Set up 2 routers with 1 modem

GCCRepair

I would like to know the best way to set up 2 routers and 1 modem so I have two separate networks.
How I have it set up now is modem to first router, IP 192.168.1.1, and then 2 computers hard-wired and 1 printer hard-wired into this router. Then I have a cable from 1 LAN port on router 1 plugged into router 2's WAN port. Router 2 has IP 192.168.2.1. Both are wireless and have different SSIDs and passwords. All computers on router 1 can get online and all wireless computers logged in to router 1 can get online. The same goes for router 2. When I ping a computer that's on router 1 from a computer on router 2 it can ping it, but when I ping from 1 to 2 it cannot. How can I get them completely separate and not ping each other?
Router #1 is Linksys WRT310N (Wireless-N Gigabit)

Router #2 is Linksys WRT54G2
Thanks,
Dennis
 
Is this for a customer or business? IMO I would get a business class router that supports VLANs within the internal switch and filter the traffic between them, and just use the current devices as APs. One managed router (with the proper functions) could accomplish this (you may need a managed switch if you require more ports for clients etc.). Your filtering options will be limited with those home based routers and they aren't designed for this. You could actually pick up a Cisco 2600XM for next to nothing (with 2 Ethernet interfaces) and a 2950 switch and run a "router on a stick" config (sub-interfaces on the router to route between VLANs, and use ACLs to block what you want).
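The "router on a stick" design described above, written out as an added example. This is my config, not teksquad's and not anything posted in the thread. Interface names, the VLAN numbers 10 and 20, and the address ranges 192.168.10.0/24 (office) and 192.168.20.0/24 (bench, for customer machines) are assumptions picked for illustration; the point is the two sub-interfaces, the trunk, and the ACLs that stop the router from forwarding between the two VLANs while both still reach the modem through NAT.

```cisco
! Added example, not teksquad's config nor anything posted in the thread.
! Router on a stick on a 2600XM-class router plus a 2950 switch. Interface
! names, VLAN numbers and the ranges 192.168.10.0/24 (OFFICE) and
! 192.168.20.0/24 (BENCH, customer machines) are assumptions for illustration.
!
! ===== Router (2600XM): Fa0/1 to the cable modem, Fa0/0 trunk to the switch
ip dhcp excluded-address 192.168.10.1 192.168.10.9
ip dhcp excluded-address 192.168.20.1 192.168.20.9
ip dhcp pool OFFICE
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 import all
ip dhcp pool BENCH
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
 import all
!
interface FastEthernet0/1
 description To cable modem
 ip address dhcp
 ip nat outside
 ip access-group WAN-IN in
 no shutdown
!
interface FastEthernet0/0
 description 802.1Q trunk to 2950 Fa0/1
 no ip address
 no shutdown
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip access-group OFFICE-IN in
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip access-group BENCH-IN in
!
! Inter-VLAN filter. Without it the router forwards between the two subnets,
! which is what the question wants to prevent. DHCP DISCOVER is permitted
! explicitly because it is sourced from 0.0.0.0, not from the subnet.
ip access-list extended BENCH-IN
 permit udp any eq bootpc any eq bootps
 deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 log
 permit ip 192.168.20.0 0.0.0.255 any
ip access-list extended OFFICE-IN
 permit udp any eq bootpc any eq bootps
 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 log
 permit ip 192.168.10.0 0.0.0.255 any
!
! Stateless WAN filter (no firewall feature set assumed): the ISP's DHCP,
! replies to outbound TCP, DNS and ping replies, ICMP unreachables, nothing else.
ip access-list extended WAN-IN
 permit udp any eq bootps any eq bootpc
 permit tcp any any established
 permit udp any eq domain any
 permit icmp any any echo-reply
 permit icmp any any unreachable
 deny   ip any any log
!
ip access-list standard NAT-INSIDE
 permit 192.168.10.0 0.0.0.255
 permit 192.168.20.0 0.0.0.255
ip nat inside source list NAT-INSIDE interface FastEthernet0/1 overload
!
! ===== Switch (2950): one trunk up, the rest split into two access groups
vlan 10
 name OFFICE
vlan 20
 name BENCH
vlan 99
 name NATIVE-UNUSED
!
interface FastEthernet0/1
 description Trunk to router Fa0/0
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
interface range FastEthernet0/2 - 12
 description OFFICE: office PCs, printer, WRT310N LAN port (as an AP)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface range FastEthernet0/13 - 24
 description BENCH: customer machines, WRT54G2 LAN port (as an AP)
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
```

To reuse the two Linksys units as plain access points, plug a LAN port (not the WAN port) of each into an access port of its VLAN, give it a static LAN address in that subnet and turn its DHCP server off. The native VLAN on the trunk is deliberately an unused one that is not in the allowed list, so untagged frames from a host on the trunk cannot hop into VLAN 10 or 20. To check the isolation, ping an office address from a bench machine: it should fail, and "show ip access-lists BENCH-IN" on the router should show the deny counter climbing.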
 
^ teksquad's method is the best way to

Otherwise you could just buy a cheap switch to put between modem and routers

Modem -> Switch
Modem plugged in port 1 of switch
Router 1 plugged into port 2 of switch
Router 2 plugged into port 3 of switch

You will need to get 2 IPs from your ISP. If this is not possible do not try this.

I have one client set up in this manner. Two very small businesses share a building and had networks set up with 2 separate internet connections -- they decided they wanted to share just one internet connection (while keeping networks totally separate). Not elegant but it works fine and doesn't require any Cisco knowledge to set up.

Cisco is worth learning, I am in the process and it's amazing how useful it can be -- I plan to eventually move out of small business consulting on to bigger and better things.... so it's a must for me.
 
Thanks for the replies. This is for my home office. It's mainly for when I hook up customers' computers; if they have a nasty virus, I don't want my computers getting messed up. Also when I set up new servers and new workstations with their own DNS I don't want it messing with my IPs on my systems. I have had that happen before when I built a new server and workstations for a client and set up their local network: it started pulling in my PCs.

So basically I want to use the 2 routers that I have. The way it's set up now, will that help with my concerns?
Hope this makes sense to you all.

Thanks,
 
Again I recommend the setup I mentioned earlier. Actually you could keep your existing router for the internet connection and buy a layer 3 switch. Then create your SVIs for your VLANs and filter using ACLs. You can pick up a Cisco 3550 for around 200.00 these days. The router will take care of NAT (the 3550 can't NAT) and use the switch for DHCP.
 
The Catalyst 3550 is not a Router; it's a Layer-3 Switch.... It would work fine.

You would want to set up two VLANs with "switchport access vlan 2" (or whatever number) and then on the port the modem connects to use the "no switchport" command, so that particular port can become a layer 3 port and get a DHCP-assigned IP address from the router.

You will probably want to enable PortFast, so the ports come up quick enough for DHCP on the computers.

If you have another shared switch in the same (or a different) building that you ALSO want the same VLANs on, you can configure the interface that connects them with "switchport trunk encapsulation dot1q" and "switchport mode trunk", i.e. if you connect them both on GigabitEthernet0/2, you would configure these two commands on those two interfaces... Then the switches would use 802.1Q to tag the traffic for the appropriate VLANs.

^^^^ I have done this before when I had two companies in the same two buildings, each sharing the same network equipment with a totally independent setup. They were pretty impressed I could have both of their traffic share the same SX fiber link between the two buildings yet still give each half of each switch as if it was their own private equipment.


*******************

You will want to do something like this:


! Snippet as posted, re-indented. Two lines the original leaves out are marked
! "added": a 3550 does not route between SVIs until "ip routing" is enabled,
! and the modem-facing routed port needs "ip address dhcp" to actually pick up
! the DHCP-assigned address described above.
!
! added: enable inter-VLAN routing on the 3550
ip routing
!
! <=== Connect Modem Here
interface FastEthernet0/1
 no switchport
 ! added: take the address by DHCP, as described above
 ip address dhcp
 duplex auto
 speed auto
!
interface FastEthernet0/2
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport access vlan 3
 switchport mode access
 spanning-tree portfast
!
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 ip address 190.200.250.33 255.255.255.224
!
interface Vlan3
 ip address 190.200.250.65 255.255.255.224
!
ip classless



If you want to isolate traffic between the VLANs, you would need to create an ACL in this setup; otherwise the Layer 3 switch will route between them as directly connected networks (just saying).



Also, don't use 190.x IPs; I took this from a lab I was making.
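The same 3550 design with the missing pieces filled in, as an added example (my config, not the poster's). It adds "ip routing", serves DHCP from the switch as suggested earlier in the thread, keeps the uplink to the existing NAT router in a VLAN of its own with an SVI (an approach suggested later in the thread, so the router can be moved between ports), and carries the ACLs that the post says are needed to keep VLAN 2 and VLAN 3 apart. Assumptions: the existing home router stays at 192.168.1.1 and plugs into Fa0/1; VLAN 2 is 192.168.2.0/24 (office) and VLAN 3 is 192.168.3.0/24 (bench); the home router's DNS relay answers queries from other subnets (if it does not, hand out the ISP's resolvers instead).

```cisco
! Added example, not from the post above. Assumptions: the NAT router stays at
! 192.168.1.1 on Fa0/1; VLAN 2 = 192.168.2.0/24 (office), VLAN 3 = 192.168.3.0/24
! (bench, customer machines); the NAT router relays DNS for these subnets.
ip routing
!
vlan 2
 name OFFICE
vlan 3
 name BENCH
vlan 80
 name UPLINK
!
! Uplink as a plain access port in its own VLAN: the router can move to any
! port that is placed in VLAN 80 without re-addressing a routed port.
interface FastEthernet0/1
 description To NAT router LAN port (192.168.1.1)
 switchport access vlan 80
 switchport mode access
 spanning-tree portfast
!
interface Vlan80
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
 ip access-group OFFICE-IN in
!
interface Vlan3
 ip address 192.168.3.1 255.255.255.0
 ip access-group BENCH-IN in
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
! The NAT router needs matching return routes, entered on its static-route page:
!   192.168.2.0/24 via 192.168.1.2  and  192.168.3.0/24 via 192.168.1.2
!
ip dhcp excluded-address 192.168.2.1 192.168.2.9
ip dhcp excluded-address 192.168.3.1 192.168.3.9
ip dhcp pool OFFICE
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 dns-server 192.168.1.1
ip dhcp pool BENCH
 network 192.168.3.0 255.255.255.0
 default-router 192.168.3.1
 dns-server 192.168.1.1
!
! Bench may send DNS to the NAT router and reach the internet through it, but
! not the office VLAN and not anything hung off the NAT router's own LAN ports.
ip access-list extended BENCH-IN
 permit udp any eq bootpc any eq bootps
 permit udp 192.168.3.0 0.0.0.255 host 192.168.1.1 eq domain
 deny   ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 any
! Office is kept out of the bench as well, so a tech's PC cannot touch a
! quarantined machine by accident.
ip access-list extended OFFICE-IN
 permit udp any eq bootpc any eq bootps
 deny   ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any
```

Nothing except the 3550 should be plugged into the NAT router's LAN ports, since the bench deny for 192.168.1.0/24 is the only thing keeping customer machines away from them. Check with "show ip route" (the default and the two connected subnets), "show vlan brief" (Fa0/1 in VLAN 80), and a ping from a bench host to an office address, which should fail while "show ip access-lists BENCH-IN" shows the deny matches.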
 
A router is a NAT firewall. So when you ping an address on Router 2 it's being blocked. The only pingable address is Router 2 itself. That is because the packet does not know where to go on the 192.168.2.0 network from the 192.168.1.0 network. So you need a static route.

Find out how to setup static routes on the 1st router. And setup a static route to your 192.168.2.0 network.

http://en.wikipedia.org/wiki/Static_routing

http://www.manualowl.com/m/Linksys/WRT310N/Manual/4572?page=13 (page 13)

An easier solution would be to activate a dynamic routing protocol. One that is common on cheap routers is RIP v1 or RIP v2; I think either one of these will get you going.

In some cases setting up RIP can be dangerous because bad guys can give you fake routes through the WAN. You may need to do research on that, or spend time researching "static routes" which I think in the long haul is a safer bet. I hope this helps.
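Both options from the post, as an added example on an IOS router (my config, not the poster's; the Linksys units may not expose all of these settings). Either option makes the two LANs route to each other, so this is the reachability case, not the isolation the original question asks for. Assumed: router 1 is 192.168.1.1 with its LAN on Fa0/0 and the modem on Fa0/1, router 2's WAN side is 192.168.1.2 and its LAN is 192.168.2.0/24; the key string and prefix-list name are placeholders.

```cisco
! Added example, not from the post. Assumed addresses: router 1 LAN 192.168.1.1
! on Fa0/0, modem on Fa0/1; router 2 WAN 192.168.1.2, router 2 LAN 192.168.2.0/24.
!
! Option 1, static route: one line, nothing is learned from anyone.
ip route 192.168.2.0 255.255.255.0 192.168.1.2
!
! Option 2, RIPv2 hardened against the "fake routes through the WAN" risk:
! never spoken on the WAN side (passive-interface default), exchanged only on
! the LAN, MD5-authenticated, and only the one expected prefix is accepted.
key chain RIP-KEYS
 key 1
  key-string ReplaceWithASharedSecret
!
interface FastEthernet0/0
 ip rip authentication mode md5
 ip rip authentication key-chain RIP-KEYS
!
ip prefix-list FROM-ROUTER2 seq 5 permit 192.168.2.0/24
!
router rip
 version 2
 no auto-summary
 passive-interface default
 no passive-interface FastEthernet0/0
 network 192.168.1.0
 distribute-list prefix FROM-ROUTER2 in FastEthernet0/0
```

The same key chain and authentication mode go on router 2's LAN-facing interface toward router 1. "show ip route rip" should then show exactly one learned route, 192.168.2.0/24 via 192.168.1.2, and "show ip rip database" should list nothing learned on the modem-facing interface.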
 
So basically I want to use the 2 routers that I have. The way it's set up now, will that help with my concerns?
Hope this makes sense to you all.

Thanks,

Well if it's any help, it certainly makes sense to me :)
I have an almost similar setup for exactly the same reason. Only differences: I have a WRT320N on 192.168.1.1 and a WRT54G on 10.0.0.1. The WRT54G is used for customer PCs.
Modem ~ WRT320N ~ LAN ~ WAN ~ WRT54G

They have different SSIDs and passwords and operate on different channels. Of course the default router login names and passwords have been changed.

No need to blow the budget on new gear if you ask me. Of course if budget isn't an issue, go for more professional gear ;)

Hope this helps.
 
The Catalyst 3550 is not a Router; it's a Layer-3 Switch.... It would work fine.

Who said it was a router? It is an L3 switch with routing functions. Also no need to make the port connected to the modem an L3 port. You could create another SVI, say VLAN 80, and IP it. Then put the switch port connected to the modem in that VLAN:

switchport access vlan 80

The benefit of this is if you have to move the router to a different port on the switch you just need to put the new port in that VLAN without having to IP an L3 interface.
 
A router is a NAT firewall.

A router in gateway mode usually runs NAT. But the statement "A router is a NAT firewall" is not always true. Home grade/SOHO grade routers are usually in gateway mode, which is why lots of people think this. But in business/enterprise, routers are used for many other things: large networks, wide area networks, etc.
 
I would like to know the best way to set up 2 routers and 1 modem so I have two separate networks.
How I have it set up now is modem to first router, IP 192.168.1.1, and then 2 computers hard-wired and 1 printer hard-wired into this router. Then I have a cable from 1 LAN port on router 1 plugged into router 2's WAN port. Router 2 has IP 192.168.2.1. Both are wireless and have different SSIDs and passwords. All computers on router 1 can get online and all wireless computers logged in to router 1 can get online. The same goes for router 2. When I ping a computer that's on router 1 from a computer on router 2 it can ping it, but when I ping from 1 to 2 it cannot. How can I get them completely separate and not ping each other?
Router #1 is Linksys WRT310N (Wireless-N Gigabit)

Router #2 is Linksys WRT54G2
Thanks,
Dennis

Several ways to handle this. I would take the simple approach: many small business grade routers support port-based VLANs. Or even a basic router combined with a managed switch that supports port-based VLANs. Basically 2 ports (or more) on the switch are put into separate VLANs; nodes on one VLAN literally cannot communicate with nodes on the other VLAN. It's like the switch puts a wall up in between them. Yet you can have them share the same gateway.

For the wireless...there are wireless routers, or dedicated access points, which also give similar functionality...so wireless clients cannot mix.

If you don't want to spend the money on more business grade hardware, depending on the version of your router(s)...they may support 3rd party firmware that supports these features, such as DD-WRT.
 
A VLAN is a separate broadcast domain, so if you had 2 VLANs on a switch (say VLAN 10 and 20) they would not be able to communicate (no router in the mix yet). Why? Because, being in a separate broadcast domain, each PC wouldn't be able to ARP for the other's MAC address (ARP is a layer 2 broadcast). ARP requests are not forwarded between VLANs. You can test this on a switch and try to ping from one to the other. In the ARP table you should see an "incomplete" entry. If you throw a router into the mix and that router has routes for both subnets, then yes, they would be able to communicate. You would then have to filter via ACLs on the router's L3 interfaces.

Now if you had a managed switch that supported VLANs (say 10 and 20 again) using a home based router with one internal interface, this still wouldn't work. The VLAN on the same subnet as the router's internal IP address would be able to get to the internet but not the other VLAN. Why? Same reason as before: the other VLAN would ARP for the router's internal IP but it will be unsuccessful as they are in different broadcast domains. To make this work you would need a router with multiple internal interfaces, support for sub-interfaces, or the L3 switch stated earlier.

You can't have L3 connectivity if L2 is broken.
 
You would make the port the router is uplinked to on the managed switch a member of both VLANs. Example...plug router into port one on the switch. Now when you build your two different port based VLANs...port 1 (which uplinks to the router only) is simply a member of both VLANs.

Or....on some business grade routers with multiple LAN ports...if it supports port-based VLANs, do your VLANs there. The gateway (to the internet) feature of the router is naturally shared this way to all VLANs. (A budget router that can do this: the Cisco RV082/RV016 line, for example.)
 
You would make the port the router is uplinked to on the managed switch a member of both VLANs. Example...plug router into port one on the switch. Now when you build your two different port based VLANs...port 1 (which uplinks to the router only) is simply a member of both VLANs.



Or....on some business grade routers with multiple LAN ports...if it supports port-based VLANs, do your VLANs there. The gateway (to the internet) feature of the router is naturally shared this way to all VLANs. (A budget router that can do this: the Cisco RV082/RV016 line, for example.)

On Cisco switches an access port can only be a member of 1 VLAN. The only exception is if you have a voice VLAN. So a port can be a member of VLAN 10 for data and VLAN 20 for voice. To carry traffic from multiple VLANs would require a trunk. So from the switchport, a dot1q trunk and sub-interfaces on the router.

I do see that those devices support port-based VLANs allowing them to be members of multiple VLANs. So I see how that would work on those devices.
 
On the home based or small business stuff they tend to use the VLAN as a filtering technique between subnets. In reality it can be used like that, but the main benefit of the VLAN is that each VLAN is its own broadcast domain. I think a lot of people get confused about what a VLAN's main purpose is.
 
Who said it was a router? It is an L3 switch with routing functions. Also no need to make the port connected to the modem an L3 port. You could create another SVI, say VLAN 80, and IP it. Then put the switch port connected to the modem in that VLAN:

switchport access vlan 80

The benefit of this is if you have to move the router to a different port on the switch you just need to put the new port in that VLAN without having to IP an L3 interface.

The problem here is that the modem is only going to give out one IP address (most likely) from the ISP. An L2 port isn't going to accept an IP address as a router interface.
 
A VLAN is a separate broadcast domain, so if you had 2 VLANs on a switch (say VLAN 10 and 20) they would not be able to communicate (no router in the mix yet). Why? Because, being in a separate broadcast domain, each PC wouldn't be able to ARP for the other's MAC address (ARP is a layer 2 broadcast). ARP requests are not forwarded between VLANs. You can test this on a switch and try to ping from one to the other. In the ARP table you should see an "incomplete" entry. If you throw a router into the mix and that router has routes for both subnets, then yes, they would be able to communicate. You would then have to filter via ACLs on the router's L3 interfaces.

Now if you had a managed switch that supported VLANs (say 10 and 20 again) using a home based router with one internal interface, this still wouldn't work. The VLAN on the same subnet as the router's internal IP address would be able to get to the internet but not the other VLAN. Why? Same reason as before: the other VLAN would ARP for the router's internal IP but it will be unsuccessful as they are in different broadcast domains. To make this work you would need a router with multiple internal interfaces, support for sub-interfaces, or the L3 switch stated earlier.

You can't have L3 connectivity if L2 is broken.

This is all correct, only VLANs don't just block ARP. They block all Layer-2 traffic. Even if you set up a manual Layer-2 test with KNOWN MAC addresses, it still won't work between VLANs, for security reasons.
 