• How to isolate subnets from being able to see each other


    #2339372

    Brian Livingston’s article on “Hackers are running your smart home” made a suggestion to “3. Place your IoT devices and computers on two different networks” as a way to isolate the networks.

    A quick analogy of my setup:

    1. IP provider uBee modem/router combo with LAN IP 192.168.0.1
    2. D-Link router with LAN IP 192.168.5.1 – My Internet of Things/Guest access
    3. Synology router with LAN IP 192.168.10.1 – My private secure network. Yeah right!
    4. The D-Link and Synology routers get their WAN IPs from the uBee device.

    The problem and what I see as an issue is that from any device using my Windows 10 PC I can see and log into each router listed above. I remember previously that you had to be part of and connected to each device subnet IP in order to see those devices. Somewhere along the way that has changed.

    Any suggestions on how to stop this free for all traffic between subnets?

    • #2339492

      Anything on the 192.168.0.0 network should not be able to see the other networks, but your uBee router may beg to differ.

      192.168.5 and 10 should not be able to see each other, again depending on the uBee router.

      If all are visible from anywhere you need to change the uBee router to either prevent access, or create a couple of DMZ zones on the uBee – one for 5 and one for 10, then set the WAN ports to use the DMZ IP.

      cheers, Paul

      • #2339794

        Thanks Paul for the info. I decided to check the configuration at my parents' house that I also had set up similarly, but they have an Arris router from the Internet provider. Just as I describe above, I was able to log on to any of the other routers even though they are all on separate subnets. They use a D-Link router for their private network.

        Encouraged by what I was seeing, I decided to check out the setup at my GF's house that I also set up. Just like at my home and that of my parents, in her setup I was able to log on to any of the routers on separate subnets. She has a Spectrum-branded router that has separate modem and router units, and the Synology router for the secure network.

        Is this now the new normal for these routers or is this something new to Windows 10?

    • #2340075

      What you are seeing is not a secure sub-network, despite your expectations.
      When you set up a secure subnet, you actively prevent users from one network being able to access the other networks.

      How are you connecting to the routers to test the login?

      How have you set up the uBee to allow the .5 and .10 networks?

      How have you connected the routers to the uBee? Did you use the WAN ports of the other routers?

      How do you do DHCP for the subnets?

      cheers, Paul

      • #2341883

        The uBee (Main Internet Provider Router “MAIN”) is only supplying the IP to the WAN side of all the other routers via dynamic IP. Each other router has an IP on the WAN side such as 192.168.0.x.

        The other routers then in turn have their own LAN-side IP addresses. On my own network, router 1, a D-Link, has a LAN-side IP of 192.168.5.1 and a DHCP range of 192.168.5.2-254.

        Router 2, a Synology RT2600ac, has a LAN IP of 192.169.10.1 and a DHCP range of 192.168.10.2-254.

        My Windows 10 PC is connected to the Synology router. From my Win10 PC I can at will log in to any router: the uBee by typing 192.168.0.1 in the browser, or the D-Link by typing 192.168.5.1 in the browser, without ever having to change from the 192.168.10.1 network that I’m currently residing in.

        It used to be that you had to be part of the subnet you wanted to see in order to talk to those devices; that is no longer the case. All networks have the same subnet mask of 255.255.255.0.

        • #2342100

          Access to the uBee is expected as the Synology is connected directly to the 192.168.0 network

          Have you turned the D-Link firewall off?

          Can you connect to the Synology from the 192.168.5 network?

          cheers, Paul

        • #2342130

          I look at this as simple as possible.

          The uBee is your “coreswitch”. Dlink and Synology are L3 switches.

          >It used to be that you had to be part of the subnet you wanted to see in order to talk to those devices; that is no longer the case. All networks have the same subnet mask of 255.255.255.0

          I think it's still the same, but your setup is different. Your D-Link and Synology routers are L3 switches in this case. I think you should set them to GATEWAY mode, so they use their own NAT for devices connected to them, thus making other devices from other routers invisible, because this gateway does not know their IP.
          That's my assumption.

          Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

          HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

          PRUSA i3 MK3S+

          • #2342175

            We usually refer to L3 as Layer 3 of the network stack, which is the basic level of operation for a router. Is this what you meant?

            cheers, Paul

            • #2342184

              Yes, I think we are talking about the same thing. I refer to the ISO/OSI model.
              An L2 switch is a “dumb” switch.
              An L3 switch is a manageable device, where you can define VLANs for example, or routing.
              His routers are definitely L3. It requires management to make it work as required. It has built-in DHCP, VLAN management and other functions that require to be adjusted.

        • #2342198

          Now we are getting somewhere, this is an interesting question indeed. To be clear:

          Outermost uBee router has a LAN of 192.168.0.x on which it is 192.168.0.1
          DLink inner router has a LAN of 192.168.5.x
          Synology inner router has a LAN of 192.168.10.x

          From a device connected to the Synology router,
          you can access the outermost one using 192.168.0.1
          you can access the D-Link router using 192.168.5.1

          Access to the outermost uBee at 192.168.0.1 is to be expected from a Synology client. To block this, you would want to configure the router to block anything going out with a destination IP of 192.168.x. This requires outbound firewall rules, something very rare in consumer routers. Synology claims to have firewall rules but good luck figuring this out.

          To block this from the outermost uBee router, you need to look at locking down LAN side access. Perhaps by source IP? Perhaps by MAC address? Perhaps by using a non-standard port? Routers vary drastically in the options they offer here. Again, consumer equipment is not likely to offer many options for this.

          For the DLink router, I would expect you to be able to access it using a 192.169.0.something IP address. To block that, you need to lock down remote access in the DLink router. This should be simple and easy on most routers.

          However, if you can access the DLink router at 192.168.5.1 from the Synology router, then I have no explanation. Only a device connected to the DLink router should be able to use that IP address. Any device connected to the Synology router should only see the DLink router at its 192.168.0.something IP address.

          Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

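          To make the reachability reasoning in this post concrete, here is an added Python model (not code from any participant) of the thread's topology: each router's /24 LAN, its own address and a default route toward the uBee or the ISP. The inner routers' WAN addresses (192.168.0.50 and .60) are constructed, and `EGRESS_DENY` is a hypothetical stand-in for the outbound rule proposed above.

```python
import ipaddress

# Constructed model of the thread's topology (added example, not a config
# dump from any poster). WAN addresses of the inner routers are made up.
ROUTERS = {
    "uBee":     {"lan": "192.168.0.0/24",  "self": "192.168.0.1",  "next": "ISP"},
    "D-Link":   {"lan": "192.168.5.0/24",  "self": "192.168.5.1",  "next": "uBee",
                 "wan": "192.168.0.50"},
    "Synology": {"lan": "192.168.10.0/24", "self": "192.168.10.1", "next": "uBee",
                 "wan": "192.168.0.60"},
}
WAN_OWNER = {r["wan"]: name for name, r in ROUTERS.items() if "wan" in r}

# Hypothetical outbound filter on the Synology: drop anything whose
# destination falls in these prefixes before it leaves toward the uBee.
EGRESS_DENY = {"Synology": ["192.168.0.0/16"]}


def forward(hop, dst, egress_deny=None):
    """Walk a packet router by router (default routes only); return the path."""
    dst_ip = ipaddress.ip_address(dst)
    deny = egress_deny or {}
    path = []
    while hop != "ISP":
        r = ROUTERS[hop]
        path.append(hop)
        if any(dst_ip in ipaddress.ip_network(p) for p in deny.get(hop, [])):
            return path + ["DROPPED"]          # egress filter fired
        if dst_ip == ipaddress.ip_address(r["self"]):
            return path + ["ADMIN-UI"]         # this router's own LAN address
        if dst_ip in ipaddress.ip_network(r["lan"]):
            owner = WAN_OWNER.get(str(dst_ip))
            # WAN side of an inner router: admin UI only if remote admin is on
            return path + [f"WAN:{owner}" if owner else "LAN-HOST"]
        hop = r["next"]                        # no matching prefix: default route
    return path + ["ISP"]                      # private destination leaves via the ISP link


def reach(client_ip, dst, egress_deny=None):
    """Path from a client; its gateway is the router whose /24 contains it."""
    src = ipaddress.ip_address(client_ip)
    gw = next(n for n, r in ROUTERS.items() if src in ipaddress.ip_network(r["lan"]))
    return forward(gw, dst, egress_deny)
```

          With /24 masks, a Synology client's packet for 192.168.5.1 matches no prefix except default routes and ends up on the ISP link, which is why the post expects that address to be unreachable; only the egress filter stops the 192.168.0.1 case.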
          • #2342228

            Firewall rules can do the trick here, but with all respect, that's not the solution; you just cure the symptoms.
            In the enterprise sphere, the visibility between VLANs is driven by port setup.

            On the core switch (in this case the uBee router) you define all VLANs that exist in the network.
            Then you manage RJ45 ports, whether they are “tagged” or “untagged” and to which VLAN they belong.
            “Tagged” means that you can access all VLANs defined on the switch (router).
            “Untagged” means that you can access only the VLAN that the port is set to.

            So..
            @enduser99 needs to set two “untagged” ports.
            One untagged port for the DLink with VLAN5 192.168.5 / 24
            One untagged port for the Synology with VLAN10 192.168.10 /24

            and connect corresponding devices with cable into them.
            But I'm not sure if the uBee can do this management. Some small Cisco manageable switch can do that.
            For example (sorry for the Czech link, hope you can access the webpage)
            Cisco SG250-08 8Port approx 100 USD
            • #2342234

              >Firewall rules can do the tick here, but with all respect, thats not the solution, you just cure the symptoms.

              Outbound firewall rules can prevent the two inner routers (Synology and DLink) from sending any outbound requests to the LAN of the outermost router (uBee). But, that assumes these routers support outbound firewall rules which is unlikely.

              >In enterprise sphere, the visibility between VLAN is driven by port setup.

              VLANs are off-topic, as I understood the question. I am a big fan of VLANs, some of my best friends are VLANs, but I don’t think any of these three vendors support VLANs.

              I don’t think your definition of “tagged” is correct. Tagged applies to individual data packets, not to Ethernet ports. Terminology often gets in our way, no doubt that happened here. As you say, Ethernet ports can be configured to either expect VLAN tagged packets or not. I am not sure what the official terminology for this on/off state is. Peplink uses the terms “access” and “trunk”.

              We don’t know the specifics of the uBee router, so there is only so far we can go.

            • #2342248

              Terminology indeed, and translation too (in my case).

              I found that Cisco uses the term trunk too. We use Extreme, who uses tag/untag.

              https://networkdirection.net/articles/network-theory/taggeduntaggedandnativevlans/

              I think you are correct, but as Extreme switches offer a tag/untag setting for each port, I assumed that it's related to every single port. One must learn all the time. Let's wait for Enduser99's reaction here.

              Doriel

    • #2340089

      Hello.
      I do not quite understand what you mean by “see each other”.

      What's your “coreswitch”? I mean all devices are connected through one device, right? Then you should do some VLAN management on this “coreswitch” of yours.

      How have you set up the uBee to allow the .5 and .10 networks?

      And I'm missing your subnet mask. That's what defines your VLAN.

      example:
      If your SM is 255.255.0.0 then all your 192.168.x.y are on the same VLAN (x,y = 0..254).

      What are your subnet masks?


      • #2340130

        Regardless of masks, the routers should enforce isolation – that’s what internet routers do.

        cheers, Paul

        • #2340361

          By “see each other” I understand that they can PING for example, or access web interface through IP (printers etc.).

          Maybe @Michael432 is correct, maybe @enduser99 is talking about different SSIDs, not about cable connection.


    • #2340159

      The question is unclear.

      The biggest omission is which router the Win10PC is connected to. Then too, is each router only Ethernet? If not, are there Guest networks on each router?

      That said, any device connected to the uBee router via Ethernet or main SSID will be able to see both other routers. However, if the DLink and Synology routers have remote admin disabled, you should not be able to get at their web interface from the uBee router.

      To learn more about using multiple routers see
      https://www.michaelhorowitz.com/second.router.for.wfh.php

    • #2616880

      I know this is an old thread but I wanted to provide the final resolution to the original problem. In the end no matter what I tried I could never achieve the complete isolation I was looking for between subnets until now. Thanks to all who participated on this matter and provided great insight.

      The Synology router that I have the RT2600AC recently updated their firmware to allow each of the 4 LAN side ports to be individually mapped, and since it also has 4 WiFi antennas each of those can also be mapped to their individually assigned ports. It also gave me the option to connect to each LAN port strictly via Ethernet only, strictly by WiFi only, or both Ethernet and WiFi combined. I set them to combined modes since not all IoT devices have Ethernet connections.

      So what I did was map each LAN port to a specific IP address. For consistency's sake I assigned LAN port 1 the IP address 192.168.1.1, port 2 IP address 192.168.2.1, port 3 IP address 192.168.3.1, and port 4 IP address 192.168.4.1. On each individual port I was also able to adjust the DHCP range to between 2-254. Now all I had to do was connect a switch to each port and connect devices to each individual switch based on what subnet I wanted them to be associated with. I now also have 4 individually isolated WiFi networks operating at the same time.

      On my Windows PC when connected via Ethernet I can’t see each subnet unless I physically connect to that specific switch via the Ethernet cable. If I use WiFi on my PC instead, all I have to do is connect the PC to the specific WiFi subnet I want to see and control and I can see only those devices associated with that subnet but none of the others.

      On my cell phone when at home I just have to switch to that specific WiFi network to view those devices associated with that subnet. When I’m out and about I can control each device via the cell provider without any issues since I’m now on the WAN side of the network and don’t have to deal with switching to or selecting individual WiFi networks.

      This firmware change on the router extremely simplified everything I was trying to accomplish without having to use multiple routers. My network now consists of a cell phone gateway running as an always-on 5G data modem [good riddance cable company and the ridiculous constant price increases], the Synology router as the brains of the operation, and 4 separate gigabit switches to expand the single port assigned at the router.

      Thanks again to those who provided input. I now have peace of mind knowing that the questionable and insecure IoT devices are isolated from my important data systems.

    • #2617435

      >When I’m out and about I can control each device via the cell provider

      Are you saying you have remote access to your network / router?
      This is bad m’kay, unless you use 2FA and a VPN to connect.

      cheers, Paul

      • #2617525

        I have remote access to the IoT devices, zero access to the router itself as it does not permit WAN access to itself. All subnet access is via VPN when set up in the router. It clearly stated that during the setup process.
