access, not the WAN IP of the Zyxel.  You have two subnets with R2 routing between them.<br><br>The firewall in the second router protects its LAN segment.  Try to telnet to a PC on R2's LAN and you will see in the log that the firewall blocked it.  <br><br>Port forwarding also creates a firewall rule in these low end Zyxels to allow the incoming traffic, so if you forward the SSH port to your SSH server's LAN IP you should be able to connect.  I forwarded port 515 to my print server and port 53 to my DNS server and they work.  In other words port forwarding does what you want with NAT off or on.<br><br>...<br> </DIV>When NAT is off you need to target computers by IP, and when you do that port forwarding makes no sense.  I have not found port forwarding to work the same with NAT on and off.  With NAT off I have found I have no port forwarding because the Zyxel assumes you are trying to connect to it and not some device on the LAN when NAT is off.  Are you experiencing something different?<br><br>I think you may be seeing some NetBIOS forwarding because that is outside of the port forwarding page/NAT.  But if you try to telnet into a computer on the LAN with NAT off I don't think you can.<br><SMALL>--<br>dnoyeB<BR>"Then said I, Wisdom [is] better than strength: nevertheless the poor man's wisdom [is] despised, and his words are not heard. " Ecclesiastes 9:16<BR></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,14093565</guid>
<pubDate>Tue, 09 Aug 2005 11:02:25 EDT</pubDate>
</item>

<item>
<title>Re: Using two routers for security without double</title>
<link>http://www.dslreports.com/forum/remark,14093116</link>
<description><![CDATA[<A HREF="/useremail/u/152092"><b>janderso1</b></A> : It is true that with NAT off you must use the LAN IP address of the computer you want to access, not the WAN IP of the Zyxel.  You have two subnets with R2 routing between them.<br><br>The firewall in the second router protects its LAN segment.  Try to telnet to a PC on R2's LAN and you will see in the log that the firewall blocked it.  <br><br>Port forwarding also creates a firewall rule in these low end Zyxels to allow the incoming traffic, so if you forward the SSH port to your SSH server's LAN IP you should be able to connect.  I forwarded port 515 to my print server and port 53 to my DNS server and they work.  In other words port forwarding does what you want with NAT off or on.<br><br>Setting R2 as the DMZ/default server of R1 allows R2 to log incoming port probes (and I indicated that it was optional).  If you are using the Netgear WGR614 as R1, it doesn’t log incoming port probes.  Another benefit of setting R2 as the DMZ target is you don’t need to set up any port forwarding on R1 unless you have a server on its LAN segment that needs to be accessed from the Internet.<br><SMALL>--<br>Jim Anderson</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,14093116</guid>
<pubDate>Tue, 09 Aug 2005 09:42:54 EDT</pubDate>
</item>

<item>
<title>Re: Using two routers for security without double</title>
<link>http://www.dslreports.com/forum/remark,14090810</link>
<description><![CDATA[<A HREF="/useremail/u/431519"><b>Anav</b></A> : If you want fidelity and flexibility, stop trying to put a round peg into a square hole. ;-) There is nothing wrong with Janders' methods, but there are limitations, as one should expect with a process which is a workaround from the get go.<br><SMALL>--<br>Ain't nuthin but the blues! "Albert Collins". Leave your troubles at the door! "Pepe Peregil" De Sevilla.  Just Don't Wifi without WPA, "Yul Brenner"<A HREF="http://www.llamaworks.ca">LlamaWorks Equipment</A></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,14090810</guid>
<pubDate>Mon, 08 Aug 2005 22:51:12 EDT</pubDate>
</item>

