Separating networks
Bill Mullen
moon at lunarhub.com
Fri Oct 20 06:38:52 EDT 2006
On Thu, 19 Oct 2006 20:47:28 -0400, Steven C. Peterson wrote:
> I currently use a Linux box running Clark Connect to run my network;
> this box supplies a modified Linksys WRT54G to provide my wireless
> services. That said, most of my devices run on the wireless; the WRT54G
> pulls DHCP provided by the Linux box. I am unaware of what software
> Clark Connect uses to run the DHCP server.
>
> My question is: along with my devices and my roommates' devices, I have
> some other people who pay me to provide internet to them (we co-op
> into a pair of bonded T1 lines). I would like to separate my network
> from everybody else's (i.e. I do not want them to see my printers
> and shared folders, nor do I want to see theirs).
>
> Any suggestions other than putting another router in place?
A second router would certainly be the easiest and most secure way to
accomplish this, of course. If I were you, I'd at least seriously
consider it.
I know nothing about ClarkConnect beyond what can be gleaned from a
quick glance at the website; I gather that it is a firewall distro of
some sort, along the lines of IPCop or SmoothWall? If you have root
access to it, some tweaking of the config file for the DHCP daemon
(which is probably dhcpd, so the file is probably "/etc/dhcpd.conf")
should allow you to assign your devices to a different subnet than the
default one used by the other users, based on their individual MAC
addresses, and to have it also hand out sufficiently restrictive
netmasks to all clients that the two subnets would remain *somewhat*
invisible to one another - this is bypassed ridiculously easily by
anyone who gives their own system(s) a static IP and netmask, however.
For example, if the subnet in use at the moment is 192.168.0.x and the
netmask is 255.255.255.0, then you'd tell dhcpd to continue to assign
addresses in that range to clients whose MAC addresses it does not
recognize, and to give them the 255.255.255.0 netmask. You'd then
tell it to assign specific IP addresses to each of your devices, which
it knows based on their MAC addresses, that are found somewhere in the
192.168.1.x range, giving those systems a netmask of 255.255.255.0 as
well. Lastly, you'd change the netmask in use both on the firewall
box's LAN-facing interface and on the router to be 255.255.254.0, so
that they can both "see" whatever is on each of the two subnets.
As I say, this is trivially easy to bypass, but if you can be fairly
confident that the other users are unlikely to try to do so and can be
expected to just accept whatever DHCP gives them, then this gives you
at least some separation. I'd recommend a couple of iptables rules on
your own boxes to drop any packets to and from the other subnet, as
well; just remember that they can easily give themselves a 192.168.1.x
address if they want, and that any decent sniffer app will tell them
about the existence of the second subnet in short order. You may also
have to hack the init script for the Linux box's LAN interface to have
it give itself an alias address on the 192.168.1.x network, and to tell
dhcpd to give that address out to your systems (only) as their gateway
address, or your devices may not be able to find it after the changes.
Really though, for the price of a second router and another NIC for the
Linux box, you'd be much better off, IMHO. Any decent firewall distro
can keep two internal subnets completely and securely separate; I would
expect ClarkConnect to be no different from the rest in this regard. If
for some reason you can't add another NIC to the firewall box, even just
a second router daisy-chained to the first one and operating in NATed
mode (and using its own internal DHCP server) would be a big improvement
over this sort of security-by-obscurity scheme, I'd say.
HTH!
--
Bill Mullen
RLU #270075
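The dhcpd.conf layout Bill describes above, written out as an added, constructed example for ISC dhcpd (not taken from the thread or from ClarkConnect): both /24s share one wire, unknown MACs stay in 192.168.0.x, and hosts pinned by MAC get fixed 192.168.1.x addresses with the firewall's alias as their gateway. The MAC addresses, host names and the 192.168.x.1 gateway addresses are placeholders; as the post says, nothing here stops a client that sets its own static address and netmask.

```conf
# Constructed example dhcpd.conf for the two-subnet scheme in the post.
# Both ranges sit on the same physical LAN, so they go in one shared-network;
# dhcpd then chooses the subnet (and its options) from the address it hands out.
shared-network lan {

    # Everyone else: clients with no host{} entry below stay in 192.168.0.x
    # and get the /24 mask, so 192.168.1.x is outside their view of the network.
    subnet 192.168.0.0 netmask 255.255.255.0 {
        option subnet-mask 255.255.255.0;
        option routers 192.168.0.1;          # firewall's primary LAN address (placeholder)
        pool {
            deny known-clients;              # your own devices never land in this pool
            range 192.168.0.100 192.168.0.200;
        }
    }

    # Your devices only: no dynamic range here, every address is fixed below.
    subnet 192.168.1.0 netmask 255.255.255.0 {
        option subnet-mask 255.255.255.0;
        option routers 192.168.1.1;          # alias address added to the firewall's LAN interface
    }
}

# Your own devices, recognised by MAC address (placeholder MACs and names).
# The options are repeated here so they apply even if dhcpd scopes the
# host differently than expected.
host my-laptop {
    hardware ethernet 00:11:22:33:44:55;
    fixed-address 192.168.1.10;
    option subnet-mask 255.255.255.0;
    option routers 192.168.1.1;
}

host my-printer {
    hardware ethernet 00:11:22:33:44:66;
    fixed-address 192.168.1.20;
    option subnet-mask 255.255.255.0;
    option routers 192.168.1.1;
}
```

The firewall's LAN interface itself still needs the 255.255.254.0 mask and the 192.168.1.1 alias from the post so that it can reach, and route for, both ranges.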