Creating two networks
 

Hello everyone,
It’s nice to meet the community and hope to have best question-solving time here.

Now, I’d like to get straight to the subject.
I have the need for two Internet networks, a chilling café network and an office network.
The Internet is starting in the office via a DSL modem, configured like a router, to share Internet connection with other office computers through a simple switch.
Due to database requirements office computers must be, and are on static IPs.
In the café I would like to share same Internet connection, but via a wireless router, and I have attached that wireless router to the switch in the office.
My question is: how should I configure the wireless router in café properly, so the visitors will be able to connect to Internet automatically, via dynamic IPs?
I don’t think is normal for them in order to connect to Internet to configure their network cards manually, all the time when they visit my cool café.
Also is it possible to hide somehow local network computers IPs from bad hackers in the café.

DSL Modem is: D-Link 2500U
Wireless Router is: DI-624S - Wireless 108G USB Storage Router (http://support.dlink.com/products/vi...ctid=DI%2D624S)

Some help is really and deeply appreciated.
Thank you very much.

Re: Creating two networks
 

I would suggest you would be needing a firewall somewhere between your more public bits of cafe kit, and the private office stuff.

Most routers will allow you to also set fixed IPs to PCs, but for real security you do want the office to be on a separate subnet.

Basic wiring would probably be:

modem <> wireless router <~~> internet cafe
and wireless router <> firewall and/or 2nd router (set with forwarding to wireless router) <> office

Re: Creating two networks
 

We have just set up something similar for our training room to give people free wireless. We have used a linksys router wrt54gl (I think) and flashed it wih new firmware (dd-wrt) to be able to run a seperate VLAN from it. That way the guys on wireless are oblivious to the office netowork and we have full security. Other than spending a fortune on a router that offers this functionality out of the box this would be the best way.

Re: Creating two networks
 

You may find Steve Gibson's article about multi-router systems interesting. You can use the NAT effect to create isolated subnets.

http://www.grc.com/nat/nats.htm

Re: Creating two networks
 

I would do it like this, it may work out more expensive but is probably the most stable solution:

Attachment 17082

Re: Creating two networks
 

Looks good. Presumably two different LAN IP groups and the double NATting will make cross-hacking virtually impossible?

Re: Creating two networks
 

The IP addresses don't matter as all the users on both networks will be able to see is anything connected to the top router and the Internet (which would include the opposite router but nothing below it)

Re: Creating two networks
 

How would you handle DHCP on a twinned setup like that?

Re: Creating two networks
 

Routers connect one network to another so you'd have 2 routers DHCPing off the main router, with each of the other two routers on a different subnet DHCPing their clients.

Say you could give the main router 192.168.0.1, the two will be 0.1 and 0.2 on their WAN ports, and then 0.1 assigns itself 1.1 (on LAN) and clients 1.2>, 0.2 could assign itself 2.1 (on LAN) and clients 2.2> - if you get it.

Re: Creating two networks
 

As suggested above. Here it is in pretty pictures and some quick notes (I've populated the diagram with some IP addresses for illustrative purposes):

Reserve an address on your office LAN for the WAN interface on your cafe router

Plug the WAN interface of your cafe router into the office LAN (CAT5)

Configure your cafe router LAN with a different subnet or network block to your office LAN

Use the firewall rules on your cafe router to lock access down as you see fit (ie no SMB, NETBIOS or the usual suspects).

[img]Download Failed (1)[/img]

Re: Creating two networks
 

First i want to say i am impressed by the feedback of this forum.
That is pleasant and great.
Thank you everyone!

---------- Post added at 11:13 ---------- Previous post was at 11:12 ----------

That gives some light,
Thanks.

---------- Post added at 11:18 ---------- Previous post was at 11:13 ----------

Sound simple though.

---------- Post added at 11:28 ---------- Previous post was at 11:18 ----------

To make it clear, does this solution give me the possibility to share internet with the cafe via dynamically assigned IPs on visitors computers?
As i mentioned in the first post, the office users must stay on static IPs, while using internet, and that way is the DSL Modem configured, as a router.
Thanks much.

