Hi,
Subnet A is the network to the internet and the WLAN. Subnet B is the network secured by eBlocker. I have limited the end devices to those most necessary for the question.
Subnet A 192.168.30.n
RouterA IP 192.168.30.30
RouterB 192.168.30.50
Notebook 192.168.30.80 / Gateway 192.168.30.30
Route 192.168.100.0 - 192.168.30.50
Subnet B 192.168.100.n
RouterB IP 192.168.100.100
eBlocker 192.168.100.20 / Gateway 192.168.100.100
NAS 192.168.100.70 / Gateway 192.168.100.20
The NAS (http-site) cannot be accessed from the notebook, although ping and tracert are successful.
If the NAS is deactivated in the eBlocker, this does not change anything; only if the gateway is set to 192.168.100.100 (bypassing the eBlocker) does the access work.
Is the access behavior correct?
Is the access behavior correct?
Unfortunately, I'm not sure what you are trying to achieve with the segmentation. Maybe you can share your aim more in detail. What's the purpose of network B at all?
Nevertheless, to route between two non-routable (private) IP address ranges (to couple the networks), both routers need to be set up with static routes in both directions to work. But this is kind of an awkward setup. 🤔 BTW: I'd wonder if the notebook could reach the NAS, as this would be counter to the idea of private networks.
I'd rather cascade the routers like Internet<->Router A<->Router B. This forms an "inner" network B without revealing the inner devices to Router A (the Internet/provider router). But of course this depends on your aim.
Anyway, I'm happy to point you in the right direction once I understand your required application better.
An additional remark: it's usually not recommended to have a NAS covered by eBlocker as a NAS is normally not contacting any trackers or ad-networks and VPN/Tor for a NAS wouldn't be helpful either.
THX!
@random
thank you very much for your answer.
I also do not want to create unnecessary effort for my request - especially since the eBlocker dutifully does its job, as it should be.
Gladly, but still a few additions.
Subnet B is the private home network, with all normal devices.
In subnet A the devices (if needed) for the HomeOffice are managed, because they should run separately from the private home network - like a free guest network.
So far so good. The NAS should be a simplified example here.
In the real use case, only from time to time should the home automation server (light or heating) in subnet B be reached with the company notebook from subnet A. So more a convenience than absolutely necessary.
A route subnet A to subnet B is entered (see above), so I have to see how I enter the return path.
I was only surprised about the different behavior during the deactivation in eBlocker and after the change of the gateway in the device of subnet B.
Addition:
I'd rather cascade the routers like Internet<->Router A<->Router B. This forms an "inner" network B without revealing the inner devices to Router A (the Internet/provider router).
I think that's how I set it up. Router A is also the access to the Internet provider.
With the setup @random discussed, it's the idea that devices in B can access devices in A - but not the opposite. So in your case the notebook in A would never get access to the NAS in B by design of network topology!
What you rather did (if you got the routing right) is coupling the two networks (letting the traffic also flow from A->B). Hence the desired security separation is not taking place. It's just two different private IP ranges that can access each other.
From my view such a setup only makes sense, if you are joining two private networks from two companies that have merged for getting access to each other.
The NAS (http-site) can not be accessed from the notebook, although ping and tracert are successful.
Ping (= ICMP packets) is usually always successful, as router B will normally answer the ping for all devices in its network (unless explicitly configured otherwise).
Traceroute (= uses UDP packets) might be routed if you set a static route for UDP A->B, but HTTP (= TCP) needs to be routed explicitly as well.
Nevertheless, eBlocker acts as an HTTP/HTTPS proxy to all clients that are set to use eBlocker as gateway. The nature of a proxy is that it's a one-way route, passing outbound requests to the Internet. All clients using the proxy can access all devices behind the gateway using HTTP/HTTPS, but not the other way around.
Is the access behavior correct?
To make a long story short: Yes, eBlocker does what it's supposed to do: being a proxy.
But I fear your network setup is rather "unconventional" and you might want to rethink your topology strategy if enhancing the security is your core idea. I have worked as a security consultant for many years and felt like joining the discussion with my background.
Hope this helps. 👍
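As an added illustration (not part of this thread and not eBlocker's own code), a small Python model of the forwarding tables listed at the top of the thread traces the notebook's request to the NAS and the NAS's reply for both gateway settings the poster tried. It assumes that the static route "192.168.100.0 - 192.168.30.50" lives on Router A, and it models eBlocker as a proxy host that does not forward routed packets, which is an assumption made to mirror the "one way" behaviour described above.

```python
import ipaddress

# Constructed model of the forwarding tables posted in this thread, not eBlocker's code.
# eBlocker is modelled as a non-forwarding proxy host (assumption for illustration).
HOSTS = {"192.168.30.80": "Notebook", "192.168.30.30": "RouterA",
         "192.168.30.50": "RouterB", "192.168.100.100": "RouterB",
         "192.168.100.20": "eBlocker", "192.168.100.70": "NAS"}

def build_nodes(nas_gateway):
    """Per node: (routing table of (prefix, next_hop), forwards?); None = on-link."""
    return {
        "Notebook": ([("192.168.30.0/24", None), ("0.0.0.0/0", "192.168.30.30")], False),
        "RouterA":  ([("192.168.30.0/24", None), ("192.168.100.0/24", "192.168.30.50"),
                      ("0.0.0.0/0", "internet")], True),
        "RouterB":  ([("192.168.30.0/24", None), ("192.168.100.0/24", None),
                      ("0.0.0.0/0", "192.168.30.30")], True),
        "eBlocker": ([("192.168.100.0/24", None), ("0.0.0.0/0", "192.168.100.100")], False),
        "NAS":      ([("192.168.100.0/24", None), ("0.0.0.0/0", nas_gateway)], False),
    }

def lookup(routes, dst):
    """Longest-prefix match: next-hop IP, None for on-link, or 'unreachable'."""
    best = None
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else "unreachable"

def trace(nodes, src, dst, max_hops=8):
    """Follow one packet hop by hop; a non-forwarding node that is not dst drops it."""
    path, cur = [HOSTS[src]], HOSTS[src]
    for _ in range(max_hops):
        nh = lookup(nodes[cur][0], dst)
        nxt = HOSTS.get(dst) if nh is None else HOSTS.get(nh)
        if nxt is None:
            return path + ["unreachable"]
        path.append(nxt)
        if nxt == HOSTS[dst]:
            return path
        if not nodes[nxt][1]:
            return path + ["dropped: not a router"]
        cur = nxt
    return path + ["loop"]

def round_trip(nas_gateway, notebook="192.168.30.80", nas="192.168.100.70"):
    """Forward and return path of the notebook -> NAS request; True if both arrive."""
    nodes = build_nodes(nas_gateway)
    fwd, back = trace(nodes, notebook, nas), trace(nodes, nas, notebook)
    return fwd, back, fwd[-1] == "NAS" and back[-1] == "Notebook"
```

With the NAS pointing at 192.168.100.20 the request arrives but the reply ends at eBlocker, which is the asymmetry behind "ping works, HTTP does not"; with 192.168.100.100 the reply returns through Router B and the round trip completes.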
So in your case the notebook in B would never get access to the NAS in A by design of network topology!
I think A and B are mixed up here. The notebook in A does not get access to the NAS in B.
Hence the desired security separation is not taking place.
The access is also protected by a firewall in router B.
I.e. in this case there is an activation for the notebook in A.
Nevertheless, eBlocker acts as an HTTP/HTTPS proxy to all clients that are set to use eBlocker as gateway. The nature of a proxy is that it's a one-way route, passing outbound requests to the Internet. All clients using the proxy can access all devices behind the gateway using HTTP/HTTPS, but not the other way around.
These explanations are very helpful for me for the understanding - many thanks for it 🙂 🙂 🙂
you might want to rethink your topology strategy if enhancing the security is your core idea.
The route from A->B is now deleted again and the firewall enabled in router B as well.
So the two subnets should be separated again. Or did I miss something?
I have worked as a security consultant for many years and felt to join the discussion with my background
For me a good lesson. I would like to learn more about such basic connections below the usual "surface settings". Unfortunately, I have searched in vain for it on the Internet so far. I should probably have visited a few network seminars earlier 🙄
Hope this helps
Yes, it certainly has, and I hope that other readers here can also benefit from it, and that it is not just a single lesson for me. 🤗
Thanks again for your time and your commitment
I think A and B are mixed up here.
Yes, thanks for mentioning this! I've corrected my post above 👍
Thanks again for your time and your commitment
We are happy if you are happy 👌
Thanks for your support and don't hesitate to ask if you need help. Preferably with eBlocker and network setup, of course. 😉