Two routers on different subnets - will this configuration work?

Solution 1:

  1. Not really

  2. DNS right? If 192.168.2.2 is your internal DHCP (Windows AD DC, I'm assuming), then you'll configure that to push out whatever DNS server you want, the same PC, 192.168.2.2, if you're running DNS on it also.

  3. No. The stuff on the Verizon router is "on the internet" as far as the stuff behind the Netgear is concerned. The only incoming traffic allowed will be what you define in the Netgear, i.e. port forwarding.

  4. Yes

  5. PCs behind the Netgear will "just work". I'm a little confused. You want wireless clients to connect to the Verizon router, and you don't want them to have access to the LAN, right? Don't you want them to just get an address from the VZ router, and not from an internal DHCP server?

  6. Yes. If it's actually a WAP, it probably doesn't have a DHCP server, it's just like a switch but without the...wires. You can use a consumer wireless, turn off the DHCP server, and don't even bother with the WAN port.

The main thing is 5, about DHCP. You'd have to set up port forwarding to get DHCP to assign through the Netgear, but I don't think you want to do that. You just want them to get DHCP from the VZ router, right?

I hope this makes sense.

Solution 2:

This is a relatively common pattern. Let me try to answer your questions in order.

  1. At a high level your design makes sense. No big gotchas here as long as the WAN port and CPU on the Netgear router are fast enough to handle your traffic and the Verizon device supports static routing. I would set up the Netgear to do routing, not NAT, though.
  2. I would have DNS information fed by the DHCP server.
  3. For most firewall/router products out there the answer is no. You should be able to configure your Netgear device to allow or deny whatever traffic you want.
  4. By default, yes. This depends on your configuration. Most firewall/routers allow you to configure exactly what outbound traffic to allow as well as what to allow.
  5. You really want DHCP info for the guest net to come from the Verizon device or the Access Points not the internal network. The other way can be done but most small network firewall solutions do not relay DHCP from the internal net to the outside. I would set things up as follows:

    • Verizon router - Static route for 192.168.2.0/255.255.255.0 pointing to 192.168.1.250
    • Verizon router - DHCP on, DNS points to a public DNS server.
    • WAP devices - DHCP off - GOTCHA - some access points do not handle DHCP relay properly. In that case you need to turn DHCP on with the gateway pointing at 192.168.1.1 and DNS pointing at a public server or the Verizon firewall.
    • Netgear router - DHCP off, NAT off, additional rules as needed.
    • Netgear router - Default gateway 192.168.1.1.
    • LAN nothing special here.
    • Server handles DNS and DHCP for the LAN. Set up DNS forwarding to use a public DNS server for internet sites.
    • Workstations get network setup information (address, gateway, netmask, DNS, time, etc) from DHCP.
  6. Normally the answer is yes, but some access points do not handle DHCP relay very well. Always test your new access points with multiple simultaneous connections before putting them into service.

The other common pattern is a three-armed network where one firewall connects to both the guest and the internal network.
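An added example, not from any of the posts above, that models the route tables in the list with Python's ipaddress module. It assumes a Netgear LAN address of 192.168.2.1 and a LAN host at 192.168.2.10 (neither is given in the thread) and shows two things: with NAT off on the Netgear, replies from the Verizon side only reach the LAN while the static route exists, and the Verizon side can route into the LAN, so the Netgear's own rules are the only control on guest-to-LAN traffic.

```python
import ipaddress

# Constructed route tables modelled on Solution 2's layout. Assumed addresses:
# Netgear LAN side 192.168.2.1, LAN host 192.168.2.10 (not stated in the thread).
ROUTERS = {
    "verizon": {
        "ifaces": ["192.168.1.1/24"],
        "routes": [("192.168.2.0/24", "192.168.1.250"), ("0.0.0.0/0", "internet")],
    },
    "netgear": {
        "ifaces": ["192.168.1.250/24", "192.168.2.1/24"],
        "routes": [("0.0.0.0/0", "192.168.1.1")],
    },
}
# Which router owns each gateway address the tables point at.
OWNER = {"192.168.1.1": "verizon", "192.168.1.250": "netgear", "192.168.2.1": "netgear"}


def next_hop(router, dst):
    """Longest-prefix match over connected networks and static/default routes."""
    dst = ipaddress.ip_address(dst)
    best = None
    candidates = [(ipaddress.ip_interface(i).network, "connected") for i in ROUTERS[router]["ifaces"]]
    candidates += [(ipaddress.ip_network(p), gw) for p, gw in ROUTERS[router]["routes"]]
    for net, gw in candidates:
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, gw)
    return None if best is None else best[1]


def trace(first_router, dst, max_hops=5):
    """Follow next hops router by router until the destination is directly connected."""
    path, router = [first_router], first_router
    for _ in range(max_hops):
        hop = next_hop(router, dst)
        if hop in ("connected", "internet"):
            return path + [hop]
        router = OWNER[hop]
        path.append(router)
    return path + ["loop"]


def reply_path_to_lan(static_route_present):
    """Path of a reply from the Verizon router to LAN host 192.168.2.10 with NAT off on the Netgear."""
    saved = ROUTERS["verizon"]["routes"]
    if not static_route_present:
        ROUTERS["verizon"]["routes"] = [r for r in saved if r[0] != "192.168.2.0/24"]
    try:
        return trace("verizon", "192.168.2.10")
    finally:
        ROUTERS["verizon"]["routes"] = saved
```

Without the static route the reply leaves for the internet and the LAN host never sees it; with it, a guest client's packet to 192.168.2.2 is also routed to the Netgear, which must drop it by its own rule.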

Solution 3:

prestomation, thanks so much for the reply. I'm glad you think it should work with this setup. To answer your questions:

2. DNS right? If 192.168.2.2 is your internal DHCP (Windows AD DC, I'm assuming), then you'll configure that to push out whatever DNS server you want, the same PC, 192.168.2.2, if you're running DNS on it also.

Yes, 192.168.2.2 would be the Windows SBS 2008 running DHCP and DNS. So on the LAN workstations, I'd just set them up to get IP and DNS servers automatically and they should be able to find the DHCP on the SBS server and pull the info without a problem? Or do I need to set the DNS server on the LAN computers with the SBS server IP?

3. No. The stuff on the Verizon router is "on the internet" as far as the stuff behind the Netgear is concerned. The only incoming traffic allowed will be what you define in the Netgear, i.e. port forwarding.

OK. So speaking of port forwarding, with this setup would I need to specify each rule on both routers? i.e. to open http to the server, I'd need to forward port 80 from the VZ router to the Netgear router (192.168.1.250) and then on the Netgear router forward port 80 to the server (192.168.2.2)?

5. PCs behind the Netgear will "just work". I'm a little confused. You want wireless clients to connect to the Verizon router, and you don't want them to have access to the LAN, right? Don't you want them to just get an address from the VZ router, and not from an internal DHCP server?

My mistake, you're right. The wireless clients should pull IP info from the VZ router, not from the SBS server on the LAN. So it would be the same setup on the wireless computers... just automatic IP and DNS, and it will pull it from the Verizon DHCP since that's the only one it sees?

6. Yes. If it's actually a WAP, it probably doesn't have a DHCP server; it's just like a switch but without the... wires. You can use a consumer wireless, turn off the DHCP server, and don't even bother with the WAN port.

The WAP is a Netgear WG302; it actually does have a DHCP server. So if I just disable that DHCP, then wireless clients with auto IP assignment should pass right through and pull an IP from the VZ router without any relay or static routes or any of that mess?