As announced a few days ago, today I would like to share our experience in building the network infrastructure of our ODL with you. I can well imagine that quite a few ODL operators face similar challenges, so hopefully they will find some helpful suggestions here.
Our goal: two private networks sharing the same internet connection
Building up our Open Device Lab's network, we faced an elementary question:
»How can we use our agency's existing internet connection for our devices while simultaneously keeping both networks (for the ODL and the agency) separated and, above all, protected from each other?«
This question can be answered in several ways, some of which have quite different hardware requirements. We considered the following criteria as crucial:
- A reliable isolation of both networks
- An affordable solution, preferably using the existing hardware
- No changes of the IP addresses or subnets
- Two separate Wi-Fi networks, one each for the agency and the ODL
Two approaches are practical; we examine both below in order to explain our choice:
- Building virtual LANs (VLAN) for the agency and the ODL
- Building separate LANs using multiple routers (hardware)
Option 1: Building »Virtual LANs« (VLANs) for the agency and the Open Device Lab
Separating a network into different VLANs is a simple, effective and especially hardware-saving way to make networks »invisible« to each other. All you need is a router or a switch – which, however, must be VLAN capable.
In a »port-based VLAN« you assign a VLAN ID to each LAN port of the router or switch. Devices on ports with the same VLAN ID can communicate with each other, but traffic does not cross from one VLAN ID to another unless a router explicitly forwards it. In our specific case, the agency ports could be set to VLAN ID »1« and the ODL ports to VLAN ID »2«. (One practical caveat: VLAN 1 is the default VLAN on most switches, so any port that is not configured ends up in it; putting both networks on non-default IDs avoids surprises.)
This way both networks would be protected from each other. As mentioned before, the router or switch must be VLAN capable, which is typically not the case with the consumer routers supplied by ISPs (e.g. Telekom Speedport).
In our case we have the additional requirement of two separate wireless networks, since the ODL devices connect primarily via WLAN, and the agency needs its own Wi-Fi to operate. Many modern routers can run several wireless networks (SSIDs) in parallel, but they often cannot map each SSID to its own VLAN the way the LAN ports can. Devices that support this exist, but they were far too expensive for our purpose.
Another aspect against VLANs, at least with the class of router we had, is that the router would still run a single IP subnet and a single DHCP pool for both VLANs (per-VLAN subnets require a router that routes and serves DHCP per VLAN, which again means more expensive equipment). As mentioned above, we did not want to change anything (or too much) about our existing agency network configuration, since several fairly complex components are involved here (servers, network printers, etc.). Even if our router met all the hardware requirements, we would end up with agency and ODL devices drawing addresses from the same pool. And since a /24 subnet (subnet mask 255.255.255.0, the old »class C« size) provides only 254 usable host addresses, this could lead to problems sooner or later.
Option 2: Building separate LANs using multiple routers
Since a VLAN network could not be realized with our pre-defined requirements, we decided to try the second approach. Here's a sketch of what the result looks like:
For our setup, we continue using our existing VDSL router (Telekom Speedport W723V, »ROUTER 1« in the sketch) to connect to the internet. Two new routers are added to build separate networks for the agency (»ROUTER 2«) and the ODL (»ROUTER 3«). The two networks share the internet connection and are protected from each other by the inner routers' built-in NAT firewalls (see below).
The internet router (ROUTER 1) establishes the internet connection on its WAN port and shares it with all connected devices via LAN. No other devices should be connected to ROUTER 1, and its Wi-Fi should be disabled: anything attached to ROUTER 1's LAN is reachable from both inner networks, because both inner routers sit on that LAN with their WAN ports and NAT their clients out onto it. That is only acceptable for something meant to be shared, e.g. a network printer used by both the agency and the ODL, and then the printer is exposed to every device in the ODL.
Now comes the real »trick« of the whole setup: the routers for the agency and the ODL network (ROUTER 2, ROUTER 3) are each connected with their WAN port to a LAN port of the internet router, so that each router's NAT and firewall sit between its own LAN and everything upstream. The two routers obtain their WAN IP addresses either automatically from ROUTER 1 (requires DHCP to be enabled on ROUTER 1) or we assign them statically. Static addresses are preferable if ROUTER 1 is to forward ports to them, since a changed DHCP lease would silently break the forward.
With that we already have two independent networks. They share the internet connection on ROUTER 1, but neither inner router accepts unsolicited connections on its WAN port, so a client in one network cannot reach a host in the other. The only things reachable across the boundary are whatever is attached to ROUTER 1's LAN, the WAN interfaces of the inner routers themselves, and any ports explicitly forwarded on them (see below). For this to hold, WAN-side administration must stay disabled on ROUTER 2 and ROUTER 3.
In the following step, the two networks need to be configured. Since the agency's network situation must not change dramatically, we simply transferred the existing network configuration (formerly on the Speedport) one-to-one to the new ROUTER 2. Above all, we continue using the same IP address space (192.168.1.x, see below) and give the new agency router's Wi-Fi the same name (SSID).
We set up the new ODL network including Wi-Fi and DHCP according to the lab's requirements. It does not really matter which IP address space this network uses, as long as it is different from the two subnets already in use, in our case:
- ROUTER 1: 192.168.0.x
- ROUTER 2: 192.168.1.x
In order to keep a logical sequence, ROUTER 3 uses 192.168.2.x.
At this point we are done with our network setup and have reached our goal of two separate networks isolated from each other. The protection is provided by the routers' built-in NAT firewalls, so it needs no ongoing maintenance and is as reliable as the routers themselves. On the surface nothing drastic changed for the agency: there is a new router, but it is configured with the same IP address space as the old one, and the Wi-Fi still has the same name; devices that were joined to the old Wi-Fi may have to reconnect once. Our ODL also works with its own standalone LAN and Wi-Fi network.
Before / after, and the devices used
Before:
- Telekom Speedport W723V as modem and router in a VDSL connection
- The Speedport managed the IP addresses of the agency's network (192.168.1.x / 255.255.255.0) and assigned addresses to new devices via DHCP
- In addition, the built-in wireless function (WPA / WPA2 encryption) was used for the agency's Wi-Fi
After:
- We continue to use the Speedport W723V as modem and router and connect to the internet through VDSL with it
- The IP address space managed by the Speedport is changed from 192.168.1.x to 192.168.0.x, so that the existing 192.168.1.x range can move unchanged to the new agency router. The upstream subnet and the agency subnet must not overlap, otherwise ROUTER 2 could not route between its WAN and LAN side.
- DHCP remains active on the Speedport, but we disable its Wi-Fi option
- For our agency network, we now use a DLINK DIR-615 router.
- The new router now manages the IP address space 192.168.1.x / 255.255.255.0 (which we previously had on the Speedport) and also acts as DHCP server.
- In addition, it provides our agency with a WPA / WPA2-encrypted Wi-Fi.
- After some research, we picked the »ASUS RT-N66U N900 Black Diamond« aka »Dark Knight« (not only because of the cool name, obviously) for our ODL. According to reviews, this router has a particularly high data throughput and handles many simultaneous connections. In addition, it has strong wireless transmission power and a stable signal for all devices. In general, however, a simpler router would do as well.
- The ODL router manages the IP address space 192.168.2.x / 255.255.255.0 and provides clients with IP addresses via DHCP.
- For now, we decided to use »WEP« encryption for the ODL Wi-Fi.
At this point it is important to point out that WEP is broken. By capturing enough traffic (an attacker can also inject packets to provoke more of it), the key can be recovered with freely available tools within a few minutes, which gives full access to the ODL network.
Nevertheless, we chose this encryption method because there are still older devices that cannot handle the current WPA / WPA2 standards and thus would not be able to connect to a WPA / WPA2 encrypted WLAN. Since we have such devices at the ODL to run tests with, we had to use an encryption that works for all of them. We minimize the risk of this decision by deactivating the ODL Wi-Fi in idle times and enabling it only when actively running tests. During these times someone could certainly gain illegal access to the ODL network, but such an intruder is then in the same position as any ODL device: the ODL network, ROUTER 1's LAN and the internet are reachable, the agency LAN behind ROUTER 2 is not (as long as no port forwards or WAN-side administration are enabled on ROUTER 2). Where the ODL router supports several SSIDs, only the legacy devices need the WEP network; newer ODL devices should use a WPA2 SSID.
- Port forwarding always needs to be administered twice with this setup: on ROUTER 1 the port is forwarded to the WAN address of ROUTER 2 or ROUTER 3, and on that router it is forwarded on to the actual host. Note that every forward on an inner router is also reachable from the other inner network via that router's WAN address, so forward only what really has to be exposed.
- When operating multiple wireless networks, it helps to put them on different channels (e.g. 1 and 6 for two networks, or 1, 6 and 11 for three, which are the non-overlapping channels in the 2.4 GHz band). Furthermore, all networks should have different names (SSIDs).
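As an added illustration, constructed for this article and not part of the lab's own configuration, the following Python script models which connections the two-router arrangement allows: the isolation of the two inner LANs, the shared upstream LAN on ROUTER 1 that both sides can reach, and the two-hop port forwarding that has to be configured on ROUTER 1 and on the inner router. The subnets are the ones used above; the WAN addresses 192.168.0.2 / 192.168.0.3 of the inner routers, the web server 192.168.1.50 and the forwarded port 8080 are assumptions made for the example. The model also assumes plain consumer NAT routers that drop every unsolicited connection on their WAN port unless a forward exists and that have no WAN-side administration interface.

```python
import ipaddress


def build_topology(expose_agency_web=False):
    """The post's 'after' topology.  Subnets are the post's; the WAN addresses
    of ROUTER 2 / ROUTER 3 and the web server 192.168.1.50 are made up here.
    'forwards' maps a WAN-side port to (target address, target port)."""
    routers = {
        "ROUTER 1": {"lan": "192.168.0.0/24", "wan_ip": None, "forwards": {}},
        "ROUTER 2": {"lan": "192.168.1.0/24", "wan_ip": "192.168.0.2", "forwards": {}},
        "ROUTER 3": {"lan": "192.168.2.0/24", "wan_ip": "192.168.0.3", "forwards": {}},
    }
    if expose_agency_web:
        # The double administration the post describes: ROUTER 1 forwards to
        # ROUTER 2's WAN address, ROUTER 2 forwards on to the actual host.
        routers["ROUTER 1"]["forwards"][8080] = ("192.168.0.2", 8080)
        routers["ROUTER 2"]["forwards"][8080] = ("192.168.1.50", 80)
    return routers


def _lan_of(routers, ip):
    """Name of the router whose LAN subnet contains ip, or None (e.g. internet)."""
    addr = ipaddress.ip_address(ip)
    for name, r in routers.items():
        if addr in ipaddress.ip_network(r["lan"]):
            return name
    return None


def _wan_owner(routers, ip):
    """Name of the inner router whose WAN port carries ip, or None."""
    for name, r in routers.items():
        if r["wan_ip"] == ip:
            return name
    return None


def can_connect(routers, src, dst, port):
    """Can a client at src open a TCP connection to dst:port?  Returns (bool, why).

    Assumed NAT behaviour: an inner router drops every connection arriving on
    its WAN port unless a forward exists, and has no WAN-side admin interface."""
    src_router = _lan_of(routers, src)
    if src_router is None:
        raise ValueError(f"{src} is not inside any modelled LAN")
    owner = _wan_owner(routers, dst)
    if owner == src_router:
        return True, "the client's own router"
    if owner is not None:
        # The client is NATed out onto ROUTER 1's LAN, where the other inner
        # router's WAN port sits; only forwarded ports get through it.
        fwd = routers[owner]["forwards"].get(port)
        if fwd is None:
            return False, f"{owner} drops unsolicited traffic on its WAN port"
        return True, f"forward on {owner} hands the connection to {fwd[0]}:{fwd[1]}"
    dst_router = _lan_of(routers, dst)
    if dst_router == src_router:
        return True, "same LAN"
    if dst_router == "ROUTER 1":
        return True, "hosts on the shared upstream LAN are reachable from every inner network"
    if dst_router is not None:
        return False, f"{dst} is hidden behind the NAT of {dst_router}; nothing upstream has a route to it"
    return True, "public address: leaves through ROUTER 1 to the internet"


def exposed_service(routers, port):
    """Follow a forward for `port` from the internet side of ROUTER 1 hop by hop.

    Returns (host, port, path) for the LAN host that finally answers, or
    (None, reason, path) if a hop lacks the forward."""
    hop, path = "ROUTER 1", []
    for _ in range(len(routers)):          # a chain cannot be longer than the router count
        fwd = routers[hop]["forwards"].get(port)
        if fwd is None:
            return None, f"{hop} has no forward for port {port}", path
        target_ip, port = fwd
        path.append(f"{hop} -> {target_ip}:{port}")
        hop = _wan_owner(routers, target_ip)
        if hop is None:                    # landed on a real host, not another router
            return target_ip, port, path
    return None, "forward chain loops", path


if __name__ == "__main__":
    net = build_topology(expose_agency_web=True)
    checks = [
        ("192.168.2.10", "192.168.1.50", 80),    # ODL client -> agency web server
        ("192.168.1.10", "192.168.2.1", 80),     # agency client -> ODL router
        ("192.168.2.10", "192.168.0.1", 80),     # ODL client -> ROUTER 1 (shared LAN)
        ("192.168.2.10", "192.168.0.2", 8080),   # ODL client -> agency forward via ROUTER 2's WAN port
        ("192.168.2.10", "192.168.0.2", 22),     # ODL client -> ROUTER 2's WAN port, no forward
    ]
    for src, dst, port in checks:
        ok, why = can_connect(net, src, dst, port)
        print(f"{src} -> {dst}:{port}: {'allowed' if ok else 'blocked'} ({why})")
    print("internet:8080 ->", exposed_service(net, 8080))
    print("internet:8080 ->", exposed_service(build_topology(), 8080))
```

Running the script shows the two points worth remembering: an ODL client cannot reach 192.168.1.50 directly, but as soon as port 8080 is forwarded on ROUTER 2 for the internet, the same service is reachable from the ODL network through 192.168.0.2:8080, and a forward that exists on only one of the two routers never reaches the host at all.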
We are aware that our setup is just one of many possibilities. Based on our requirements, it is a workable solution for us. Should you have any suggestions or corrections, please let us know or simply leave a comment; we are always happy about feedback. We wish you good luck and fun configuring your setup!