Re: Creating two networks
 

that will/would work OC and is fine for fully private (wireless)LANs , but without that 3rd router as per Graham's diagram, anyone on the open cafe LAN can just use a netmask of 255.255.0.0 and see all the data on the office wire without to much trouble.

wireshark and several others would even let you pull the packets and reassemble them to see the full data be it http pages or binary.

Re: Creating two networks
 

Sorry, i only don't understand where do i connect the router? You mean to the regular switch to which other office devices are connected or to some particular office computer?
http://moldova.worldcarp.org/forum_f...d/question.gif
And i would like to mention again that while office computer are on static IPs and use Internet, cafe visitors should be able to connect via automatic IPs.
Thank you.

Re: Creating two networks
 

Graham's 3 way router will work fine for that fixed ip's on the office side router, and the requirement for DHCPd assigned cafe Ip's from the cafe router side.

although taking into consideration what i said about the netmask above and the ability to snoop if you set your mind to it, you can also get your master net<=>router to give out fixed IP's to the office PCs and have it's DHCPd give out the dynamic Ips for the wireless 192.168.1.* parts as well OC for fully private (wireless)LANs.

as for your red edit, its a slight confusion on your part, the 192.168.0.1/24 (i.e a netmask of 255.255.255.0) to 192.168.0.2 line is infact a direct line to the dlink 2500u router, if thats any clearer!

"dlink 2500u router"LAN-port2<=fixed 192.168.0.2 IP=>WAN-port"dlinkDi624s"

---------- Post added at 10:33 ---------- Previous post was at 10:05 ----------

the reason Zeph's 3 router setup works far better, is the basic fact your wireless LAN is connected to the WAN side of the office routers connection rather than the LAN side of a two router setup, so one LAN cant see the other LAN(s) data throughout.

the only way any router3 LAN PC could see router2 LAN PC data is if you tunneled through the routers on both sides using two PCs if you want that OC, but keep that tunnel data info secure and dont let other cafe users know it.

a multicast tunnel might be useful for you though so you can send video streams to both sides and play it on screens around the place.

a simple "Mtunnel" and copy of VLC will probably work for that id think, something to play with anyway :D

http://www.cdt.luth.se/~peppar/progs/mTunnel/
http://www.videolan.org/doc/streamin...o/en/ch02.html

use "UDP Multicast" and an IP of say 224.0.0.1:7777 as your stream channel for instance, good for cafe adverts and entertainment streaming for the whole LAN.

Re: Creating two networks
 

Thank you popper,
I will really try to digest it all, and apply it.

---------- Post added at 14:22 ---------- Previous post was at 14:06 ----------

One more issue if you allow me please,
From one side i want cafe visitors to have DHCP internet and from other side i want to watch from inside office over all cafe's video cameras activity, can i push both tasks through same cafe router? And what method is best for that?
Thanks

Re: Creating two networks
 

Yep thats no problem, if you wanted to view them from outside using my method you would have to forward the port required from the first router to the cafe router and then from the cafe router to the camera(s)

Re: Creating two networks
 

pritty simple , you just need to remember not to use the same Ip ranges on both the second and 3rd routers (or 4th/5th etc) or the master net<===>router/gateway gets confused as it trys to sort out the incomeing and outgoing packets from both.

but in this case its even easyer, as he wants only fixed IPs for the office router (so that DHCPd can be turned off)and so only needs to make sure the single cafe router DHCPd doesnt use the same office IP range or it might give out an already fixed IP thats in use by an office PC.

the office LAN side might use 192.168.0.* and so the cafe might use 192.168.1.* or 10.0.0.* for its LAN side DHCPd range , it doesnt matter as long as your master router can route all the traffic to were it needs to go.

so a good plan of your sections is a very good thing to write down so you dont forget and assign duplicate Ip ranges that might one day come back and bite your master router/gateway.

---------- Post added at 13:11 ---------- Previous post was at 12:48 ----------

or OC depending on how these cafe cams work (we are assuming IP lan connected video cams at the moment) then you could also probably use that Mtunnel+VLC and stream them on different 224.0.0.1:7777 :7778 etc to any VLC client on the office side.

but iv not found any good IP streaming video app that takes several MultiCast IP video feeds as input and turns them into a single multi stream Picture in Picture video outgoing stream.

although VLC can probably do it, but you need to be a CLI/shell wize to work that VLC shell magic, so if you work it out, tell us the full working line command ;).

