Step 1: Router Configuration

Overview

This tutorial describes how to configure your home routers to set up a secure network for your computers.  Following the steps in this tutorial, you will be able to create router sub-networks that share a single internet connection but can be completely isolated from each other.  Having isolated sub-networks can be useful for a number of applications:

  • You are hosting a website from a home computer, and you want to keep the web server machine isolated from your other computers in case it gets hacked.

  • You have a home or small office where you want to have a ‘public’ network and a ‘private’ network.

  • You want to isolate your home WiFi from your wired network to ensure that your wired computers cannot be seen in case your WiFi is compromised by a ‘man in the middle’ style attack.

This tutorial is intended for people with minimal knowledge of computer networks, firewalls, or routers.  The only prerequisite skill required is that you are able to log into your router’s configuration page with a web browser.  The steps in this tutorial will lead you through the few changes required to get things set up.

In this tutorial, you will learn:

  • How to wire two home routers together to create a single isolated sub-network.

  • How to wire three home routers together to create two isolated sub-networks.

  • How to configure the router settings and sub-network addresses.

  • How to set a specific local network address for your computers using either DHCP reservations at your router or static IP addresses configured at the computers.

Router Setup

There are a number of ways to create safe isolated sub-networks using multiple routers.  The following section describes two common methods: how to use two routers together for a single isolated sub-network, and how to use three routers together to create two isolated sub-networks. Which setup you choose will depend on your requirements. If you need anything more sophisticated than this, you are reading the wrong tutorial.

Two Routers, One Isolated Sub-Network

With two separate routers, you can create a single isolated sub-network where computers on the ‘public’ and ‘private’ side share the same internet connection.  The setup would look like this:

[Figure: Two routers can create a single isolated sub-network.]

To set up this network:

  1. Connect the cable from your internet modem into the WAN port of Router_1.

Note: you may have a combined internet modem and router in a single device. In this case, the Internet to router WAN is hardwired inside the box, and you have only the LAN ports on the outside of the device.

  2. Connect a cable from a LAN port of Router_1 to the WAN port of Router_2.

  3. Connect a computer to a LAN cable plugged into Router_1, and log in to the settings page using a web browser.  This is usually accomplished by typing “http://10.0.0.1” into a web browser. Different routers will have different factory default addresses (192.168.1.1 is another common one); consult your manual if you cannot connect.

  4. Find the settings page that shows the connected devices and their addresses. Find the Router_2 device and write down its address, which will be something like 10.0.0.xxx or 192.168.1.xxx.

  5. Disconnect from Router_1 and connect your computer to a LAN cable plugged into Router_2.  Use your web browser to open the configuration page of Router_2, and log in to change the settings.

  6. Find the page that has the “Local Area Network” (LAN) settings on it.  On this page, change the IP address of the router to what you want to use for your subnet.  In this example, Router_2 was configured with an IP address of 192.168.2.1 to make it obviously different from the network of Router_1, which is using 10.0.0.x addresses.

  7. Find the setting called “DHCP Server” (it is usually in the same place as the LAN settings).  Make sure that this is enabled.

[Figure: The settings for a LinkSys router are shown. Router IP Address and DHCP server setting are on the Local Network page.]

  8. Save the router settings and exit.

You have now created an isolated sub-network that can share a single internet connection.  In this network:

  • Router_1 will get an internet address from your internet service provider.

  • Router_1 will have a local area network (LAN) address which is 10.0.0.1 in this example.

  • Router_1 will do DHCP serving (assign addresses) to all devices connected to its local area network (all the orange devices)

  • Router_2 will have two addresses.  It will have an address on the LAN of Router_1 (10.0.0.2 in this example).  It will also have a different address as the DHCP server of the subnet LAN it creates (192.168.2.1 in this example)

In this network, you can expect the following behavior:

  • All connected devices can access the internet

  • Any device in Network_1 (orange) can ping any other Network_1 device, including being able to ping Router_2 at 10.0.0.2.

  • Any device in Network_2 (purple) can see any other Network_2 device. Network_2 devices can also see Network_1 devices.

  • Network_1 devices cannot see Network_2 devices.

  • For example:

    • Computer A could ping Router_1 at 10.0.0.1, and could ping computer B at 10.0.0.11.

    • Computer A could ping Router_2 at 10.0.0.2, but it could not ping Router_2 at 192.168.2.1.

    • Computer A could not ping Computer F

    • Computer F could ping computer A at 10.0.0.10.

    • Computer F could ping computer G at 192.168.2.11

    • Computer F could ping Router_2 at either 192.168.2.1 or at 10.0.0.2.

    • Computer F could ping Router_1 at 10.0.0.1

You can now place your ‘private’ computers on Network_2, and allow for ‘public’ connections on Network_1.  If you do need to access private side computers from the public side, you should read the last section of this document about assigning static IP addresses, and then you should read our next tutorial about setting up port forwarding through the router firewall.

Three Routers for Two Isolated Sub-Networks

If you need to make sure that computers from either sub-network cannot connect to each other, you will need to set up a three router ‘Y’ configuration.

[Figure: Three routers can create two isolated sub-networks.]

To set up this network:

  1. Connect the cable from your internet modem into the WAN port of Router_1.

Note: you may have a combined internet modem and router in a single device. In this case, the Internet to router WAN is hardwired inside the box, and you have only the LAN ports on the outside of the device.

  2. Connect cables from the LAN ports of Router_1 to the WAN ports of Router_2 and Router_3.

  3. Connect a computer to a LAN cable plugged into Router_1, and log in to the settings page using a web browser.  This is usually accomplished by typing “http://10.0.0.1” into a web browser. Different routers will have different factory default addresses (192.168.1.1 is another common one); consult your manual if you cannot connect.

  4. Find the settings page that shows the connected devices and their addresses. Find the Router_2 and Router_3 devices and write down their addresses, which will be something like 10.0.0.xxx or 192.168.1.xxx.

  5. Disconnect from Router_1 and connect your computer to a LAN cable plugged into Router_2.  Use your web browser to open the configuration page of Router_2, and log in to change the settings.

  6. Find the page that has the “Local Area Network” (LAN) settings on it.  On this page, change the IP address of the router to what you want to use for your subnet.  In this example, Router_2 was configured with an IP address of 192.168.1.1.

  7. Find the setting called “DHCP Server” (it is usually in the same place as the LAN settings).  Make sure that this is enabled.

[Figure: The settings for a LinkSys router are shown. Router IP Address and DHCP server setting are on the Local Network page.]

  8. Save the router settings and exit.

  9. Repeat steps 5 through 6 for Router_3, making sure to assign it a different IP address than used for Router_2.  In this example, Router_3 was configured to be at 192.168.2.1.

You have now created two isolated sub-networks sharing a single internet connection.  In this network:

  • Router_1 will get an internet address from your internet service provider.

  • Router_1 will have a local area network (LAN) address which is 10.0.0.1 in this example.

  • Router_1 will do DHCP serving (assign addresses) on the 10.0.0.x network to Router_2 and Router_3.

  • Router_2 will have two addresses.  It will have an address on the LAN of Router_1 (10.0.0.2 in this example).  It will also have a different address as the DHCP server of the subnet LAN it creates (192.168.1.1 in this example)

  • Router_3 will have two addresses.  It will have an address on the LAN of Router_1 (10.0.0.3 in this example).  It will also have a different address as the DHCP server of the subnet LAN it creates (192.168.2.1 in this example)

In this network, you can expect the following behavior:

  • All connected devices can access the internet

  • Any Network_2 device (green) can see any other device on Network_2.  Devices on Network_2 can also ping Router_1 at 10.0.0.1 and Router_3 at 10.0.0.3.

  • Any Network_3 device (blue) can see any other Network_3 device, and can also ping Router_1 and Router_2 at their 10.0.0.x address.

  • Network_2 devices cannot see Network_3 devices.

  • For example:

    • Computer A could ping computer B and C, and it could ping Router_2 at 192.168.1.1.  It could also ping Router_1 at 10.0.0.1, Router_2 at 10.0.0.2, and Router_3 at 10.0.0.3.

    • Computer D could ping Computer E, F and G, and it could ping Router_3 at 192.168.2.1.  It could also ping Router_1 at 10.0.0.1, Router_2 at 10.0.0.2, and Router_3 at 10.0.0.3.

    • Computer A could not ping Computer D

You can now open up servers exposed to the internet on Network_2, and place your home computers on Network_3.  This will keep your home computers isolated in case your internet exposed servers were compromised.
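The reachability rules listed for both layouts can be checked from any connected computer. The script below is an added example, not part of the original tutorial: it models which addresses a machine should be able to reach and pings each target to report any disagreement. The /24 masks, the address used for Computer D, and the Linux `ping` flags are assumptions.

```python
import ipaddress
import subprocess

def can_reach(src_net, dst_ip, uplink):
    """Model: a host reaches dst_ip only if it lies on the host's own network
    or on a network further upstream (towards the modem). Assumes every
    router does NAT with no port forwarding, as in the tutorial's setup."""
    dst = ipaddress.ip_address(dst_ip)
    net = src_net
    while net is not None:
        if dst in ipaddress.ip_network(net):
            return True
        net = uplink.get(net)  # follow the WAN cable one hop upstream
    return False

def system_ping(ip):
    """One ICMP echo with a 1 s timeout (Linux iputils ping flags)."""
    return subprocess.run(["ping", "-c", "1", "-W", "1", ip],
                          stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0

def audit(src_net, targets, uplink, ping=system_ping):
    """Ping each target from this machine and return the ones whose real
    result differs from the model, as {name: (expected, observed)}."""
    findings = {}
    for name, ip in targets.items():
        expected, observed = can_reach(src_net, ip, uplink), ping(ip)
        if expected != observed:
            findings[name] = (expected, observed)
    return findings

# Three-router 'Y' layout: each sub-network maps to the network its router's
# WAN port is plugged into. The /24 masks are an assumption.
Y_UPLINK = {"192.168.1.0/24": "10.0.0.0/24", "192.168.2.0/24": "10.0.0.0/24"}
# Router addresses are the tutorial's; Computer D's address is constructed.
Y_TARGETS = {
    "Router_1": "10.0.0.1", "Router_2 WAN": "10.0.0.2",
    "Router_3 WAN": "10.0.0.3", "Router_2 LAN": "192.168.1.1",
    "Router_3 LAN": "192.168.2.1", "Computer D": "192.168.2.10",
}

if __name__ == "__main__":
    # Run from a Network_2 computer. A finding with observed=True for a
    # 192.168.2.x target means Network_3 is not isolated from Network_2.
    for name, (exp, obs) in audit("192.168.1.0/24", Y_TARGETS, Y_UPLINK).items():
        print(f"MISMATCH {name}: expected reachable={exp}, observed={obs}")
```

For the two-router layout, pass `{"192.168.2.0/24": "10.0.0.0/24"}` as `uplink`; the model then shows the isolation is one-way, since Network_2 reaches Network_1 but not the reverse.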

The next step will be to forward ports from your router to open up your servers to the internet.  You will probably also want to be able to administer the Network_2 computers from one or more of your Network_3 computers. If this is the case, you should read our next tutorial about firewall and port forwarding.

References and Additional Reading