How to set up a 2 subnet LAN

    Question

  • I'm trying to set up a 2 subnet ETHERNET ONLY LAN such that computers on both subnets can access each other, BUT that those on the second subnet are isolated from the internet.  I've been searching both the TechNet and the internet in general and have found dozens of articles and tutorials about what the subnet masks are all about.  I understand all that.  What I DON'T understand is how to physically set up a LAN to use all that good information.  For example:

    1) Do I need to use two routers, or will one do the job?

    2) Either way, what settings must be made and where?

    3) If two routers are used, are there other special settings that must be made?

    I'd be very grateful if anyone can provide, or point me to, information addressing the practical side of this issue instead of the theory.


    Creacon

    Thursday, February 20, 2014 5:49 PM


All replies

  •   That is not easy. The routing needed to give you full inter-subnet routing will also give you Internet access from both subnets. You would need to use some other technique to block Internet access from subnet 2 (such as disabling DNS).

      There are several possible scenarios, but not one to allow that particular requirement.

      Yes, you need two routers - one for Internet access and one for inter-subnet routing. Here is a possible  setup for full routing with Internet access. You can of course use any IP subnets you like.

    Internet
    |
    Public address
    Internet router
    192.168.1.1
    |
    Subnet 1 machines
    192.168.1.x     dg   192.168.1.1
                    dns  192.168.1.1
    |
    192.168.1.254   dg   blank
    LAN router
    192.168.21.254  dg   blank
    |
    Subnet 2 machines
    192.168.21.x    dg   192.168.21.1
                    dns  192.168.1.1

     The Internet router is configured as a NAT router so that it can share its public connection to the inner subnet(s). The internal router is configured as a LAN router.

    All that is required to complete the setup is to configure a static route on the Internet router so that it will forward traffic for the second subnet to the LAN router so that it can be delivered in the correct (192.168.21.0) subnet, e.g.

    192.168.21.0   255.255.255.0   192.168.1.254

    This will give you routing between subnets and Internet access from both subnets. To prevent Internet access from subnet 2 machines, set the DNS value to blank. They will then be unable to resolve URLs to IP addresses. 


    Bill

    Friday, February 21, 2014 3:54 AM
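
Added example, not part of Bill's post: a small longest-prefix-match tracer over the routing tables implied by the diagram above, showing which paths the static route enables and where a packet from subnet 2 to a public address stops. Assumptions: the node names are illustrative, subnet 2 hosts use the LAN router's 192.168.21.254 interface as their default gateway, the `lan_router_dg` switch models giving the LAN router a default gateway of 192.168.1.1 instead of "blank", and 203.0.113.7 is a constructed documentation address.

```python
import ipaddress

NET = ipaddress.ip_network

def build_tables(lan_router_dg=False):
    """Routing tables for the diagram's four nodes (node names are illustrative).
    lan_router_dg=False models 'dg blank' on the LAN router, as drawn; True is the
    assumed variant where the LAN router is given 192.168.1.1 as default gateway."""
    tables = {
        "subnet1-host": [(NET("192.168.1.0/24"), "direct"),
                         (NET("0.0.0.0/0"), "internet-router")],
        "subnet2-host": [(NET("192.168.21.0/24"), "direct"),
                         (NET("0.0.0.0/0"), "lan-router")],
        "internet-router": [(NET("192.168.1.0/24"), "direct"),
                            # static route from the post: 192.168.21.0/24 via 192.168.1.254
                            (NET("192.168.21.0/24"), "lan-router"),
                            (NET("0.0.0.0/0"), "WAN")],
        "lan-router": [(NET("192.168.1.0/24"), "direct"),
                       (NET("192.168.21.0/24"), "direct")],
    }
    if lan_router_dg:
        tables["lan-router"].append((NET("0.0.0.0/0"), "internet-router"))
    return tables

def trace(tables, start, dst):
    """Follow longest-prefix-match forwarding; return (path, outcome)."""
    dst = ipaddress.ip_address(dst)
    node, path = start, [start]
    for _ in range(8):  # hop limit guards against routing loops
        matches = [(net, hop) for net, hop in tables[node] if dst in net]
        if not matches:
            return path, "no route"
        _, hop = max(matches, key=lambda m: m[0].prefixlen)
        if hop == "direct":
            return path, "delivered"
        if hop == "WAN":
            return path, "internet"
        node = hop
        path.append(node)
    return path, "loop"

if __name__ == "__main__":
    public = "203.0.113.7"  # constructed documentation address standing in for an Internet host
    for dg in (False, True):
        t = build_tables(dg)
        print("LAN router default gateway set:", dg)
        for src, dst in [("subnet2-host", "192.168.1.10"), ("subnet1-host", "192.168.21.10"),
                         ("subnet2-host", public)]:
            print(f"  {src} -> {dst}:", *trace(t, src, dst))
```

Only the LAN router's default route changes the subnet 2 result; a host's DNS value never enters the forwarding decision, because by then the destination is already an IP address.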
  • Thanks a million for your response, Bill.  I do, however, have a couple of questions, which may or may not matter regarding your instructions, but I'd like to be sure.

    1)  The main - internet- router currently installed has an address of 192.168.254.254 instead of the usual 192.168.1.1 etc.  Does this require any changes to the template in your post?

    2)  Currently, the installation uses only desktop and laptop computers.  In the future we may add a server which needs a static IP address on the internet router.  What, if any, changes to your above settings would then be necessary?

    Thank you again


    Creacon

    Friday, February 21, 2014 1:55 PM
  • I think Bill has used 192.168.1.1 as an example; you can keep the same DG IP.
    Friday, February 21, 2014 9:30 PM
  • Thanks a million for your response, Bill.  I do, however, have a couple of questions, which may or may not matter regarding your instructions, but I'd like to be sure.

    1)  The main - internet- router currently installed has an address of 192.168.254.254 instead of the usual 192.168.1.1 etc.  Does this require any changes to the template in your post?

    2)  Currently, the installation uses only desktop and laptop computers.  In the future we may add a server which needs a static IP address on the internet router.  What, if any, changes to your above settings would then be necessary?

    Thank you again


    Creacon

    No, a server does not need to use anything different from a client OS. A static IP is fine as long as you set the netmask, gateway and DNS correctly.

    Did I ever suggest that they were not static in the example? I made no mention of DHCP - that is a whole new ballgame in a routed network!


    Bill

    Friday, February 21, 2014 11:36 PM
  • I'm still rather confused about this.  I had planned to set up the 2 subnet LAN in my home office as a test before setting it up in my wife's background screening business in town.  I have a server, a laptop and a tower desktop on my home office LAN, and I have a static IP from my ISP for my server to work with RDS (I'm in Georgia but my users are in Florida).  My router is a Linksys WRT54G.

    "Static IP" enabled with the following fields filled in:

    In the "Internet Setup" panel:

    Internet IP Address: my assigned IP Address

    Subnet mask: 255.255.255.224

    Gateway: an assigned setting but NOT THE TYPICAL 198.162.1.1

    Static DNS 1: an assigned setting

    Static DNS 2: an assigned setting

    Static DNS 3: 0.0.0.0

    In the "Network Setup" panel:

    Local IP Address: the typical 192.168.1.1

    Subnet Mask: the typical 255.255.255.0

    In the Network Address panel:

    DHCP Server Enabled

    Starting IP Address: 192.168.1.2

    Maximum Number of DHCP Users: 50

    IP Address Range: 192.168.2 to 51

    Client Lease time: 0

    WINS: 0.0.0.0

    Finally, there's an "Advanced Routing" page which has the following fields, but none with entries.

    Operating Mode:  Gateway/Router.  The instructions indicate to use router if another router exists on the LAN.  When set to "Router", the following fields are available:

    Dynamic Routing: RIP & Choices are: Disabled, LAN & Wireless, WAN and Both

    Static Routing: Select set number (1 - 20)

    Enter Route Name: instr. say, "Enter the name you would like to assign to this route"

    Default LAN IP: no current entries

    Subnet Mask: no current entries

    Default Gateway: no current entries

    Interface: w/choices of LAN & Wireless or WAN

    In describing all this, I infer (hope I'm correct) that the first setup panel (Internet Setup) s/b left alone, since it describes only the internet settings.

    For the rest, however, I'm at a loss as to which of your suggested settings go where.  Also, in your outline above you mention dg and dns.  While I think I know what the "dns" is, the dg is a mystery to me.  I don't see anything like that anywhere in my router settings.


    Creacon

    Saturday, February 22, 2014 1:51 AM
  •  Sorry, that is beyond the scope of this forum. Basic routing problems are fine, details of programming third party devices are not.

      Basically you need to set up the static route I described earlier in the Linksys where static routing is mentioned.


    Bill

    Saturday, February 22, 2014 10:25 PM
  • OK, I get that.  I realize that idea was a bit out of line, and should have been directed to the router manufacturer; I apologize for that, but perhaps you could answer two general questions.

    1)  What is the meaning of that "dg" you mentioned above in your explanation?

    2)  Must I use internal static IPs for all the computers, or at least in all of the computers in the second subnet?

    I'm still in the dark about those two things.


    Creacon

    Sunday, February 23, 2014 1:58 PM
  • Hi,

    I think the "dg" means the default gateway and it is simpler to use static IP addresses. If you deploy DHCP server in this environment, you need to take multiple things into account.

    Best regards,

    Susie

    • Marked as answer by creacontech Tuesday, February 25, 2014 1:21 PM
    Tuesday, February 25, 2014 9:56 AM
    Moderator
  • Thanks Susie.  Somehow I missed the connection between dg and Default Gateway.  Boy am I getting senile in my old age!  I sort of inferred the need for static IPs there, but just wanted to be sure.

    Thanks again for clarifying those things for me.

    Rob


    Creacon

    Tuesday, February 25, 2014 1:24 PM
  • Hi,

    It is my pleasure. Have a good day!

    Best regards,

    Susie

    Wednesday, February 26, 2014 1:58 AM
    Moderator