Messages - DaveD

#1
Quote from: deanwebb on December 18, 2020, 09:56:49 AM
So before I recommend hardware, I'll need to know if this is a home or lab network or if it's a production network?

deanwebb and ristau5741,

The network is a combination of my home office network and a prototype shop used in my business.  I don't manufacture here; that's all jobbed out.  Nothing has a warranty, and most of the machines are long out of support - a few belong in museums.  When they break I fix them or in extreme cases scrap or re-purpose them.  So I'm perfectly comfortable with buying off ebay; once I got the whole thing running I'd probably buy a 2nd for backup.  I did some reading on Cisco's ASA line, and I was interested that they had included anti-virus and anti-spam in the router.  Do these get updated with new signatures from Cisco? 

Thank you again for the help!

David
#2
ristau5741,

I looked into routers that supported ACLs, and the ones I found were definitely commercial grade.  Do you happen to know if anyone makes a home router that has multiple routable ports on the LAN side instead of basically a switch?  If you were going to buy such a router today, who in addition to Cisco would you look at?

deanwebb,

Yeah, I love complications!  Every project I've ever run has caused, at some point, the senior management to use the phrase "gold plate".  Gold is good; when was the last time you saw oxidation on gold contacts?

Quote from: deanwebb on December 17, 2020, 10:36:55 AM
...Or do you also want to block Internet traffic coming via remote sessions or VPNs set up between the low range and the high range?

I had not thought of that.  Yes, blocking Internet traffic to the low range from remote sessions or VPNs seems like a very good idea.

Quote from: deanwebb on December 17, 2020, 10:36:55 AM
If you need to block indirect Internet connections, then you will also want to block HTTP, HTTPS, SMTP, IMAP4, POP3, VPN, RDP, SSH, and Telnet sessions outbound from the low network. Best way to do that is to work backwards and permit ONLY the traffic that you want to authorize, possibly only ports for file and print sharing and directory authorization.

Yes, that's sounding like a good idea.  Start with permitting only file & print sharing and directory authorization.  It's common for automation and robots to be configured to send out email for problem reports and status, so I'd probably be adding SMTP to the list of permitted ports pretty quickly.  But I like the idea of blocking just about everything, and then allowing individual ports as need arises.

I'm not going to get away with a couple of $80 routers, am I?   :(

Thank you both for all the help!  Further comments, thoughts, and equipment recommendations are enormously welcome!

David
#3
Dieselboy,

Thank you very much for your quick and very complete answer! 

Now that I see I will need a second router, the use of subnets becomes clear and your point about making life easier by using 2^n boundaries is very well taken.  I will use the two Class C networks you suggested, 192.168.1.0/24 for LAN 1 (allowed to access the internet) and 192.168.2.0/24 for LAN 2 (not allowed internet access).

Router 1:  WAN port connected to Cable Modem, NAT is enabled, DHCP is enabled, and a single static routing table entry connects it to LAN 2:
HOST: 192.168.2.0  MASK: 255.255.255.0  GATEWAY: 192.168.1.1  METRIC: 1  INTERFACE:  "LAN"

Router 2:  WAN port is connected to LAN 1, NAT is disabled, DHCP is enabled, and a single static routing table entry connects it to LAN 1: 
HOST: 192.168.1.0  MASK: 255.255.255.0  GATEWAY: 192.168.2.1  METRIC: 1  INTERFACE:  "LAN"

If all this is correct so far, then the last thing I can think of is how do I take LAN 2 traffic that attempts to access a public address on the internet and direct it into the bit bucket?  An individual node on LAN 2, for instance, tries to access a public IP address.  Router 2 has no static entry for the address, so it sends the packet out the Router 2 Gateway.  I'm not sure what would happen to the packet at that point...would you please explain?

Thank you again for the great reply; I really feel like you've got me on the right path!

David
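As an added illustration (not code from the thread or any of its participants) of two points above, the permit-only outbound policy agreed in post #2 and the question in post #3 about what Router 2 does with a LAN 2 packet bound for a public address: a small Python model of Router 2's longest-prefix route lookup with a deny-by-default filter on the low range. Assumptions: Router 2's default route points at Router 1's LAN address 192.168.1.1, the destination 203.0.113.5 is a constructed public address, and the port list is one plausible reading of "file and print sharing and directory authorization" plus SMTP.

```python
import ipaddress

# Constructed model of Router 2 as described in post #3: LAN 2 (192.168.2.0/24)
# behind it, its WAN port on LAN 1 (192.168.1.0/24), and a default route to
# Router 1. Assumption: Router 1's LAN address is 192.168.1.1.
LAN1 = ipaddress.ip_network("192.168.1.0/24")
LAN2 = ipaddress.ip_network("192.168.2.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# Router 2 routing table as (prefix, next hop). Both LANs are directly attached
# (the post's gateway 192.168.2.1 is Router 2 itself); anything else matches
# only the default route, i.e. it would be handed to Router 1 and NATed out.
ROUTER2_ROUTES = [
    (LAN2, "connected"),
    (LAN1, "connected"),
    (DEFAULT, "192.168.1.1"),
]

# Ports the thread settles on permitting out of the low range: file and print
# sharing, directory authentication, and SMTP for robot status mail (assumed
# mapping of those phrases to ports).
PERMITTED_PORTS = {445: "SMB", 139: "NetBIOS", 88: "Kerberos",
                   389: "LDAP", 636: "LDAPS", 25: "SMTP"}


def lookup(routes, dst):
    """Longest-prefix match: the most specific prefix containing dst wins."""
    best = None
    for prefix, hop in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, hop)
    return best


def forward(src, dst, dport):
    """Return (action, next_hop) for a packet arriving at Router 2."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    prefix, hop = lookup(ROUTER2_ROUTES, dst)
    if src not in LAN2:
        return ("permit", hop)          # policy applies to the low range only
    if prefix == DEFAULT:
        # No specific route: without a filter this goes to Router 1 and out the
        # cable modem. Dropping it here is the "bit bucket" asked about above.
        return ("drop: not a LAN destination", None)
    if dst in LAN1 and dport not in PERMITTED_PORTS:
        return ("drop: port not on allow list", None)
    return ("permit", hop)
```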

#4
Hello,

I have a 256-node LAN set up on an ASUS RT-AC66R router.  The router's WAN port is connected to a cable modem.  I would like to divide the network into two address ranges:  "Low Range" and "High Range" that behave like this:

Low Range:  addresses .002 through .063 are isolated from all incoming and outgoing traffic on the internet.  They can, however, communicate to any other node on the LAN, .001 through .255.

High Range:  addresses .064 through .255 are free to communicate on the internet and to any other node on the LAN, .001 through .255.

If it would be helpful, I can easily configure the LAN hardware so all the Low Range nodes are connected through to Router Port 1, and leave Router Ports 2 through 4 and the WiFi all to the High Range nodes.

I can also buy another different router if there is a feature needed that my RT-AC66R doesn't have (it's several years old, and is intended for home and small office environments).

Thank you very much for looking at my problem!

David