Sharing a DSL connection between two networks securely?


Chris C.

Hello,

I am trying to share a DSL connection (with 4 static IP addresses)
between two separate networks (with their own servers), where one
network has no access to the other network's files or resources and
vice versa. I've searched a little, and found that this can be done
by connecting two routers (call them A & B) to the DSL router.

Can I then connect switches to router A and router B and connect
workstations and their respective servers to those switches and have
the workstations and servers access the internet?

Will I be able to assign the same IP addresses for computers and
printers on different networks? For example 192.168.1.10 for a
workstation on network A and 192.168.1.10 for a workstation on network
B?

Will this method be secure? (In that no one on network A can access
anything on network B and vice versa)

Will a person on network B be able to access resources on network A
just by plugging the network cable from his computer into the DSL
router or network A's switch?

Sorry for all the questions, I have never tried doing this before :(

Thanks in advance!
 

Robert L [MS-MVP]

Yes, if you set up a site-to-site VPN.

--
For more and other information, go to http://www.ChicagoTech.net

Don't send e-mail or reply to me unless you need consulting services.
Posting on MS newsgroup will benefit all readers and you may get more help.

Robert Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN, Anti-Virus, Tips & Troubleshooting on
http://www.ChicagoTech.net
This posting is provided "AS IS" with no warranties.
 

Yousuf Khan

Chris said:
> Can I then connect switches to router A and router B and connect
> workstations and their respective servers to those switches and have
> the workstations and servers access the internet?

Yes, they should mostly be able to access the Internet. There will be a few
issues with some applications which don't like travelling through a NAT
router. In this case, you'll actually have two levels of NAT routers, the
DSL router will be the first level, while routers A & B will be the second
level NAT for their own respective networks.

> Will I be able to assign the same IP addresses for computers and
> printers on different networks? For example 192.168.1.10 for a
> workstation on network A and 192.168.1.10 for a workstation on network
> B?

Yes, you'll be able to use the exact same IP address ranges between networks
A and B without a problem. However, you will have to use a different range
of IP address between the first and second level routers. For example, you
might have to assign 192.168.0.xxx to the first level network, while
192.168.1.xxx will be sufficient for both of the two second level networks.

However, even though this is doable, it's not a good idea for debugging
purposes. If you're going to be plugging machines interchangeably between
the two secondary networks A and B, it's a good idea to give each a
different IP range so you can keep it straight in your own mind which
network each machine is connected to. For example, you might want to give
network A 192.168.1.xxx, while network B gets 192.168.2.xxx. That way if
somebody who is usually plugged into network A, one day decides to plug
themselves into network B for whatever reason but they forgot they did this,
they'll be mighty confused as to why they can't connect to their usual
network resources. Just by looking at their IP addresses, you'll be able to
tell which network they are plugged into.

> Will this method be secure? (In that no one on network A can access
> anything on network B and vice versa)

Yes, perfectly. There will be no way to route packets between the two
networks without creating some special port forwarding rules.

> Will a person on network B be able to access resources on network A
> just by plugging the network cable from his computer into the DSL
> router or network A's switch?

Yes. But keep my previous suggestion in mind about making it easier on
yourself to debug this.

Yousuf Khan
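
An added example, not part of the original posts: a short Python check of the address plan described in this answer, showing why shared ranges on A and B still work but stop an address from identifying its segment. The function names and the /24 prefix lengths are assumptions made for illustration.

```python
import ipaddress

def check_plan(upstream, lans):
    """Findings for a two-level NAT address plan.

    upstream: CIDR of the DSL router's LAN, i.e. the WAN side of routers A and B.
    lans:     dict of network name -> CIDR used behind each second-level router.
    """
    up = ipaddress.ip_network(upstream)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in lans.items()}
    names = sorted(nets)
    findings = []
    # A second-level router needs a LAN range different from its WAN range.
    for name in names:
        if nets[name].overlaps(up):
            findings.append(("error", f"{name} overlaps upstream {up}"))
    # Shared ranges on A and B still work behind separate NAT routers,
    # but an address alone no longer says which segment a host is on.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(("warn", f"{a} and {b} overlap"))
    return findings

def locate(ip, upstream, lans):
    """Names of every segment whose range contains ip."""
    addr = ipaddress.ip_address(ip)
    segments = dict(lans, upstream=upstream)
    return sorted(n for n, c in segments.items()
                  if addr in ipaddress.ip_network(c))

# Constructed plans based on the ranges mentioned in the thread (/24 assumed).
UPSTREAM = "192.168.0.0/24"
SHARED = {"A": "192.168.1.0/24", "B": "192.168.1.0/24"}
DISTINCT = {"A": "192.168.1.0/24", "B": "192.168.2.0/24"}

if __name__ == "__main__":
    for label, plan in (("shared", SHARED), ("distinct", DISTINCT)):
        print(label, check_plan(UPSTREAM, plan),
              locate("192.168.1.10", UPSTREAM, plan))
```
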
 

Chris C.

Hello,

Thank you very much for the informational reply. That answered a lot
of my questions!

I just had some more questions regarding the issue if you don't mind:

Will I be able to setup DHCP just for network A through router A?

If I have three of the same router (same brand and model) can I use
one as a DSL router, one as router A, and one as router B? I'm
wondering about this as the router's IP addresses come preset from the
factory and if I connect router A and router B to my DSL router, all
three routers will have the same IP address. Is there a way I can
navigate to each individual router to change its IP address, since
all three have the same IP address? I know that most routers have an
internet browser interface where I can just type in http://192.168.1.1
and get to the setup menu for the router, but how will I be able to do
it in this case, since all three have identical IPs?

At the present time, with one network and one DSL connection (DSL
router is connected to my switch), I set the IP address of my (Windows
2003) server as 192.168.1.10, subnet mask as 255.255.255.0 and default
gateway as 192.168.1.1 (which is the IP address of my DSL router). In
my new setup (for two networks with one DSL line), should I set my
default gateway for server A as the IP address for router A or as the
IP address for the DSL router? (My router is providing DHCP)

Thank you so much! I'm still learning and am confused as to how I can
set everything up. :)
 

Yousuf Khan

Chris said:
> Will I be able to setup DHCP just for network A through router A?

Sure.

> If I have three of the same router (same brand and model) can I use
> one as a DSL router, one as router A, and one as router B? I'm
> wondering about this as the router's IP addresses come preset from the
> factory and if I connect router A and router B to my DSL router, all
> three routers will have the same IP address. Is there a way I can
> navigate to each individual router to change its IP address, since
> all three have the same IP address? I know that most routers have an
> internet browser interface where I can just type in http://192.168.1.1
> and get to the setup menu for the router, but how will I be able to do
> it in this case, since all three have identical IPs?

You'd have to login to each router through their LAN ports to reset their
LAN IP address ranges. I'd suggest setting up the LAN IPs on each router
properly before you connect up the routers to each other. For example, you'd
startup your main DSL router, set its IP range with a directly attached
computer, but don't connect either of the other routers to it just yet. Then
you'd do the same for routers A and B: set each of their IP ranges. Only
once they've all been setup internally, then you'd attach router A to one
LAN port of DSL router, and attach router B to another LAN port of DSL
router.

The DSL router's LAN would essentially become the WAN for routers A & B. So
you'd be attaching each WAN port of A & B to a couple of the DSL router's
LAN ports.

> At the present time, with one network and one DSL connection (DSL
> router is connected to my switch), I set the IP address of my (Windows
> 2003) server as 192.168.1.10, subnet mask as 255.255.255.0 and default
> gateway as 192.168.1.1 (which is the IP address of my DSL router). In
> my new setup (for two networks with one DSL line), should I set my
> default gateway for server A as the IP address for router A or as the
> IP address for the DSL router? (My router is providing DHCP)

Just let each router's DHCP do its work, and it will set not only the proper
IP addresses, but also DNS and gateway information. Don't try to set it up
statically, it's just not worth the headache.

In general the default gateway is always the IP address of the nearest
router, i.e. the router that the computer is connected to.

Yousuf Khan
 

Chris C.

Hello,

I just had one more question: If I have 4 static IP addresses from my
DSL provider, how can I assign one of the static IPs to network A and
another IP to network B?

Thanks again!
 

Yousuf Khan

Chris said:
> Hello,
>
> I just had one more question: If I have 4 static IP addresses from my
> DSL provider, how can I assign one of the static IPs to network A and
> another IP to network B?

This is a completely different question from the one you asked before. Here
you have two choices, and each depends on whether you still want to have the
two level network you were talking about before.

If you still want to have a dual-level network we talked about previously
(that is level 1 being the DSL router, and level 2 being routers A & B),
then you'd have to get yourself a dual-WAN router. Dual WAN routers are just
like regular broadband routers however, they have two WAN ports instead of
just one. These routers can take two totally separate broadband sources and
double your speed by using both simultaneously. They can make use of various
load-balancing techniques, including assigning dedicated bandwidth between
the WAN and LAN ports.

Your second choice is simpler, and much more cost-effective, because it will
get rid of one of the routers altogether. Instead of using a primary router,
the "DSL router" as you called it, to connect to two other network routers,
why not connect routers A & B directly to the DSL modem? All you'd need to
connect the two routers at the same time to the same DSL modem is a simple
hub or switch in between. Now a hub or switch won't have any firewall
functionality, but you really won't need it since the two network routers
can do that for you already.

Yousuf Khan
 

Chris C.

Again, thank you so much for the information. It's helping me learn a
lot!

About my last question, I wasn't clear in how I expressed it. I guess
what I'm really trying to say or do is the following:

Since the DSL provider gives us 4 static IP addresses, is there any
way I can use one of those IP addresses to provide a VPN connection
from a home computer to a server on network A? How will the router or
switch "know" which IP address I am using as the connection for my
VPN?

I'm sorry about the many questions, as I'm still learning about
setting up this dual layer network.

Many thanks again!
 

Yousuf Khan

Chris C. said:
> Since the DSL provider gives us 4 static IP addresses, is there any
> way I can use one of those IP addresses to provide a VPN connection
> from a home computer to a server on network A? How will the router or
> switch "know" which IP address I am using as the connection for my
> VPN?

I'm no expert on VPN's, but usually what happens with a VPN is that you have
to setup one computer within each private network to be a VPN server. The
VPN server is given direct access to the Internet (i.e. its own public IP
address). Since you have two private networks, that would mean you need two
such servers. Note that since this server is connected directly to the
Internet, therefore it is a vulnerability within your network, so you would
need to provide firewalling services to it in some way.

This is where my knowledge of VPNs is limited, and you might want to ask
other people about VPNs. I got some idea, but it may not be the only way to
do it, or even the right way to do it. This is how I would probably setup a
VPN:

Most broadband routers have support for VPNs based on the IPsec standards,
which allows VPN traffic to pass through a firewall unimpeded. So if you
want to put your VPN server behind the firewall, it will allow you to.
However, I think this only works with one VPN server maximum, you'll need
two, so you won't be able to put both your VPN servers behind the broadband
router. One or both have to go outside the router and sit on the Internet
directly. This VPN server would have to have two network cards; in each
case, one card attached to the Internet, and one attached to each private
network. Therefore your users from outside the office may connect to their
respective office networks by logging into the VPN server's IP address, and
that server will then connect them directly to their local office networks.
You will have to provide separate firewalling software on the VPN servers to
protect them from attack from the Internet.

This is how I think you would need to use up your 4 public IP addresses:

IP#1: network A router
IP#2: network A VPN server
IP#3: network B router
IP#4: network B VPN server

Yousuf Khan
 

Chris C.

Yousuf,

Just wanted to thank you again for all the valuable information
you have provided. I've learned a lot just by reading your posts.

Thank you!
 

Yousuf Khan

Chris said:
> Just wanted to thank you again for all the valuable information
> you have provided. I've learned a lot just by reading your posts.

You're welcome. :)

Yousuf Khan
 
