Split a 256-node LAN into Secure and Unsecure Nodes

Started by DaveD, December 16, 2020, 09:16:57 PM


DaveD

Hello,

I have a 256-node LAN set up on an ASUS RT-AC66R router.  The router's WAN port is connected to a cable modem.  I would like to divide the network into two address ranges:  "Low Range" and "High Range" that behave like this:

Low Range:  addresses .002 through .063 are isolated from all incoming and outgoing traffic on the internet.  They can, however, communicate to any other node on the LAN, .001 through .255.

High Range:  addresses .064 through .255 are free to communicate on the internet and to any other node on the LAN, .001 through .255.

If it would be helpful, I can easily configure the LAN hardware so all the Low Range nodes are connected through Router Port 1, and leave Router Ports 2 through 4 and the WiFi all to the High Range nodes. 

I can also buy another different router if there is a feature needed that my RT-AC66R doesn't have (it's several years old, and is intended for home and small office environments).

Thank you very much for looking at my problem!

David

Dieselboy

Hi Dave,

You could probably do this with three routed interfaces on a router and divide your network into smaller subnets to create a couple of layer 3 private networks. One subnet range would be permitted only to the other subnet. And the "other" subnet permitted to the internet also.

I used this CIDR calculator: http://www.subnet-calculator.com/cidr.php
You can use a /26 mask to have network range from .1 to .63. But the high range is actually two subnets (two different subnet masks to accommodate it):

192.168.0.64/26
192.168.0.128/25

(note the /25 mask). You can play around with these figures in the CIDR calculator.

If you're going to use routed interfaces, then you'll need DHCP per interface as a guess. You'll effectively have LAN#1 and LAN#2.

A cowboy way of doing the same would be with 2 x ethernet routers. You could use home routers like this:

internet link ->>> router 1 ->> LAN 1

The above will give you the normal LAN as you would know it. Then for the LAN2 router, you can connect its WAN port to LAN1:

LAN 1 -> router 2 -> LAN 2
Additional configuration is required on router 1 to send traffic back to router 2, to reach LAN 2 and you'll also need to configure an allow rule to permit traffic from LAN 1 to enter router 2 to access LAN 2.
To prevent LAN 2 from accessing the internet through router 1, make sure router 2 does not have any default gateway pointing to router 1.

Because you have two separate layer 3 networks, instead of using /25 or /26 subnet masks to break up a /24 into smaller chunks (making it not-so-simple to remember), I suggest making it easier and using two /24 networks like:

192.168.1.0/24
192.168.2.0/24

You can use any /24 you like, though.

Hope it helps.
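Two things in the reply above are worth checking with code rather than by hand: the subnet arithmetic (why .0-.63 is one /26 while .64-.255 needs a /26 plus a /25), and the claim that router 2 stays off the internet simply by having no default gateway. The following is an added example written for this thread, not code from any poster or router vendor. It assumes the original /24 is 192.168.0.0/24 (the first post only gives host numbers), that router 2's WAN port sits at 192.168.1.2 on LAN 1, and uses the documentation address 203.0.113.10 to stand in for any internet host.

```python
import ipaddress

# Part 1: Dieselboy's subnet split. The /24 is an assumption (the original post
# only gives host numbers .001-.255); the network address .0 and the router's
# .1 are counted inside the low block, which is why it comes out as one /26.
def cidr_cover(first, last):
    """Minimal list of CIDR blocks covering the inclusive range first..last."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(b) for b in blocks]

LOW_BLOCKS = cidr_cover("192.168.0.0", "192.168.0.63")     # one /26
HIGH_BLOCKS = cidr_cover("192.168.0.64", "192.168.0.255")  # a /26 plus a /25

# Part 2: the two-router design. Each router does a longest-prefix-match lookup;
# a destination that matches no entry is dropped (a real router would also
# send an ICMP "destination unreachable" back to the sender).
DROP = "drop"

class Router:
    def __init__(self, routes):
        # routes: (prefix, next_hop) pairs; next_hop is a gateway address
        # or the name of a directly connected interface
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def forward(self, dst):
        """Return the next hop for dst, or DROP when no route matches."""
        addr = ipaddress.ip_address(dst)
        candidates = [(net, nh) for net, nh in self.routes if addr in net]
        if not candidates:
            return DROP
        # most specific prefix wins, so 0.0.0.0/0 only catches what nothing else does
        return max(candidates, key=lambda c: c[0].prefixlen)[1]

# Router 1 (internet-facing). Assumed: router 2's WAN port sits at 192.168.1.2.
ROUTER1 = Router([
    ("192.168.1.0/24", "lan"),          # LAN 1, directly connected
    ("192.168.2.0/24", "192.168.1.2"),  # static route back to LAN 2 via router 2
    ("0.0.0.0/0", "cable-modem"),       # default route to the internet
])

# Router 2 configured as Dieselboy advises: no default gateway toward router 1.
ROUTER2_ISOLATED = Router([
    ("192.168.2.0/24", "lan"),  # LAN 2, directly connected
    ("192.168.1.0/24", "wan"),  # LAN 1 is directly connected on the WAN port
])

# Router 2 with the mistake to avoid: a default route pointing at router 1.
ROUTER2_LEAKY = Router([
    ("192.168.2.0/24", "lan"),
    ("192.168.1.0/24", "wan"),
    ("0.0.0.0/0", "192.168.1.1"),
])

def lan2_reaches_internet(router2):
    """True if a LAN 2 host's packet to a public address leaves router 2 at all.

    203.0.113.10 is a documentation address standing in for any internet host.
    """
    return router2.forward("203.0.113.10") != DROP

if __name__ == "__main__":
    print("low range blocks :", LOW_BLOCKS)
    print("high range blocks:", HIGH_BLOCKS)
    for name, r in (("isolated", ROUTER2_ISOLATED), ("leaky", ROUTER2_LEAKY)):
        print(f"router 2 ({name}): LAN1 -> {r.forward('192.168.1.50')}, "
              f"internet -> {r.forward('203.0.113.10')}")
```

Running it shows the isolated router 2 still forwards LAN 2 to LAN 1 traffic out its WAN port but has nowhere to send a packet for a public address, so the packet never reaches router 1. The leaky table is the same router with one extra line, which is why the "no default gateway" rule deserves a check after every firmware reset or DHCP renewal on router 2's WAN side, since many home routers will happily install a default route learned from the upstream DHCP server.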

DaveD

Dieselboy,

Thank you very much for your quick and very complete answer! 

Now that I see I will need a second router, the use of subnets becomes clear and your point about making life easier by using 2^n boundaries is very well taken.  I will use the two Class C networks you suggested, 192.168.1.0/24 for LAN 1 (allowed to access the internet) and 192.168.2.0/24 for LAN 2 (not allowed internet access).

Router 1:  WAN port connected to Cable Modem, NAT is enabled, DHCP is enabled, and a single static routing table entry connects it to LAN 2:
HOST: 192.168.2.0  MASK: 255.255.255.0  GATEWAY: 192.168.1.1  METRIC: 1  INTERFACE:  "LAN"

Router 2:  WAN port is connected to LAN 1, NAT is disabled, DHCP is enabled, and a single static routing table entry connects it to LAN 1: 
HOST: 192.168.1.0  MASK: 255.255.255.0  GATEWAY: 192.168.2.1  METRIC: 1  INTERFACE:  "LAN"

If all this is correct so far, then the last thing I can think of is how do I take LAN 2 traffic that attempts to access a public address on the internet and direct it into the bit bucket?  An individual node on LAN 2, for instance, tries to access a public IP address.  Router 2 has no static entry for the address, so it sends the packet out the Router 2 Gateway.  I'm not sure what would happen to the packet at that point...would you please explain?

Thank you again for the great reply; I really feel like you've got me on the right path!

David

icecream-guy

Quote from: DaveD on December 17, 2020, 01:16:44 AM
If all this is correct so far, then the last thing I can think of is how do I take LAN 2 traffic that attempts to access a public address on the internet and direct it into the bit bucket?  An individual node on LAN 2, for instance, tries to access a public IP address.  Router 2 has no static entry for the address, so it sends the packet out the Router 2 Gateway.  I'm not sure what would happen to the packet at that point...would you please explain?

an ACL would be required on the router, or at the layer 3 boundary
something like

01 permit ip 192.168.2.0/24 192.168.1.0/24
02 deny ip 192.168.2.0/24 any

:professorcat:

My Moral Fibers have been cut.

deanwebb

Now, if you want to buy a proxy server, we can make a more complicated scenario that does the same thing. :smug:

But seriously... is the only requirement to block direct connections to the Internet from the low range? Or do you also want to block Internet traffic coming via remote sessions or VPNs set up between the low range and the high range?

If you need to block indirect Internet connections, then you will also want to block HTTP, HTTPS, SMTP, IMAP4, POP3, VPN, RDP, SSH, and Telnet sessions outbound from the low network. Best way to do that is to work backwards and permit ONLY the traffic that you want to authorize, possibly only ports for file and print sharing and directory authorization.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

DaveD

ristau5741,

I looked into routers that supported ACLs, and the ones I found were definitely commercial grade.  Do you happen to know if anyone makes a home router that has multiple routable ports on the LAN side instead of basically a switch?  If you were going to buy such a router today, who in addition to Cisco would you look at?

deanwebb,

Yeah, I love complications!  Every project I've ever run has caused, at some point, the senior management to use the phrase "gold plate".  Gold is good; when was the last time you saw oxidation on gold contacts?

Quote from: deanwebb on December 17, 2020, 10:36:55 AM
...Or do you also want to block Internet traffic coming via remote sessions or VPNs set up between the low range and the high range?

I had not thought of that.  Yes, blocking Internet traffic to the low range from remote sessions or VPNs seems like a very good idea.

Quote from: deanwebb on December 17, 2020, 10:36:55 AM
If you need to block indirect Internet connections, then you will also want to block HTTP, HTTPS, SMTP, IMAP4, POP3, VPN, RDP, SSH, and Telnet sessions outbound from the low network. Best way to do that is to work backwards and permit ONLY the traffic that you want to authorize, possibly only ports for file and print sharing and directory authorization.

Yes, that's sounding like a good idea.  Start with permitting only file & print sharing and directory authorization.  It's common for automation and robots to be configured to send out email for problem reports and status, so I'd probably be adding SMTP to the list of permitted ports pretty quickly.  But I like the idea of blocking just about everything, and then allowing individual ports as need arises.

I'm not going to get away with a couple of $80 routers, am I?   :(

Thank you both for all the help!  Further comments, thoughts, and equipment recommendations are enormously welcome!

David
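The three policy ideas in the posts above, icecream-guy's two-line ACL, deanwebb's "permit only what you authorise" list, and the SMTP line DaveD expects to add, can be compared by running sample flows through a first-match evaluator. The code below is an added example for this thread, not a poster's configuration or any vendor's ACL syntax. The port numbers in the allowlist are assumptions for illustration (the thread only says "file and print sharing and directory authorization"), the sample flows are constructed, and 203.0.113.10 is a documentation address standing in for any internet host.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")
Rule = namedtuple("Rule", "seq action proto src dst dport")

def rule(seq, action, proto, src, dst, dport=None):
    """Build a rule; proto 'ip' matches any protocol, dport None matches any port."""
    return Rule(seq, action, proto,
                ipaddress.ip_network(src), ipaddress.ip_network(dst), dport)

def evaluate(acl, flow):
    """First matching rule wins; an unmatched flow hits the implicit deny.

    Returns (action, sequence number of the rule that fired, or None).
    """
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    for r in sorted(acl, key=lambda entry: entry.seq):
        if r.proto != "ip" and r.proto != flow.proto:
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if r.dport is not None and r.dport != flow.dport:
            continue
        return r.action, r.seq
    return "deny", None

LAN2 = "192.168.2.0/24"   # low range: no internet
LAN1 = "192.168.1.0/24"   # high range
ANY = "0.0.0.0/0"

# icecream-guy's two-line ACL, applied inbound on router 2's LAN 2 interface
SIMPLE_ACL = [
    rule(1, "permit", "ip", LAN2, LAN1),
    rule(2, "deny", "ip", LAN2, ANY),
]

# deanwebb's allowlist approach: permit only what is authorised, deny the rest.
# Port numbers are assumptions for illustration: 445 SMB, 631 IPP, 88 Kerberos,
# 389 LDAP. Seq 60 is the SMTP line DaveD expects to add for status e-mail.
ALLOWLIST_ACL = [
    rule(10, "permit", "tcp", LAN2, LAN1, 445),
    rule(20, "permit", "tcp", LAN2, LAN1, 631),
    rule(30, "permit", "tcp", LAN2, LAN1, 88),
    rule(40, "permit", "udp", LAN2, LAN1, 88),
    rule(50, "permit", "tcp", LAN2, LAN1, 389),
    rule(60, "permit", "tcp", LAN2, LAN1, 25),
    rule(1000, "deny", "ip", LAN2, ANY),
]

# Constructed sample flows from a LAN 2 host. 203.0.113.10 is a documentation
# address standing in for any internet host.
SAMPLE_FLOWS = {
    "smb to file server":  Flow("192.168.2.10", "192.168.1.20", "tcp", 445),
    "ssh to LAN 1 host":   Flow("192.168.2.10", "192.168.1.20", "tcp", 22),
    "smtp to LAN 1 relay": Flow("192.168.2.10", "192.168.1.20", "tcp", 25),
    "https to internet":   Flow("192.168.2.10", "203.0.113.10", "tcp", 443),
}

def audit(acl, flows):
    """Map each flow label to the (action, seq) the ACL produces for it."""
    return {label: evaluate(acl, f) for label, f in flows.items()}

if __name__ == "__main__":
    for name, acl in (("simple", SIMPLE_ACL), ("allowlist", ALLOWLIST_ACL)):
        print(f"--- {name} ---")
        for label, (action, seq) in audit(acl, SAMPLE_FLOWS).items():
            print(f"{label:22s} -> {action} (rule {seq})")
```

The difference between the two lists shows up on the "ssh to LAN 1 host" flow: the simple ACL permits it because anything from LAN 2 to LAN 1 matches rule 1, while the allowlist denies it, which is exactly the indirect path deanwebb is describing (a remote session into a LAN 1 machine that does have internet access). Both lists are stateless as written; on a home router or a plain layer 3 switch the replies to permitted sessions need their own rules in the opposite direction, whereas a stateful firewall such as the ASA mentioned later in the thread tracks the session and allows the return traffic automatically.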

deanwebb

So before I recommend hardware, I'll need to know if this is a home or lab network or if it's a production network?

If a home network, we can talk about a cheap used ASA firewall on eBay.

If production, then you're looking at working with your VARs on a requisition for hardware that's under warranty and support.

icecream-guy

Quote from: deanwebb on December 18, 2020, 09:56:49 AM
So before I recommend hardware, I'll need to know if this is a home or lab network or if it's a production network?

If a home network, we can talk about a cheap used ASA firewall on eBay.

If production, then you're looking at working with your VARs on a requisition for hardware that's under warranty and support.

what he said.

DaveD

Quote from: deanwebb on December 18, 2020, 09:56:49 AM
So before I recommend hardware, I'll need to know if this is a home or lab network or if it's a production network?

deanwebb and ristau5741,

The network is a combination of my home office network and a prototype shop used in my business.  I don't manufacture here; that's all jobbed out.  Nothing has a warranty, and most of the machines are long out of support - a few belong in museums.  When they break I fix them or in extreme cases scrap or re-purpose them.  So I'm perfectly comfortable with buying off ebay; once I got the whole thing running I'd probably buy a 2nd for backup.  I did some reading on Cisco's ASA line, and I was interested that they had included anti-virus and anti-spam in the router.  Do these get updated with new signatures from Cisco? 

Thank you again for the help!

David

icecream-guy

Quote from: DaveD on December 18, 2020, 02:46:37 PM
what model are you talking about?

If you are interested in eBay, the Cisco ASA 5515-X or 5525-X can be had relatively cheap, or some Layer 3 3560s or 3750s if there is no need for a firewall; cheap as well.

deanwebb

Yep, a low-end ASA firewall would be fun times and get you what you want. You'll be able to set up rules to only allow traffic you want from that subnet and all other traffic is blocked by default.

Dieselboy

Pretty much all home routers allow you to do ACLs but these ACLs are usually only on the WAN interface on the inbound direction, where I placed this red X

internet -> [WAN port X|router| LAN port]

As a lower cost suggestion but still business grade, I've had good experiences with Draytek.