Setting up dedicated network for infected machines - who does this?

Got an extra router laying around? Then you have what you need. Just configure it on a different subnet. Instead of the PCs all being 192.168.1.xxx or whatever your current network is, set the router to 192.168.2.xxx for example.


I understand the theory of doing that but would the ISP accept 2 separate connections at the same time? :confused: It's a simple solution if it can be done.

So router 1 set with a scope of 192.168.1.1 - 192.168.1.50, mask 255.255.255.0, router 192.168.1.254 and connected to the ISP.

Router 2 set with a scope of 192.168.2.1 - 192.168.2.50, mask 255.255.255.0, router 192.168.2.254 and connected to the ISP.

Double BT adapter.

Link the routers together?

Btw I work from home and have standard ADSL.
 
I understand the theory of doing that but would the ISP accept 2 separate connections at the same time? It's a simple solution if it can be done.

router2 is connected to router1. So the ISP only sees router1. You should be able to just plug the uplink port on router 2 into any open port on router 1. Or do the DD-WRT "Client Mode" like in my previous post.
 
We do this at work; we have Cisco switches and use VLANs. We have a separate VLAN for infected machines. This separate VLAN only has access to the internet and not to anything on our internal network.
 
If I had more business I would definitely have a dedicated network and DSL/cable connection but at this point I can't really justify it. So do you not even connect from one to the other at ANY point - using a secure VPN or whatever?

Never for any reason. With the kinds of malware-infested systems I see, the risk is TOO high...
 
Thanks, didn't see the DD-WRT bit. :o I'll go that route.

DD-WRT isn't really the "answer". You should understand the logic behind what is happening, especially if you are going to work with business networks in any capacity (I don't say this negatively - I'm speaking from experience I wish I had in my earlier days). It is pretty simple to understand.

Many ISPs that offer DSL as their service offer modems with built-in routers. By default, the modems are often set up as 192.168.1.1 (or 254). If you add your own router to the mix you will have to set it to something like 192.168.2.1 and have this router assign all IPs to machines on the network. Now I believe both routers are going to be using NAT (Network Address Translation). NAT allows multiple computers on a private network to use a single public IP address for their Internet connection. In this situation the second router is just another piece of hardware with its own private IP address.

I know this can be explained MUCH better but I'm short on time tonight. If you are foggy on the idea maybe read a little on NAT and subnetting.
 
DD-WRT isn't really the "answer". You should understand the logic behind what is happening, especially if you are going to work with business networks in any capacity (I don't say this negatively - I'm speaking from experience I wish I had in my earlier days). It is pretty simple to understand.

Many ISPs that offer DSL as their service offer modems with built-in routers. By default, the modems are often set up as 192.168.1.1 (or 254). If you add your own router to the mix you will have to set it to something like 192.168.2.1 and have this router assign all IPs to machines on the network. Now I believe both routers are going to be using NAT (Network Address Translation). NAT allows multiple computers on a private network to use a single public IP address for their Internet connection. In this situation the second router is just another piece of hardware with its own private IP address.

I know this can be explained MUCH better but I'm short on time tonight. If you are foggy on the idea maybe read a little on NAT and subnetting.

Hi Tankman,

You are right that DD-WRT is not THE answer, but I think DD-WRT "Client Mode" configuration is AN answer. It is not bridged. I hear what you are saying about NAT, and yes, both routers are doing NAT. But correct me if I am wrong, I don't think the computers can access each other's resources across subnets as long as there is no port forwarding configured. NAT alone does not get you there as far as accessing resources on those PCs between subnets.

All I know for certain is I have 2 subnets configured. My private home network/router is set for 192.168.0.xxx and the router I hook customer PCs to is configured using DD-WRT Client Mode on the 192.168.2.xxx subnet. I can map network shares and printers & so on between any of the PCs on my home network, but if I try mapping a share from the customer network I get:

    >net use z: \\192.168.0.197\c
    System error 53 has occurred.

    The network path was not found.

Also if I run a network scanner like SoftPerfect Network Scanner from a PC on the 192.168.2.xxx network and tell it to scan from 192.168.0.1 to 192.168.2.255 it does not see the PCs on the 192.168.0.xxx network and only sees the PCs on its own subnet.

There may be some holes in my network I am not aware of, but if that is the case I am certainly glad to be posting about it here so I can learn to close them.:eek:

Also, every customer PC gets a disk image of the C drive as well as being examined for malware from a PE environment before its own OS is ever plugged into the network.
 
DD-WRT isn't really the "answer". You should understand the logic behind what is happening, especially if you are going to work with business networks in any capacity (I don't say this negatively - I'm speaking from experience I wish I had in my earlier days). It is pretty simple to understand.

Many ISPs that offer DSL as their service offer modems with built-in routers. By default, the modems are often set up as 192.168.1.1 (or 254). If you add your own router to the mix you will have to set it to something like 192.168.2.1 and have this router assign all IPs to machines on the network. Now I believe both routers are going to be using NAT (Network Address Translation). NAT allows multiple computers on a private network to use a single public IP address for their Internet connection. In this situation the second router is just another piece of hardware with its own private IP address.

I know this can be explained MUCH better but I'm short on time tonight. If you are foggy on the idea maybe read a little on NAT and subnetting.

Thanks for the tips on learning IP subnetting Tankman. Sorry, don't have a sarcastic smiley on my iPad :)
 
Got an extra router laying around? Then you have what you need. Just configure it on a different subnet. Instead of the PCs all being 192.168.1.xxx or whatever your current network is, set the router to 192.168.2.xxx for example.

I tried this and it doesn't really work whilst connected to an ADSL modem router. Whilst hosts on the ADSL router's LAN cannot see hosts on the second router's LAN, hosts on the second router's LAN can see hosts on the ADSL router. So the separation is unidirectional only.
 
What some people are saying is that they have a separate VLAN for infected machines, but this is not really acceptable, either.... i.e. You should not take 4 separate customer's machines and put them on the same infected VLAN.

Instead, each machine should be connected to its own VLAN with communication only to the Internet and NOT any other machine infected or not.
 
I have a separate VLAN for customer computers.

Virus/spyware is cleaned off before it even boots into Windows so it's really not even needed. Like I've said before my virus/spyware removal is based around Linux (Antivir) and a small shell script that deletes temp folders and checks the Application Data folder for any .exe or .bat files.

"But but rootkits!" Yeah, the part that is in the MBR is still there and can have the opportunity to redownload the payload, but having tdsskiller run from a batch file instantly upon reboot takes care of this.

VLAN to each computer is overkill, you want to do it, great, I don't need it.
 
DD-WRT isn't really the "answer". You should understand the logic behind what is happening, especially if you are going to work with business networks in any capacity (I don't say this negatively - I'm speaking from experience I wish I had in my earlier days). It is pretty simple to understand.

Many ISPs that offer DSL as their service offer modems with built-in routers. By default, the modems are often set up as 192.168.1.1 (or 254). If you add your own router to the mix you will have to set it to something like 192.168.2.1 and have this router assign all IPs to machines on the network. Now I believe both routers are going to be using NAT (Network Address Translation). NAT allows multiple computers on a private network to use a single public IP address for their Internet connection. In this situation the second router is just another piece of hardware with its own private IP address.

I know this can be explained MUCH better but I'm short on time tonight. If you are foggy on the idea maybe read a little on NAT and subnetting.

Yep, a second router set up in this manner will work just fine for most applications, but in this scenario the second router is double NAT'd and can cause issues with some applications such as VPNs or some streaming apps... just FYI. But as it's being discussed here - as an "isolated" network for infected machines - it should be fine...

I still prefer using a dedicated VLAN myself - easier to configure, no question about network isolation, and doesn't require any additional equipment beyond a VLAN capable switch.

-Randy
 
Yep, a second router set up in this manner will work just fine for most applications, but in this scenario the second router is double NAT'd and can cause issues with some applications such as VPNs or some streaming apps... just FYI. But as it's being discussed here - as an "isolated" network for infected machines - it should be fine...

I still prefer using a dedicated VLAN myself - easier to configure, no question about network isolation, and doesn't require any additional equipment beyond a VLAN capable switch.

-Randy

When I tried this, the 2nd router created a network that was capable of seeing the first network but not the other way around. I think this is because any non-LAN2 traffic is sent out to Router1, and if Router1 is a typical ADSL modem-router then its Ethernet interfaces also operate as a switch, thus connecting it to LAN1.
Whether this is just my particular Netgear ADSL modem-router or not I don't know, but I can't see it being particularly unusual in its design.

So I assume the people just adding a second router plugged into their broadband router are doing something extra?

With the VLAN - I assume you're still using another router to connect the VLAN to the internet, or do those VLANs not have net access?
 
It's based on routing tables.

If Router 1 is the main router with WAN of 100.100.100.100 as a routable internet address

inside Router 1's lan it is 192.168.0.1/32

Another router is setup with a WAN address of 192.168.0.2 and a LAN address of 192.168.1.1/32

Machines on the inside have a routing table that looks like this.

If it's on the LAN send it to the LAN
otherwise to THE DEFAULT ROUTE (Router/Gateway) 192.168.1.1

Which means the packets get forwarded to the router

The router then takes it and looks at its routing table...

If it's on the LAN send it to the LAN
Otherwise to THE DEFAULT ROUTE (Router / Gateway) 192.168.0.1

So a machine on the inside of the second router can route to machines on the inside of the main router but not vice versa. If you are going to use double NAT, the way of doing so is to put your office computers on Router 2 and customer machines on Router 1. I don't recommend it; this is why VLANs are a much better option.
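The hop-by-hop routing logic described above, and the one-way visibility other posters reported when they tried the second-router setup, as an added Python model (example code, not from any poster in the thread). The LAN addresses are the ones used in the post; router 2's WAN address 192.168.0.2 and the TEST-NET-3 internet destination are assumed.

```python
import ipaddress

# Constructed model of the thread's double-NAT layout.  Router 1 is the ADSL
# modem-router owning 192.168.0.0/24; router 2's WAN port is a host on that
# LAN (assumed 192.168.0.2) and router 2 NATs 192.168.1.0/24 behind it.  Every
# hop uses the two-entry table from the post: on my LAN -> local, else default.
LAN1 = ipaddress.ip_network("192.168.0.0/24")      # router 1 side
LAN2 = ipaddress.ip_network("192.168.1.0/24")      # router 2 side
R2_WAN = ipaddress.ip_address("192.168.0.2")       # router 2 as seen from LAN1
RFC1918 = ipaddress.ip_network("192.168.0.0/16")   # the ISP does not route these

def lan_of(ip):
    """Return the LAN an address belongs to, or None for anything else."""
    return LAN1 if ip in LAN1 else LAN2 if ip in LAN2 else None

def forward(src, dst):
    """Trace one packet hop by hop; returns (delivered, path, src_seen_by_dst)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    path = [str(src)]
    if lan_of(src) == LAN2:
        if dst in LAN2:                    # same switch, no router involved
            return True, path + [str(dst)], src
        path.append("router2")
        src = R2_WAN                       # router 2 masquerades outbound traffic
        if dst in LAN1:                    # router 2's WAN sits on LAN1, so this
            return True, path + [str(dst)], src   # is a connected route for it
        path.append("router1")             # anything else: default gateway
    elif lan_of(src) == LAN1:
        if dst in LAN1:                    # includes replies to R2_WAN, which
            return True, path + [str(dst)], src   # router 2 un-NATs
        path.append("router1")
    else:
        return False, path + ["unknown source"], src
    # Router 1 knows nothing about 192.168.1.0/24: anything not on LAN1 is
    # handed to the ISP, which discards private destinations.
    if dst in RFC1918:
        return False, path + ["ISP (dropped)"], src
    return True, path + ["ISP", str(dst)], src

def isolation_report():
    """Reachability in both directions plus an internet host (TEST-NET-3)."""
    cases = [("192.168.1.10", "192.168.0.197"),
             ("192.168.0.197", "192.168.1.10"),
             ("192.168.1.10", "203.0.113.5")]
    return {f"{s} -> {d}": forward(s, d)[0] for s, d in cases}

if __name__ == "__main__":
    for case, ok in isolation_report().items():
        print(f"{case}: {'reachable' if ok else 'blocked'}")
```

Read from the other side, this is the post's advice: only hosts behind router 2 can open connections into router 1's LAN, so the office belongs behind router 2 and the customer machines on router 1's LAN.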
 
With the VLAN - I assume you're still using another router to connect the VLAN to the internet, or do those VLANs not have net access?

No, you can take 1 port on your router's switch and VLAN it to another network, connect it up to a larger switch and run your cables to the computers off of it. Assign your router a second LAN IP address that is addressable by the 2nd VLAN and you have separated your network properly.

Can be done on one router.
 
So what does your VLAN solution look like exactly, so that the VLANs can still access the net but not each other?
 
It would look like this...

[image attachment: VLAN.png]
 