To subnet or not to subnet That is the question.

**Smokin Joe** · August 25th, 2008, 12:20 AM

Hello everyone
NooNoo helped me very quickly last time.
Thanks again NooNoo on the printer driver reinstall.

Here is a challenge for you (all), maybe not for you but it will be for me.
That is why I am here.

I have an operating network consisting of a modem (speedtouch)
a wireless router (DI-624)
a printserver, faxmachine, scanner and bonus television all in one (Asus Tx97e, Pentium 233, 256 mb of ram, running win98se: because XP would kill it)

a Multimedia Center (AsusP4B with a vast assortment of goodies that are irrelevant running XP: because 2000 NT tried to kill me getting it to work with the rest of my network)

a wireless laptop running XP (it’s from Dell and I have lifetime tech support)

a bridge (di-524 with dhcp disabled: it was much cheaper than a real bridge) located at the end of a long underground cat 5 (about 150’ long) ending in our guest house where students like to access the internet thru my network.
I have been thinking more about security lately and I wanted to add a switch after the modem, another DI-624(on a different subnet mask or whatever modus apparendi you guys might suggest)

Why a different Subnet mask you ask?

Because after the modems I want to connect them both to the underground cable (by using another switch I guess) leading to the bridge at which point I was thinking of daisy chaining another bridge (DI-624 with DHCP disabled: you know cheaper than the real thing.) into the first bridge (DI-524)
Okay why all the trouble?

Sometimes I take my laptop over to the guest house and plug it into the TV to show movies on that television which I have stored on the Multimedia Center at the main house. Also I play music in the bar (downstairs in the guest house) from my laptop using the itunes data base on the Multimedia Center. I have been lucky in that most of my guests have been great.
But one day I might get a really bright one who is bored silly and well……so far no one has hacked into my computers. I know of their weaknesses and I feel I should eliminate the risk.
I already have one DSS-8 which I am not using and two new (still in the boxes) DI-624’s.
Soooo LET”S GET THIS PARTY STARTED!

Recapping I wish to (or I THINK I SHOULD)

use two routers and two bridges sharing the same single cat 5 to join the Routers to the bridges. Essentually creating two individual networks (not accessible to one another from a security stand point).
My laptop only needs to access my computers, the internet but not the guest computers.
Their computers don’t need to communicate with one another only have internet access.
My laptop needs to access my network from either house.
Forgive me if this seems stone age in concept but I am from Canada and I’m Slow eh!

**Smokin Joe** · September 14th, 2008, 10:45 PM

I waited diligently for someone to respond to my previous post
100 have read so far...
Just a couple of hints please.

I have run into a couple of problems setting up the new gateway (Home). I can connect to the Internet thru the switch to the modem. Both gateways will work using the same sub-net mask and both have DHCP enabled. I can switch back and forth wirelessly or wired to either router, but when I change the sub-net on the new router, the LAN sub-net, the Internet connection is lost.

I am wondering if I change the sub-net mask on the new gateway to 255.255.255.224 (keeping it a class C).

Will I have to disable the DHCP setting of the new router in order to connect it to the other network on the second switch? Even though it is operating on a new sub-net? Will the wireless connection on my laptop need to have the sub-net mask identified 255.255.255.224 in the settings making it harder to connect to other Wifi hot-spots.

Because the default sub-net has been changed will every computer using the new gateway have to have a static ip address as well as identifying the new gateways sub-net mask?

What other changes should I make within the settings of each computers tcp/ip makeup?

Should I change the sub-net of the new gateway to a default class B or class A network instead?
Possibly eliminating these problems?
Any and all information would be appreciated.
Thank You

**Smokin Joe** · September 15th, 2008, 12:08 AM

Preliminary testing of the new router using a Class B default subnet seems to be working. I have both routers connecting to the modem with a switch.
I can switch wirelessly between routers and connect to the internet without issues of speed loss. I haven't had to do a bunch of static settings in the laptop.

The original gateway is Class C default subnet and the the new gateway is CLass B. Both have DHCP enabled.
The true test is when I try and have them share the same underground cable to the satelites.
Still looking for input of warnings etc

**Matridom** · September 15th, 2008, 07:36 AM

Joe, your posts are a little confusing.

First off, it`s my recommendation that you forget about subnetting. Subnetting is not creating security, in your case, it`s creating the illusion of security. Subnetting was originaly designed to make better use of IP address blocks and as a result of that it shrinkings collision domains.

I`ve encountered similar scenerios when i`ve been working for businesses that have confidential data yet want clients to surf on dedicated machines.

Authorize your modem for 2 IP address`s. Some ISP will give more for free, others you need to pay for. Talk to your ISP about that one.

Modem to Switch

Routers 1 and 2 connect to switch

Public network on router 1, private network on router 2.

In this scenerio, each router will have a public IP address and will act as an independant network, greatly increasing your security.

If you are insistant on having multiple networks on the same hardware (witch is what i think you are trying to do) you would need some fancy equipment that supports VLAN`s or ACL`s. Both these options will be rather expensive.

Hope it helps.

**Smokin Joe** · September 21st, 2008, 03:34 AM

Thanks Matridom for the input

"Modem to Switch

Routers 1 and 2 connect to switch

Public network on router 1, private network on router 2".

Is exactly how I have had it laid out from the beginning.

And I totally agree with the next statment

"In this scenerio, each router will have a public IP address and will act as an independant network, greatly increasing your security."

The issue I believe I have resolved is finding the proper configuration of the subnets.

I need for the hardware to share the same Cat 5 linking the routers with their bridges.

Currently I am testing and successfully have both networks operating on 2 different Class C subnets, with two totally different gateway addresses.

When I add the second switch linking the 2 routers to the long underground cable leading to the wireless access points I am wondering how the equipment and settings will respond.

Forgive me Matridom, because I did read your post, but not understanding Vlan's or ALC's but understanding Mac filters in the router settings has given me hope that I can limit access to my private subnet network thus providing more than enough security.

If the Mac filters are activated in my private networks' router to only allow my computers to access it (private network subnet) won't that present the security I need without affecting access to the public network?

**Matridom** · September 22nd, 2008, 07:52 AM

Let`s dig into things a little cause i`m getting a little confused by your terminolgy..

Originally Posted by Smokin Joe

Currently I am testing and successfully have both networks operating on 2 different Class C subnets, with two totally different gateway addresses.

This is not subneting. Subnetting is when you create two or more sub-networks from one larger IP class. You have 2 seperate networks.

When I add the second switch linking the 2 routers to the long underground cable leading to the wireless access points I am wondering how the equipment and settings will respond.

Your equipment will handle this fine. Cable/DSL modems are cable of receiving multiple communication channels on the connecting port

Forgive me Matridom, because I did read your post, but not understanding Vlan's or ALC's but understanding Mac filters in the router settings has given me hope that I can limit access to my private subnet network thus providing more than enough security.

I was talking about true routing equipment, not anything you would likely find in a residential home. ACL stands for Access Control List, and is used on proffessional routers as a customizable firewall to shape traffic going from subnet to subnet or network to network. Vlans, Virtual lans are a little different, they switch what physical network you are on based on mac address. Again, usualy used on large networks where true subnets exist.

If the Mac filters are activated in my private networks' router to only allow my computers to access it (private network subnet) won't that present the security I need without affecting access to the public network?

Since your two routers are on seperate networks and have seperate IP addresses, the routing that will result from the modem-router will provide all the security you need. MAC address filtering would be a recommendation for the Wireless network (to prevent war-driving). With the wired network, I would not bother, if they have physical access to your network, than filtering is nothing but a minor annoyance.