Two NAT Routers

Associate | Joined 8 Nov 2005 | Posts 668
My SOHO network is growing, and I want to have two levels of security.

To do this, I want to use two NAT routers. One connected to broadband and a number of devices, such as a public FTP server and IP camera to face outwards to the internet. The second router connected to the first, which I will connect my workstations and other kit. Both routers to use NAT.

Does that make sense?

My question is, what do I use for the second router? Should I be using a cable router, that has a RG45 connection for the 'outside' world, and connect this to one of the ports of the first router? Any suggestions on which router model I should use?

I'm a little confused, and any help will be appreciated.

Many thanks,

Michael
 
You're hardly gaining any security for the world of extra hassle, but ho hum.

michael baxter said:
My questions is, what do I use for the second router? Should I be using a cable router, that has a RG45 connection for the 'outside' world and connect this to one of the ports of the first router?

Yup, though it's an RJ45.
 
My intention is to protect the workstations from what is essentially a DMZ area of the first router. There are other Windows PCs in the DMZ area as well.

Do you mean the security risks of having my workstations in the DMZ is not significant?

Obviously, I don't want to set this up if there is no real benefit.

Thanks for the reply.
 
michael baxter said:
Do you mean the security risks of having my workstations in the DMZ is not significant?

In a home user environment, it's not worth the hassle. Maybe in a corporate environment (where you'd want to segment servers from workstations) or if you were giving out public IPs (and wanted to conserve address space).

You'd either have to punch holes in the firewall or file sharing between the Windows machines would break too.
 
Anyone know how well double NATing works? May cause a couple of problems in this setup?

Also, why not just plug an extra switch into the first router (if you need extra capacity) and set up the DMZ for your public-facing stuff on just the first router?
 
Double NAT is never recommended. In my experience it's a whole load of hassle when you're using VPNs or even accessing some SSL sites. Too much hassle and no real point either.
 
Save yourself the hassle. Install software firewalls on each host and lock it down as you would have with the DMZ setup. Sure, each device will still live on the same subnet, but you will be pretty secure like this.
Or do it properly and buy a multi-interface firewall... expensive. There are always the Linux-based freebies, though, but I would recommend just installing software firewalls on each host.
 
Just buy a decent firewall.
One that lets you specify different security zones,
then you can create a zone for the DMZ and a zone for your internal LAN.

You'll then have different access rules to set up,

LAN/WAN
DMZ/WAN
LAN/DMZ
and vice versa.

Setting up two sets of NAT policies is just overkill.
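As an added illustration of the zone-based rules this post describes (not code from the thread or from any product mentioned in it), here is a three-zone nftables ruleset for a Linux box with three NICs, the same green/orange/red layout the IPCop and Smoothwall posts below refer to. The interface names, subnets and the two DMZ host addresses are assumptions; adjust them to your own kit. The script only prints the ruleset unless you run it with `apply` as root.

```shell
#!/bin/sh
# Added example, not from the original thread. Three-zone firewall for a
# Linux box with three NICs: WAN (red), LAN (green), DMZ (orange).
# All interface names and addresses below are assumptions for illustration.
WAN=eth0                 # red: broadband
LAN=eth1                 # green: workstations, 192.168.10.0/24
DMZ=eth2                 # orange: public FTP server + IP camera, 192.168.20.0/24
FTP_SRV=192.168.20.10    # assumed DMZ FTP server
CAMERA=192.168.20.11     # assumed DMZ IP camera (web UI on port 80)

# Prints the ruleset; feed it to `nft -f -` to load it.
ruleset() {
cat <<EOF
flush ruleset
table inet fw {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif lo accept
    # DNS/DHCP from both inside zones to the firewall itself
    iifname { "$LAN", "$DMZ" } udp dport { 53, 67 } accept
    # manage the firewall only from the LAN
    iifname "$LAN" tcp dport 22 accept
    icmp type echo-request limit rate 5/second accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    # LAN -> WAN: anything out
    iifname "$LAN" oifname "$WAN" accept
    # LAN -> DMZ: only the services you actually use
    iifname "$LAN" oifname "$DMZ" ip daddr $FTP_SRV tcp dport { 21, 22 } accept
    iifname "$LAN" oifname "$DMZ" ip daddr $CAMERA tcp dport 80 accept
    # DMZ -> LAN: never; this is the whole point of the second zone
    iifname "$DMZ" oifname "$LAN" drop
    # DMZ -> WAN: let the DMZ boxes fetch updates
    iifname "$DMZ" oifname "$WAN" accept
    # WAN -> DMZ: only connections the DNAT rules below have rewritten
    iifname "$WAN" oifname "$DMZ" ct status dnat accept
  }
}
table ip nat {
  chain prerouting {
    type nat hook prerouting priority -100;
    iifname "$WAN" tcp dport 21 dnat to $FTP_SRV
    iifname "$WAN" tcp dport 8080 dnat to $CAMERA:80
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    oifname "$WAN" masquerade
  }
}
EOF
}

case "${1:-}" in
  apply) ruleset | nft -f - ;;        # load it (needs root and nftables)
  check) ruleset | nft -c -f - ;;     # syntax-check without loading
  *)     ruleset ;;                    # default: just print it
esac
```

Note the one-way rule in the forward chain: the LAN may open the handful of DMZ ports it needs, but nothing originating in the DMZ can reach the LAN, so a compromised camera or FTP box stays on its own side. Active-mode FTP through the DNAT rule additionally needs the `ftp` conntrack helper (`nf_conntrack_ftp`) loaded, or clients must use passive mode with a forwarded passive port range.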
 
Thanks everyone! I feel I have been saved a great deal of trouble, I'll go with software firewalls for each PC, which is what I have already! Although, I may need to tweak the rules!

However, if I did go for a hardware firewall, any recommendations on model? I'm guessing these are several hundred quid?

With appreciation,

Michael
 
Install a software firewall like IPCop; it supports everything you are trying to do. All you need is an old PC kicking around with a few network cards in it.

You'll be able to put your DMZ (orange zone) on a different subnet to the Secure Zone (green).

I use IPCop myself but don't have a DMZ, but a wireless zone instead.

If ya wanna know more then hit up Google, not sure if posting the link would break any kind of rules.

p.s. It's Linux-based and free.
 
Rich said:
There is also smoothwall if you want to go down this route.

Gets my vote. We used it in our uni house and it proved very stable as well... even with 5 people using BT almost constantly :)

Does need a spare machine with 3 nics though.
 
If you want guaranteed SOHO security with modern features and upgradeability, why not invest in a Cisco 800 series router and just apply some ACLs? It'll be a powerful bit of kit providing you set the ACLs right :)
 
He would need to spend quite a bit. An 877 with the Advanced IP Services IOS so that he could run multiple VLANs. Retail is probably about £500.
 
Rich said:
He would need to spend quite a bit. An 877 with the Advanced IP Services IOS so that he could run multiple VLANs. Retail is probably about £500.

Can't he get a lower model, and a Catalyst switch, and create VLANs from there? Will that be cheaper?
 
If he wants to go to eBay and get them, yes he could. It would need to be quite old kit though. Might get a 2950 for £150-200, then a 2600 maybe. Still looking at £300 give or take, all to achieve the same end goal as a few software firewalls. Anything more than this is overkill imho.
 
Well, Cisco 837s seem to go for around £100 these days on eBay. With the right IOS one of the LAN ports can be 'separated' from the other three and used as a proper DMZ port. This will achieve the required results.
 
If you want to do things properly, scrap the NAT-based approach and buy yourself a good hardware firewall with multiple DMZ interfaces.

Cisco is the first choice, but if you're not a command-line fan, SonicWall and WatchGuard have equally good GUI alternatives.
 
m_cozzy said:
Well, Cisco 837s seem to go for around £100 these days on eBay. With the right IOS one of the LAN ports can be 'separated' from the other three and used as a proper DMZ port. This will achieve the required results.

Tis a fair point!
 