Create a second network for my teenager

I want to create a second network for a teenager whose surfing habits seems to get him lots of viruses, to provide some isolation and protection for others in the house. I intend to plug a second router into one of the LAN ports on the existing router (taking care to be sure they are not overlapping in the IP addresses they give out).

Would I get better protection if the careless surfer is on the outer router (the one closest to the modem)? Or does it not really matter significantly?

Thanks

 

Hello

Well, wouldn't it be better to secure the teenagers PC a little more instead?
I mean he would continue to get lots of malware even if you improve the security for the rest.

I assume that your teenager is like every other teenager that checks emails, playing games, and keeps logging on to member accounts here and there. And having malware on a PC while doing that is not so good. So I would improve the protection on the teenagers PC more, or change it out to something that works better with his habits.

 

You could get him a cheapo computer and let him learn the hard way
And then if he gets in real trouble recommend him Wilders Security

 

The teenager isn't the only issue. I also bring in virus laden computers from friends that I clean up.

 

It does not matter significantly whether the careless user/laden computers network is on the outer or inner network.
However, for topology reasons, the main home network should be positioned as the outer network, the network closest
to the modem.

The goal here is to isolate both networks from each other entirely, and allowing Internet access for both networks.
Simply connecting the two routers together, LAN port to LAN port, will not work, that only expands avaliable ports,
and the two networks can still see eachother, even though both routers are on seperate subnets. Also, if File and
Printer Sharing is preferred only between computers behind the subnet of the router they are serviced by, then the
Workgroup Name for all the computers behind the Home Router must be the same, but different from the Workgroup Name
of all the computers behind the Laden Router, and, the Workgroup Name for all the computers behind the Laden Router
must be the same, but different from the Workgroup Name of all the computers behind the Home Router.

To isolate the two networks entirely, provide Internet access for both networks, and restrict File and Printer
Sharing to the subnet of the router, follow the topology below.


HOME NETWORK TOPOLOGY:

Modem/Home Router/Laden Router

01] Modem
The modem currently in use

02] Home Router = Home Network
Plug the modem into the WAN port of the home router
IP address (subnet) of home router = 192.168.1.1
DHCP server of home router starting IP address = 192.168.1.111
Number of DHCP clients for home router = 5
DHCP address range for home router = 192.168.1.111 to 192.168.1.115
WAN settings for home router = Obtain an IP Address Automatically (from internet provider)
Workgroup name for computers behind home router = HOME ROUTER

03] Laden Router = Laden Network
Plug from out of the WAN port of the laden router into the LAN port of the home router
IP address (subnet) of laden router = 192.168.2.1
DHCP server of laden router starting IP address = 192.168.2.111
Number of DHCP clients for laden router = 5
DHCP address range for laden router = 192.168.2.111 to 192.168.2.115
WAN settings for laden router = Obtain an IP Address Automatically (from internet provider)
Workgroup name for computers behind laden router = LADEN ROUTER


To alleviate some of the laden you might consider using Norton DNS ConnectSafe.
Norton DNS ConnectSafe is an free cloud-based Web filtering service by Symantec.
There are three content filtering policies to choose from:
https://dns.norton.com/dnsweb/faq.do#13330138920481&action=contentLoaded&formId=loginForm&height=0


HKEY1952

 

Easy addition to earlier suggestions, check whether your router has wireless lan partition option, useually under advanced wireless options (sometimes under wireless intelligent stream handling options).

see pic

 

Thanks for the responses.

I've created the 2nd network it seems to be working well. Kees, my router has does not have lan partition option.

The reason I was asking about which router to make the outer router was because it seemed to me that since most threats to a network come in through the WAN side, that therefore a router might have better security protections on the WAN side. Which would then suggest putting the virus-laden computers on the outer router, so they are on the WAN side of the computers I want to protect.

If I do it the other way, and put the virus laden computers on the inner router, then all the traffic from the virus laden computers travel through the router of the network that I am trying to protect, on the same set of LAN ports as the computers I want to protect, which seems like it could be asking for trouble.

Thanks

 

I would suggest looking at alternatives for the virus-laden computers you're bringing in from friends. IMO you shouldn't join them on your LAN at all. Instead you would run them inside a sandbox & fix them that way. Or you could run repair CDs on the infected computers & mount the hard drive into the live CD- that way the infected OS isn't actually unleashed on your LAN.

As for the teenager, I would second sweX's suggestion of securing his computer more. Perhaps he needs a more restricted account. If he doesn't have any admin capabilities, then mom or dad would have to approve any installations of legit programs as well as malware. I sound like a sandbox fanboy, but again it's something to look at for him. Run his browser in a sandbox & you'll reduce the infections even if his behavior doesn't change much. If you run a tight firewall that would significantly cripple malicious programs from calling home. it would also make sense to implement some mandatory access controls on the teenager's computer. You may still get the infections but they wouldn't be able to do much.

 

So, if we go by your theory, placing the laden router on the outside, and the home router on the inside, now all of
the traffic from the home router is travelling through the laden router through the vary same ports as the laden
infected computers.....right.....wrong.

The only way your theory would hold true is if the inner router was connected to the outer router via
LAN port to LAN port. Connecting both routers LAN port to LAN port only expands avaliable ports and the networks
are not segragated.

Connectong the inner router out of the WAN port into the LAN port of the outer router totally segragates the two
networks from each other including network connectons. It is irrelevent which of the two networks are positioned
at the networks edge, however, for topology reasons, the main network should be positioned at the networks edge.

