[SOLVED] How do I add a second DHCP server to home network?

Mar 1, 2022
I have a router giving out 192.168.1.xxx addresses.
A 2nd router is set up in bridge mode and connected to router 1 via the WAN port of router 2.
As of now, if I plug a LAN cable into router 2 it gets an IP address from router 1.
If I plug a 3rd router into the 2nd router using its WAN port and make it give out 192.168.100.xxx addresses, will it cause any issues?
I do not want any devices connected to routers 1 and 2 (192.168.1.xxx) to be able to see or print to printers on router 3 (192.168.100.xxx).
Will this work?
 
A bit confusing at first because of the 2nd router but it will function fine.

The 3rd router is treating everything past the WAN port, including your first network, as the internet. Just like the internet cannot get past the NAT on the 3rd router, nothing from the other network will be able to either.
 
Should work fine. Your 3rd router has a LAN zone with subnet 192.168.100.0/24, and a gateway in WAN zone 192.168.1.0/24. At default settings it will treat 192.168.1.0/24 as a WAN subnet and won't allow network discovery between that and its LAN subnet, which is what you want.

It seems a bit inefficient to "daisy-chain" the routers like that instead of connecting 3rd router to the 1st, but I assume you have reasons for that (probably physical location).
 
It won't allow Microsoft "discovery" but there is nothing stopping traffic passing to the IP addresses. If it was malware or someone intentionally doing it they could just scan the entire range to find the machines and then attack them.
You can easily print or mount a drive just by using the IP address. I always seem to use the IP and never the Microsoft name.
 
I got from the first message that the concern was to separate the segments to prevent network discovery. If they are concerned about general traffic between the networks, this should be easily prevented with firewall rules. On routers 3 and 2 allow traffic only to the gateway (router 1) and on router 1 disallow traffic between the networks. Seems unnecessary if all they want to do is prevent computers from seeing each other.
 
Mar 1, 2022
All I want is for computers on the 1st router (192.168.1.xxx) not to be able to print to printers on the 3rd router (192.168.100.xxx), and vice versa.
 
This all depends on how simplistic you want to look at this. If you always use only the names of the printers then just having the second router blocks it. This is security for dummies though. A smart person can still print from the 192.168.100.x network to a printer on 192.168.1.x.

From your original question though, traffic cannot go from the 192.168.1.x network to the 192.168.100.x network so your solution will work. It is the "vice versa" that changes this.

There are a couple of threads on similar topics in the last couple of days so I get confused as to what response I put on each. To completely prevent traffic in both directions you need to put in firewall rules in the second router saying no traffic can go from 192.168.100.x to 192.168.1.x. You can put in a rule for the reverse but the NAT already prevents that.
 
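The firewall rule described in the solution above, written out as an nftables ruleset (an added example, not part of the original thread). It assumes the router handing out 192.168.100.x runs Linux firmware with nftables, that router 1 sits at 192.168.1.1 and answers DNS, and the table name `lan_isolation` is made up for this example.

```nftables
# Added example: load on the router that NATs 192.168.100.0/24 with `nft -f <file>`.
# Assumptions: nftables-capable Linux firmware; router 1 (gateway/DNS) is 192.168.1.1.
table ip lan_isolation {
    chain forward {
        # Runs before the firmware's own forward chain (priority 0). A reject
        # verdict here is final; an accept only ends this chain, so the
        # firmware's existing rules still apply to everything else.
        type filter hook forward priority -10; policy accept;

        # Keep DNS to router 1 working for clients that were handed
        # 192.168.1.1 as their resolver.
        ip saddr 192.168.100.0/24 ip daddr 192.168.1.1 udp dport 53 accept
        ip saddr 192.168.100.0/24 ip daddr 192.168.1.1 tcp dport 53 accept

        # Everything else from the inner LAN to the outer LAN is refused,
        # whether it is addressed by name or by IP (printing, file shares, ...).
        # Internet-bound traffic has a destination outside 192.168.1.0/24
        # and is not matched.
        ip saddr 192.168.100.0/24 ip daddr 192.168.1.0/24 counter reject with icmp type admin-prohibited
    }
}
```

`nft list table ip lan_isolation` shows the counter on the reject rule; a non-zero count means a device on 192.168.100.x tried to reach the 192.168.1.x network.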