A fun discussion

[lucid]

I have one cable modem(with one port only) and two routers. I had originally hoped to set up both routers as completely separate networks. This way, I could connect one computer to the first router, and another one to the second router. I'm sure most of you could see why I would want to do this. It would allow me to perform all sorts of fun testing and breaking.

Right off the bat I don't think I can do it this way because:

A) I don't have a crossover cable to connect the two routers together.

B) I don't have a switch.

So I'm trying to think of the best way to turn one modem and two routers with no switches or crossover cables into two completely separate home networks which can both connect to the internet, and I thought this might make a fun discussion.

Here's how shit's config-ed so far:

- Router1 is connected directly to the cable modem. Gateway address is 192.168.1.1.
- Router2 is connected to a LAN port on Router1. Gateway address is 172.16.1.1

I haven't gotten the two networks completely separate, as on Network1(192.168.1.0) I can see by way of nmap scan that Network2(172.16.1.0) has an IP address of 192.168.1.2 on Network1. Which obviously was going to happen but still kind of funny. I guess that's what I would need a switch for..

I'm assuming that if I got a switch and plugged both routers into it then they would be two completely different networks yes? Another question I just thought of actually:

Currently I have one computer on Network1 and another on Network2. Say, for example, that when I have Router1 directly connected to the modem all computers on the network have an external IP address of 56.39.7.100, and when Router2 is directly connected to the modem all computers have an external IP of 139.24.1.56. If I plugged both routers into a switch would a computer on Network1 have Router1's external IP while a computer on Network2 has Router2's external IP?

[xC]

They will be the same network regardless, one switch -> one network. If you have access to the original modem you can direct traffic from either one as you please. As for the networks having the same subnet, it all depends on router configuration. You can have two routers with the subnet 192.x.x.x as it will reserve addresses as needed. However, for testing purposes it is probably somewhat easier to use two ranges so you're not constantly having to check which target belongs to what router.

Edit: Oh, since the gateway is the same the external will be the same as well. As for the initial problem I don't know what to tell you.

[chapp]

Find a router that supports virtual LAN, that's the best bet

[lucid]

Yeah I suppose that would be a good way. Unfortunately that means I'd have to buy a new router. I'm poor so I don't think that's going to happen anytime soon.

As of right now, I already have two separate networks, both of which are able to access the internet. Last night by the way, I discovered that a computer on Network2(172.16.1.0) can ping devices on Network1(192.168.1.0) but not the other way around. So at least I have partially achieved what I wanted.

Maybe this could turn into a discussion about everyone's home network? This wasn't meant to be another selfish help me thread. How many of you have a lab for testing? Is it an actual physical pentesting lab? Or do you have a virtual lab with the use of Virtualbox or some such virtualization software. I want to know how you guys do your hands on learning and what kind of setups everyone has.

[AnarchyAngel]

if vlan is not an option maybe subnetting is your solution.

[chapp]

I have my router connected to some arbitrary fiber modem provided by my ISP, which I don't trust in any way. Locked it away in a box and I'm expecting that every little bit of data sent goes directly to China!


I have connected two Pi's to my router, one working as my ordinary AP and one as a transparent Tor router AP.


I have my lab on a separate laptop, that is not connected to the internet ever. Here I have a number of different Unix/Linux distro's ready in some different architectures as well as images for Windows XP and 7. All of it is vitualised, although I would prefer to have physical environments for all of it, it's simply too expensive as a private person.


I hope that you get your network sorted out.

[lucid]

I have connected two Pi's to my router, one working as my ordinary AP and one as a transparent Tor router AP.

That's an awesome idea. Why couldn't I think of something like that..

[Snayler]

Last night by the way, I discovered that a computer on Network2(172.16.1.0) can ping devices on Network1(192.168.1.0) but not the other way around. So at least I have partially achieved what I wanted.

That's because Router2 is connected to Router1, so Router2's gateway knows which subnet it's connected to. The other way around isn't working because your Router2 must be using NAT. A way to fix this would be to disable NAT and manually add routes on Router1 for it to know which subnet is behind Router2.

[proxx]

You can probably use the 2 routers in paralell just like you would a switch.
Turn off both DHCP servers on the devices and hook them straight together, just a LAN port.
Than set 2 static adresses and try ping each other being one on both routers.

Ive done that before and it seems to work alright for most devices ive tested thus far.
I suggest you turn on one DHCP server after the test.
A router is just another word for switch with a 'brain' (which often is not really the case.)
As long as you use the internet port  only on one end.
That way that will be the only thing to NAT stuff across other networks.

[lucid]

You can probably use the 2 routers in paralell just like you would a switch.
Turn off both DHCP servers on the devices and hook them straight together, just a LAN port.
Than set 2 static adresses and try ping each other being one on both routers.

Ive done that before and it seems to work alright for most devices ive tested thus far.
I suggest you turn on one DHCP server after the test.
A router is just another word for switch with a 'brain' (which often is not really the case.)
As long as you use the internet port  only on one end.
That way that will be the only thing to NAT stuff across other networks.

