One Internet Connection, Two Private LANs

[DaveVM]

Tim and staff,

Method two worked for me! I've been doing some digging (for days) on how to use my existing hardware to do "1 internet connection 2 private LANs article". This is the first time I've been able to do static routing! There seems to be steps missing in the other descriptions on the web, or they just were not quite clear enough for my understanding.

Thanks Tim and staff, I appreciate it!

Now I plan on using at least two downstream wireless routers and possibly three, all connected to the upstream router.

My thinking is to use an EnGenius 9850 for the upstream router, radio off, NAT & SPI on. My thinking is since it can handle so many maximum simultaneous connections it should be the first router after the cable modem. Maybe my thinking is flawed here. As I've not read anywhere, where routers should be placed on their networks based on their maximum simultaneous connections.

The downstream routers will have DHCP and radios on.

Since the NAT and SPI are off in the downstream routers, will something that needs to forward ports, PS3, xBox, be able to do so without having to do messy port forwarding setups? Hoping here for UPnP to work through all of this.

 

[thiggins]

Sorry, but specifically, which method are you using (pls provide the page link). The article you refer to does not say to disable NAT on the downstream routers. NAT enabled is required to keep the LANs separated.

 

[DaveVM]

Tim,

I botched that all up, sorry.

My goal is to isolate the kids computers.

I used How To Use a Router To Add Network Ports - Method 2

The upstream router will only have other routers connected to it, statically routed. None of the downstream routers will be statically routed (or bridged as I think the term is) to another downstream router.

To set up static routing in the up and downstream routers, the upstream is at 192.168.1.xxx while the first downstream is at 192.168.2.xxx The other downstreams will be at 192.168.3.xxx with the subnet increasing on each.

The downstream router is connected by it's WAN port to a LAN port on the upstream router as defined in the above article.

The upstream router static routing is;
Destination IP Address 192.168.2.0
Subnet Mask 255.255.255.0
Gateway IP Address 192.168.1.2
Metric 2 (probably should be set to one)

The upstream router also has "RIP Direction = None" "RIP Version = Disabled"

While the downstream static routing is done from WAN IP setup, per the article, and is statically set to,
IP Address 192.168.1.2
Subnet Mask 255.255.255.0
Gateway IP Address 192.168.1.1
Primary DNS 192.168.1.1

There is nothing in the static routing of the downstream router.

My limited understanding is since the downstream routers are in separate subnets and statically routed they should be separate and isolated from each other. And because of that the NAT of the downstream routers could be turned off to avoid double natting. Apparently I am missing or not understanding something. What is it?

I hope I've explained what I am trying to do a bit better. Though it is probably clear as mud.

Thanks In Advance

Dave

 

[thiggins]

You're using the wrong article, Dave. How To Use a Router To Add Network Ports - Method 2 is intended to basically turn the router into a switch.

If you're trying to isolate LANs, you want to use How To: One Internet connection - Two Private LANs.

Much easier and no static routing involved.

Another way to go is to use a smart / managed switch with VLAN capability. But that's another ball o' wax.

 

[DaveVM]

Tim,

I believe that this whole double natting issue is going to be a real problem when using the "One Internet Connection, Two Private Lans" method, because of NAT being turned ON on all of the routers, and the need of UPnP.

And yes I got the "Lan 1 & 2" routers to work with DHCP and no static routing. Though I wonder if security is better with static routing.

Note if the Engenius ESR9850's are set to use DHCP to attain net access as "Lan 1 or 2" their NAT's must be ON, if they are statically routed then NAT may be ON or OFF and still have net access.

You mentioned using a smart/managed switch, and I was looking into that as well.

As you may recall I am trying to isolate the kids, particularly adult Kid 1, as they will not nor do they want to understand safe computing, they will later, and I do NOT want to mess with port forwarding, unless it is the last and only way. Kid 2 has already learned their lessons! Got to try to keep peace in the house.

This is current set up.

