Router behind router - how to prevent second router clients from accessing first router clients

[bobby]

I would like to set up the following:
Internet -> modem -> router 1 (ASUS RT66U) -> router 2 (ASUS RT66U)

I will set up a different IP range for both routers:
Router 1 192.168.1.x
Router 2: 192.168.2.x

Router 1 clients - office equipment, VOIP etc
Router 2 clients - guests, using wifi

I read that router 1 clients (further R1C) will not have access to router 2 clients (further R2C) but R2C will have access to R1C if they know the IP address of the R1C.

Goal: To increase security, R2C should not have access to R1C in any circumstance

The most obvious solution would be to switch Router 1 and 2, but due to the wiring in the office, this is not possible (guest room is 100 feet from internet access, and there is no way to put down a second cable)

Question: how do I set up router 2 to prevent any traffic to clients from router 1?

 

[L&LD]

Try using an numerically higher IP range for router 1 (opposite of what you now have).

For example:
Router 1: 192.168.2.1 (or anything higher than the router 2 IP range).
Router 2: 192.168.1.1 (or anything lower than the router 1 IP range).

Note that this will still allow Router 1 to access devices on Router 2 by IP address.

 

[bobby]

Thank you for your answer.

I don't think that router 1 devices can access router 2 devices, because the firewall of router 2 will prevent that.

The problem is the reverse. The firewall of router 2 will let all traffic through (upstream) and this router is behind router 1, so the firewall of router 1 will not interfere with this traffic either.

I am thinking in the direction of blocking traffic from clients of router 2 to devices from router 1, in the settings of router 2.
Under Firewall/network services filter there is a "Network Services Filter Table".

I can blacklist the following variables:

source IP (this would be 192.168.2.0/24)
Port Range
Destination IP (this would be 192.168.1.0/24)
Port range
Protocol (TCP/UDP)

I can't figure out the correct parameters. Should I use * as a wild card like 192.168.1.* or use 192.168.1.0/24?
Same question for the ports. If blank, it means all ports? Or write 1-10000?
Protocol: All or just one? I would think TCP all.

 

[pete y testing]

um why not just use the guest wifi setup as its isolated from all other parts of the lan and other wlan

 

[L&LD]

Thank you for your answer.

I don't think that router 1 devices can access router 2 devices, because the firewall of router 2 will prevent that.

The problem is the reverse. The firewall of router 2 will let all traffic through (upstream) and this router is behind router 1, so the firewall of router 1 will not interfere with this traffic either.

I am thinking in the direction of blocking traffic from clients of router 2 to devices from router 1, in the settings of router 2.
Under Firewall/network services filter there is a "Network Services Filter Table".

I can blacklist the following variables:

source IP (this would be 192.168.2.0/24)
Port Range
Destination IP (this would be 192.168.1.0/24)
Port range
Protocol (TCP/UDP)

I can't figure out the correct parameters. Should I use * as a wild card like 192.168.1.* or use 192.168.1.0/24?
Same question for the ports. If blank, it means all ports? Or write 1-10000?
Protocol: All or just one? I would think TCP all.

Read my first post above once more. I know it will work as I stated. I have a couple of customers that base their networks on this working like I say.

 

[bobby]

um why not just use the guest wifi setup as its isolated from all other parts of the lan and other wlan

Thank you for your suggestion.
I thought about that too.
If I use the Guest Network on Router 2, it will prevent the guests from accessing devices on router 2, not router 1. The firewall is designed to let outbound traffic go through, which includes devices in the range 192.168.1.x (the upper level devices).
I am not 100% sure about this, but it seems logical.

 

[bobby]

Read my first post above once more. I know it will work as I stated. I have a couple of customers that base their networks on this working like I say.

Thank you again for helping me with a solution!!
Unfortunately, I currently have between 40-45 devices on router 1, many of which are on fixed IP addresses. On top of that, 4 outside devices (home offices) are coming in on a VPN, all in the 192.168.1.x range.
It is not feasible to change this set up.

I would like to explore other options.

Is there another way to block devices on router 2 to access devices on router 1?

 

[L&LD]

Thank you again for helping me with a solution!!
Unfortunately, I currently have between 40-45 devices on router 1, many of which are on fixed IP addresses. On top of that, 4 outside devices (home offices) are coming in on a VPN, all in the 192.168.1.x range.
It is not feasible to change this set up.

I would like to explore other options.

Is there another way to block devices on router 2 to access devices on router 1?

You can still try router 2 on IP 192.168.0.1, correct?

 

[bobby]

I can't believe that I didn't think of that... Number 0, the most important of all numbers...
I'll try and report back how I got on.

 

[bobby]

I just set up the second router as described above:

For clarity sake, here it is once more:
Router 1 192.168.1.x
Router 2: 192.168.0.x (connected at the WAN side to router 1 with IP address 192.168.1.2)

Unfortunately, clients on router 2 can access router 1 clients.
Even a client on a guest network at router 2 can access clients on router 1.

I just tried to ping several clients on router 2 from router 1, and they all responded...

