[SOLVED] Connecting secondary router WAN to primary router LAN

Nov 28, 2020
3
0
10
goals
  1. isolate secondary router clients from primary router LAN access.
  2. Using internet access from primary LAN connection.

Is this possible? Can I restrict primary LAN access to all secondary clients via different subnet or will I need firewall rules as well?
 
Solution
You don't really need a vpn but you can if you are worried about data interception. That is a far different thing just preventing access between the networks.

Lets say your network looks like this.

internet--router1--192.168.1.x----router2---192.168.2.x.

By default 192.168.1.x can not open any session with 192.168.2.x this is the NAT port forwarding "problem" that helps in this case.
192.168.2.x machine can though intiate conenctions to 192.168.1.x. If the router2 has the feature all you need is a rules that denys all access to 192.168.1.x.

kanewolf

Titan
Moderator
goals
  1. isolate secondary router clients from primary router LAN access.
  2. Using internet access from primary LAN connection.
Is this possible? Can I restrict primary LAN access to all secondary clients via different subnet or will I need firewall rules as well?
You can prevent primary router clients from getting to secondary clients. You wouldn't protect primary from secondary IF the secondary knows the IP address.
To totally isolate them you would want a primary router that supports VLANS , You would create the "secondary" network with a different VLAN and IP range. Then you could use the secondary router as an access point/switch rather than a router.
Any decent business class router can handle the VLANS, and multiple DHCP servers.
 
If the second router has a firewall you can put a rule in that prevents any access to the subnet in the primary lan. You can block the entire subnet including the gateway ip of the main router. That will prevent any attempt to access the router but it will still allow internet traffic to pass to the main router.
 
Nov 28, 2020
3
0
10
Thanks for your input.
To further explain:
The Primary Router is not owned nor controlled by "us" but is the property of our Corporate Customer.
The Secondary Router(owned by we, the vendor) has attached "our" clients that provide a proprietary service to their corporate process.
The Primary(Corporate Customers router) sole purpose is to provide internet service to the Secondary router.
Therefore, we(the vendor/secondary router) are concerned with security for both parties.

We are also implementing a VPN between the Secondary router and internet connections
 

kanewolf

Titan
Moderator
Thanks for your input.
To further explain:
The Primary Router is not owned nor controlled by "us" but is the property of our Corporate Customer.
The Secondary Router(owned by we, the vendor) has attached "our" clients that provide a proprietary service to their corporate process.
The Primary(Corporate Customers router) sole purpose is to provide internet service to the Secondary router.
Therefore, we(the vendor/secondary router) are concerned with security for both parties.

We are also implementing a VPN between the Secondary router and internet connections
If the "purpose" of the primary router is to provide connectivity, then it should be capable of providing you with a VLAN which will isolate your traffic to only your hardware and the internet. What do your terms of service with the provider say?
 
You don't really need a vpn but you can if you are worried about data interception. That is a far different thing just preventing access between the networks.

Lets say your network looks like this.

internet--router1--192.168.1.x----router2---192.168.2.x.

By default 192.168.1.x can not open any session with 192.168.2.x this is the NAT port forwarding "problem" that helps in this case.
192.168.2.x machine can though intiate conenctions to 192.168.1.x. If the router2 has the feature all you need is a rules that denys all access to 192.168.1.x.
 
Solution
To further explain:
The Primary Router is not owned nor controlled by "us" but is the property of our Corporate Customer.
The Secondary Router(owned by we, the vendor) has attached "our" clients that provide a proprietary service to their corporate process.
The Primary(Corporate Customers router) sole purpose is to provide internet service to the Secondary router.
In this configuration, you have nothing to worry about because just like any other wan connection coming into your router, all packets not intended for your network will be discarded--doesn't matter if it is coming from the Primary Router's LAN or the Internet--as far as the secondary router is concerned, both are the same and generally discarded.
 

TRENDING THREADS