Messages - onebigfish

#1
Security / Re: Network services filters
February 03, 2022, 02:35:20 PM
Quote from: deanwebb on February 03, 2022, 11:19:27 AM
The *best* device for handling filters like this is a commercial-grade firewall. Palo Alto, Fortinet are my two recommended vendors. But this does illustrate the limitations of consumer-grade / small-business-grade gear. They'll only do so many things. If you require more finesse or robustness, then a higher-price commercial-grade device is on order. But, if this is in an operational technology environment, it may be all you have to work with, so we better make it work, eh? :)
Palo Alto is what our customer uses. Of course, they are a multi-million dollar company and we are a small business. Hence the reason I have to make do with what we have, and with my skill level.  ;D

Quote
Back to the question: Outbound, the source is the control. Destination is "any" - either the word or a wildcard IP address entry like 0.0.0.0 or *.*.*.*, whatever the vendor permits. Inbound, it's any -> control. If we use only the router IP address, then traffic not originating from the router will play through.

So something like the attached should block all ports for 192.168.1.123 except for 80 and 443, correct? I know it's clunky using a blacklist for this and I'd love to use a whitelist but that would mess up the other uses of the router.


#2
Security / Re: Network services filters
February 03, 2022, 09:14:42 AM
Thanks for the replies.

So for outgoing, the source IP would be the control's and the destination would be the router's, and incoming would be the opposite, correct?

If this is not the best type of device for mocking up scenarios, what is a better option?


Thanks!
#3
Security / Network services filters
February 02, 2022, 02:08:30 PM
I have never used network service filters before, but I think that is what I need in the following scenario. I need to replicate a network configuration that a customer has so that we can troubleshoot a situation with one of our controls. This is the information I got from their network administrator:

"All inbound and outbound traffic is blocked unless we explicitly allow it, though I think we always have ports 80 and 443 open. Only the traffic you requested be whitelisted has been allowed (except for port 22 SSH)."

I have assigned one of our controls a static IP address. What I am trying to do is block all incoming and outgoing traffic through our gateway router (Asus RT-AX58U) except for ports 80, 443, and a few others that our controls use for that IP address. I am assuming that the filter table type "deny" will block items I list in the table, while "allow" will block everything except what I put in the table.

Let's say the control's IP address is 192.168.1.123 and the router's is 192.168.1.19. I have never used these before so I am wondering if someone can tell me which numbers go where in the table? Or is there a better way to do this?
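An added example (not from this thread, and not the router's own code): a small first-match filter evaluator that runs a few constructed packets through the two ways of writing the policy above, "only TCP 80 and 443 for 192.168.1.123". It takes the original poster's reading of the Asus table types at face value, which is an assumption: a "deny" table drops only what is listed and passes everything else, an "allow" table passes only what is listed and drops everything else. The outside addresses, port ranges and probe packets are constructed for illustration; the control and router IPs are the ones given in the post.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

CONTROL = "192.168.1.123"   # the control's static IP (from the post)
ROUTER = "192.168.1.19"     # the router's LAN IP (from the post)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Entry:
    """One line of a filter table. src/dst are a CIDR, a single IP, or 'any';
    ports is a tuple of inclusive (lo, hi) ranges, empty meaning any port."""
    src: str
    dst: str
    ports: Tuple[Tuple[int, int], ...] = ()
    proto: str = "tcp"

    def matches(self, p: Packet) -> bool:
        def in_scope(addr: str, scope: str) -> bool:
            return scope == "any" or ip_address(addr) in ip_network(scope, strict=False)
        port_ok = not self.ports or any(lo <= p.dport <= hi for lo, hi in self.ports)
        return (self.proto in ("any", p.proto)
                and in_scope(p.src, self.src)
                and in_scope(p.dst, self.dst)
                and port_ok)


def decide(table_type: str, entries: List[Entry], p: Packet) -> str:
    """Assumed semantics (the poster's reading of the router UI): a 'deny'
    table drops only listed traffic, an 'allow' table passes only listed traffic."""
    listed = any(e.matches(p) for e in entries)
    if table_type == "deny":
        return "DROP" if listed else "ACCEPT"
    if table_type == "allow":
        return "ACCEPT" if listed else "DROP"
    raise ValueError(f"unknown table type {table_type!r}")


WEB = ((80, 80), (443, 443))
NOT_WEB = ((1, 79), (81, 442), (444, 65535))   # every TCP port except 80 and 443

# Allow table: the direct (whitelist) expression of the policy.
ALLOW_TABLE = [
    Entry(src=CONTROL, dst="any", ports=WEB),   # outbound: control -> anywhere
    Entry(src="any", dst=CONTROL, ports=WEB),   # inbound: anywhere -> control
]

# Deny table: the same policy as a blacklist, so other LAN hosts are untouched;
# the price is enumerating the complement port ranges.
DENY_TABLE = [
    Entry(src=CONTROL, dst="any", ports=NOT_WEB),
    Entry(src="any", dst=CONTROL, ports=NOT_WEB),
]

# Deny table that names only the router as the far end, to show the gap
# deanwebb pointed out: anything not to/from the router is never matched.
DENY_TABLE_ROUTER_ONLY = [
    Entry(src=CONTROL, dst=ROUTER, ports=NOT_WEB),
    Entry(src=ROUTER, dst=CONTROL, ports=NOT_WEB),
]


def policy_report(table_type: str, entries: List[Entry]) -> dict:
    """Run constructed probe packets through one table; returns {probe: verdict}."""
    probes = {
        "control->web:443": Packet(CONTROL, "203.0.113.10", 443),
        "control->web:22": Packet(CONTROL, "203.0.113.10", 22),
        "lanhost->dns:53": Packet("192.168.1.50", "203.0.113.53", 53),
        "outside->control:22": Packet("198.51.100.7", CONTROL, 22),
    }
    return {name: decide(table_type, entries, pkt) for name, pkt in probes.items()}


if __name__ == "__main__":
    tables = {"allow": ("allow", ALLOW_TABLE),
              "deny": ("deny", DENY_TABLE),
              "deny, router-only": ("deny", DENY_TABLE_ROUTER_ONLY)}
    for label, (kind, table) in tables.items():
        print(label)
        for name, verdict in policy_report(kind, table).items():
            print(f"  {verdict:6} {name}")
```

Under these semantics the allow table enforces the policy but also drops the other LAN host's DNS query, which is the "messes up the other uses of the router" problem; the deny table with the complement port ranges gives the same verdicts for the control while leaving the other host alone; and the router-only variant lets both the control's outbound port 22 and an outside host's inbound port 22 through, because neither packet has the router as its other endpoint.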

#4
Quote from: icecream-guy on January 27, 2022, 08:03:13 AM
put a transit link between the two network routers like 192.168.3.0/29

Router A 192.168.3.1
Router B 192.168.3.2

put a route on router A to 192.168.0.0/24  next hop ip 192.168.3.2
put a route on router B to 192.168.1.0/24  next hop ip 192.168.3.1
put a default route 0.0.0.0/0 on router B next hop ip 192.168.3.1 for internet

I know what a route is, but what is a transit link?
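An added example (not from this thread, and not any router's firmware): a longest-prefix-match lookup over the two routing tables in icecream-guy's recipe, which shows what the transit link is for. A transit link is a small subnet, here 192.168.3.0/29, that exists only to carry traffic between the two routers; each router holds one address on it and uses the other router's address as the next hop for the far LAN. The prefixes and next hops are the ones in the quote; the "connected" entries, the "wan" marker on Router A's default route and the probe addresses are assumptions for illustration.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, str]   # (prefix, next_hop); next_hop may be "connected" or "wan"

# Tables built from the quoted recipe. Per the quote, Router A routes
# 192.168.0.0/24 via 192.168.3.2 (Router B) and Router B routes
# 192.168.1.0/24 via 192.168.3.1 (Router A), so 192.168.1.0/24 is A's LAN
# and 192.168.0.0/24 is B's LAN. Connected/wan entries are assumed.
ROUTERS: Dict[str, List[Route]] = {
    "A": [("192.168.1.0/24", "connected"),
          ("192.168.3.0/29", "connected"),
          ("192.168.0.0/24", "192.168.3.2"),   # static route from the quote
          ("0.0.0.0/0", "wan")],               # A's own default via the modem
    "B": [("192.168.0.0/24", "connected"),
          ("192.168.3.0/29", "connected"),
          ("192.168.1.0/24", "192.168.3.1"),   # static route from the quote
          ("0.0.0.0/0", "192.168.3.1")],       # default route from the quote
}
TRANSIT_IP = {"192.168.3.1": "A", "192.168.3.2": "B"}


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Standard longest-prefix match: of all entries containing dst, return
    the one with the longest prefix (0.0.0.0/0 only wins if nothing else fits)."""
    addr = ip_address(dst)
    best, best_len = None, -1
    for prefix, next_hop in table:
        net = ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = (prefix, next_hop), net.prefixlen
    return best


def owning_router(routers: Dict[str, List[Route]], host: str) -> str:
    """The router whose connected LAN contains host (first hop for its packets)."""
    for name, table in routers.items():
        for prefix, next_hop in table:
            if next_hop == "connected" and ip_address(host) in ip_network(prefix):
                return name
    raise ValueError(f"{host} is not on any router's connected network")


def trace(src: str, dst: str, routers: Dict[str, List[Route]] = ROUTERS,
          max_hops: int = 4) -> List[str]:
    """Follow one packet router by router and return the hops it takes,
    ending in 'delivered' (dst is on a connected LAN), 'internet' (sent out
    A's WAN) or 'loop' (hop budget exhausted)."""
    router = owning_router(routers, src)
    hops = [router]
    for _ in range(max_hops):
        entry = lookup(routers[router], dst)
        if entry is None:
            return hops + ["no route"]
        _, next_hop = entry
        if next_hop == "connected":
            return hops + ["delivered"]
        if next_hop == "wan":
            return hops + ["internet"]
        router = TRANSIT_IP[next_hop]
        hops.append(router)
    return hops + ["loop"]


def without_route(routers: Dict[str, List[Route]], name: str, prefix: str):
    """Copy of the tables with one static route removed, to see what breaks."""
    return {n: [r for r in t if not (n == name and r[0] == prefix)]
            for n, t in routers.items()}


if __name__ == "__main__":
    for src, dst in [("192.168.1.10", "192.168.0.20"),
                     ("192.168.0.20", "192.168.1.10"),
                     ("192.168.0.20", "8.8.8.8")]:
        print(f"{src} -> {dst}: {' > '.join(trace(src, dst))}")
    broken = without_route(ROUTERS, "A", "192.168.0.0/24")
    print("with A's route to 192.168.0.0/24 removed:",
          " > ".join(trace("192.168.1.10", "192.168.0.20", broken)))
```

With both static routes present, traffic crosses the transit link in either direction and Router B's Internet traffic goes to A and out its WAN. Removing A's route to 192.168.0.0/24 makes A send packets for that LAN to its default route instead of to B, which is the kind of one-directional result you get when only one router knows about the other's subnet.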
#5
Quote from: deanwebb on January 26, 2022, 06:06:15 PM
I see an issue... two different DHCP servers means whoever assigns the address first, wins. What's the switch vendor/model? It should be able to support more than one VLAN (one each for your networks) and then be able to specify the DHCP server for that VLAN.

There are five switches:

  • 2x TP-Link model TL-SG1024D
  • Netgear model GS752TP
  • Netgear model JFS524
  • Tenda model TEG1024G
#6
Thank you for responding.

I updated the diagram and added a few points below that hopefully explain more.




  • There are 4x 24-port and 1x 48-port switches connected together.
  • Each router has 4 LAN and 1 WAN port.
  • One of each router's LAN ports is connected to one of the switches.
  • Router A's WAN is connected to the modem.
  • Router B's WAN is connected to one of Router A's LAN ports.
  • The devices on either network consist of wired and wireless computers, printers, mobile devices, etc., and are a mix of static and DHCP.

OBF
#7
I am having trouble setting up a second router to join two networks together. The main reason I am doing this is that we are running out of IP addresses.

The diagram below is a basic overview of what we have.



This is what I need:

  • Devices on 192.168.0.x and 192.168.1.x communicate with each other
  • Devices on 192.168.0.x and 192.168.1.x connect to the Internet
  • Routers A and B assign DHCP addresses to the devices connected to them by wi-fi

These are a few issues I am having:
  • Devices on 192.168.0.x can ping devices on 192.168.1.x, but devices on 1.x cannot ping 0.x.
  • Internet does not always function for wi-fi devices.
  • Wi-fi signals drop occasionally.
  • Incorrect DHCP addresses are sometimes assigned.

I have looked at and read many pages and tried several things but I cannot get it to work properly. I would really appreciate some help. I do well at basic networking but this one has me frustrated.  :-[

OBF