Solved Separate Subnets Not Working as Described

June 25, 2011 at 12:55:57
Specs: Windows 7 SP1, Intel
I'm trying to set up 2 separate networks in my home, both of which have access to the internet through a single ISP. I have set up my networks using 2 routers as described in the "Version 2" scenario found here:

http://www.computing.net/howtos/sho...

The problem is, a computer connected to the LAN side of Router 2 is able to ping and map shared folders on computers connected to the LAN side of Router 1. According to the writeup (last paragraph), this should not be the case. I have been over the setup multiple times to ensure it is per the writeup but each time, I am able to ping and map. Is there some additional router/computer settings that I may be missing?

FWIW, here's my take on what is happening (with the ping): When a computer on the LAN side of Router 2 (subnet 192.168.1.x) does a ping to a computer on the LAN side of Router 1 (subnet 192.168.0.x), Router 2 sends the request to its Default Gateway (since it's a different subnet). Router 1, however, recognizes this as its LAN side subnet and forwards the request to that computer. The ping response is then routed back from Router 1 to Router 2.

Thanks for your help.



#1
June 25, 2011 at 18:50:16
Instead of ping, try tracert (trace route). It will tell you where it goes, step by step.


#2
June 26, 2011 at 00:51:33
As I understand it, what you describe is what you would expect. Private address ranges are not routable via the Internet, but there's nothing to stop direct routing between two private address ranges. If you want to block traffic between the subnets just set up firewall rules in the routers.


#3
June 26, 2011 at 05:53:22
✔ Best Answer
SOHO level equipment is a lot less configurable, and flexible, than higher-end equipment. As ijack said, the simplest way to ensure there's no inter-subnet communication would be to use the firewall aspect of the routers if you can't do it with routing alone.

As far as I know, with SOHO, you can't stop computers on the LAN side of router 2 from accessing the LAN side of router 1 without using the firewall.

Typically with this level of equipment, you're segregating the LAN on router 2 from the LAN on router 1 but the reverse is not necessarily true... depending on your equipment and its capabilities.

What I would suggest at this point is that you check the static routes on router 2 and if there's a route from that LAN on router 1 to the LAN on router two, kill that route. This won't prevent the LAN on router 2 accessing 1, but will prevent 1 accessing 2.

If you want two completely separate subnets, with this level of equipment, you'd need a 3rd router to be sure there's no crossover between the two subnets. You would configure something like:

Router 1 - connected to the internet
LAN: 192.168.1.1/24
SM: 255.255.255.0

Router 2 - connected to LAN on router 1
LAN: 192.168.2.0/24
SM: 255.255.255.0
Static route from 2 to 1

Router 3 - connected to LAN on router 1
LAN: 192.168.3.0/24
SM: 255.255.255.0
Static route from 3 to 1

With no return routes from 1 to 2 or 3, then there could be no crossover communication between 2 and 3.


It matters not how straight the gate,
How charged with punishments the scroll,
I am the master of my fate;
I am the captain of my soul.

***William Henley***



#4
June 26, 2011 at 10:02:01
Thanks everyone for the replies. So, let me make sure I understand. When the referenced article said:

"Once setup and working properly, the 192.168.1.0/24 LAN will have internet access, connectivity with anything else plugged into Router2 but will not have access to anything plugged in to Router1. The reverse is true also, computers plugged into Router1 will have internet access and LAN access to devices plugged into Router1. But they will not have access to anything plugged into Router2."

That was not quite correct?



#5
June 27, 2011 at 19:44:57
If set up like this:
modem<.networkA<>networkB

It has been my experience that network B can access pcs on network A.
Unless something special is done [route add] Network A can not access pcs on Network B.

Answers are only as good as the information you provide.
How to properly post a question:
Sorry no tech support via PM's



#6
June 28, 2011 at 06:50:14
I'm going to have to get Justin to edit my "how-to" and change " but will not have access to anything plugged in to Router1" to " and will also have access to anything plugged in to Router1"




#7
June 28, 2011 at 07:06:35
MountainBreeze

First, my apologies for the confusion. I wrote that "how-to" guide some time in the past and apparently didn't read it over too well.

I've made revisions and sent them to Justin to have the how-to updated to be correct.

wanderer is correct and my previous post (Response #3) was an attempt to clear up my mistake.

Just to be clear, with SOHO level equipment, you can't segregate the upstream LAN (router 1) from the downstream (router 2). This is because router 2 will make the route from its LAN to the default gateway of router 1 which is router 1's LAN IP. It may be possible to keep the downstream LAN from accessing the upstream by using the firewall in router 1 but I can't say for sure having not ever tried.

That guide was designed around the basic concept of adding a second subnet to an existing network and making the new subnet secure from (inaccessible from) the original subnet... not the other way around.

If you want to have two, or more, subnets that are separated and inaccessible to each other, you'll need a 3rd router as per my reply above (Response #3).




#8
June 28, 2011 at 07:27:45
Hi,

I'm in the opposite situation of wanting both SubnetA and Subnet B to be transparent to one another with regard to LAN traffic. I'm planning to have RouterA connect to the Internet with RouterB (VPN) connecting to RouterA. While I could have all machines/traffic connect to RouterB, for various reasons I would like to have a few devices only on A but would like shared drives etc be accessible from either subnet.

Is this done via static routes set up on the respective routers?



#9
June 28, 2011 at 15:57:55
Thanks again for the replies. I was certain I had missed something and I was pulling my hair out trying to figure out what it was. So, the results I got were correct. Good. I'm not going crazy. I'll try the third router setup if I can figure out how to configure the "static routes" you describe. Are there any details on how that is done?


#10
June 29, 2011 at 08:00:38
buddhahatnyc

If you want both subnets to cross communicate fully then yes, you would just ensure you have a static route from Router 1's LAN to Router 2's LAN. This would be created on Router 2's routing table where the automatically created route from Router 2's LAN to Router 1's LAN is.


MountainBreeze

No, you're not going crazy and I've already had my how-to guide edited to reflect the correct information. Sorry about the confusion, that was entirely my fault.

Start by setting up Router 1 which will be connected to the internet. Then, as per my guide (now revised... lol) connect Router 2 using the "LAN port to WAN port" method for a separate subnet. As per the guide, and your own experience, Router 2 will automatically create a route between its subnet and the LAN subnet on Router 1.

Now do the same with Router 3, giving it its own unique subnet.

example:
Router 1
LAN IP: 192.168.1.1
SM: 255.255.255.0

Router 2
LAN IP: 192.168.2.1
SM: 255.255.255.0

Router 3
LAN IP: 192.168.3.1
SM: 255.255.255.0

Both 2 and 3's LANs will be able to communicate with Router 1's LAN, giving them internet access. As long as there are no routes from Router 1's LAN to their own, they won't be able to communicate with each other.

Which is to say:
Router 2 should not have a route like this: 192.168.1.0/24 >> 192.168.2.0/24

and Router 3 should not have a route like this: 192.168.1.0/24 >> 192.168.3.0/24

To test, get a client on Router 2's LAN to attempt to ping a client on Router 3's LAN and vice versa. If they communicate, then you have a return route from Router 1's LAN to both Router 2 and 3's LAN and you need to get rid of it.

To the best of my knowledge, there shouldn't be. As far as I know, Routers 2 and 3 will only create (automatically) the static routes from Router 1's LAN to their own.

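Added illustration, not code from the thread or from the linked how-to: a small Python model of the routing tables in the three-router layout described in Response #3 and Response #10, plus the "can LAN 2 ping LAN 3?" check and the "is there a return route on Router 1?" check from Response #10. It uses the LAN addresses given in the thread (192.168.1.1, 192.168.2.1, 192.168.3.1). Everything else is an assumption: the WAN addresses 192.168.1.2 and 192.168.1.3 that Routers 2 and 3 take on Router 1's LAN, a TEST-NET block 203.0.113.0/24 standing in for the ISP side, the host addresses used for the pings, and the fact that each router source-NATs traffic leaving its LAN (which is what a SOHO router cabled LAN port to WAN port does, and is what lets the downstream LAN reach the upstream one without any return route). Firewall rules, which Responses #2 and #3 mention as the other way to block traffic, are not modelled.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

IPNet, IPAddr = ipaddress.IPv4Network, ipaddress.IPv4Address
DEFAULT = IPNet("0.0.0.0/0")


@dataclass
class Router:
    name: str
    lan: IPNet                                  # the subnet this router is the gateway for
    connected: Dict[IPNet, IPAddr]              # attached network -> this router's address on it
    static: Dict[IPNet, IPAddr] = field(default_factory=dict)  # destination -> next-hop address
    default: Optional[IPAddr] = None            # next hop for 0.0.0.0/0
    nat_wan: Optional[IPAddr] = None            # LAN traffic leaving via another interface is SNATed to this

    def lookup(self, dst: IPAddr) -> Optional[Tuple[IPNet, Optional[IPAddr]]]:
        """Longest-prefix match; next hop None means the destination is on an attached wire."""
        candidates = [(net, None) for net in self.connected if dst in net]
        candidates += [(net, nh) for net, nh in self.static.items() if dst in net]
        if candidates:
            return max(candidates, key=lambda c: c[0].prefixlen)
        return (DEFAULT, self.default) if self.default is not None else None


def gateway_for(routers: Dict[str, Router], ip: IPAddr) -> Router:
    """The router whose LAN contains the host, i.e. the host's default gateway."""
    return next(r for r in routers.values() if ip in r.lan)


def owner_of(routers: Dict[str, Router], ip: IPAddr) -> Router:
    """The router holding an interface address (used to resolve a next hop)."""
    return next(r for r in routers.values() if ip in r.connected.values())


def forward(routers, src, dst, max_hops=16):
    """Carry one packet hop by hop. Returns (delivered, path, source address as last seen)."""
    r = gateway_for(routers, src)
    path, cur_src = [r.name], src
    for _ in range(max_hops):
        route = r.lookup(dst)
        if route is None:
            return False, path, cur_src                     # no route at all: dropped here
        net, nh = route
        out_net = net if nh is None else next(n for n in r.connected if nh in n)
        if r.nat_wan is not None and cur_src in r.lan and out_net != r.lan:
            cur_src = r.nat_wan                             # leaving the LAN side: source NAT
        if nh is None:
            return True, path, cur_src                      # destination network attached: delivered
        r = owner_of(routers, nh)
        path.append(r.name)
    return False, path, cur_src                             # hop limit exceeded


def ping(routers, src, dst) -> bool:
    """Echo request must reach dst, and the reply must reach the source address dst saw."""
    ok, _, seen_src = forward(routers, src, dst)
    return ok and forward(routers, dst, seen_src)[0]


def build_topology(return_routes_on_r1=None):
    """Three-router layout from Response #10. WAN addresses 192.168.1.2/.3, the ISP side
    203.0.113.0/24 and the NAT behaviour of R1-R3 are constructed assumptions."""
    n1, n2, n3, inet = (IPNet(s) for s in ("192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24", "203.0.113.0/24"))
    static_r1 = {IPNet(k): IPAddr(v) for k, v in (return_routes_on_r1 or {}).items()}
    return {
        "ISP": Router("ISP", inet, {inet: IPAddr("203.0.113.254")}),
        "R1": Router("R1", n1, {n1: IPAddr("192.168.1.1"), inet: IPAddr("203.0.113.1")},
                     static=static_r1, default=IPAddr("203.0.113.254"), nat_wan=IPAddr("203.0.113.1")),
        "R2": Router("R2", n2, {n2: IPAddr("192.168.2.1"), n1: IPAddr("192.168.1.2")},
                     default=IPAddr("192.168.1.1"), nat_wan=IPAddr("192.168.1.2")),
        "R3": Router("R3", n3, {n3: IPAddr("192.168.3.1"), n1: IPAddr("192.168.1.3")},
                     default=IPAddr("192.168.1.1"), nat_wan=IPAddr("192.168.1.3")),
    }


def crossover_routes(routers, upstream="R1"):
    """The check from Response #10: a static route on the upstream router into any downstream
    LAN is a return route that lets the downstream LANs reach each other."""
    up = routers[upstream]
    down_lans = {r.lan for r in routers.values() if r.default in up.connected.values()}
    return [(str(net), str(nh)) for net, nh in up.static.items() if net in down_lans]


def scenario(return_routes_on_r1=None) -> Dict[str, bool]:
    """Who can ping whom; the host addresses (.50, .10 and 203.0.113.10) are constructed."""
    net = build_topology(return_routes_on_r1)
    a, b, c, i = (IPAddr(s) for s in ("192.168.1.50", "192.168.2.10", "192.168.3.10", "203.0.113.10"))
    return {
        "R2 LAN -> R1 LAN": ping(net, b, a),
        "R1 LAN -> R2 LAN": ping(net, a, b),
        "R2 LAN -> R3 LAN": ping(net, b, c),
        "R2 LAN -> internet": ping(net, b, i),
        "internet -> R1 LAN": ping(net, i, a),
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name:22} {'reachable' if ok else 'blocked'}")
    leaky = {"192.168.3.0/24": "192.168.1.3"}     # the return route Response #10 says to remove
    print("with return route, R2 LAN -> R3 LAN:", scenario(leaky)["R2 LAN -> R3 LAN"])
    print("offending routes on R1:", crossover_routes(build_topology(leaky)))
```

Run as-is, the model reproduces what the thread reports: LAN 2 can ping LAN 1 (the reply is addressed to Router 2's WAN address, which Router 1 has directly attached), LAN 1 cannot initiate to LAN 2 (Router 1 only has its default route, so the packet goes to the ISP and dies there, which is also why the internet host cannot reach 192.168.1.50), and LANs 2 and 3 cannot reach each other. Adding the single return route 192.168.3.0/24 via 192.168.1.3 on Router 1 is enough to make LAN 2 reach LAN 3, which is why Response #10's test is to ping between the two downstream LANs and, if it works, look for that route on Router 1.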