<item>
<title>Re: Using two routers for security without double</title>
<link>http://www.dslreports.com/forum/remark,14089800</link>
<description><![CDATA[<A HREF="/useremail/u/216197"><b>dnoyeB</b></A> : Well it was all good until I tried to ssh into my linux box.  Having issues.<br><br>When you don't NAT you can't ssh to the WAN IP of the Zyxel, you must use the actual LAN address of the computer you want.  <br><br>So the first router does NAT and the 2nd router doesn't.  But this raises the question of what kind of protection is being provided by the 2nd router?  Port forwarding doesn't make sense on the 2nd router since it's not doing NAT.  Ports only get forwarded when they are targeted towards the router's WAN address, but this doesn't work with NAT off if I am comprehending correctly.<br><br>On this same notion it does not make sense to have the first router target the 2nd router as its DMZ since stuff targeted toward the router with NAT off just gets blocked.<br><br>The scheme just does not work.  With NAT off it basically walls off the whole thing.  You can initiate connections from within the router, but nothing can be initiated from without.  You can't tell the router what to do with an incoming port without NAT...]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,14089800</guid>
<pubDate>Mon, 08 Aug 2005 20:45:23 EDT</pubDate>
</item>

<item>
<title>Re: Using two routers for security without double</title>
<link>http://www.dslreports.com/forum/remark,14031375</link>
<description><![CDATA[<A HREF="/useremail/u/152092"><b>janderso1</b></A> : That should work but I haven’t tried it.  172.16 through 172.31 are valid private IPs.<br><SMALL>--<br>Jim Anderson</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,14031375</guid>
<pubDate>Mon, 01 Aug 2005 11:03:22 EDT</pubDate>
</item>

<item>
<title>Re: Using two routers for security without double</title>
<link>http://www.dslreports.com/forum/remark,14031114</link>
<description><![CDATA[<A HREF="/useremail/u/216197"><b>dnoyeB</b></A> : If I map R2's MAC address to 172.x.x.2 in R1, then enable DHCP for the WAN port in R2, R2 should get the proper IP address from R1 based on MAC, and possibly it will get the DNS servers as well?<br><br>Just trying to get automatic DNS address updating as my ISP likes to tinker.<br><SMALL>--<br>dnoyeB<BR>"Then said I, Wisdom [is] better than strength: nevertheless the poor man's wisdom [is] despised, and his words are not heard. " Ecclesiastes 9:16<BR></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,14031114</guid>
<pubDate>Mon, 01 Aug 2005 10:16:29 EDT</pubDate>
</item>

<item>
<title>Re: Using two routers for security without double</title>
<link>http://www.dslreports.com/forum/remark,13986371</link>
<description><![CDATA[<A HREF="/useremail/u/152092"><b>janderso1</b></A> : When you disable NAT on R2 (the Zyxel) it acts as a pure router.  When a PC on the R2 LAN accesses the Internet its real 192.168.8.x address is passed to R1 by R2.  R1 then replaces the 192.168.8.x with its WAN IP address (which is why R1 must be able to do NAT for more than one subnet).<br><SMALL>--<br>Jim Anderson</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13986371</guid>
<pubDate>Tue, 26 Jul 2005 09:23:08 EDT</pubDate>
</item>

<item>
<title>Re: Using two routers for security without double</title>
<link>http://www.dslreports.com/forum/remark,13986305</link>
<description><![CDATA[<A HREF="/useremail/u/216197"><b>dnoyeB</b></A> : It's not clear to me how this avoids double NAT.  It seems like both routers are on separate subnets!?]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13986305</guid>
<pubDate>Tue, 26 Jul 2005 09:08:37 EDT</pubDate>
</item>

<item>
<title>Re: Using two routers for security without double</title>
<link>http://www.dslreports.com/forum/remark,13842516</link>
<description><![CDATA[<A HREF="/useremail/u/421841"><b>seezar</b></A> : You could always get a soekris box (net4801) for about $275, &raquo;<A HREF="http://www.soekris.com/" >www.soekris.com/</A> which has a WAN port and 2 LAN ports and then run M0n0wall on it, &raquo;<A HREF="http://m0n0.ch/wall/" >m0n0.ch/wall/</A> . I have my wired LAN on one LAN interface and my wireless on the other. Then configure each interface for 2 different subnets and a firewall rule on the wired LAN to block all traffic from the wireless LAN. That way the wireless network is behind NAT but can't get to my wired LAN, but I can access the wireless network via the wired.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13842516</guid>
<pubDate>Fri, 08 Jul 2005 12:40:57 EDT</pubDate>
</item>