Re: Creating two networks
 

For good measure I wouldn't fancy going down the route of giving either the office or cafe clients free reign over the connection or relying on the crude firewall implentations in these domestic routers so going forward it might be worth looking at squid/iptables or ISA (depending on which camp you're in) behind the master/wan router. It'll fit in nicely with your 3 router setup.

Re: Creating two networks
 

also another thing to consider installing in the master/router1 section is a bandwidth control app (yes thats STM but YOUR in control of how it gets used, when and for what, and your the one paying for your service so thats fine) so that the cafe users dont inadvertently take all the limited upload/download bandwidth away from the office LAN use, or the office from the cafe if you prefer....

you could use one of the 3rd party firmwares for the wireless router and use the throttling app that way if you prefer, but on the linux firewall PC is probably better and easyer to control/log etc.

you could even probably make a slax booted USB2 key and put these firewall/STM apps etc on that if you dont want a HD/cd installed and have a junk PC that usb/network boots.

Re: Creating two networks
 

So much information and help i get from you fellows that it takes me some time to digest it :).
So, i decided to clarify one more time (for my self actually ;)) what devices i have and how do i have connected them, and is it right or not.
https://www.cableforum.co.uk/images/...2008/10/25.jpg
In the attached image you can see the final current network architecture which shows that actually office computers together with cafe cash computer and video camera device are in the network n#1, and only wireless internet connection for cafe users makes the network n#2.
That is how i want it.
In this case which suggestion is best, Graham's or Zeph's?

Up to the Wireless Router everything is working already fine, with static IPs (as should be).
All i need to do now is to make wireless internet possible for cafe via dynamic IPs and stop cafe visitors from being able to see my local network IPs/machines (unless they physically connect to the hub in the cafe via regular wire:)).

Thank you and sorry for being a dummy.

Re: Creating two networks
 

No not a good idea, because with a bit of ingenuity you could easily access the office PCs from the Cafe network oh and Graham IS Zeph ;)

Re: Creating two networks
 

via wireless only?

Oops...:)

Re: Creating two networks
 

Yep it's still the same network.

Re: Creating two networks
 

I think now i got it.
As long as wireless device is touching LAN area directly in any way, hacking office PCs is very probable, right?

Re: Creating two networks
 

Nope, not any more he's not, not since he offered to become a MOD :angel:, he's only Zeph when he's playing online games.:confused:

assuming your going to put a linux firewall and throttling app on there some time, your short one router and one old PC good enough to install /CD/network/or USB boot the linux and apps IF your going for the 3 router way.

these pictures are a good thing to clarify stuff ,perhaps we need a sticky with generic pictures we can cut and paste into paint and pop in this and other slightly more advanced networking threads were its needed to make it clearer Mr MOD :D

Re: Creating two networks
 

It's possible but probable? depends who comes into your cafe ;)

I didn't realise that it was a public cafe. I originally thought it was a chillout place for employees.

Re: Creating two networks
 

yep, thats right, to be clear, if its touching any other LAN section other than its own (wireless) section, it can be hacked as in see the data for that other LAN section by anyone willing to go to the trouble of running wireshark etc.

the WAN-to-LAN routing NAT stops that cold, unless you open up the ports and forward them on purpose to other sections on them open ports.

as in, port forwarding your master router to pass gaming ports to your cafe for instance but it cant get past the router2 WAN-to-LAN NAT so your fine.

make it go on the WAN section and have that linux firewall/throttler on the master router1

net<===> master-router1/gateway<===> firewall/throttler/other apps<===> router2/3/4/5 sections were you can put your wireless and other bits etc.

Re: Creating two networks
 

Sorry, forgot to mention its a public esoteric shop with a public chillout cafe.

---------- Post added at 18:32 ---------- Previous post was at 16:56 ----------

As a conclusion i should understand that the best secure way for me is:
http://moldova.worldcarp.org/forum_f...kyard/best.jpg
I still want to make sure i will be able to push cash PC data and video camera stream through that cafe router towards the office PC for administration. If so how will i do that?