I gave you the answer/solution to your question/problem


HKEY1952

 

Interesting- I have learned something here. So the two networks would be completely independent, right?

 

BrandiCandi,
I guess it depends on how you define "independent". I've tried both configurations, and while I cannot see the other computers with normal methods, I can see the other router.
Which seems to leave open the possibility of some creative hacking.

Steve Gibson has a page with lots of good info on this topic here:
http://www.grc.com/nat/nat.htm


If you scroll down to the bottom, he suggests the machines you want to protect should be on the inner router.

I have also considered that perhaps the best way might be to connect a switch to the modem then the routers to the switch. But I'd rather avoid another piece of hardware if I could feel safe with just the routers.

 

The switch can not be the edge device connected to the modem. The switch can not act as an DHCP server and allocate
IP addresses. The switch can not enforce Network Address Translation (NAT). The modem expects to see one computer
and would see past the switch trying to communicate with all the devices connected yet not know which device that
it can support. Modems are designed to communicate with one device at an time, and only support an network adapter,
an game console, or an router.

Switches work at Layer2 of the Open Systems Interconnection (OSI) Seven-Layer Networking Reference Model,
the Data Link Layer, using Media Access Control Addresses (MAC Addresses). The Data Link Layer is responsible for
transmitting data from one place to another. The Data Link Layer is also responsible for putting together and
formatting the header information into correct fields and placing the data in the right place, called the Ethernet
Frame. Switches examine the MAC Addresses of packets using that information to decide whether to forward an packet
to another port. Switches are intellegent devices and remember the MAC Addresses and which ports the MAC Addresses
used during communications. Some switches also amplify the inbound and outbound signals independently per port to
retain the full bandwith in all the communications passing through the switch.

Routers work at Layer3 of the Open Systems Interconnection (OSI) Seven-Layer Networking Reference Model,
the Network Layer, using the Internet Protocol (IP). The Network Layer manages how packets are delivered on the
network or routed to another network using IP Addressing. IP addresses are comprised of two components:
an Network ID, and an Host ID. Packets can be delivered on the Local Area Network (LAN) using the Host ID or routed
to another network using the Network ID. The Network Layer is also responsible for breaking large messages into
smaller messages that fit into the Ethernet Frames created at the Data Link Layer. This size of the Ethernet Frames
created by the Data Link Layer is called the Maximum Transmission Unit (MTU). At the receiving end the Network Layer
reassembles the smaller messages back into the original large message before passing the data up to Layer4 of the
Open Systems Interconnection (OSI) Seven-Layer Networking Reference Model, the Transport Layer. Routers use the
protocols network address to determine on which port an packet is to be forwarded, by using the Logical Address
Space provided by Layer3. Switches use MAC Addresses to determine on which port an packet is to be forwarded, by
using the Flat Address Space provided by Level2 for lower-level devices that use Media Access Control Addresses.

The Modem sees the Wide Area Network (WAN) side of the router and communicates with it, allocating the WAN port of
the router the Internet Providers IP Address. The modem does not need to know that there are other computers or devices
connected on the Local Area Network (LAN) side of the router. As far as the modem is concerned there is only one
device connected to it, the router, as the modem does not communicate past the router or to the Local Area Network.
It is the job of the router to make the connections to the computers, printers, and devices. Routers are capable of
speaking to multiple computers or devices, and can allocate each of them their own Local IP Address by using the
routers built-in Dynamic Host Configuration Protocol (DHCP) Server, for example: (192.168.xxx.xxx).
When the router receives an signal from an computer or device, the router exists the capability to decide whether
that signal either goes to the Internet, presenting the computer(s) or device(s) to the modem as if it were just the
one device (the router) by using the routers IP Address, for example: (192.168.XXX.XXX), and performing Network
Address Translation (NAT) as required for the modem communications, or if the signal goes to another computer or
device on the Local Area Network.

Although I can appreciate Steve Gibsons topology in regards to the 'Seperate LAN Protecting One High-Value Machine'
by positioning it on the inner router, being that there is only one computer making up the network segment.
All of the networks behind their respective router are 'private' and all of the networks behind their respective
router are not 'uncontrollable', and both networks 'face the Internet'. Daisy Chaining routers does not increase
router security. If my goal was to protect 'One High-Value Machine', I would place it within an inner network behind
an Proxy Server. In your case, you want to isolate the teenagers computer from the rest of the home network,
therefore, that computer is best positioned by its self behind its own router within an seperate subnet, as depicted
by Steve Gibsons topology in Post #11.

There are two interfaces within an router, the WAN interface and the LAN interface. By connecting out of the
WAN port on the inner router to the LAN port of the outer router, the inner router is passing through the WAN interface
of the outer router and the two networks are segragated. It is irrelevent which network is positioned at the networks edge.
Both networks are behind their respective router and both routers exist an WAN interface and an LAN interface and
the two interfaces within each router do not communicate with eachother within the router. For topology reasons, the
main network should be positioned at the networks edge. The inner routers must make two or more hops before they can
access the Internet through the edge device, the Modem at the networks edge.


EDIT: clarity


HKEY1952

 

OK thanks for info. I see what you mean about the switch idea not being workable.

I am running it now with the computers I want to protect on the outer router. I prefer it that way since it makes it easier to disconnect the inner router when it is not needed.

 

There ya go, great idea, and good job vincenzo.

Also an good working example of one advantage to positioning the Main Network behind the Outer Router referred to as:
The Networks Edge. The Modem is the Networks Edge Device.


HKEY1952