Two subnets block traffic between them but allow internet
Using the setup at the link you provided, just delete/disable the route(s) between the networks you don't want communicating with each other and they won't be able to reach each other. As long as the nets are masqueraded in your NAT rules, they'll still get to the Internet.
GorillaApe
Updated on September 18, 2022

Comments

- GorillaApe over 1 year: I have a 192.168.1.1/24 network that has a switch and several access points. There is an ADSL modem at 192.168.1.1. I want to add a new network 192.168.2.1/24 with its own access point and switch.
  So far everything is fine.
  The problem I have been struggling to solve for a week is how to let 192.168.1.1/24 and 192.168.2.1/24 share the internet (and have separate DHCP and block traffic between these subnets).
  Double NATing is a solution, but I want to avoid it.
  I have a spare RouterBoard RB750 that has a router/firewall and some VLAN support.
  So what would be a solution for this problem? So far, maybe with a firewall rule I could block 1.1/24 to 2.1/24 traffic, but how should I set up internet to work? Somehow traffic should be routed at the modem in case it doesn't match a local subnet... Any solution?
- user1984103 almost 11 years: "There is an ADSL modem at 192.168.1.1" -> Does the modem have an integrated router?
- GorillaApe almost 11 years: Yes, it has a router and WiFi too. Also it has a special ethernet port for IPTV.
- user1984103 almost 11 years: You will need at least two extra routers then. It looks like you have one, but you would need a second to fully segregate the subnets. Otherwise, double-NATting is your only option.
- GorillaApe almost 11 years: Even a managed switch won't help? You mean I need 3 extra routers?
- Scott Chamberlain almost 11 years: He is talking about a configuration like the one in this answer. You have 3 routers in a Y configuration; doing that makes it so neither LAN can affect the other LAN. If you have only two routers, the "outer" LAN that is closer to the internet could intercept or read data coming from the "inner" LAN if there was a malicious user on the "outer" LAN. Also, even though 192.168.x.x IPs are non-routable on the internet, the "inner" router could let an "inner" PC directly access an "outer" PC via IP.
- user1984103 almost 11 years: A managed switch won't help; you need an actual router capable of NAT. You either need two routers behind the modem, one for each subnet (which still technically results in double-NATting), or you need a special router with 2 LAN ports (NOTE: most routers have 1 LAN port and a 4-port switch; this is not the same). Either way, you need more hardware. @ScottChamberlain linked to exactly the first thing I was talking about. The second would probably involve a custom router with Linux or BSD.
- GorillaApe almost 11 years: @ScottChamberlain, at the link you posted, isn't this double NATing?
- Scott Chamberlain almost 11 years: Yes, it is one of the forms of double NATing, and it is the only solution unless you buy specialized hardware like Darth Android suggested that has more than 2 ports on the router (like he said, most routers have 2 ports and a 4-port switch on the inner port; you need something that has at least 3 ports). If you have a router/switch that supports VLANs, then internally it must have a distinct hardware port for each external port. So that hardware you mentioned could fall under the "more than 3 ports" category.
- GorillaApe almost 11 years: @ScottChamberlain, DarthAndroid, as I said I have an RB750 (routerboard.com/rb750) that, as far as I know, lets you set up multiple DHCP servers, VLANs, has a firewall etc. So as it isn't a typical router with one WAN port and a plain switch, then what is the other solution?
- GorillaApe almost 11 years: networkingforintegrators.com/2013/01/… more info
- Scott Chamberlain almost 11 years: Why don't you just follow the instructions on the page you just linked? They tell you how to do exactly what you are trying to do.
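As an added example that is not part of the thread or the linked page, this is the answer's approach written out as RouterOS configuration for the asker's RB750 acting as the single router for both subnets. It assumes the modem is bridged or has its LAN moved off 192.168.1.0/24 so that ether1 is the uplink (addressed by DHCP from the modem), ether2 carries 192.168.1.0/24 and ether3 carries 192.168.2.0/24; the interface names, pool ranges and rule comments are assumptions.

```routeros
# Added example (not the page's own config). Assumed RB750 layout:
#   ether1 -> modem (uplink; modem bridged or on its own transit subnet)
#   ether2 -> existing switch/APs, 192.168.1.0/24
#   ether3 -> new switch/AP, 192.168.2.0/24

# Uplink address comes from the modem
/ip dhcp-client add interface=ether1 disabled=no

# The RB750 is the gateway of each LAN (one connected route per subnet)
/ip address add address=192.168.1.1/24 interface=ether2 comment="LAN-A"
/ip address add address=192.168.2.1/24 interface=ether3 comment="LAN-B"

# Separate DHCP server per LAN (pool ranges are assumed)
/ip pool add name=pool-a ranges=192.168.1.10-192.168.1.254
/ip pool add name=pool-b ranges=192.168.2.10-192.168.2.254
/ip dhcp-server add name=dhcp-a interface=ether2 address-pool=pool-a disabled=no
/ip dhcp-server add name=dhcp-b interface=ether3 address-pool=pool-b disabled=no
/ip dhcp-server network add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=192.168.1.1
/ip dhcp-server network add address=192.168.2.0/24 gateway=192.168.2.1 dns-server=192.168.2.1
/ip dns set allow-remote-requests=yes

# Both LANs share the internet through one masquerade rule on the uplink
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

# Forward chain: drop anything crossing between the two LANs, in both
# directions, before any accept rule. LAN -> uplink falls through to the
# chain's default accept; the uplink may not open new connections inward.
/ip firewall filter add chain=forward src-address=192.168.1.0/24 dst-address=192.168.2.0/24 action=drop comment="block A->B"
/ip firewall filter add chain=forward src-address=192.168.2.0/24 dst-address=192.168.1.0/24 action=drop comment="block B->A"
/ip firewall filter add chain=forward connection-state=established,related action=accept
/ip firewall filter add chain=forward in-interface=ether1 connection-state=new action=drop comment="no inbound from uplink"
```

To confirm the separation, ping a host in the other subnet from each LAN and watch the two "block" rule counters rise in `/ip firewall filter print stats` while internet-bound traffic keeps flowing.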