Re: Creating two networks
 

Connect the Cash PC to the Office router and forward the ports for the video camera?

Re: Creating two networks
 

The easiest way to do it is just run a cat5 patch from your office lan to a switch or hub in your cafe area and plug the cash pc and camera host into that. Saves messing about with port forwarding rules although the physical connection could theoretically be compromised.

Re: Creating two networks
 

What is a cat5 patch?

Re: Creating two networks
 

A network cable :) Although to do a neat job you might want to put a socket at the end.

Re: Creating two networks
 

Knocked up another quick diagram to show how it would be possible to implement a caching proxy with the 3 router solution. Other than the price of the hardware and some learning/configuration time, a linux OS and Squid are going to cost nothing. You can configure squid to run as a transparent proxy relatively easily so there's no manual configuration of browser settings required on the client side.

Proxy has 3x NICs, for example:

eth0 is WAN side and connects to the adsl modem
eth1 connects to the WAN interface of the office router
eth2 connects to the WAN interface of the cafe router

So even the WAN interfaces on your office and cafe routers are physically segmented but you can still control other traffic inbound/outbound such as SMTP and POP3 using the iptables access control rules on the proxy box.

http://img61.imageshack.us/img61/4931/cafe2af7.jpg

Re: Creating two networks
 

That would work, but the Routers wouldn't need to be routers any more with that setup

Re: Creating two networks
 

it would if you didnt want to worry about that wireshark netmasking type snooping though, the full linux router/+caching proxy/+throttling setup is not going to stop that in a single router+2switch setup.

so thats why we have talked about the easy 3 (wireless)router/WAN-to-LAN NAT way all day, to keep it simple but effective for stopping cross lan section snooping for your average end user thinking about these free open community wireless sharing setups.

Re: Creating two networks
 

I know it is a one off cost vs an ongoing cost but how about a second internet connection for the cafe?
That way cafe traffic will not impede the internet access of the office.

Re: Creating two networks
 

sure that would work too, but you just know your going to want to Multi-WAN Bond these two connections for better combined throughput from whatever side your on at the time if your paying for these two connections ;)

about 30 minutes after you realise you can Bond them, thats when your head explodes :confused: thinking about the rule sets your going to have to use to route packets for different protocols for best use of the connections seeing as their not end to end bonded with your (ISP)provider(s).

Re: Creating two networks
 

Interesting to see everyone's ideas thrown into the pot :tu: I hope the OP's head hasn't exploded yet ;)

Re: Creating two networks
 

:)
Interesting idea.
Worth taking into consideration.

Re: Creating two networks
 

So after all the thinking i have decided before buying anything to do the minimum security setup with the hardware i have just to make sure i will be able to make it work.
If everything will go smooth i will go ahead and get something better for more security.
Here its the hardware i have now, and i would like to get something of it:
http://moldova.worldcarp.org/forum_f...ckyard/net.jpg
What would be the best connection architecture with it in order to give out free internet for dynamic IP but stop users from simple access of office computers? (office computers are on static IPs)
Thank you very much.

Re: Creating two networks
 

No you want the Hub in the Cafe connected to the top router in the Office and then the Office connected to another port on the same router as there is still a chance someone clever enough will be able to access the stuff on the office network - See my original Diagram.

Re: Creating two networks
 

There's some more help in the following link Eugen. How is the weather in Moldova at the moment?

http://mybroadband.co.za/vb/showthread.php?p=2173733

Re: Creating two networks
 

Thank you :)
Weather is cold and wet, i'd call it London weather...
How's weather in your location?

Re: Creating two networks
 

i find it interesting that noone in that external thread included the simple 3 router way we have put forward, perhaps someone should post there and link back here.....so they can read up on it.

if buying the extra kit is a problem Azmandious, you do know you can just use any old PC,install 3 ethernet cards, and boot live router CD/USB2 stick and set it up as you require!

Re: Creating two networks
 

Actually the true is that i will have to invest mon in order to have real simple and actual security, so the 3 routers way is the best so far.