Kid 1:
- Laptop - Wired and WiFi - uses Frostwire - needs UPnP
- xBox 360 - Wired and WiFi - needs UPnP
- PSPgo - Play Station Portable - WiFi - UPnP needs unknown
- Wii - Wired - UPnP needs unknown

Kid 2:
- PS3 - Wired and WiFi - needs UPnP
- Laptop - Wired and WiFi - UPnP needs unknown
- NintendoDS - WiFi - UPnP needs unknown
- Desktop - Wired - UPnP needs unknown

Office:
- Two desktops - Wired
- Laptop - Wired and WiFi
- NAS (inwork)

And all this is currently being run through two Netgear WNR834b routers, set in repeating mode (repeater in Kid 2's room), and one unmanaged switch. Yes I know there is more in this house than a lot of small businesses! And I probably need to go back to school and learn about networking.

So I know this needs improvement. Which is why I'm trying to use the "One Internet Connection, Two Private Lans" article and really do three private LAN's.

Now I am beginning to see and understand the need for the use of a smart/managed switch or router for their VLan capabilities. Right now I'm leaning towards the Netgear GS105E or their GS108E switches, simply because of price, don't like the fact they can not be configured by a browser, but... unless there is some other wired manageable router with VLan capabilities, that could be used as the "Internet" router, at about $150.00. Article suggestions or reviews.

The other unknown for me is if the use of a smart/managed switch would solve the double nat issue. I've downloaded and read lot of pdf files from manufacturers trying to understand this all, but they seem to gloss over this area.

So as I said I have some spare stuff floating about here, 2 Engenius ESR9850's, 1 Netgear WNR3500L, 1 Netgear WNR2000v2 and finally 2 Netgear WNR834bv2's which I hope to retire.

My plan is to use one of the ESR9850's for the "Internet" router, the WNR2000 for "Kid 1 (Lan 1)", the second ESR9850 for "Kid 2 (Lan 2)" and the WNR3500L for the "Office (Lan 3)".

Now if I buy a smart/managed switch my thinking and current understanding is it would plug in between the "Internet" router, and the "LAN x" routers, with each "Lan x" pluging into the switch with their own VLan, or I could replace the "Internet" router and switch with a VLan capable router. Yet this is where I still see the double NAT issue being raised.

Thoughts, problems, issues. I'm open to ideas.

Thanks

Dave

 

[thiggins]

You have plenty of routers. Just get a smart switch. If you want a web interface and like NETGEAR, get a GS108T.

 

[DaveVM]

GS108Tv2

Finally got around to getting the Netgear GS108Tv2 and well...

I can say that somewhere I think something is broke and I believe it is at Netgear. Why?

Netgear claims: "Web-based management lets you monitor, configure, and control your switch remotely using a common Web browser, ... "

Well when I first tried to access the menus I got the log in screen at the IP the router said it was. Entered the password and waited, and waited, and waited, and waited some more, never timed out. But alas nothing showed.

Repowered everything, got to login screen entered password and nothing.

Did a hard reset to the GS108Tv2 and got to login screen, entered password and nothing.

This was using both Chrome and Firefox on my Linux laptop. Rebooted each time through this.

Then tried with my Win 7 box and Chrome, same story, tried wives XP box with IE8 and son of a gun I'm in, only to find that some screens require JAVA, JAVA is not listed by Netgear as needed, and in my thinking is not part of a "common browser". Surely Netgear could have done this with out JAVA. Note I am not talking about javascript.

Went back to my Win 7 box and tried IE8, and it worked, though still needing JAVA. Tried Chrome, no go.

Tried Linux laptop again with both Firefox and Chrome, and again neither worked.

Had truly intended to manage this with the laptop but apparently Netgear has blocked some browsers from working with the GS108Tv2 as I could only get to communicate with it with IE8.

It is a shame that what appears to be a decent product can not be managed by what I feel are mainstream and "common" browsers and then the JAVA dependency.

So this GS108Tv2 is going back.

Stepping down from my box.

Apparently I will have to subnet the LAN to get done what I need. Though I will look at PFSense. Because there is always more than one way to do it!

Dave