Segregate Home and Bus LAN via Cascading Routers
VishNZ

Hi all,

I am planning to move my Windows Small Business Server (SBS) home. This server acts as email, file and PPTP VPN server. I want to have my staff continue to VPN to the server for file access and use Outlook as they currently do.

I want to be able to access the server for the same from my home desktop. But, I don't want my staff to be able to access my personal desktop or other shared personal devices once they are connected to the SBS VPN.

I have two Asus RT-AC68U routers. I think I can only get this working by having my main router as the 'business' network, then LAN to WAN the other router for my 'home' network. That way I can see the shared files on the server and connect to the Exchange server, and also see home shares as normal.

Meanwhile my staff can VPN through the main router to the SBS and work as normal but cannot get to my home network.

Is this a good solution? Is there anything else I should consider here? I see a lot of other options like triple Y routers and VLANs but I don't think I need those...?

Thanks gents.

V
 
That is not the way it would be done in a large company but if it does what you need use it. I guess you can keep all the business equipment local so you don't have to push multiple networks down one wire to different rooms. You may have a few issues accessing your home router from the WAN side.
 
Another business dumb enough to use a consumer router.
Why only security for yourself? Instead you should make it so that users cannot access each other. This can be done by isolating them to their own network each or similar.

On a router like mikrotik routerOS all you have to do is add your VPN users to an address list and prevent forwarding between them using address lists and a single rule. This means that VPN users can see office LAN but cannot see each other. 1 router, enterprise features, 1 rule, 1 address list which is very simple and easy to do in an enterprise router like proper cisco, juniper, mikrotik routerOS but is very complicated to do with consumer routers.

This also means that your office network is vulnerable to man-in-the-middle attacks such as the pineapple hack, rogue DHCP servers and gateways and such. Cisco made a tutorial that requires a configurable router more than 10 years ago to defeat these sorts of attacks and to this day no consumer router has ever implemented such security.

To add more complexity, you don't want the business network to see the VPN networks, so you create another firewall rule of forward with drop, another address list that excludes the needed servers and just deny from VPN list to business LAN. You could just add the server to the list and say not servers instead, though you may need to add some accept rules beforehand.

I see you're trying to make a tunnel (VPN isn't the only way). On your Windows server try to make forwarding rules that allow and deny access to certain IPs. On your AC68U as the main server that is doing VPN, create a static route with weights.
For example you could have 3 networks on your router:

    Network          Gateway                   Weight
    192.168.1.0/24   192.168.1.1               0  (LAN)
    192.168.2.0/24   [Your router's VPN IP]    1  (VPN)
    0.0.0.0/0        (your router's WAN IP)    2  (Internet)

You will need IGMP to forward layer 2 stuff over VPN.
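As an added example (not from any poster in this thread), here is the RouterOS rule set the two posts above sketch: one address list for the VPN pool, a single forward-chain drop so VPN users cannot see each other, and a drop from the VPN list to the business LAN with the accept for the needed server placed first. The 192.168.1.0/24 LAN and 192.168.2.0/24 VPN subnets follow the route table above; the home subnet 192.168.3.0/24 and the server address 192.168.1.10 are assumed placeholders.

```routeros
# Added example, not from the thread. 192.168.1.0/24 (business LAN) and
# 192.168.2.0/24 (VPN pool) are taken from the route table in the post;
# 192.168.3.0/24 (home LAN) and 192.168.1.10 (the SBS host) are assumed.
/ip firewall address-list
add list=vpn-users address=192.168.2.0/24 comment="PPTP client pool"
add list=business-servers address=192.168.1.10 comment="Windows SBS: mail, files"
add list=home-lan address=192.168.3.0/24 comment="personal devices"

/ip firewall filter
# Replies to already-accepted connections pass, so the drops below do not
# break sessions the server itself answers.
add chain=forward action=accept connection-state=established,related
# Accept rules go before the drops: VPN users may reach only the listed servers.
add chain=forward action=accept src-address-list=vpn-users \
    dst-address-list=business-servers comment="VPN users -> SBS only"
# One rule, one address list: VPN users cannot see each other.
add chain=forward action=drop src-address-list=vpn-users \
    dst-address-list=vpn-users comment="isolate VPN users from each other"
# VPN users never reach the home network.
add chain=forward action=drop src-address-list=vpn-users \
    dst-address-list=home-lan comment="VPN users -> home LAN denied"
# Anything else from the VPN pool toward the business LAN is dropped too.
add chain=forward action=drop src-address-list=vpn-users \
    dst-address=192.168.1.0/24 comment="VPN users -> rest of business LAN denied"
```

Rule order matters: RouterOS evaluates the forward chain top to bottom and stops at the first match, so the accept for business-servers must sit above the drops or the server becomes unreachable from the VPN.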
 
Cascading routers, aka double NAT, is a fail except in the most simple networking situations. The inside network will need the outside network to port forward anything not originated on the inside network. Nobody on the outside network will see the inside network, but that includes you for anything, such as a VPN, intended for the inside network that originates from, say, you in a hotel room, without special preparations.

Not saying you can't do it. Just that you need to think it out and plan to port forward and test a lot.
 
Thank you for the comments.

I won’t need to access the ‘home’ network from the internet. Any services or files needed, I can throw on the ‘business’ network, which really will only have the Windows SBS server and a NAS on it locally, nothing else. WiFi will be disabled on the 'main' 'business' router.

I know these aren’t commercial grade routers but they are what I currently have so want to try and use them if I can. There are only 3 remote users and me as the one local user.

I’m not worried about users accessing each other or the business LAN being able to see the VPN network. I will be the only user on the local business LAN. But I will look into the mikrotik routerOS. I was running Smoothwall but it wouldn’t pass GRE for the PPTP VPN. Hence why I got the second Asus router, which is working great right now at the office location.

I don’t know if it makes any difference but the Windows Server box is the VPN, not the main router.

From what I have read here, while it could be done better and more securely, it will work fine and be functional for my need. Does that about sum it up?
 
Might also consider running pfSense on a small form factor PC - VPN support along with very robust routing capabilities... and it runs on small memory and a thumb drive...
 
You might look at Untangle UTM firewall. It is a good business firewall much better than a basic router. They have a free version which runs on a PC and includes VPN. I run Untangle at my house but I have not used the VPN function. Since it is free you can run it and find out. I ran Smoothwall 10 years ago and Untangle is so much simpler to run with free nightly updates.
 
mikrotik routerOS is just an example. There's also pfSense, Juniper, a real Cisco (not Cisco RV). Then just use your Asus routers as APs. You won't need to cascade then.
 
If I do use a routerOS/pfSense etc box, how are the two networks separated? Or how do I achieve the segregation I require as mentioned above? For me to access the business server from the 'home' network I don't want to go out to the net and back in. I suppose I could make this less complicated and have a separate desktop at home connected to the business LAN. But I'm trying to avoid having to do that.
 
You either do what you are doing or set up VLANs. You can also use pfSense or Untangle and set up separate networks by using 3 NICs: one NIC for your WAN interface, one NIC for the business network and one NIC for the home network. If you want to route your workstation to the business side while plugged into the home network, it is done in pfSense or Untangle routing. You may find it easier to leave your workstation in the business network and then maybe you don't need to route between networks. You can figure this out over time. You can use pfSense or Untangle to set up VLANs or you can buy a layer 3 switch for your VLANs. There are many options. You do not need to set up double NAT with your original setup. Double NAT does reduce your payload, not by a lot but some, so your download speed is reduced for the home network.

PS
The one comment I have about Untangle is I know very little about it. It just runs in the background updating itself and I never work on it so I know very little other than it works. There is the initial setup but after that it is a piece of cake.
 