Sitting a Server on a different subnet to the router

Associate
Joined
19 Jun 2003
Posts
1,680
Location
West Yorks, UK
Hi all,
Quick one. I have a Netgear DG834G that has an IP address of 192.168.8.1. All other PCs on the network use 192.168.8.x addresses. Is it possible for me to stick a server on the network with a 192.168.16.x address, for example, to separate it out from the other PCs? The idea being, if one PC is hacked, the server cannot be seen. Consequently, the server cannot see other networked machines.

Cheers,
Matt

PS. Sorry if this is a dumb question!
 
Associate
Joined
31 Aug 2004
Posts
617
How do you intend to do this? If you put it on a separate physical network and use one system as a router between the two subnets, then once a hacker is in one system, he can find the router and eventually, the server. Since you want all your PCs to have access to the server, the server will have to be visible on the network.
 
Associate
OP
Joined
19 Jun 2003
Posts
1,680
Location
West Yorks, UK
Perhaps I should explain a bit more. I have a Windows SBS 2003 server with a bunch of PCs running XP etc. I then have a Linux server that I want to keep completely separate - there is to be no interaction between them whatsoever, and I need to keep the Linux machine as safe as possible, hence my thinking of putting it on a different subnet.

I don't know all that much about networks though, so I may be grasping at straws.

Matt
 
Soldato
Joined
18 Oct 2002
Posts
7,139
Location
Ironing
Ok, your router is routing between the internet (one big network) and the network 192.168.8.0. I don't know about that particular model, but a lot of ADSL routers will only know about the WAN and then just one LAN. However, that said, a lot of routers can route to two different LANs. How you do it depends on what your aims are and how much money you have.

If you have a router that can route to two separate networks, then it is cheap just to put the linux box on a different network and not route between the two lans. That way, they won't be able to see each other but should be able to see the network. As has been said, that's not much use if your router is compromised. Other single-router methods involve using a combination of VLANs and multiple networks to give security. If you're not bothered about security and just want network efficiency, VLANs + separate networks is a good idea. If you want security, you might have to go a bit further.

However, the only way to keep them completely separate is to get another phone line installed and buy another router + adsl line. You can guarantee separation within your control then. However, you have to weigh up the cost vs the risk of doing this and decide if it's worthwhile.
 
Associate
OP
Joined
19 Jun 2003
Posts
1,680
Location
West Yorks, UK
growse said:
However, the only way to keep them completely separate is to get another phone line installed and buy another router + adsl line. You can guarantee separation within your control then. However, you have to weigh up the cost vs the risk of doing this and decide if it's worthwhile.

Growse - thanks for that. Judging by the above, I was being a bit naive ;) The Netgear is a relatively basic model so probably won't be able to route 2 different LANs. I don't think another ADSL line is worth it to be honest - I'll just try and secure the network as best I can.

Thanks again,
Matt
 
Associate
Joined
28 May 2003
Posts
1,847
just as a suggestion... if you have an old pc lying around (or you can pick a nice sff one up for less than £30 off the bay) then one of the linux firewall distributions will do exactly what you want.

you could then either just replace the netgear, or you could add the linux firewall distribution to the netgear and secure your other linux box behind that.

the nice thing is that you can also run the firewall distributions headless, without a keyboard or mouse, off a cf card (using a cf > ide converter) etc so they are very quiet and use very little power.

best of all you need very little actual linux experience to set one up, and the documentation is very good - often explaining the basics of networking too, which by the sound of it would be beneficial to you.

hope this helps! :)
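
Added example, not part of any post in this thread: an nftables ruleset for the kind of Linux firewall box suggested above, giving both LANs Internet access while refusing to forward between them, as growse describes. The interface names (wan0, lan_pcs, lan_srv) and the use of 192.168.16.0/24 for the server side are assumptions; 192.168.8.0/24 is the PC network from the thread.

```nft
#!/usr/sbin/nft -f
# Assumed layout: three NICs on the firewall box.
#   wan0    -> uplink (ADSL modem/router)
#   lan_pcs -> existing PCs, 192.168.8.0/24
#   lan_srv -> isolated Linux server, 192.168.16.0/24 (assumed)
flush ruleset

define WAN     = "wan0"
define LAN_PCS = "lan_pcs"
define LAN_SRV = "lan_srv"
define NET_PCS = 192.168.8.0/24
define NET_SRV = 192.168.16.0/24

table inet filter {
    chain input {
        # Traffic addressed to the firewall itself. Default drop also stops
        # a host on one LAN reaching the firewall's address on the other.
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        # DNS and DHCP, only if the firewall provides them to the LANs
        iifname { $LAN_PCS, $LAN_SRV } udp dport { 53, 67 } accept
        iifname { $LAN_PCS, $LAN_SRV } tcp dport 53 accept
        # Administration from the PC LAN only (assumes SSH on port 22)
        iifname $LAN_PCS ip saddr $NET_PCS tcp dport 22 accept
    }

    chain forward {
        # Traffic passing through the firewall. Nothing is forwarded
        # unless a rule below allows it.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Anti-spoofing: each LAN may only use source addresses from its own subnet
        iifname $LAN_PCS ip saddr != $NET_PCS drop
        iifname $LAN_SRV ip saddr != $NET_SRV drop
        # LAN-to-LAN is refused in both directions and logged for review
        iifname $LAN_PCS oifname $LAN_SRV log prefix "pcs->srv drop: " drop
        iifname $LAN_SRV oifname $LAN_PCS log prefix "srv->pcs drop: " drop
        # Both LANs may open connections out to the Internet
        iifname { $LAN_PCS, $LAN_SRV } oifname $WAN accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN masquerade
    }
}
```

The isolation depends on the two LANs being on separate physical ports or VLANs of the firewall; as noted earlier in the thread, it holds only as long as the firewall itself is not compromised.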
 
Associate
Joined
18 Oct 2002
Posts
1,710
Location
T'internet
The Netgear won't do it but several of the Draytek ADSL routers have VLAN functionality which means you can have several different subnets attached to the router and you can decide which subnets can/can't talk to each other.

I have the Draytek 2800G and this has that capability
 