L&LD - you wrote you have this working at several clients. Did you try to ping "upstream"? Could there be another reason why router 2 clients were isolated in these cases?

I am not an expert, but why would a client under Router 2 not have access to a client under router 1?

 

[Nullity]

Switch router 1 with router 2, then the only way to access the other router's subnet requires port-forwarding. Standard double-NAT.

 

[bobby]

Thank you for your suggestion.

As I wrote in my initial post, this is not possible (guest room is 100 feet from internet access, and there is no way to put down a second cable)

I think there must be a way to configure router 2 not to let traffic go through to router 1 clients.

On my ASUS RT N66U I can blacklist the following variables (under firewall/network services filter):

source IP (this would be 192.168.0.0/24)
Port Range
Destination IP (this would be 192.168.1.0/24)
Port range
Protocol (TCP/UDP)

I cannot get this to work...

Any ideas?

 

[Nullity]

Since one router must pass traffic through another, the only option I know of is VLANs, but that is rather complicated (no GUI interface) for AsusWRT routers.

Maybe consider tomato or dd-wrt firmwares?

 

[bobby]

Since one router must pass traffic through another, the only option I know of is VLANs, but that is rather complicated (no GUI interface) for AsusWRT routers.

Maybe consider tomato or dd-wrt firmwares?

I would not mind changing the firmware of router 2 to Tomato (or Merlin)

Do these firmwares offer the option of blocking traffic upstream?
Or were you talking about VLAN in combination with these alternative firmwares?

 

[Nullity]

I would not mind changing the firmware of router 2 to Tomato (or Merlin)

Do these firmwares offer the option of blocking traffic upstream?
Or were you talking about VLAN in combination with these alternative firmwares?

Those other firmwares have a better VLAN interface, but I am not sure of that as I have practically no experience with tomato/dd-wrt & VLANs.

 

[stevech]

different SSIDs and encryption keys. Some users have only keys for one.
Otherwise, you cannot assure that a brand x client device will choose the "best" or "preferred"

 

[bobby]

Thank you very much for your reply!!

I set up a guest wifi network but even on that network, I was still able to ping the devices on the router upstream.

This seems logical, because a guest network will protect devices on the LAN side, not on the WAN side.

I need to block traffic going upstream, not sideways.

 

[jegesq]

This isn't a new subject and Tim Higgins also wrote an article on this same subject back in 2003 here at SNB: http://www.smallnetbuilder.com/lanwan/lanwan-howto/24428-howtotwoprivlan?start=1. Using his setup will require some additional hardware, but it's pretty cheap these days. All you really need is single additional router/switch (of course could just be another RT-AC66 if you prefer, but there are even less costly ways to go).

Steve Gibson just suggested something similar, but for a different reason, in a recent Security Now! podcast (see https://twit.tv/shows/security-now/episodes/545?autostart=false). He suggested a three router set up (not connected in serial, but parallel) in which you'd connect your two existing routers (as DHCP clients of the main router) and give them each entirely separate sub-LAN addresses, (e.g., one with 192.168.x.x, and the other with 10.0.x.x, or 172.x.x.x). You just need to remember to change each of the subnet routers so that they point to the Gateway IP and Primary DNS of the "main" router. Basically, you're just telling each of your two existing routers (which will essentially now be completely separate networks from one another) to route all internet traffic to the "main" router, and use its DHCP.

Gibson's podcast (the discussion of a three-router set up begins at around 1:06:00), frames the issue in terms of the need to keep you main LAN secure from potential threats posed by many of the new IOT devices (think thermostats and lightbulbs). He refers to the "evil IOT light bulb, that by design remain accessible over the net and which creates an inherent security threat. You want to keep such devices off and away from your secure and private LAN because they pose an open highway to outside malicious threats, even with a good firewall. He's got some really interesting info and it's worth the time to listen to what he has to say.

Check out Tim's article, and Steve Gibson's podcast or just read the show notes and his web stuff on NAT security at GRC.com (see, https://www.grc.com/nat/nat.htm and https://www.grc.com/nat/nats.htm). I think you'll find it helpful to what you're trying to accomplish.

 

[Nullity]

Adminitrating 3 routers seems excessively tedious when compared to using VLANs. A VLAN setup requires a single router & a managed switch, or even just 1 router.

Dealing with only 1 double-NAT setup is annoying enough already. Dealing with 2 double-NAT setups seems borderline masochistic.

 

[bobby]

jegesq - thank you very much for the useful links and advice. I already knew that router 2 devices could access router 1 connected devices.
What was new to me is that malicious router 1 connected devices can intercept router 2 traffic simply because they are on the same ethernet, taking advantage of the ARP protocol!

The problem with 3 routers is off course that you basically hard-wire 2 separate networks. Considering the fact that I am dealing with long distances and multiple unmanaged switches, this is a costly and time consuming exercise.

Nullity - I really like the VLAN idea. I could put Tomato on the router. We currently have several unmanaged switches. Do these all have to be changed out with a managed switches if we put in VLAN?