<item>
<title>Re: Using two routers for security without double</title>
<link>http://www.dslreports.com/forum/remark,13842453</link>
<description><![CDATA[<A HREF="/useremail/u/152092"><b>janderso1</b></A> : Yes, R1 must do NAT for both subnets (not all routers will do this, the ones I mentioned will).  On the Zyxel routers you can enable/disable NAT and the SPI firewall separately.  You may be able to do this with some of the Linksys routers.<br><SMALL>--<br>Jim Anderson</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13842453</guid>
<pubDate>Fri, 08 Jul 2005 12:32:39 EDT</pubDate>
</item>

<item>
<title>Re: Using two routers for security without double</title>
<link>http://www.dslreports.com/forum/remark,13842278</link>
<description><![CDATA[<A HREF="/useremail/u/1227923"><b>apara0</b></A> : With the NAT disabled in R2, 192.168.8.0 addresses reach R1 and then use R1's NAT to go out to the internet? <br><br>So there is still a firewall even with NAT disabled?  I always thought that NAT <I>was</I> the firewall in most routers.  I guess the SPI firewall is separate from NAT and still does not allow arbitrary traffic INTO the router?<br><br>Thanks.<br>-AP_]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13842278</guid>
<pubDate>Fri, 08 Jul 2005 12:08:13 EDT</pubDate>
</item>

<item>
<title>Re: Using two routers for security without double</title>
<link>http://www.dslreports.com/forum/remark,13841683</link>
<description><![CDATA[<A HREF="/useremail/u/152092"><b>janderso1</b></A> : The route add tells the wireless PC to use the alternate gateway to reply to a request from the wired PC.  The wireless PCs are still blocked from initiating a request to the wired segment by the firewall in R2.  In my case I forwarded port 515 to the IP address of my print server on the wired segment to allow wireless PCs to print to it.  <br><SMALL>--<br>Jim Anderson</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13841683</guid>
<pubDate>Fri, 08 Jul 2005 10:47:07 EDT</pubDate>
</item>

<item>
<title>Re: Using two routers for security without double</title>
<link>http://www.dslreports.com/forum/remark,13841530</link>
<description><![CDATA[<A HREF="/useremail/u/1227923"><b>apara0</b></A> : Jim, <br><br>So if on the wireless PC a route add is done, will wired users be able to see the wireless users and vice versa?  <br><br>Is there a way to make it so that wired users always see wireless users but wireless users cannot see wired users?  <br><br>I really want to isolate my wireless users from my wired LAN.  In case there is a break into the wireless network, I don't want them to be able to break into my wired LAN.<br><br>Thanks.<br>-AP_]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13841530</guid>
<pubDate>Fri, 08 Jul 2005 10:26:21 EDT</pubDate>
</item>

<item>
<title>Re: Using two routers for security without double</title>
<link>http://www.dslreports.com/forum/remark,13840948</link>
<description><![CDATA[<A HREF="/useremail/u/152092"><b>janderso1</b></A> : With this setup the wireless users can’t see anything on the wired LAN.  The wireless users will only be accessible if the route add is done on the wireless PC. <br><SMALL>--<br>Jim Anderson</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13840948</guid>
<pubDate>Fri, 08 Jul 2005 08:30:45 EDT</pubDate>
</item>

<item>
<title>Re: Using two routers for security without double</title>
<link>http://www.dslreports.com/forum/remark,13840800</link>
<description><![CDATA[<A HREF="/useremail/u/1227923"><b>apara0</b></A> : Will this setup prevent wireless users from seeing the wired LAN, thereby creating a firewall between those users accessing the wireless LAN and those connected with a wire?  I also would like to be able to see the wireless users without them seeing me.  Will this work in this fashion?<br><br>Thanks.<br>-AP_]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13840800</guid>
<pubDate>Fri, 08 Jul 2005 07:48:44 EDT</pubDate>
</item>

