[Solved] Understanding question when using two subnets

7 Posts
3 Users
1 Reactions
55 Views
 Joe
(@joe)
Trusted Member
Joined: 5 years ago
Posts: 36
Topic starter  

Hi,

Subnet A is the network to the internet and the WLAN. Subnet B is the network secured by eBlocker. I have limited the end devices to the most necessary for the question.

Subnet A 192.168.30.n
RouterA IP 192.168.30.30
RouterB 192.168.30.50
Notebook 192.168.30.80 / Gateway 192.168.30.30

Route 192.168.100.0 - 192.168.30.50

Subnet B 192.168.100.n
RouterB IP 192.168.100.100
eBlocker 192.168.100.20 / Gateway 192.168.100.100
NAS 192.168.100.70 / Gateway 192.168.100.20

The NAS (http-site) cannot be accessed from the notebook, although ping and tracert are successful.

If the NAS is deactivated in the eBlocker, this does not change anything - only if the gateway is set to 192.168.100.100 (bypassing the eBlocker), the access works.
Is the access behavior correct ?

(@random)
Illustrious Member Admin
Joined: 6 years ago
Posts: 2073
 

Posted by: @joe

Is the access behavior correct ?

Unfortunately, I'm not sure what you are trying to achieve with the segmentation. Maybe you can share your aim more in detail. What's the purpose of network B at all?

Nevertheless, to route between two non-routable (private) IP address ranges (to couple the networks), both routers need to be set up with static routes in both directions to work. But this is kind of an awkward setup. 🤔 BTW: I'd wonder if the notebook could reach the NAS as this would be counter to the idea of private networks.

I'd rather cascade the routers like Internet<->Router A<->Router B. This forms an "inner" network B without revealing the inner devices to Router A (the Internet/provider router). But of course this depends on your aim.

Anyway, I'm happy to point you in the right direction once I understand your required application better.

An additional remark: it's usually not recommended to have a NAS covered by eBlocker as a NAS is normally not contacting any trackers or ad-networks and VPN/Tor for a NAS wouldn't be helpful either.

THX! 


   
ReplyQuote
 Joe
(@joe)
Trusted Member
Joined: 5 years ago
Posts: 36
Topic starter  

@random
thank you very much for your answer.
I also do not want to create unnecessary effort for my request - especially since the eBlocker dutifully does its job, as it should.
Gladly, though, a few additions.
Subnet B is the private home network, with all normal devices.
In subnet A the devices (if needed) for the HomeOffice are managed, because they should run separately from the private home network - like a free guest network.
So far so good. The NAS should be a simplified example here.
In the real use case, only from time to time should the home automation server (light or heating) in subnet B be reached with the company notebook from subnet A. So more a convenience than absolutely necessary.
A route subnet A to subnet B is entered (see above), so I have to see how I enter the return path.
I was only surprised by the different behavior after the deactivation in eBlocker and after the change of the gateway in the device of subnet B.


   
ReplyQuote
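The following is an added example, not code from the thread or from eBlocker. It simulates hop-by-hop forwarding for the addresses listed in the original post, to make visible what the static route on Router A and the different gateways in subnet B actually do to the two directions of a notebook-to-NAS connection. The per-device routing tables are assumptions reconstructed from the gateways the post gives (connected subnet plus default route; Router A carries the poster's static route to 192.168.100.0/24 via 192.168.30.50; Router B is taken as directly connected to both subnets). With those tables the forward path from the notebook to the NAS never touches the eBlocker, while the NAS's replies do because the NAS's default gateway is 192.168.100.20; setting the NAS gateway to 192.168.100.100 makes the two directions symmetric, which matches the bypass the poster observed working. Why the eBlocker handles those replies the way it does is not something this simulation, or the thread, establishes.

```python
"""Added example, not from the eBlocker forum thread: hop-by-hop forwarding
simulation for the two-subnet layout in the original post.  Addresses are the
post's; each device's routing table is an assumption reconstructed from the
gateway it was given (connected subnet plus default route, and the static
route the poster entered on Router A)."""
from ipaddress import ip_address, ip_network

# (prefix, next hop); next hop None means the prefix is directly connected.
TABLES = {
    "notebook": [("192.168.30.0/24", None), ("0.0.0.0/0", "192.168.30.30")],
    "routerA":  [("192.168.30.0/24", None),
                 ("192.168.100.0/24", "192.168.30.50"),   # the poster's static route
                 ("0.0.0.0/0", "internet")],
    "routerB":  [("192.168.30.0/24", None),               # WAN side, 192.168.30.50
                 ("192.168.100.0/24", None),              # LAN side, 192.168.100.100
                 ("0.0.0.0/0", "192.168.30.30")],
    "eblocker": [("192.168.100.0/24", None), ("0.0.0.0/0", "192.168.100.100")],
    "nas":      [("192.168.100.0/24", None), ("0.0.0.0/0", "192.168.100.20")],
}
# Which device owns which address (Router B has one address per subnet).
OWNER = {
    "192.168.30.80": "notebook", "192.168.30.30": "routerA",
    "192.168.30.50": "routerB", "192.168.100.100": "routerB",
    "192.168.100.20": "eblocker", "192.168.100.70": "nas",
}


def lookup(table, dst):
    """Longest-prefix match: the most specific entry wins, as on a real router."""
    dst = ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else "unreachable"


def trace(src, dst, max_hops=8):
    """Devices a packet from src to dst passes through, in order."""
    node = OWNER[src]
    path = [node]
    for _ in range(max_hops):
        next_hop = lookup(TABLES[node], dst)
        if next_hop is None:             # directly connected: deliver locally
            path.append(OWNER.get(dst, dst))
            return path
        if next_hop not in OWNER:        # left the modelled network (or no route)
            path.append(next_hop)
            return path
        node = OWNER[next_hop]
        path.append(node)
    path.append("loop")
    return path


def reply_path(nas_gateway):
    """Path of the NAS's replies with a different default gateway on the NAS
    (the bypass the poster tried with 192.168.100.100)."""
    saved = TABLES["nas"]
    TABLES["nas"] = [("192.168.100.0/24", None), ("0.0.0.0/0", nas_gateway)]
    try:
        return trace("192.168.100.70", "192.168.30.80")
    finally:
        TABLES["nas"] = saved


if __name__ == "__main__":
    print("notebook -> NAS :", trace("192.168.30.80", "192.168.100.70"))
    print("NAS -> notebook :", trace("192.168.100.70", "192.168.30.80"))
    print("NAS -> notebook, NAS gateway 192.168.100.100:",
          reply_path("192.168.100.100"))
```

Running it prints the forward path notebook, routerA, routerB, nas and the reply path nas, eblocker, routerB, notebook: a device that sits on only one half of a flow (here the eBlocker) sees the NAS's answers but never the notebook's requests. With the NAS gateway changed to 192.168.100.100 the reply path becomes nas, routerB, notebook and both directions use the same hops.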
 Joe
(@joe)
Trusted Member
Joined: 5 years ago
Posts: 36
Topic starter  

Addition:

Posted by: @random

I'd rather cascade the routers like Internet<->Router A<->Router B. This forms an "inner" network B without revealing the inner devices to Router A (the Internet/provider router).

I think that's how I set it up. Router A is also the access to the Internet provider.


   
ReplyQuote
(@benne)
Famed Member Admin
Joined: 6 years ago
Posts: 1097
 

@joe

With the setup @random discussed, it's the idea that devices in B can access devices in A - but not the opposite. So in your case the notebook in A would never get access to the NAS in B by design of network topology!

What you rather did (if you got the routing right) is coupling the two networks (letting the traffic also flow from A->B). Hence the desired security separation is not taking place. It's just two different private IP ranges that can access each other.

From my view such a setup only makes sense if you are joining two private networks from two companies that have merged, for getting access to each other.

Posted by: @joe

The NAS (http-site) can not be accessed from the notebook, although ping and tracert are successful.

Ping (= ICMP packets) is usually always successful as router B will normally answer the ping for all devices in its network (unless explicitly configured otherwise).

Traceroute (which uses UDP packets) might be routed if you set a static route for UDP A->B, but HTTP (= TCP) needs to be routed explicitly as well.

Nevertheless, eBlocker acts as an HTTP/HTTPS proxy to all clients that are set to use eBlocker as gateway. The nature of a proxy is that it's a one-way route - passing outbound requests to the Internet. All clients using the proxy can access all devices behind the gateway using HTTP/HTTPS - but not the opposite way around.

Posted by: @joe

Is the access behavior correct ?

To make a long story short: Yes, eBlocker does what it's supposed to do: being a proxy.

But I fear your network setup is rather "unconventional" and you might want to rethink your topology strategy if enhancing the security is your core idea. I have worked as a security consultant for many years and felt compelled to join the discussion with my background.

Hope this helps. 👍


   
Random reacted
ReplyQuote
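An added diagnostic, example code that is not part of the thread or of eBlocker, for the symptom the poster started with: ping and tracert succeed, the HTTP page does not load. IP routes are selected by destination prefix and apply to every transport protocol, so a successful ping and traceroute show that the forward and return routes exist; the useful next step is to test the TCP port itself and read the outcome. A connection refused means the host was reached and nothing listens there; a timeout means the SYN or its SYN/ACK is being dropped or intercepted somewhere on the path, which is what a firewall, or a proxy that sits in only one direction of the flow, can cause. The ICMP part uses the system `ping` binary; the default target 192.168.100.70:80 is the NAS from the post and is an assumption about what you want to test. The self-check in the usage note runs against a loopback listener so it works offline.

```python
"""Added example, not from the eBlocker forum thread: check a host at layer 3
(ICMP echo via the system ping) and layer 4 (TCP connect) separately, so that
"ping works but the web page does not" can be narrowed down to a layer."""
import socket
import subprocess
import sys


def tcp_check(host, port, timeout=3.0):
    """Classify a TCP connect attempt.

    open        SYN/ACK received: routing and the service both work
    refused     RST received: the host is reachable, nothing listens on the port
    filtered    no answer within the timeout: the SYN or the SYN/ACK is dropped
                (a firewall, an intercepting proxy, or a broken return path)
    unreachable the local stack has no route, or the host is unreachable
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:          # alias of TimeoutError since Python 3.10
        return "filtered"
    except OSError:
        return "unreachable"


def icmp_check(host, timeout=3.0):
    """Send one ICMP echo request with the system ping; True on a reply.
    Returns False if ping is missing, not permitted, or does not answer in time."""
    count_flag = "-n" if sys.platform.startswith("win") else "-c"
    try:
        proc = subprocess.run(["ping", count_flag, "1", host],
                              capture_output=True, timeout=timeout)
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False
    return proc.returncode == 0


def verdict(icmp_ok, tcp_state):
    """Map the two observations to the layer at which the problem lies."""
    if tcp_state == "open":
        return "tcp-open"                 # anything wrong is above TCP (HTTP, TLS, vhost)
    if tcp_state == "refused":
        return "host-reached-no-service"  # routing fine; wrong port or service down
    if icmp_ok:
        return "icmp-ok-tcp-blocked"      # the thread's symptom: routes exist, TCP is dropped
    return "host-unreachable"             # nothing gets there at all


def diagnose(host, port):
    """Run both checks and return them together with the verdict."""
    icmp_ok = icmp_check(host)
    tcp_state = tcp_check(host, port)
    return {"icmp": icmp_ok, "tcp": tcp_state, "verdict": verdict(icmp_ok, tcp_state)}


def open_local_listener():
    """Listening socket on an ephemeral loopback port, for an offline self-check."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Default target: the NAS address and HTTP port from the post (assumed).
    if len(sys.argv) > 2:
        target, port = sys.argv[1], int(sys.argv[2])
    else:
        target, port = "192.168.100.70", 80
    print(diagnose(target, port))
```

Run it from the notebook as `python3 check.py 192.168.100.70 80`, then again with the NAS gateway changed to 192.168.100.100 as the poster did: an `icmp-ok-tcp-blocked` verdict that turns into `tcp-open` confirms that the drop sits on the reply path through the eBlocker rather than in the routers' tables. For an offline self-check, `open_local_listener()` gives a port on which `tcp_check` returns `open`, and the same port returns `refused` once the listener is closed.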
 Joe
(@joe)
Trusted Member
Joined: 5 years ago
Posts: 36
Topic starter  

Posted by: @benne

So in your case the notebook in B would never get access to the NAS in A by design of network topology!

I think A and B are mixed up here. The notebook in A does not get access to the NAS in B.

Posted by: @benne

Hence the desired security separation is not taking place.

The access is also protected by a firewall in router B.
I.e. in this case there is an activation for the notebook in A.

Posted by: @benne

Nevertheless, eBlocker acts a HTTP/HTTPS proxy to all clients that are set to use eBlocker as gateway. The nature of a proxy is that it's a one way route - passing outbound request to the Internet. All clients using the proxy can access all devices behind the gateway using HTTP/HTTPS - but not the opposite way around

These explanations are very helpful for me for the understanding - many thanks for it 🙂 🙂 🙂 

Posted by: @benne

you might want to rethink your topology strategy if enhancing the security is your core idea.

The route from A->B is now deleted again and the firewall enabled in router B as well.
So the two subnets should be separated again. Or did I miss something ?

Posted by: @benne

I have worked as a security consultant for many years and felt to join the discussion with my background

For me a good lesson. I would like to learn more about such basic connections below the usual "surface settings". Unfortunately, I have searched in vain for it on the Internet so far. I should probably have visited a few network seminars earlier 🙄

Posted by: @benne

Hope this helps

Yes, it certainly has, and I hope that other readers here can also benefit from it at times and that it is not just a single lesson for me. 🤗

 

@benne @random

Thanks again for your time and your commitment


   
ReplyQuote
(@benne)
Famed Member Admin
Joined: 6 years ago
Posts: 1097
 

@joe 

Posted by: @joe

I think A and B are mixed up here.

Yes, thanks for mentioning this! I've corrected my post above 👍

Posted by: @joe

Thanks again for your time and your commitment

We are happy if you are happy 👌

Thanks for your support and don't hesitate to ask if you need help. Preferably with eBlocker and network setup, of course. 😉

 


   
ReplyQuote