SoI would hook up one router's WAN port to the modem and then connect the other router to the first using the LAN ports on BOTH devices? Would this be a good way to create a minimal pentesting network? I am thinking I want to simulate hacking into one network from another.

[proxx]

SoI would hook up one router's WAN port to the modem and then connect the other router to the first using the LAN ports on BOTH devices? Would this be a good way to create a minimal pentesting network? I am thinking I want to simulate hacking into one network from another.

Minimal yes , it all depends how you want to simulate it.
This way you have just have local access which makes things a little easier.
Its becomes one big LAN.

Otherwise I suggest you put it behind a NAT and firewall the connection (only allow couple ports in) most consumer stuff does that anyway.

Im not being very clear, must be the booze from yesterday.

[lucid]

I'm necroing this shit because it's still relevant and because fuck The
Man. Anyway, I just bought a switch the other day after much delay.
Still determined to create some form of rudimentary physical testing lab
despite the fact that it can mostly be done virtually and you all are naysayers. Here's a screen:

http://i.imgur.com/OsfeNSE.jpg

Nice right? It's managed. Supports vLAN, spanning tree, trunking, jumbo frames, as well as other features I'm too lazy to mention. The plan for the moment is to hook up the switch to my main
router(obviously), then connect another router to port 1 of the switch
and hopefully make it so they are two separate networks. Whether
I do this by vlan or subnetting or whatever is yet to be discovered, but
will probably be going the vlan route. If it works as planned then I'll
have my main network(172.16.1.0) and then the second
router(192.168.1.0). I chose that number instead of something like
172.16.2.0 just to avoid confusion due to similarities. In the end I'm
hoping to be able to ping one network from the other interchangeably. As
of right now I can't.

[proxx]

I'm necroing this shit because it's still relevant and because fuck The
Man. Anyway, I just bought a switch the other day after much delay.
Still determined to create some form of rudimentary physical testing lab
despite the fact that it can mostly be done virtually and you all are naysayers. Here's a screen:

http://i.imgur.com/OsfeNSE.jpg

Nice right? It's managed. Supports vLAN, spanning tree, trunking, jumbo frames, as well as other features I'm too lazy to mention. The plan for the moment is to hook up the switch to my main
router(obviously), then connect another router to port 1 of the switch
and hopefully make it so they are two separate networks. Whether
I do this by vlan or subnetting or whatever is yet to be discovered, but
will probably be going the vlan route. If it works as planned then I'll
have my main network(172.16.1.0) and then the second
router(192.168.1.0). I chose that number instead of something like
172.16.2.0 just to avoid confusion due to similarities. In the end I'm
hoping to be able to ping one network from the other interchangeably. As
of right now I can't.

You got yourself an excellent switch sir.
I would also suggest using VLAN's if you want to split it.
When you want to intercommunicate with these networks some device must act like a router, be it a pc or some shitty comsumer router like device.
Would look something like this:
route 192.168.1.0 255.255.255.0  172.16.1.254 (that could be the gateway)


If you want to simulate a more realistic internet like scenario I suggest you just work with port forwardings etc.
However having routes as mentioned above is very common practise, especially in larger networks.

[lucid]

route 192.168.1.0 255.255.255.0  172.16.1.254 (that could be the gateway).

This confuses me a little. I'm not even exactly sure how to elaborate, although I'm quite exhausted. Which device are you saying 172.16.1.254 would belong too.

I'll also look into achieving what I want with port forwarding.

EDIT: Sorry proxx, sometimes I have a hard time understanding your explanations. Are you saying that router A would be the first address you posted, and router B could be the last?

[proxx]

This confuses me a little. I'm not even exactly sure how to elaborate, although I'm quite exhausted. Which device are you saying 172.16.1.254 would belong too.

I'll also look into achieving what I want with port forwarding.

EDIT: Sorry proxx, sometimes I have a hard time understanding your explanations. Are you saying that router A would be the first address you posted, and router B could be the last?

No problem ,sometimes my sentences are a bit off.

When you want to intercommunicate with these networks some device must act like a router, be it a pc or some shitty comsumer router like device.

What I mean is that when you have 2 vlan's both with some IP range one must consider a method to reach network_A  from network_B and visa versa.
So one way to achive this is to have a machine running on both networks.
This machine acts a hop to the other network, we call this a gateway.
A router can act as such (I prefer a linux/bsd box to be able to control this to greater extend to say some shitty firmware).
There is a choice between mainly 2 methods , thats either a gateway as mentioned above or through NAT.

Perhaps I am saying things that are way to obvious and are already clear.

*offtopic*
Personally I don't like NAT at all,  it is a hack designed to solve a problem that was created in the first place.
Instead of solving things we created a new problem, the current firewalling mechanism relies to great extend on NAT to do its job.
It is proven effective and as far as I see it we will do the exact same thing over again on IPv6.
We should have plenty and I mean alot of IP's why not assign one to each machine and go from there.
Only challange is still controlling traffic flows on which we rely so much.
I am actually looking forward moving to v6 , but it will probably be the same design all over.