Two-layer subnets using Linksys routers?


Alan Cobb

Hi,

I'm thinking about implementing the following LAN setup:

                 Internet
                     |
                Cable modem
                     |
                  WRT54G
    (Linksys wireless access + wired router, NAT,
                 "Firewall")
                     |
    -----------------------------------
    |      Subnet A (less secure)     |
    -----------------------------------
      |             |              *
      |             |              *
      |            PC1          Laptop 1
      |       ftp/web server   (Wireless)
      |
      |
   BEFSR41 (Linksys wired router, NAT, "Firewall")
      |
    -----------------------------------
    |      Subnet B (more secure)     |
    -----------------------------------
           |                 |
          PC2               PC3

All the important data would be in the more secure
subnet B. The less secure subnet A would have only
the "public" data needed for an ftp server and maybe
an IIS web server eventually.

All machines running XP Pro and Norton NIS software
firewalls. File sharing is bound to IPX (unroutable)
on subnet B, but bound to TCP/IP on subnet A.

Questions:

Q1 - Will two things prevent subnet A from being able
to see any directories shared by PCs on subnet B?
(This seems desirable)

a) BEFSR41 is using NAT (only outbound allowed).
b) File sharing on subnet B bound to IPX which
can't get through any router unlike TCP/IP.

Q2 - Will computers on subnet B be able to see/read/write
directories shared on subnet A? (This seems desirable)

Would subnet B's PCs be able to browse web pages
served by subnet A's PC1?

Q3 - Will subnet B have a "little" slower access to the
Internet because of having to go through two routers?

Q4 - Any other comments or suggestions?

Thanks,
Alan Cobb
 
Hi, Alan. I'll answer your questions to the best of my knowledge and
experience. However, the only sure way for you to find out if the
setup will work as desired is to try it and see.

Q1a: Yes, the BEFSR41's NAT firewall function will prevent subnet A
from accessing subnet B using TCP/IP.

Q1b: Yes, the router will block file sharing using IPX/SPX.

Q2: Yes, computers in subnet B will be able to access shared
directories on computers in subnet A using TCP/IP. Subnet B PCs send
packets to the BEFSR41, which uses NAT, so packets originating from
those computers will appear to come from the BEFSR41's WAN interface,
which is in subnet A.

Subnet B PCs should be able to access web pages served by PC1 using
either PC1's subnet A address or the cable modem's public IP address.

Q3: Internet access on subnet B might take a few microseconds longer
than on subnet A.

Q4: Don't run XP's built-in firewall (ICF) on any computer. NIS does
everything that ICF does and more, and running two firewalls could
cause problems.

Specify different IP address ranges (e.g. 192.168.0.x and 192.168.1.x)
for subnets A and B -- The BEFSR41's WAN interface will be in subnet
A, and its LAN interface will be in subnet B.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
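
The NAT behaviour described in the answers to Q1a and Q2, as an added example that is not part of the original posts. The NatRouter class, the addresses and the ports are constructed for illustration; the model assumes the BEFSR41 has no port forwarding or DMZ host configured and matches replies on remote address and port.

```python
import ipaddress

class NatRouter:
    """Toy model of a NAT router: outbound flows create state; inbound
    packets pass only when they match that state (no port forwarding/DMZ)."""

    def __init__(self, wan_ip, lan_net):
        self.wan_ip = wan_ip
        self.lan_net = ipaddress.ip_network(lan_net)
        self.flows = {}        # WAN port -> (lan_ip, lan_port, remote_ip, remote_port)
        self.next_port = 40000

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """LAN -> WAN: record the flow and rewrite the source to the WAN address."""
        if ipaddress.ip_address(src_ip) not in self.lan_net:
            raise ValueError(f"{src_ip} is not on the LAN side")
        wan_port, self.next_port = self.next_port, self.next_port + 1
        self.flows[wan_port] = (src_ip, src_port, dst_ip, dst_port)
        return (self.wan_ip, wan_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """WAN -> LAN: return the translated packet, or None if dropped."""
        flow = self.flows.get(dst_port) if dst_ip == self.wan_ip else None
        if flow is None or (src_ip, src_port) != flow[2:]:
            return None        # unsolicited: no matching outbound flow
        return (src_ip, src_port, flow[0], flow[1])

# Constructed addresses: subnet A = 192.168.0.x, subnet B = 192.168.1.x
PC1, LAPTOP1 = "192.168.0.10", "192.168.0.11"   # subnet A
PC2 = "192.168.1.10"                            # subnet B
BEFSR41_WAN = "192.168.0.2"                     # BEFSR41's address in subnet A

def demo():
    r = NatRouter(BEFSR41_WAN, "192.168.1.0/24")
    # PC2 browses PC1's web server: PC1 sees the BEFSR41, not PC2.
    seen = r.outbound(PC2, 51000, PC1, 80)
    return {
        "seen_by_pc1": seen,
        # PC1's reply matches the tracked flow and is translated back to PC2.
        "reply": r.inbound(PC1, 80, seen[0], seen[1]),
        # PC1 tries TCP 445 on the router's WAN address: no tracked flow on that port.
        "a_to_wan_445": r.inbound(PC1, 51001, BEFSR41_WAN, 445),
        # PC1 addresses PC2 directly: not the router's WAN address, so not forwarded.
        "a_to_pc2_direct": r.inbound(PC1, 51001, PC2, 445),
        # Another subnet A host reuses the mapped port: remote endpoint mismatch.
        "other_host": r.inbound(LAPTOP1, 80, BEFSR41_WAN, seen[1]),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} -> {result}")
```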
 
Hi Steve,
...the only sure way for you to find out if the setup will
work as desired is to try it and see.

Thanks for your detailed answer. I'll buy the gear and
give it a try :).

PS: One inaccuracy in my original post:

IPX _is_ actually a "routable" protocol. As described here:
http://support.microsoft.com/support/kb/articles/q203/0/51.asp

Although IPX is technically routable, apparently many
routers (including these Linksys models) do not route
those packets through the WAN connection. Hence in
terms of these routers IPX is effectively "non-routable".
(Which provides a desirable extra level of protection
from the TCP/IP based Internet).

From the WRT54G manual p45:

Does the Router support IPX...?
No... IPX, a NetWare communications protocol [is] used only
to route messages from one node to another ... [It] can be
used for LAN to LAN connections, but ... cannot connect
from the Internet to a LAN.

(Please let me know if any of the above is incorrect).

Thanks again,
Alan Cobb
 
Hi Hans-Georg,

Sounds like a good point.

Can you give an example of such a router (and maybe a
website link)? Perhaps they are above the average
"consumer" price range?

Regarding the two smallnetbuilder.com articles:
Although not perfect, would you say smallnetbuilder.com
in general and these articles in particular are a reputable
source of information?

Alan Cobb

--------------------
 
Can you give an example of such a router (and maybe a
website link)? Perhaps they are above the average
"consumer" price range?

Alan,

from my (poor) memory, a few examples could be LanCom 821,
LanCom 1621, Bintec Brick XM. But please recheck before you buy.
There are probably some more.

Hans-Georg
 