Will this configuration work?

August 21, 2009 at 08:57:01
Specs: Windows SBS 2008, Xeon 4GB ram
Hi all. I'm hoping a network guru can help me out here. I have a network installation project at a client site and I've mentally mapped out how I plan to set it up.

They already have a Verizon router set up and it must stay configured as the first device in the chain. They want "guest" users (i.e. those that connect to a WAP) to have no access to the computers on the Windows domain.

Here is the config. I'd like to know if anyone sees any problem with this and can point me in the right direction on a few questions below.

Chain of connectivity
Internet -> Verizon router -> Netgear router -> Switch -> Patch panel (server & workstations)

* Note: WAP devices would hang off Verizon router

Verizon Router
- WAN port connects to internet
- Internal IP:
- DHCP on, range – 100
- LAN port connects to Netgear WAN port

Netgear Router
- DHCP off
- LAN port connects to Netgear switch

- LAN port connects to server and patch panel (workstations)

- IP:
- DHCP on, range – 200

- IP: auto-assigned
- DNS server: *** or auto-assigned?***
- Gateway:


1. Do there appear to be any major problems with the above configuration that will make it not work?
2. The item marked *** above, what should the IP's be?
3. In this configuration, will computers connected to the Verizon router be able to see/access computers behind the Netgear router, since they are on different subnets? (I don't want them to be able to).
4. Vice versa, will computers behind the Netgear router be able to see/access computers connected to the Verizon router?
5. Computers connected to the Verizon router (192.168.1.x) will need to pull an IP from the DHCP server behind the Netgear router (192.168.2.x), and computers behind the Netgear router will need to send/receive internet traffic through the Verizon router. Should this "just work" with the above config or do either of the routers need any special configuration (DHCP relay, static routes, etc) in order to be able to pass traffic in and out?
6. If I wanted to add a WAP to the Verizon router (192.168.1.x), would I just hardwire it to a LAN port on the Verizon router and set it to get an IP automatically from the Verizon router, then disable DHCP on the WAP and set client computers to auto?


August 21, 2009 at 10:11:26
1. That should work just fine as long as the Netgear router's external interface's gateway IP points at the Verizon router ( Once you've configured the Netgear, it should automatically set up a route between the two subnets allowing for internet connectivity for the internal LAN, but keeping it separate from the wireless network (which will also have internet connectivity).

2. When you're configuring DHCP for all internal clients ensure you set the DNS address as the IP of your DC (Domain Controller) as all clients in an AD integrated windows domain need to authenticate to the DC. You will want to forward your DNS server's DNS to your ISP's DNS server so that external requests can be resolved. Set up properly, your DC's DNS will resolve all internal requests as well as authenticate and will pass along requests outside the local DNS zone.

3. You may want to go into the router's route table and remove any routes from the Verizon's subnet to the Netgear's subnet to ensure no possibility of access. All that is really required in the routing table is the route from Netgear to Verizon.

4. Possibly, depending on the router and how it deals with the routes between the two subnets. Also, if there are open shares and they have access to those shares LAN clients may get access to them on the Verizon subnet. I wouldn't worry about this too much though at this point. Get it set up and working first, then check and see if you can.

5. Since each will have its own separate DHCP server running on different subnets you need not worry about relay agents. Anybody connecting wirelessly will get their DHCP from the Verizon. If a client gets physically plugged into the Verizon's LAN port, they will also get an IP in that subnet. Anybody plugged into the Netgear will get an IP in that subnet.

The few times I've set something like this up (the Netgear router) since you configure one subnet on the external interface (WAN) and the other on the internal (LAN) the routing between the two subnets was automatic. With luck, your Netgear will do the same. You do want to check that you don't have a route from the Verizon subnet to the Netgear though. Easy enough, just try to ping the internal (LAN) interface on the Netgear from any client connected to the Verizon router.

6. Yes and no. Yes, plug it directly into a LAN port. No, don't let it get its IP from DHCP. Assign it one in the correct subnet that is outside the DHCP scope on that Verizon router. Ensure it has the correct subnet mask and gateway IPs as well as DNS.

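As an added example (not code from either poster, and nothing from Netgear or Verizon), here is a small Python script that turns the answer above into something you can run: check_plan() verifies the address plan the reply describes (non-overlapping subnets, the Netgear's WAN address sitting in the Verizon subnet but outside its DHCP scope, the WAP and the DC statically addressed outside their scopes, and the inner DHCP handing out the DC as first DNS server), and probe() is the reply's "ping the Netgear's LAN interface from a Verizon client" check done with TCP instead of ICMP. The TCP version matters because a ping timeout only proves there is no route; guests still share a segment with the Netgear's WAN port, so any port forward or WAN-side remote management on the Netgear is reachable by them, and probe() will show that as "open". Only the two subnets (192.168.1.x outside, 192.168.2.x inside) come from the thread; every individual address, scope boundary and the names Router, check_plan, demo_plan, probe and guest_exposure are assumptions made for the example.

```python
"""Consistency checks and a reachability probe for a two-router (double NAT) guest/LAN split.

Added example for this thread; not code from the original posts or from Netgear/Verizon.
Only the two /24s come from the thread; every specific address below is an ASSUMED placeholder.
"""
import errno
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Addr = ipaddress.IPv4Address
Scope = Optional[Tuple[Addr, Addr]]   # (first, last) address handed out by DHCP; None = DHCP off


@dataclass
class Router:
    name: str
    lan_net: ipaddress.IPv4Network      # subnet served on the LAN side
    lan_ip: Addr                        # router's own LAN address (the clients' gateway)
    dhcp_scope: Scope                   # what its DHCP server hands out
    wan_ip: Optional[Addr] = None       # upstream address; None on the edge router
    dns_for_clients: List[Addr] = field(default_factory=list)  # DNS servers given out by DHCP


def in_scope(ip: Addr, scope: Scope) -> bool:
    return scope is not None and scope[0] <= ip <= scope[1]


def check_plan(outer: Router, inner: Router,
               static_hosts: Dict[str, Tuple[Addr, Router]]) -> List[str]:
    """Return the problems found; an empty list means the address plan is consistent.

    static_hosts maps a label to (address, router it hangs off) for devices that need
    fixed addresses: the WAP on the guest side and the DC on the domain side.
    """
    problems: List[str] = []
    if outer.lan_net.overlaps(inner.lan_net):
        problems.append("outer and inner subnets overlap; the downstream router cannot route between them")
    # The downstream router's WAN port is just one more host on the outer LAN.
    if inner.wan_ip is None or inner.wan_ip not in outer.lan_net:
        problems.append(f"{inner.name} WAN address must be inside {outer.lan_net}")
    elif in_scope(inner.wan_ip, outer.dhcp_scope):
        problems.append(f"{inner.name} WAN address {inner.wan_ip} lies inside {outer.name}'s "
                        "DHCP scope; assign it statically outside the scope")
    for r in (outer, inner):
        if r.lan_ip not in r.lan_net:
            problems.append(f"{r.name} LAN address {r.lan_ip} is not in {r.lan_net}")
        elif in_scope(r.lan_ip, r.dhcp_scope):
            problems.append(f"{r.name} LAN address {r.lan_ip} collides with its own DHCP scope")
    for label, (ip, r) in static_hosts.items():
        if ip not in r.lan_net:
            problems.append(f"{label} address {ip} is not in {r.name}'s subnet {r.lan_net}")
        elif in_scope(ip, r.dhcp_scope):
            problems.append(f"{label} address {ip} lies inside {r.name}'s DHCP scope")
    # Domain members find the DC through DNS SRV records, so the inner DHCP must hand
    # out the DC (not the router, not the ISP) as the first DNS server.
    if "dc" in static_hosts and inner.dns_for_clients[:1] != [static_hosts["dc"][0]]:
        problems.append(f"{inner.name} DHCP should give clients the DC "
                        f"{static_hosts['dc'][0]} as first DNS server")
    return problems


def demo_plan(netgear_wan: str = "192.168.1.2", inner_net: str = "192.168.2.0/24"):
    """The thread's layout with ASSUMED placeholder addresses (only the two /24s are from the post)."""
    outer = Router("Verizon", ipaddress.IPv4Network("192.168.1.0/24"), Addr("192.168.1.1"),
                   (Addr("192.168.1.100"), Addr("192.168.1.199")))
    net = ipaddress.IPv4Network(inner_net)
    inner = Router("Netgear", net, net[1], (net[100], net[200]),
                   wan_ip=Addr(netgear_wan), dns_for_clients=[net[10]])
    hosts = {"wap": (Addr("192.168.1.250"), outer), "dc": (net[10], inner)}
    return outer, inner, hosts


WINDOWS_PORTS = {88: "kerberos", 135: "msrpc", 139: "netbios-ssn", 389: "ldap", 445: "smb", 3389: "rdp"}


def probe(host: str, ports=tuple(WINDOWS_PORTS), timeout: float = 1.0) -> Dict[int, str]:
    """TCP connect probe from wherever this runs; returns {port: open|closed|filtered}.

    Run it from a guest-side client against the Netgear's WAN address and against an inner
    address. "closed" (a RST came back) proves a path exists; "filtered" (no answer) is what
    you want to see for inner addresses.
    """
    states: Dict[int, str] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                rc = s.connect_ex((host, port))
            except OSError:
                rc = errno.EHOSTUNREACH
        states[port] = "open" if rc == 0 else "closed" if rc == errno.ECONNREFUSED else "filtered"
    return states


def guest_exposure(states: Dict[int, str]) -> List[str]:
    """Ports a guest can actually talk to: behind double NAT that means a port forward,
    a WAN-side admin page, or a route that should not be there."""
    return [f"{p}/{WINDOWS_PORTS.get(p, 'tcp')}" for p, st in sorted(states.items()) if st == "open"]


if __name__ == "__main__":
    outer, inner, hosts = demo_plan()
    for line in check_plan(outer, inner, hosts) or ["address plan is consistent"]:
        print(line)
    # From a guest client: the Netgear's WAN side should show nothing open.
    print(guest_exposure(probe(str(inner.wan_ip))))
```

Run check_plan() before touching the routers; run probe() twice from a laptop on the guest side, once against the Netgear's WAN address and once against the DC, and treat anything guest_exposure() lists as a hole to close (a port forward you forgot, or remote management enabled on the WAN side). Probing from inside against a guest address will show "closed" or "open" rather than "filtered", which is the reply's point 4: NAT lets the inner subnet reach the outer one.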

August 21, 2009 at 10:36:47

Thanks for the detailed answer, I really appreciate it. So your bottom line is there's nothing crazy here that shouldn't work, and no custom static routes or anything like that should be required?


August 21, 2009 at 13:30:26
So your bottom line is there's nothing crazy here that shouldn't work, and no custom static routes or anything like that should be required?

It should work, yes. Stress on the word "should" lol

I've done this with two Linksys SOHO routers and once I'd correctly configured both the WAN and LAN side of the downstream router, it worked perfectly without me manually editing the routing table.


August 23, 2009 at 18:20:29
Curt, just wanted to follow up and say thanks. It all worked like a charm and both subnets are running smoothly with the "outer" one unable to see the "inner". Didn't have to do anything fancy as far as static routes or anything like that either, which was a relief. Thanks again...
