Creating Network Test Lab with Isolated Subnet

ThatNoobGuy28

Jun 12, 2015
Hello everyone,
I am currently researching creating a network test lab for my home that would allow me to be isolated from the other computers on my router. I would like to create a network environment that will allow me to practice setting up servers and pentesting without accidentally messing up the entire network and having to hear about it from my g/f.

Here is what I have figured out so far for connection:
ISP ---> (WAN) Main Router (LAN) ---- 192.168.1.2 ---> (WAN) 2nd Router (LAN) ----192.168.2.x

Questions that I still have:
1.) To allow the 2nd router to have internet access, will I have to port forward all protocols I wish for that 2nd router to have, such as HTTP, SMTP, SSH etc., from the Main router to the 2nd router?

2.) Am I able to have the 2nd router run DHCP to obtain an IP Address (192.168.2.x), or do I need to disable it due to the Main router running DHCP?

3.) Am I able to assign the 2nd router a different SSID and password than the Main router, so that only hosts with the correct password can access the 2nd router?

Thanks for any advice anyone is able to give me!
-Patrick

 
Solution
Unfortunately it will work backwards to what you want. The devices behind your main router will not be able to get to the test network behind the second router because of the NAT, but the test devices will have pretty much full access to your main LAN. The only thing really protecting them is that the devices have no way to know what the IP addresses are (even though you use common ones) because there is no DNS mapping.

You would need some form of firewall in the second router to only allow access where you wanted... including the internet.

Unless you plan to test from the internet, I would only port forward on the second router and place your testing machine on your LAN; that way you do not expose things to the internet.

DHCP is up to you; most test networks use static IPs, but it will work fine with DHCP on if you want. The SSID should be different or the devices will just connect to what they think is the strongest signal, which may be the wrong network.
 
Thanks for your reply bill001g,
If I wanted to practice in the test network (2nd router), would I risk messing with the computers connected to the main router, since the 2nd router is connected to the main router? For example, if I had two computers running a vulnerable OS to practice pentesting on the 2nd router, would any computers connected to the main router be affected by what I did in the 2nd router? I'm just trying to make sure I don't mess up the main network and end up in the dog house for a couple of weeks. Thanks for your help!
 
You should be able to attack the second router safely from the main network, assuming you aren't using brute force tools that broadcast out MAC or ARP, etc. A machine on your main network itself should be safe from the internet. Maybe block the machines from the internet so they do not go out and download something when you aren't watching.
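The firewall bill001g says the second router needs, plus the optional "block the lab from the internet" setting from the last reply, as an added example that is not part of this thread: Linux iptables rules for a 2nd router such as an OpenWrt box, in the ISP -> main router (192.168.1.0/24) -> 2nd router (192.168.2.0/24) layout from the question. The interface names, the 192.168.2.10 lab VM, and the 2222 -> 22 port-forward are assumptions; by default the script only prints the rules so you can review them before running it with `apply` as root on the router.

```shell
#!/bin/sh
# Added example, not from the thread: firewall rules for the 2nd router in the
# ISP -> main router (192.168.1.0/24) -> 2nd router (192.168.2.0/24) layout.
# NAT alone only stops the main LAN from reaching the test LAN; these rules also
# stop the test LAN from initiating anything toward the main LAN.
# Interface names, subnets and the port-forward target are assumptions.
WAN_IF="${WAN_IF:-eth0}"            # 2nd router's WAN port (cabled to main router)
LAN_IF="${LAN_IF:-br-lan}"          # 2nd router's LAN/Wi-Fi bridge (test network)
MAIN_LAN="${MAIN_LAN:-192.168.1.0/24}"
TEST_LAN="${TEST_LAN:-192.168.2.0/24}"
# Assumed vulnerable lab VM, and the WAN-side port the main LAN uses to reach its SSH
FWD_TARGET="${FWD_TARGET:-192.168.2.10}"
FWD_PORT="${FWD_PORT:-2222}"
FWD_DPORT="${FWD_DPORT:-22}"
# Set to 1 to also cut the test LAN off from the internet (bill001g's suggestion)
BLOCK_INTERNET="${BLOCK_INTERNET:-0}"

# Print the rule set; review it before piping it to sh on the router.
gen_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F
# replies to flows the lab opened, and replies through the port-forward below
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the test LAN must never start a connection into the main LAN
iptables -A FORWARD -i $LAN_IF -s $TEST_LAN -d $MAIN_LAN -j DROP
# the main LAN reaches the lab only through this explicit port-forward
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $FWD_PORT -j DNAT --to-destination $FWD_TARGET:$FWD_DPORT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $FWD_TARGET --dport $FWD_DPORT -m conntrack --ctstate NEW -j ACCEPT
EOF
    if [ "$BLOCK_INTERNET" = 1 ]; then
        echo "iptables -A FORWARD -i $LAN_IF -s $TEST_LAN -o $WAN_IF -j DROP"
    else
        echo "iptables -A FORWARD -i $LAN_IF -s $TEST_LAN -o $WAN_IF -j ACCEPT"
        echo "iptables -t nat -A POSTROUTING -s $TEST_LAN -o $WAN_IF -j MASQUERADE"
    fi
}

# Sanity check: exactly one rule drops lab traffic aimed at the main LAN.
count_main_lan_drops() {
    gen_rules | grep -c -- "-s $TEST_LAN -d $MAIN_LAN -j DROP"
}

case "${1:-}" in
    apply) gen_rules | sh ;;          # run as root on the 2nd router
    *)     gen_rules ;;               # default is a dry run that only prints
esac
```

The DROP toward the main LAN is placed before the ACCEPT toward the WAN on purpose: both match traffic leaving the WAN port, so order is what keeps 192.168.1.0/24 unreachable while the rest of the internet stays open.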