Isolating one group of computers

By Odyssey · 15 replies
Aug 9, 2009
  1. I have a fibre optic DSL connection and several computers on a home network. My wife is not interested in learning how not to avoid malware and principally uses a WXP Home computer, but she also does banking on her Apple Mac Mini. I would like to isolate the Mac Mini and my linux computer from the wired/wifi network that we now use. (BTW we are out in the countryside and the WiFi is unlikely to be problematic).

    I was thinking about putting a D-Link DI-604 router behind one of the wired ports on the existing Zyxel P330W v2 wifi router. The idea is that wife, kids, and guests can browse, hopefully not getting infected, but in any case 'isolated' (?) from the D-Link network behind.

    I can imagine the possibility of a sniffer getting installed on the Zyxel network which might then be able to monitor traffic from/to the D-Link network as it passes through the Zyxel. Would such a sniffer be able to monitor the Zyxel traffic or is the latter encrypted or otherwise unsniffable as it leaves the D-Link and passes through the Zyxel?

    Alternatively, is there a way for the two routers to sit side by side and somehow share the DSL connection without being reachable by the other, say if a switch sat in front of the routers (don't know if a switch will divide traffic in this way or not).

    So, are either of these a good approach and if not, why? TIA
  2. jobeard

    jobeard TS Ambassador Posts: 11,173   +989

    So the isolation is to protect you from possible infections from her? The Mac has
    a firewall too and there aren't too many direct attacks on Macs --
    but yes you can isolate it from the others
    so it would look like
    modem--Zyxel (x.y.1.1)--- wired systems
             +--- (x.y.1.2) DI-604 (x.y.2.1) .... WiFi connections @ x.y.2.*
    Yes a sniffer on the Zyxel will see ALL traffic as it is the highest level router but only see the tcp header info, not the payload of every packet due to encryption
    The secret is the Default Gateway. Unless there is a specific route to force
    output to a specific subnet, all traffic flows upward thru the Default Gateway.
    The Zyxel attached systems will flow ONLY up to the ISP.
    The DI-604 attached devices will flow Up to the Zyxel. Any software attempting
    to 'probe for other systems' could discover systems attached to it but not see them
    as easily as looking for File Shares (which is the only access that could be acquired anyway).

    If you FLIP the positions of the router, eg Modem--Di-604--Zyxel, then the WiFi system would never reach the Zyxel systems.
    just fine :)
  3. Odyssey

    Odyssey TS Rookie Topic Starter Posts: 23

    Very helpful although I see I have confused things.

    The Zyxel is the Wi-Fi, so it would handle guests (wireless), kids (wired and wireless) and wife (who is always wired). I will refer to this as the insecure network because of possible user behaviour.

    The D-link is wired only, and because of its age, I should ask if it needs replacing with a later router that might have better built-in security?

    For clarification, I have fibre optic to my home and the incoming terminates on an exterior wall where a converter box (modem/gateway type device) which converts the optical signal to a digital signal, is installed. The digital line then comes into the house like a phone line. So I do not have a modem per se inside the house but rather now plug my router directly into a RJ45 female socket in the interior wall.

    I'm unsure if I understand your guidance on use of a switch. Depending on how separate communications streams on different ports are from each other, an ideal solution for me (because I already have all three pieces of kit) is a switch plugged into the wall, with the two routers plugged into it. My linux computer and her Mac will sit behind the (wired-only) D-Link, and I think I can train her to simply unplug the insecure network router from the switch when she is doing online banking.

    What comments on this plan please.
  4. jobeard

    jobeard TS Ambassador Posts: 11,173   +989

    more likely I did :) got it now
    That's your modem+router :)
    yes that would work but only if your modem+router has DHCP and would assign a unique IP address to each. You'll find out quick enough like this
    1) connect the switch to the wall plate
    2) connect the wired router to a switch port and one running system to the router;
    test should give timing data using
    get a command prompt (run-cmd) and enter
    3) now connect the other router to the switch (you don't need a system attached to it just yet)

    Repeat the test in (2); should give same results. *IF* NOT, enter ipconfig /all
    and it's likely that you have no ip address assigned -- due to IP Address Conflict.
    This says the modem+router has no DHCP and therefore you can not use the switch as the first device connected to the wall plate :(

    You can but that is overkill :)

    show her the WAN side connection to the WiFi router and disconnect it (which is still overkill)

    Back to Encryption:
    The WiFi router can be configured with {wep,wpa,wpa2} encryption -- the D-link wired has NONE! Therefore, the online banking relies upon https (SSL) to encrypt the data packets.

    Let's investigate the ISP connection. Connect any system (with a firewall active)
    directly to the wall plate. Test using (2) above to be sure you're connected.

    Then use ipconfig /all >mytcp.txt and follow-up by attaching mytcp.txt

    That will tell us your exposure to a sniffer upstream from your wall plate.
  5. Odyssey

    Odyssey TS Rookie Topic Starter Posts: 23

    Wow! What a fabulous reply. Here is the ipconfig output:

    C:\Documents and Settings\Administrator>ipconfig /all

    Windows 2000 IP Configuration

    Host Name . . . . . . . . . . . . : ROBERT
    Primary DNS Suffix . . . . . . . :
    Node Type . . . . . . . . . . . . : Mixed
    IP Routing Enabled. . . . . . . . : Yes
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . :

    Ethernet adapter Local Area Connection 3:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : KTI ET32/Px Series PCI Ethernet Adap
    Physical Address. . . . . . . . . : : xx-xx-xx-xx-xx-xx
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IP Address. . . . . . . . . . . . :
    Subnet Mask . . . . . . . . . . . :
    Default Gateway . . . . . . . . . :
    DHCP Server . . . . . . . . . . . :
    DNS Servers . . . . . . . . . . . :
    Lease Obtained. . . . . . . . . . : Sunday, August 09, 2009 3:35:30 AM
    Lease Expires . . . . . . . . . . : Sunday, August 16, 2009 3:35:30 AM

    C:\Documents and Settings\Administrator>

    While you are digesting that, I will re-read yours yet again to try to get all that I can, given my limited expertise. What can I do next?
  6. jobeard

    jobeard TS Ambassador Posts: 11,173   +989

    I assume this is the system directly connected to the wall plate
    hmm; the ISP router is at
    and your system is on the same subnet 192.168.0.*

    This means you have no NAT isolation from any of the other 253 systems attached to

    Normally we get a public address like assigned to our first device
    and the NAT creates lan addresses like 192.168.0.* and DHCP gives us the ISP gateway like; Any attempt to make a direct attack *must* be able to perform Nat Traversal, which is not trivial.

    With your IP on the same subnet as the gateway, Nat Traversal is not required
    and your Sole protection to a direct attack is your Firewall

    Online Banking:
    The SSL Encryption is end-to-end, ie: the bank website to your wife's Macintosh.
    A sniffer on the 192.168.0.* subnet
    • will see every url accessed
    • will see every email sent
    • will not see SSL Encrypted data sent to the bank

    btw: your PC and Linux systems are equally exposed. Your big issue is to be sure
    that anytime you enter a password (eg email login) that the connection uses
    TLS or SSL
  7. Odyssey

    Odyssey TS Rookie Topic Starter Posts: 23

    I was assuming that the ip # is that of the converter box (on the outside wall of my home). If I run, I get an ip address beginning with a 2 digit number which I have assumed is that of my ISP. Am I off base here?

    BTW, for the switch test, I got a normal ping response from the first router, but when I substituted the second router, I got:

    unknown host

    There are lots of cables dangling around here and I think I had it wired right for the second, but if it doesn't sound right, I can try it again.
  8. Odyssey

    Odyssey TS Rookie Topic Starter Posts: 23

    jobeard, just tried to pm you but I am a few posts shy of the 45 needed to be able to pm. If you can pm me, please send an email address to which I can send you the results of an ifconfig from my linux computer. (Too much info for a public post) Thanks.
  9. Odyssey

    Odyssey TS Rookie Topic Starter Posts: 23

    I now realize that I was confused about your post. From memory, (notoriously unreliable) every time I run ipconfig at the office, the ip address shown is always a private address, just as in my computer at home, but the dns server (and maybe the DHCP server?) is a non-private address. In my mind, I "transposed" the ip address reference given in your comments with "dns server".

    The dns server address in the previous post was "DNS Servers . . . :" and this is a private address. So what I want to understand is why in this instance is a private address showing up as the dns server address?

    Thanks for any clarification.
  10. jobeard

    jobeard TS Ambassador Posts: 11,173   +989

    No that is what I really expected to see from the ipconfig,
    so now I'm confused as to how you're wired :confused:

    For a DSL Connection, we get a phone line (at the wall plate) --> (ip)modem+router
    For a Cable setup, we get Coax cable -> (ip)Modem -->Router
    In both cases, (ip) is a public address.

    Can you report the make/model of the box that connects directly to the cable coming from the wall please.

    What kind of connection is made at the wall plate (RJ45 Ethernet vs RJ323 phone cable)?

    Can you get me the first four lines from (run->cmd) and enter
  11. jobeard

    jobeard TS Ambassador Posts: 11,173   +989

    That's easy ... the gateway address and dns address is that of the router. Basically your system makes a DNS request (on port 53) to the router, which knows enough to forward it out to the ISP -- very common setup.
  12. Odyssey

    Odyssey TS Rookie Topic Starter Posts: 23

    The setup is as follows:

    Ethernet cable from wall plate (RJ45) to D-Link DI-604

    Ethernet cable from D-Link to Dell Powerconnect 3024 24 port switch

    Ethernet cable from switch to computer

    Here is tracert (with first two sets of number changed to protect the innocent):


    Tracing route to []
    over a maximum of 30 hops:

    1 <1 ms <1 ms <1 ms
    2 12 ms 8 ms 7 ms [97-9.196.2]
    3 7 ms 7 ms 7 ms [97-9.191.26]
    4 14 ms 15 ms 15 ms

    Hope this helps
  13. jobeard

    jobeard TS Ambassador Posts: 11,173   +989

    (1) is from your router and the ISP gateway should be at (2)-- a public address

    Now then, the issue is the input to the DI-604. Where and what is the device to which it is connected at the other end?? That has to be a modem/router and that makes me question #2 and #4 entries. Whoever has access to that device has
    control over your subnet.

    #4 is
  14. Odyssey

    Odyssey TS Rookie Topic Starter Posts: 23

    This is a fibre optics connection. Does that matter? The forward device on the other end of my D-link ethernet cable is the converter box on the outside wall of the house. I suppose it is roughly equivalent to a modem, but in this case it converts the optical signal to digital.

    You said #2 and 4 (verizon). Did you mean 2 and 3? This is my ISP of course, but what about the tracert return gives rise to alarm? Isn't this what we are supposed to see on a tracert, i.e., from the router to the ISP, and onward? I am surely missing something here.

    Or was the "alarm" caused by the ipconfig results which I guess I don't understand. I think I had just assumed that ipconfig showed only stuff in the private network and that another command, such as tracert is needed to see "outside".
  15. jobeard

    jobeard TS Ambassador Posts: 11,173   +989

    I have a good friend with FiOS and the connection comes into the home and connects
    to a F.O. modem+router.

    Let's assume that your F.O. modem+router are enclosed in a box outside the home.
    That becomes the equivalent of a Cable Modem setup and comments in post 6 above do not apply.
    (I have seen setups where the ISP did have multiple customers on the same subnet :bad idea: )

    >> Does that matter?
    Not in your case :)
    as you doctored the first two digits of the results for privacy, I could not verify who owned those IP addresses. #4 was verifiable.
    If the ISP address really was the 192.x.x.1, then the tracert would have shown a transition to a public IP. All systems on the 192.x.x.* subnet would have been an exposure to your security. That is now put to bed and NOT an issue :)
    you have that ALL correct.

    By connecting a system directly to the wall plate, I was attempting to discover what was on the network. Rather goofy that the address on that line ended in x.105, but that can be insignificant as yours appears to be.

    I think (& hope) we're done here.

    best wishes
  16. Odyssey

    Odyssey TS Rookie Topic Starter Posts: 23


    Many thanks for your tireless support here. It is much appreciated and has been extremely informative. My wheels turn slowly at my age, but I think I have had my horizons expanded.
Topic Status:
Not open for further replies.
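
The check discussed in posts 13 and 15 (hop 1 is your own router, and the path should turn public at hop 2) can be automated against saved `tracert` output. This is an added example, not part of the original thread; the function names are hypothetical and the two traces are constructed samples using documentation addresses.

```python
import ipaddress
import re

# RFC 1918 ranges, listed explicitly: ipaddress.is_private would also flag
# the documentation addresses (203.0.113.0/24 etc.) used in the samples.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# A Windows tracert hop line: hop number, timings, then the address,
# optionally wrapped as "hostname [a.b.c.d]". Timed-out hops do not match.
HOP_RE = re.compile(r"^\s*(\d+)\s+.*?(\d{1,3}(?:\.\d{1,3}){3})\]?\s*$")

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def parse_hops(tracert_text):
    """Return [(hop_number, address)] for every hop that answered."""
    return [(int(m.group(1)), m.group(2))
            for m in map(HOP_RE.match, tracert_text.splitlines()) if m]

def upstream_private_hops(tracert_text):
    """Private hops after hop 1 and before the first public hop.

    An empty list means the path goes public directly after your router.
    Anything else means more private address space sits upstream of it.
    """
    found = []
    for num, addr in parse_hops(tracert_text):
        if not is_rfc1918(addr):
            break
        if num > 1:
            found.append((num, addr))
    return found

# Constructed samples (not the poster's real trace).
DIRECT = """Tracing route to example.org [198.51.100.7]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.0.1
  2    12 ms     8 ms     7 ms  gw.isp.example [203.0.113.1]
  3     *        *        *     Request timed out.
  4    14 ms    15 ms    15 ms  198.51.100.7
"""
NESTED = """  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     1 ms     1 ms     1 ms  192.168.0.1
  3    12 ms     8 ms     7 ms  203.0.113.1
"""

if __name__ == "__main__":
    for name, text in (("DIRECT", DIRECT), ("NESTED", NESTED)):
        print(name, upstream_private_hops(text) or "public at hop 2")
```

A non-empty result does not say who else is on that upstream private network, only that one exists and that the host firewall matters for anything plugged in above your own router.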
