Physical Isolation vs VLANs

Guest

I would like to create a network topology that shares an Internet cable
connection between two LANs in such a way that both LANs can access the
Internet but are completely isolated from each other (i.e. a backdoor
infecting one LAN could not spread to the other LAN).


I've heard about VLANs, but what about simple physical isolation? Is there
any reason why I can't just split the coaxial cable from the ISP into two
separate cable modems, each for a different LAN? Wouldn't the DHCP simply
assign two different IPs to the cable modems, thus providing isolation?


Thanks.
 
Steve Winograd [MVP]

MEK said:
> I would like to create a network topology that shares an Internet cable
> connection between two LANs in such a way that both LANs can access the
> Internet but are completely isolated from each other (i.e. a backdoor
> infecting one LAN could not spread to the other LAN).

Here's a simple setup that I use to completely isolate two LANs from
each other (one for my own trusted computers, and one for visiting
friends and clients):

Get three inexpensive home broadband routers. Connect the WAN port of
#1 to the cable modem. Connect the WAN ports of #2 and #3 to LAN
ports of #1. Connect one group of computers to the LAN ports of #1.
Connect the other group of computers to the LAN ports of #2.

#1 must use a different subnet than #2 and #3. #2 and #3 can use the
same subnet as each other.
> I've heard about VLANs, but what about simple physical isolation? Is there
> any reason why I can't just split the coaxial cable from the ISP into two
> separate cable modems, each for a different LAN?

I'm not aware of any cable ISP that lets you connect two cable modems.
Some ISPs will let you have two IP addresses through one cable modem,
probably for an additional monthly fee, but that isn't enough to do
what you want. You'd also need a router for each LAN.
> Wouldn't the DHCP simply assign two different IPs to the cable modems,
> thus providing isolation?

Cable modems assign public IP addresses, which, by definition, aren't
isolated from each other.

You're welcome.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
 
Guest

Steve Winograd said:
> Here's a simple setup that I use to completely isolate two LANs from
> each other (one for my own trusted computers, and one for visiting
> friends and clients):
>
> Get three inexpensive home broadband routers. Connect the WAN port of
> #1 to the cable modem. Connect the WAN ports of #2 and #3 to LAN
> ports of #1. Connect one group of computers to the LAN ports of #1.
> Connect the other group of computers to the LAN ports of #2.
>
> #1 must use a different subnet than #2 and #3. #2 and #3 can use the
> same subnet as each other.

In your reply did you mean connect one group of computers to the LAN ports of
#2 and the other group to the LAN ports of #3?


Also, could you explain how your topology works? I don't yet understand how
your subnet assignments provide isolation. Do you mean that if #2 and #3 have
the same subnet while #1 is different, #1 will never forward packets between
#2 and #3?



Again, thanks.
 
Steve Winograd [MVP]

MEK said:
> In your reply did you mean connect one group of computers to the LAN ports of
> #2 and the other group to the LAN ports of #3?

You're right. I'm sorry for my mistake.
> Also, could you explain how your topology works? I don't yet understand how
> your subnet assignments provide isolation. Do you mean that if #2 and #3 have
> the same subnet while #1 is different, #1 will never forward packets between
> #2 and #3?

#1's LAN subnet has to be different than #2, and #1's LAN subnet has
to be different than #3. For example, if #1 had the same subnet as #2,
#2 wouldn't be able to route packets between LAN and WAN, because its
WAN and LAN interfaces would be in the same subnet.

It doesn't matter whether #2 and #3 use the same subnet or different
subnets. #1 won't forward packets between #2 and #3 in either case.

In my setup, the LAN subnets for the routers are:

#1 - 172.16.0.x
#2 - 192.168.123.x
#3 - 192.168.10.x

The WAN IP addresses for the routers are:

#1 - public IP assigned by ISP
#2 - 172.16.0.2
#3 - 172.16.0.3

Assume that a source computer connected to #3 tries to send a packet
to a destination computer connected to #2. That packet can't be
delivered. Here's what would happen:

1. The source computer sends the packet to its gateway: the LAN
interface of router #3.

2. If the source and destination addresses are in the same subnet (#2
and #3 use same LAN subnet), #3 tries to find the destination on its
LAN interface. #3 doesn't pass the packet to its WAN interface, so
the packet can't get to the destination computer.

3. If the source and destination addresses are in different subnets
(#2 and #3 use different LAN subnets), #3 sends the packet to its
gateway: the LAN interface of #1.

4. #1 sees a packet addressed to 192.168.123.x. #1 doesn't know that
192.168.123.x is the LAN interface of #2. #1 has no entry for that
subnet in its route table, so #1 sends the packet to its gateway,
which belongs to the ISP.

5. Since the packet is addressed to a non-routable private subnet,
the ISP's gateway router drops the packet.
> Again, thanks.

You're welcome.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)
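The five-step packet walk above can be checked by modelling the route tables directly. The following Python script is an added example, not code from the thread: it builds the three-router layout Steve describes, does a longest-prefix route lookup at each hop, and reports where a packet from one inner LAN to the other dies. The private subnets are the ones given in the post; 198.51.100.10 is a constructed documentation address standing in for an Internet host, and NAT is left out because the forwarding decision alone explains the isolation.

```python
"""Added example (not code from the thread): trace packets through the
three-router layout from the post and show why the inner LANs cannot reach
each other while both still reach the Internet."""
from ipaddress import ip_address, ip_network

# Destinations the ISP's gateway will not route (RFC 1918), step 5 of the post.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


def build_topology(lan2="192.168.123.0/24", lan3="192.168.10.0/24"):
    """#2 and #3 default-route to #1 (their WAN gateway); #1 defaults to the ISP.
    #1 deliberately has no route for the inner LANs, exactly as in the post."""
    def router(lan_cidr, upstream):
        lan = ip_network(lan_cidr)
        return {"lan": lan,
                "routes": [(lan, "lan"), (ip_network("0.0.0.0/0"), upstream)]}
    return {"#1": router("172.16.0.0/24", "isp"),
            "#2": router(lan2, "#1"),
            "#3": router(lan3, "#1")}


def route_lookup(router, dst):
    """Pick the most specific matching route, as a real route table does."""
    matches = [(net, via) for net, via in router["routes"] if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def trace(topology, hosts, src_router, dst_ip):
    """Follow a packet from a host on src_router's LAN towards dst_ip.

    hosts maps router name -> set of host address strings on that LAN.
    Returns the hops taken, a verdict ("delivered"/"dropped") and the reason.
    """
    dst = ip_address(dst_ip)
    hop, path = src_router, [src_router]
    # Steps 1-2: an on-subnet destination is resolved by ARP on the local
    # LAN and never goes to the gateway, so it cannot cross the WAN port.
    if dst in topology[hop]["lan"]:
        if dst_ip in hosts.get(hop, set()):
            return {"path": path, "verdict": "delivered", "reason": "same LAN"}
        return {"path": path, "verdict": "dropped",
                "reason": "no ARP reply on the local LAN; never reaches WAN"}
    while True:
        via = route_lookup(topology[hop], dst)
        if via == "lan":                      # directly attached at this hop
            ok = dst_ip in hosts.get(hop, set())
            return {"path": path, "verdict": "delivered" if ok else "dropped",
                    "reason": "attached LAN" if ok else "no such host on LAN"}
        if via == "isp":                      # steps 4-5: #1 has no better route
            path.append("isp")
            if any(dst in net for net in RFC1918):
                return {"path": path, "verdict": "dropped",
                        "reason": "ISP gateway drops RFC 1918 destination"}
            return {"path": path, "verdict": "delivered",
                    "reason": "routed on the Internet"}
        hop = via                             # step 3: hand to the gateway
        path.append(hop)


def lan_isolated(topology, hosts, r_a, r_b):
    """True when no host on r_a's LAN reaches any host on r_b's LAN, or vice versa."""
    for src, dst_router in ((r_a, r_b), (r_b, r_a)):
        for h in hosts[dst_router]:
            if trace(topology, hosts, src, h)["verdict"] == "delivered":
                return False
    return True


if __name__ == "__main__":
    topo = build_topology()
    # Constructed sample hosts, one on each inner LAN.
    hosts = {"#2": {"192.168.123.50"}, "#3": {"192.168.10.50"}}
    print(trace(topo, hosts, "#3", "192.168.123.50"))   # dropped at the ISP
    print(trace(topo, hosts, "#3", "198.51.100.10"))    # delivered
    print("isolated:", lan_isolated(topo, hosts, "#2", "#3"))
```

The same-subnet case from step 2 is covered by calling `build_topology` with identical networks for #2 and #3: the packet then stops on the sender's own LAN and never reaches router #3's WAN port. The isolation rests entirely on #1 having no route for the inner subnets, so the check worth repeating on the real #1 is that its route table holds only its own LAN and the default route; adding a static route for 192.168.123.0/24 via 172.16.0.2 would make `trace` report delivery.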