Community discussions

 
0120narendra
just joined
Topic Author
Posts: 4
Joined: Fri Sep 20, 2019 11:52 am

Isolated Network

Fri Sep 20, 2019 11:57 am

Hi Sir,
This Side Narendra Singh.
We need to block dhcp pool 1 for dhcp pool 2. Could you help please.
 
User avatar
k6ccc
Member
Member
Posts: 480
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Isolated Network

Sat Sep 21, 2019 1:12 am

You need to give us a better idea of what you are trying to accomplish. Not enough information given.
RB750Gr3, RB750r2, CRS326-24G-2S (in SwitchOS), CSS326-24G-2S, CSS106-5G-1S, RB260GS
Not sure if I beat them in submission, or they beat me into submission


Jim
 
0120narendra
just joined
Topic Author
Posts: 4
Joined: Fri Sep 20, 2019 11:52 am

Re: Isolated Network

Sat Sep 21, 2019 11:02 am

Hi Sir,

Actually, we are working for a Co-working Company. So multiple companies are working there together. So they need to separate IP pool Network. They don't want to communicate locally with each other. Due to this, we need to block all the DHCP pool with each other.
 
pe1chl
Forum Guru
Forum Guru
Posts: 5928
Joined: Mon Jun 08, 2015 12:09 pm

Re: Isolated Network

Sat Sep 21, 2019 1:35 pm

You can setup as many DHCP servers and associated pools as you like, but of course they have to be on different networks.
So create a new bridge and move one or more of the ethernet ports from the default bridge to that one, and connect the 2nd company to there.
You should do all config normally done for a local network (brdige, address, port members, DHCP server, pool, firewall rules you need, etc) a second time for this bridge.
The two DHCP servers will not see eachother as they are on a different local network.

(without that network separation it cannot be done!)
 
0120narendra
just joined
Topic Author
Posts: 4
Joined: Fri Sep 20, 2019 11:52 am

Re: Isolated Network

Sat Sep 21, 2019 5:23 pm

Hi Sir,

We have a Two Bridge and 2 ethernet port.
1: Bridge_DHCP and Port ether4 (192.168.1.1/23)
2: Bridge_Pt. And DHCP ether5. (192.168.2.1/25)

But they are communicating with each other.
How can we block communication between these DHCP Network pool?
 
pe1chl
Forum Guru
Forum Guru
Posts: 5928
Joined: Mon Jun 08, 2015 12:09 pm

Re: Isolated Network

Sat Sep 21, 2019 5:37 pm

Use two firewall rules.
Forward chain, input and output interfaces are these two bridge interfaces (both ways), action is reject.
 
User avatar
chechito
Forum Guru
Forum Guru
Posts: 1743
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

Re: Isolated Network

Sat Sep 21, 2019 5:48 pm

keep in mind isolation starts form access layer (wired switches and wireless access-points), coordination between wired and wireless infrastructure, i suggest separate SSID for each network on wireless infrastructure and correspondent VLAN in wired infrastructure for each network, then you map your isolated ip address range and dhcp services on your router to the respective VLAN/network
 
mkx
Forum Guru
Forum Guru
Posts: 3223
Joined: Thu Mar 03, 2016 10:23 pm

Re: Isolated Network

Sat Sep 21, 2019 6:19 pm

In adition to the two posts above, beware that subnet 192.168.1.0/23 actually contains 192.168.2.0/25 (192.168.1.0/23 are all IP addresses from 192.168.1.0 to 192.168.2.255 while 192.168.2.1/25 are IP addresses from 192.168.2.0 to 192.168.2.127).
BR,
Metod
 
pe1chl
Forum Guru
Forum Guru
Posts: 5928
Joined: Mon Jun 08, 2015 12:09 pm

Re: Isolated Network

Sat Sep 21, 2019 6:44 pm

In adition to the two posts above, beware that subnet 192.168.1.0/23 actually contains 192.168.2.0/25 (192.168.1.0/23 are all IP addresses from 192.168.1.0 to 192.168.2.255 while 192.168.2.1/25 are IP addresses from 192.168.2.0 to 192.168.2.127).
No, that is not correct. 192.168.1.1/23 is network 192.168.0.0/23 with gateway 192.168.1.1. It does not contain 192.168.2.0/25.
But it looks like the poster has very little knowledge, so their may be other mistakes (like a pool that includes 192.168.1.1).
 
anav
Forum Guru
Forum Guru
Posts: 3131
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Isolated Network

Sat Sep 21, 2019 7:24 pm

One approach......
VLAN managment - 99 (for the person(s) managing the router). Interface = Bridge-Shared
VLAN AA - Company A Interface = Bridge-Shared
VLAN BB - Company B Interface = Bridge-Shared
VLAN CC - Company C Interface = Bridge-Shared
VLAN DD - Company D Interface = Bridge-Shared

Bridge = Bridge-Shared Only need to create the name and apply ingress filtering when all vlans and associated settings have been created. Safe mode is your friend.

DHCP Server interface= VLAN99 Address Pool = managmentpool
DHCP Server interface=VLANAA Address Pool = AApool
DHCP Server interface=VLANBB Address Pool= BBpool
DHCP Server interface=VLANCC Address Pool= CCpool
DHCP Server interface=VLANDD Address Pool=DDpool

NETWORK VLAN 99 address & gateway assignment
NETWORK VLAN AA etc.
NETWORK VLAN BB
NETWORK VLAN CC
NETWORK VLAN DD

IP Pool VLAN 99 Ip pool range assignement - must match network settings
IP POOL VLAN AA etc..
IP POOL VLAN BB
IP POOL VLAN CC
IP POOL VLAN DD

Assign INGRESS parameters for Bridge/vlans AND EGRESS appropriately via Bridge (Port) selections.
Assign EGRESS parameters for Bridge/vlans appropriately via Bridge (VLAN) selections

FIREWALL RULES.
Standard input rules apply\
Allow management VLAN to router
Allow DNS for company VLANS to router if required
Drop all else as last rule.

Standard forward rules apply\
Allow management VLAN access to internet- if necessary
Allow all company VLANS access to internet - as required
allow management VLAN to all company VLANs
Drop all else (last rule).

*** Create Company VLAN Interface List.

All Companies are separated at layer2 by virtue of VLAN structure
All Companies are separated at layer 3 by the Drop all FW rule.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
mkx
Forum Guru
Forum Guru
Posts: 3223
Joined: Thu Mar 03, 2016 10:23 pm

Re: Isolated Network

Sun Sep 22, 2019 12:02 pm

No, that is not correct.
Right :blush:
BR,
Metod

Who is online

Users browsing this forum: Majestic-12 [Bot], MSN [Bot] and 21 guests