<item>
<title>Re: Using two routers for security without double NAT</title>
<link>http://www.dslreports.com/forum/remark,13169131</link>
<description><![CDATA[<A HREF="/useremail/u/768499"><b>Shootist</b></A> : DMZ on a Zywall5 is/can be totally different than any home router's DMZ. You can set firewall rules to allow or not allow all kinds of stuff. DMZ on most if not all home routers is like placing the PC/s connected to it on the NET. Not so with the Z5, or it can be. It's all how you set it up.<br><SMALL>--<br>Shooter Ready--Stand By      BEEP    <B>********</B></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13169131</guid>
<pubDate>Thu, 14 Apr 2005 13:05:04 EDT</pubDate>
</item>

<item>
<title>Re: Using two routers for security without double NAT</title>
<link>http://www.dslreports.com/forum/remark,13166651</link>
<description><![CDATA[<A HREF="/useremail/u/355439"><b>TheGiant</b></A> : I would hate to put the wireless client in a DMZ without even simple NAT protection from the internet. I think the idea of separate IP addresses and XP firewall with blocked IPs to the local LAN is the simplest solution.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13166651</guid>
<pubDate>Thu, 14 Apr 2005 04:59:39 EDT</pubDate>
</item>

<item>
<title>Re: Using two routers for security without double NAT</title>
<link>http://www.dslreports.com/forum/remark,13092018</link>
<description><![CDATA[<A HREF="/useremail/u/152092"><b>janderso1</b></A> : I agree that a Zywall five is a better solution if you need most of its features.  However, a Z5 costs almost $400 dollars and is overkill if all you want to do is protect a wired home network from wireless intruders.  Also, the Z5 doesn’t have a DHCP server for the DMZ and wireless costs extra.  The purpose of my post is to explain how to set up a DMZ using relatively inexpensive equipment (less than $125 if you use two P334WTs).  <br><SMALL>--<br>Jim Anderson</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13092018</guid>
<pubDate>Tue, 05 Apr 2005 09:35:14 EDT</pubDate>
</item>

<item>
<title>Re: Using two routers for security without double NAT</title>
<link>http://www.dslreports.com/forum/remark,13088554</link>
<description><![CDATA[<A HREF="/useremail/u/431519"><b>Anav</b></A> : Why not just get the ZyWALL 5, which has a DMZ interface with which to have a private LAN and a Public LAN.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13088554</guid>
<pubDate>Mon, 04 Apr 2005 21:07:51 EDT</pubDate>
</item>

