Separating LAN from Internet

Gadgetpriest (Novice Member, UK, joined Aug 23, 2016)
I am totally new to networking and am totally baffled on how I can go about separating a LAN with network storage from the internet.

I have 2 x NIC's. Both are connected to separate routers/modems. NIC1 wired to first router is connected to the internet, (directly plugged in). NIC2 is not. My NAS storage is connected to the router on NIC 2. The problem is the second router that is not plugged into the internet can still be used to access the internet. Is there a way to make it completely isolated?

Is there an idiots guide anywhere to do this?

Windows 11
 
Separating one network (LAN) from another is what "routers" do. For SOHO routers, (which contain a load of other functions as well as a routing engine,) additional layers of protection are put on top of that by the firewall that's built in.

The firewall in SOHO routers usually ships such that no connections are permitted inbound (from anything on the Internet to anything on your LAN - across the WAN-to-LAN path) but all connections are permitted outbound - ie anything on your LAN can initiate a connection to anything on the Internet (LAN-to-WAN.) Generally SOHO kit lacks the functionality to prevent any outbound connections.

Are you sure both your "routers" are functioning as routers and you are not using one of them effectively as an ethernet switch..? If you post up a network diagram (it doesn't need to be pretty) and/or tell us the IP addresses of your kit, we should be able to figure it out.

There's a block diagram of the innards of a typical SOHO router attached to the "Using Two Routers Together" FAQ pinned in this forum.
 
At this point, I question why you even have a second router? It sounds like you could just have a switch with NIC2 and your NAS on it, with the proper IP settings. This would be a set of IP addresses on a subnet completely different from the one NIC1 is on, which is what Bolosun is getting at. As mickevh says, a diagram of sorts would help greatly. Are there more PCs or devices you haven't mentioned?
 
Thank you all for the help so far. As I said I am fairly tech minded but have very little knowledge of networking.
I have now realised that having two Routers means that the PC is trying to deal with them both trying to assign it an IP.
My original thought was that the second one would only serve the NAS's.
My setup is: Router 1. Serves 1 PC and WIFI. It also serves a non managed dumb switch which connects to my 2 x PC's and TV. Originally it also connected to my WD My Cloud drives which as you may probably know are no longer safe to be connected to the internet. They are fairly new and encrypted so it would be a real hassle to buy new NAS's and transfer all the data across so I thought I would put them on a separate network not internet connected.
Both Routers are supplied by my ISP which is BT here in the UK. I initially thought I could plug the WD NAS's directly into the second NIC port on my PC but of course then they would not be assigned an IP so I could not access them. So now I am back to the beginning.
ajohnson30's suggestion seems like the answer, but if I get it wrong and set the NAS with an IP I cannot connect to, then the only way to regain access would be to reset the NAS and risk losing all my data. Maybe it is time I got a professional in.
 
The mechanism of DHCP, which automates the process of ascribing IP addresses, distributes IP addresses to "network interfaces" (NIC's) not "devices" (DHCP has no concept of "devices.")

A device with multiple NIC's needs multiple IP addresses (one for each NIC) whether it gets them using DHCP or by any other method (such as manually assigning them.)

There are some technologies to bind multiple (physical) NIC's together under a single IP address, but whilst your NAS may support them (it may be called something like Link Aggregation or NIC Teaming) your BT routers certainly don't and both ends of such links need to play nice together.

A DHCP Server (there's one in both your routers) will offer IP addresses to anything that requests one, it does not matter whether the requestor is "directly connected" to any particular device: As long as the request for an IP address can reach a listening DHCP Server, it will respond.

Multiple DHCP Servers on a network is possible, but generally in the SOHO use case it's best to only have one - not least because you really need to know what you are doing with multiple DHCP Servers and you could do with DHCP Servers that are much more customisable than the really basic ones included in a SOHO "router" that are designed to "just work" and offer little if any control.

I fear you may be tying yourself in knots over-thinking this. To echo @MaryWhitehouse and others, it might be better to tell us (holistically) what you are trying to achieve and thence we can advise you how best to go about it, or even if it's possible with the equipment you have. And a network diagram with some IP addresses would still be really useful.

If you lose NAS access because you screw up the IP addressing, don't panic: We can work around it and/or fix it. You should not need to reset your NAS to recover from it. But it won't be easy or pretty.
 
From the sounds of it, the OP is concerned about some of the security issues with older Mycloud devices and wants to disconnect them from the net, but still be able to access them locally.

These issues are documented, but attacks are rare and Mycloud OS 5 overcomes the vulnerability in any case, so a better solution might be to update to the later OS and turn off the Internet connectivity settings on each drive, so they are only locally accessible.
 
Yes this is exactly it. Unfortunately though my unit is only five years old it cannot be updated to OS 5. WD has made them redundant
 
Is it possible to 'shuck' (is that the right term) the drive out of the WD into something else? Also it may be possible to fix the WD's IP address and then block any incoming connections. Someone with more modern network knowledge can say if that's safe but I'd do it.
 
There are a couple of ways these hacks normally work. In the case of mycloud for a very quick read the vulnerability appears to be affecting those users that allow access to their files from the internet. If you have this enabled then disable it asap.

The other way is if your device reaches out to the internet and ends up on a compromised site.

In either case your ISP supplied router also has a firewall. By default this won't allow traffic in from the internet so it will block incoming "attacks". If you enable the mycloud internet access then the NAS will talk to the router, often via a system called UPnP (Universal Plug and Play), to ask for the firewall to allow access to the NAS. You can often check what rules have been requested. Other services such as online gaming might need UPnP but you could always disable it on the router.

With ISP routers though there is sadly limited configuration that you can do but ideally you want to block access to the internet for the nas too. Parental control might be a “fix” in that you effectively set the nas as a child and block access to it.

Would need model numbers etc though of routers.
 
I think I may have figured out your infrastructure: It sounds like you have a client PC with two NIC's in it, one NIC connected to your "main" network and another connected to a second network that only hosts your NAS...

ISP<-->[WAN]router1[LAN]<--->[NIC1]PC[NIC2]<-->[LAN]router2[LAN]<-->NAS

The "main" network (LAN) is between router1 and your PC's NIC1 (and includes everything else connected to that network) and the "second" network (LAN) is between the PC's NIC2 and your NAS (and anything else connected to that network, if there is anything.)

Such a configuration is fine; however, you need to ensure there are no IP addressing conflicts for it to work properly.

In IP internetworking (with a small "i") each LAN on the network (called a subnet in IP jargon) must have a different and unique network address. (Incidentally the same is true on the public Internet (with a big "I.").)

If both your routers have been obtained from the same ISP, then there's a very good chance they have both shipped using the same IP subnet address for their LAN's - very probably some form of 192.168.X.Y. That will cause problems as the routing in your PC will be screwed up.

The "fix" is pretty simple - you just need to change one of your routers to use a different IP subnet to the other. You could change either router, but it's probably simplest to change the one serving your NAS subnet as there are fewer devices connected to it and so doing will not affect anything on your main subnet.

Note the IP addressing of your "main" subnet - particularly what its "X" is. Physically disconnect your PC from the main subnet (NIC1 as I've drawn it) and let NIC2 and your NAS acquire IP addresses from router2 - you might need to reboot them to force a refresh.

Then navigate to the admin screen of router2 using its LAN IP address - one reason for disconnecting NIC1 whilst we do this is to ensure you don't accidentally reach router1.

Once there, change router2's LAN IP address to a different subnet from that you noted earlier. IE, change the LAN IP address so that the "X" is different to the main subnet. It could be anything between 0-255, but it's best to make it as "obvious" as possible.

As a worked example, IIRC BT ship their routers pre-configured to use 192.168.1.Y. So the "NAS" subnet could be anything from 2-255, (technically you could also use 0,) so to pick a number out of the air at random I'll choose 55. So router2 gets its LAN address changed to 192.168.55.1 (subnet mask 255.255.255.0.) So doing may (should) cause it to change its DHCP range - but check it just the same. It may then need a reboot to take effect - indeed it's probably a good idea to reboot the router in any case.

Having effected the change, you need to force your NAS and PC (NIC2) to acquire new DHCP leases from the now changed router2 - so probably reboot them again (still disconnected from NIC1.) Once rebooted, check that they now have 192.168.55.Y IP addresses and check you can access your NAS.

Once that's all verified, plug PC NIC1 back in and everything should be sorted.

Alternatively, if both your PC and NAS have gigabit ethernet NIC's or 10/100 NIC's that can do something called auto-MDI/MDI-X (most do these days - it sorts out cable crossing automatically) you could dispense with router2 entirely and cable your NAS direct to your PC's NIC as @ajohnson30 suggested previously. However, in such a configuration, as you now no longer have a DHCP Server on the "second" subnet, you will have to manually configure both your NAS and PC (NIC2) with suitable IP addresses. That's easy peasy on a Windows PC, but if your NAS has no capacity to attach a screen and keyboard to "configure" things, you may not be able to manually set it up with (what "in the business" we call) a "static IP address."
 
I think I understand this. Thanks for such a clear explanation.
My present setup is:
NIC1 - Router 1 - internet 192.168.1.254 255.255.255.0
Unplug disconnect this and plug in router 2 to NIC2
set the second router to 192.168.55.1 255.255.255.0
reboot everything with NIC1 unplugged
plug in NIC1
And hopefully it should all work.

I'll let you know thanks again.
 
Thank you. One of the vulnerabilities as I understand it is that somehow they are able to hijack the firmware update connection to the NAS and as it is proprietary hardware there is no way of installing any other.
 
I think I understand this. Thanks for such a clear explanation.
My present setup is:
NIC1 - Router 1 - internet 192.168.1.254 255.255.255.0
Unplug disconnect this and plug in router 2 to NIC2
set the second router to 192.168.55.1 255.255.255.0
reboot everything with NIC1 unplugged
plug in NIC1
And hopefully it should all work.

I'll let you know thanks again.

That sounds about right.

There's a couple of other ways to achieve the same result, but this process probably involves the least amount of fiddling with IP address settings and should get you there fastest.

Incidentally, once it's working, I'd visit the DHCP Leases on router2 and tick the box for the lease of your NAS that says "always give this device the same IP address" or words to that effect. With such a small subnet, it's highly unlikely the NAS would ever get assigned a different IP address, but for the amount of effort required to tick the option, it's worth it for peace of mind.
 
You don't need the second router, it's not serving any purpose.

Windows has (had) a horrible default setting when it came to devices with multiple NICs; it enabled IP routing between the NICs.

If you really want to use the second router, check that its DHCP server can set the pool to 192.168.55.0, otherwise tbh I'd use 192.168.2.0/24. I'd also disable the wifi. And don't forget to both apply and save the settings.

You mentioned that the NAS no longer receives updates, but you are concerned that a firmware update connection might be hijacked.
If it no longer receives updates, then what is there to hijack?
You can block the URL or IP address of the update site on the router - or indeed, prevent any traffic from the NAS exiting the router's WAN interface.
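An added example, not code from anyone in this thread, that models two points made above: mickevh's warning that two routers on the same 192.168.X.Y subnet leave the dual-homed PC's routing "screwed up", and the note just above about Windows enabling IP routing between the NICs. It builds the PC's effective route table from constructed interface data (addresses, gateways and metrics are made up; the lowest-metric tie-break is the Windows behaviour assumed here), looks up where NAS traffic would leave, and runs a plan check. The subnet-clash check is the thread's point; flagging a default gateway on the NAS-side NIC and IP forwarding on the PC are this example's own additions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Nic:
    """One interface as the PC sees it after DHCP (constructed data)."""
    name: str
    address: str              # e.g. "192.168.1.10/24"
    gateway: Optional[str]    # default gateway offered by that NIC's router, or None
    metric: int = 25          # interface metric; lower wins a tie (assumed Windows-style)

    @property
    def network(self) -> IPv4Network:
        return ip_network(self.address, strict=False)


Route = Tuple[IPv4Network, str, int]   # (destination, interface, metric)


def routing_table(nics: List[Nic]) -> List[Route]:
    """Routes the PC ends up with: one on-link route per NIC plus a
    default route for every NIC whose router handed out a gateway."""
    routes: List[Route] = []
    for n in nics:
        routes.append((n.network, n.name, n.metric))
        if n.gateway is not None:
            routes.append((ip_network("0.0.0.0/0"), n.name, n.metric))
    return routes


def route_lookup(dest: str, routes: List[Route]) -> Optional[str]:
    """Longest-prefix match, ties broken by lowest metric, then by
    installation order. When both NICs sit on the same /24 the two on-link
    routes tie on prefix length and the metric alone decides, so NAS
    traffic can leave through the Internet-facing NIC."""
    d = ip_address(dest)
    matches = [r for r in routes if d in r[0]]
    if not matches:
        return None
    matches.sort(key=lambda r: (-r[0].prefixlen, r[2]))  # stable: keeps install order on ties
    return matches[0][1]


def check_plan(main_nic: Nic, nas_nic: Nic, ip_forwarding: bool) -> List[str]:
    """Problems with a dual-homed layout, as plain strings (empty list = OK)."""
    problems: List[str] = []
    if main_nic.network.overlaps(nas_nic.network):
        problems.append(f"subnet clash: {main_nic.network} overlaps {nas_nic.network}")
    if nas_nic.gateway is not None:
        problems.append("NAS-side NIC has a default gateway; the PC may try to reach "
                        "the Internet through router2")
    if ip_forwarding:
        problems.append("IP forwarding is enabled on the PC; it would route between "
                        "the NAS subnet and the Internet-facing subnet")
    return problems


def demo() -> dict:
    """Before: both BT routers on 192.168.1.0/24. After: router2 moved to
    192.168.55.0/24 and the NAS-side NIC left without a gateway."""
    nic1 = Nic("NIC1", "192.168.1.10/24", "192.168.1.254", metric=25)
    clash = Nic("NIC2", "192.168.1.11/24", "192.168.1.254", metric=35)
    fixed = Nic("NIC2", "192.168.55.11/24", None, metric=35)

    before = routing_table([nic1, clash])
    after = routing_table([nic1, fixed])
    return {
        "before_nas_via": route_lookup("192.168.1.50", before),   # "NIC1": the wrong NIC
        "before_problems": check_plan(nic1, clash, ip_forwarding=False),
        "after_nas_via": route_lookup("192.168.55.50", after),    # "NIC2"
        "after_internet_via": route_lookup("8.8.8.8", after),     # "NIC1"
        "after_problems": check_plan(nic1, fixed, ip_forwarding=False),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

If NIC2 keeps taking DHCP from router2 it will be handed a gateway and the second check fires; either accept that (router2 has no WAN link anyway) or give NIC2 a static address with no gateway, which also removes the second default route from the PC entirely.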
 
Generally SOHO kit lacks the functionality to prevent any outbound connections.

So it's worth checking to see if the router can block outbound. My Post Office router can - I blocked my Sony TV when I first got it as there was quite a bit of snooping going on that I wanted to stop.
 
The lack of control is most common in ISP supplied routers. I know VM, BT and Sky (which between them have 75% of the market) have very limited controls. It's understandable, they don't want uninformed users causing themselves problems by fiddling and generating support calls.
 