<item>
<title>Using two routers for security without double NAT</title>
<link>http://www.dslreports.com/forum/remark,13087961</link>
<description><![CDATA[<A HREF="/useremail/u/152092"><b>janderso1</b></A> : Using two routers to secure a subnet without double NAT<br><br>Doing NAT in two routers is undesirable because it tends to break some software such as VPN and online games.  By purchasing the correct equipment you can eliminate double NAT.<br><br>Router one must support NAT for IP addresses that are not on the same subnet as the router and support static routes.  If router one is providing wireless access, it needs to support WPA to be secure.  Router one should also have an SPI firewall for security.  You could also use a wired router and a separate wireless access point.  For testing this I used a Netgear WGR614 version 5 wireless router ($20 after rebate).  As far as I know, all the Zyxel routers, firewalls, and DSL modem/routers support all of these requirements except wireless/WPA, and some of them support WPA. Router one will support the DMZ/wireless subnet.<br><br>The second router must support an SPI firewall with NAT disabled to secure the protected LAN.  To use DHCP on the protected “LAN”, the second router must support manually assigning DNS servers (which will be given to the DHCP clients).  I used a Zyxel P334WT for the second router (less than $62 shipped).  As far as I know, all the Zyxel routers and firewalls currently in production support these requirements.  Router two will provide Internet access to the “secure” LAN through router one.<br><br>You must use two subnets.  For this example I use 172.30.100.0 for the DMZ and 192.168.8.0 for the LAN, both with masks of 255.255.255.0 (172.30 is a class B block under the now obsolete IP class rules and the normal mask for a class B is 255.255.0.0, but you could always subnet a class B).  You can use your existing subnet for the LAN as long as you use a different subnet for the DMZ.<br><br>Assign router one a LAN IP address of 172.30.100.1 mask 255.255.255.0<br>Create a static route with a destination of 192.168.8.0 mask 255.255.255.0 gateway 172.30.100.2<br>Set the DHCP server start address to 172.30.100.100 end address to 172.30.100.149 (or any range you want as long as it doesn’t include .1 and .2 and is part of the same subnet)<br>Optionally set the default DMZ server to 172.30.100.2 if you want to see port probes in the P334WT’s logs.<br>If you are going to be using wireless, set up and enable router one’s wireless LAN<br>Connect the WAN port of router one to your DSL or cable modem.<br><br>Disable router two’s wireless LAN if it has one.<br>Assign router two a LAN IP address of 192.168.8.1 mask 255.255.255.0<br>Set the DHCP start address to 192.168.8.100 end address to 192.168.8.149 (or any range you want as long as it doesn’t include .1 and is part of the same subnet)<br>Set the first DNS server to the IP address assigned by your ISP as first choice (you can get these from router one’s status)<br>Set the second DNS server to the IP address assigned by your ISP as second choice (you can get these from router one’s status)<br>Set the third DNS server to 172.30.100.1 (LAN IP of router one)<br>Set Windows networking (NetBIOS over TCP/IP) to allow between LAN and WAN (on the LAN setup page)<br>Assign router two a WAN IP address of 172.30.100.2 mask 255.255.255.0 gateway 172.30.100.1<br>Set address translation to NONE on a Zyxel P334WT (uncheck enable NAT on a Zywall 5)<br>Set Windows networking (NetBIOS over TCP/IP) to allow between LAN and WAN (on the WAN setup page)<br><br>Connect the WAN port of router two to a LAN port of router one.<br>You should install a software firewall on all the wireless and DMZ PCs.  I use the free version of Zone Alarm and set it to trust the LAN subnet.<br>Connect any wired “DMZ” PCs to LAN ports on router 1 (use a switch if you need more ports)<br>Connect your “secure” LAN PCs to LAN ports on router 2 (use a switch if you need more ports)<br><br>If you need to access shares on a PC that connects to the DMZ subnet (wired or wireless), go to the PC and at a cmd prompt enter<br><div class="code"><PRE><span class="codetext">rem Windows route takes the gateway as a bare argument after the mask (no "gateway" keyword)<br>route add 192.168.8.0 mask 255.255.255.0 172.30.100.2<br>Or<br>route -p add 192.168.8.0 mask 255.255.255.0 172.30.100.2</SPAN></PRE></DIV>if you want the route to be semi-permanent (you can delete it)<br>Then use Find Computer to find the DMZ PC.  If you share a folder read/write on the PC, you can transfer files in both directions.<br><br>If you need to access a share on the LAN from a DMZ PC, the cheap way is to temporarily disconnect the PC from the DMZ and connect it to the LAN.  <br><br>Since the P334WT has a limited VPN server, the other option to access the LAN from the DMZ is to set up a VPN rule on the P334WT and install VPN client software on the DMZ PC(s).  I use this method to access a shared printer from my wireless notebook PC.  You can download a free (but old) VPN client here.<br><br>&raquo;<A HREF="http://ftp.up.ac.za/pub/linux/ssh/pub/sentinel/" >ftp.up.ac.za/pub/linux/ssh/pub/sentinel/</A><br><br>This link is from the top of the VPN forum here.<br><br>If you are using P2P software, you may want to consider a router more robust than the Netgear WGR614, such as a second P334WT, for router one.  I did a second successful test using my P334T as router one and my Zywall 5 as router two.<br><br>I think this should go in an FAQ, but I am not sure which one because it applies to both wired and wireless network security.<br><br><SMALL>--<br>Jim Anderson</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,13087961</guid>
<pubDate>Mon, 04 Apr 2005 20:00:06 EDT</pubDate>
</item>

</channel>
</rss>
