Granting one network access to a single subnet on a second network.

Will.I.Am

Junior Member
Dec 6, 2016
Hi, a brief outline of what I mean here. I suppose technically this could be titled "Granting 2 distinct subnets access to a common third without giving access to each other."

We have our own self-contained network infrastructure on a site running various systems, all running off one subnet (192.168.111.x).
The site has its own network, actually part of a wider country-wide network of several sites. There has recently been a new access control system installed, all with its own cabling, but linked into the main site switches so the system can be controlled and monitored by the responsible staff on site (through 1 PC with the control software installed). Each door controller has its own IP, so it's not a single IP address used to access the system, but numerous IP addresses to access each door controller.


My question is, is it possible for the self contained 192.168.111.x to have access to the new access control equipment without it connecting to the rest of the main site network?

Obviously the access control equipment would need to be placed on its own subnet, but the main issue I can see is that there could be a conflict between the existing devices on the 192.168.111.x network and devices on the main site network.

I'm a bit of an amateur when it comes to networking but know that 2 subnets can be linked fairly easily by installing a router on each subnet you want linked, but what we really want here is for the pc on the main site that controls the access system to be able to communicate with the access equipment (even if just this pc can access it) and the 192.168.111.x subnet to be allowed to communicate with the access equipment, but that the 192.168.111.x subnet is not linked to the main site network in any other way so that we still have full control over the ip ranges on our own network.

Is this possible or would the devices on the 192.168.111.x network have to be reconfigured to ensure no clashes with the site network?
 
Feb 25, 2011
Yes, that's possible. Not super-hard. First-year-IT-student router/firewall config stuff. If you don't know how to do it and don't want to learn, you shouldn't have any trouble hiring somebody to do it for you.

Well... except.... you don't have two separate networks with the same subnets, do you? You'd probably need to re-ip one of them. Maybe I'm just reading your post too fast.
 

Will.I.Am

Junior Member
Dec 6, 2016
We have our own network, with its own infrastructure and switches, and its own ip range that thus far has been totally under our own control.

The site has its own IT network, across multiple sites, but in reality that's irrelevant.

There has now been installed a new Access Control system that the site needs to access via an IP address (to run the Access Control management software to issue cards and control who has access to what, etc.).
We also have a piece of management software that monitors all the CCTV, fire alarms, intruder alarms etc. across the site. Currently all this equipment is attached to our own network, so we've assigned IP addresses to all the existing equipment on a single subnet (255.255.255.0, 192.168.111.x).

So yeah, the subnet we've used is already in use on their network. My question was basically, can the access control system be placed on its own subnet, and then can our subnet and one of the site subnets (the one containing the PC that runs the access control management software) both access the Access Control subnet, without our network (with possible conflicting IPs) having a route through to theirs?

Basically, if our subnet is subnet 1, the access control is subnet 2, and the site subnet subnet 3, then I want 1 and 3 to have 2 way communication with 2, but not with each other.


I have no intention of doing it myself, the issue is the on site IT have said it's impossible. I wanted a second opinion since my knowledge of networking is limited to what I have had to learn, and I've never needed more than 1 subnet at home. However I know enough to think that this shouldn't be terribly difficult to implement with a few decent routers and the right routing/firewall settings. But I also know enough to realise that I don't know enough to be sure. Which is why I'm asking people with more knowledge.
 

VirtualLarry

No Lifer
Aug 25, 2001
I don't believe it's possible to route between what are essentially the same subnet on both the local and remote side of a router. This is why some SOHO consumer routers will automagically re-configure themselves to a 10.x.x.x subnet, should they detect the same subnet on both the WAN and LAN.

Edit: Maybe this is possible, using a variant of Carrier Grade NAT?
 
Feb 25, 2011
My question was basically, can the access control system be placed on its own subnet, and then can our subnet and one of the site subnets (the one containing the pc that runs the access control management software) both access the Access Control subnet, without our network (with possible conflicting ips) having a route through to theirs

Ah. First off, stick the security hardware on its own (holy, inviolate, and forever-separate) subnet and VLAN, because that's what you do with anything security-related.

Simple answer: no. The access control hardware (or some router in between that and you) would need to be aware of two different 192.168.111.x subnets, and typical routing tables will not let you specify two destinations for the same destination network.

Honest answer: You could probably do it with a 1:1 NAT, like VirtualLarry mentioned. This would require setting aside another /24 subnet though. And it's way more complicated than just re-IPing your stuff. Not laziness either, just umpteenth level complexity (which has to be documented and maintained forever) for a stupid-simple problem. Avoiding that kind of thing for the good of the organization is the IT guys' job.

The quick and easy (mostly just changing around stuff you control, so nobody else can be in your way) way is to re-IP the subnet(s) you control, including putting the access control hardware on its own LAN, so it meshes with the rest of your clients. Then, gin up a few dead simple routing/firewall rules to allow the security hardware to talk to both networks, but prevent those networks from talking to each other. Done.

The more complex part is getting both organizations to agree to this, sign off on liability waivers, etc., allowing one company to access assets that are owned by the other, determining who's responsible for what, and probably some other legal issues I'm not even thinking of.

I wanted a second opinion since my knowledge of networking is limited to what I have had to learn, and I've never needed more than 1 subnet at home. However I know enough to think that this shouldn't be terribly difficult to implement with a few decent routers and the right routing/firewall settings. But I also know enough to realise that I don't know enough to be sure. Which is why I'm asking people with more knowledge.

**chuckle**
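The "1:1 NAT" route mentioned in the reply above (setting aside a spare /24 and presenting our 192.168.111.x hosts under it on the site side) is worth seeing concretely. The block below is an added example written for this thread, not code from any poster or vendor: it models prefix-preserving 1:1 NAT (what nftables calls netmap) on the router between our network and the site. The spare prefix 10.200.111.0/24 and the site-side destination 192.168.50.7 are constructed for illustration; the real values would be agreed with the site's IT.

```python
"""Added example (not from the thread): how a 1:1 NAT (prefix "netmap")
lets a 192.168.111.0/24 network reach hosts on a site that also uses
192.168.111.0/24, by presenting our hosts under a spare /24 on the far side.
All prefixes below are constructed for illustration."""
import ipaddress

# The prefix that exists on both sides, and the spare /24 the site sets aside for us.
INSIDE_NET = ipaddress.ip_network("192.168.111.0/24")    # our real addresses
OUTSIDE_NET = ipaddress.ip_network("10.200.111.0/24")    # assumed spare prefix (constructed)


def netmap(addr, from_net, to_net):
    """Rewrite the network part of addr from from_net to to_net, keeping the host bits.

    This is the whole trick of 1:1 NAT: host 192.168.111.42 always appears as
    10.200.111.42 on the far side, so no per-connection state is required and
    the mapping can be reversed by arithmetic alone.
    Raises ValueError if the prefixes differ in size or addr is outside from_net.
    """
    addr = ipaddress.ip_address(addr)
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("1:1 NAT needs prefixes of equal size")
    if addr not in from_net:
        raise ValueError(f"{addr} is not inside {from_net}")
    host_bits = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + host_bits)


def translate_outbound(src, dst):
    """Packet leaving our network towards the site.

    Only sources inside INSIDE_NET are rewritten (like a NAT rule with a match
    on the source prefix); anything else passes through untouched. The
    destination (the access-control subnet on the site side) is never changed.
    """
    s = ipaddress.ip_address(src)
    if s in INSIDE_NET:
        s = netmap(s, INSIDE_NET, OUTSIDE_NET)
    return str(s), str(dst)


def translate_inbound(src, dst):
    """Reply coming back from the site: map the spare-prefix destination back to our host."""
    d = ipaddress.ip_address(dst)
    if d in OUTSIDE_NET:
        d = netmap(d, OUTSIDE_NET, INSIDE_NET)
    return str(src), str(d)


def round_trip(our_host, site_host):
    """Request and reply through the NAT; the reply must land on the original host."""
    out_src, out_dst = translate_outbound(our_host, site_host)
    in_src, in_dst = translate_inbound(site_host, out_src)
    return (out_src, out_dst), (in_src, in_dst)


if __name__ == "__main__":
    print(round_trip("192.168.111.42", "192.168.50.7"))
```

The site side only ever sees 10.200.111.x for our equipment, so its own 192.168.111.x hosts stay reachable to it, and our routing table never needs a route to their copy of the prefix. The cost the reply points out is real: the spare /24 must be reserved and documented, and anything that embeds IP addresses inside its payload (some camera and access-control protocols do) will carry the untranslated 192.168.111.x address and break.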
 

Will.I.Am

Junior Member
Dec 6, 2016
Ah. First off, stick the security hardware on its own (holy, inviolate, and forever-separate) subnet and VLAN, because that's what you do with anything security-related.

Simple answer: no. The access control hardware (or some router in between that and you) would need to be aware of two different 192.168.111.x subnets, and typical routing tables will not let you specify two destinations for the same destination network.

Honest answer: You could probably do it with a 1:1 NAT, like VirtualLarry mentioned. This would require setting aside another /24 subnet though. And it's way more complicated than just re-IPing your stuff. Not laziness either, just umpteenth level complexity (which has to be documented and maintained forever) for a stupid-simple problem. Avoiding that kind of thing for the good of the organization is the IT guys' job.

Re-IPing our stuff would involve re-IPing hundreds of devices across different sites (they don't talk to each other, but whatever final solution is found will need to be implemented across multiple sites), and changing their references in several different pieces of software that communicate with them, which will be probably a week's work at least. It may still be the easiest way to get both networks communicating with the access control, but what's the harm in assessing other possible solutions? Setting aside another subnet solely for the access control would involve re-IPing maybe 30 or 40 devices. As for what would be involved on the routing etc., that's why I asked the question.

The quick and easy (mostly just changing around stuff you control, so nobody else can be in your way) way is to re-IP the subnet(s) you control, including putting the access control hardware on its own LAN, so it meshes with the rest of your clients. Then, gin up a few dead simple routing/firewall rules to allow the security hardware to talk to both networks, but prevent those networks from talking to each other. Done.
If by "its own network" you mean its own physical infrastructure, that isn't a simple undertaking either. It isn't a single building; it's multiple buildings spread across a (roughly) 1500 acre site.
We've got our fibre infrastructure, the site has their fibre infrastructure. The access control equipment has to be on one or the other. As I said above, re-IPing our stuff isn't really an option.

The more complex part is getting both organizations to agree to this, sign off on liability waivers, etc., allowing one company to access assets that are owned by the other, determining who's responsible for what, and probably some other legal issues I'm not even thinking of.
Yeah, it's a fustercluck. The easiest solution is to give them a dedicated PC to run the access control management software, but that's too radical.



**chuckle**
Bet you're a real hoot at parties.


I don't believe it's possible to route between what are essentially the same subnet on both the local and remote side of a router. This is why some SOHO consumer routers will automagically re-configure themselves to a 10.x.x.x subnet, should they detect the same subnet on both the WAN and LAN.

Edit: Maybe this is possible, using a variant of Carrier Grade NAT?


The access control system really only needs to be accessed by 2 subnets - ours, and one of theirs. It doesn't need to have a route to or be aware of the 192.168.111.x subnet on THEIR network, only the subnet containing the access control PC. I know it would be impossible if it needed direct communication with the same subnet on 2 different networks, but it doesn't, so I thought it may be possible with the right setup. The WAN IP on both sides will be on different subnets; the only thing I wasn't sure of is whether we could stop packets destined for 192.168.111.x from going through their router and only being able to go through ours.
 
Feb 25, 2011
The access control system really only needs to be accessed by 2 subnets - ours, and one of theirs. It doesn't need to have a route to or be aware of the 192.168.111.x subnet on THEIR network, only the subnet containing the access control PC. I know it would be impossible if it needed direct communication with the same subnet on 2 different networks, but it doesn't, so I thought it may be possible with the right setup. The WAN IP on both sides will be on different subnets; the only thing I wasn't sure of is whether we could stop packets destined for 192.168.111.x from going through their router and only being able to go through ours.
If they only need to be accessing your stuff from a single PC on their side, why not use a VPN so they can "dial in" to your network?

And I _AM_ a hoot at parties.
 

Will.I.Am

Junior Member
Dec 6, 2016
VPN is a possibility, but ideally the management software would be able to run all the time to monitor the logs etc.

Don't think it's happening now anyway; we're just going to add in some additional equipment to the other systems that are connected to our network to monitor and control the access control without directly connecting to it. Not very elegant, but it'll accomplish the same thing, and it's still a lot easier than re-IPing all of our stuff.
 

sdifox

No Lifer
Sep 30, 2005
Put the Access Control System in its own subnet, set up two VPN pipes, one to their subnet, one to yours. It can be permanent.

For multiple sites you would use a hub-and-spoke config: one box in its own subnet runs the server and each site establishes a VPN to it.
 

Will.I.Am

Junior Member
Dec 6, 2016
Does a permanent VPN not then route all traffic through the VPN, meaning whichever machine is connected to the VPN won't be able to communicate with the rest of the devices on its own subnet?
 

sdifox

No Lifer
Sep 30, 2005
Does a permanent VPN not then route all traffic through the VPN, meaning whichever machine is connected to the VPN won't be able to communicate with the rest of the devices on its own subnet?
I thought your locks and system are on their own subnet? Just virtual desktop or VPN to the box when you need to access it. That box can maintain multiple VPN connections simultaneously. You just need to have a planned-out routing table on that box.

I hate networked equipment vendors that assume they own the network.
 

Will.I.Am

Junior Member
Dec 6, 2016
That's the issue. Both of the other networks really need permanent access to the access control equipment. If they only needed momentary access the VPN would be ideal.

I think my question has been answered anyway: there's no simple way to do it without making sure our IP range fits in with theirs. Thanks for the input everyone.
 

sdifox

No Lifer
Sep 30, 2005
That's the issue. Both of the other networks really need permanent access to the access control equipment. If they only needed momentary access the VPN would be ideal.

I think my question has been answered anyway: there's no simple way to do it without making sure our IP range fits in with theirs. Thanks for the input everyone.

Nothing stops you from establishing a permanent VPN link to the access control system. Like I said, hub and spoke VPN setup with the ACS as the hub. Just put your locks on a subnet or VLAN and ensure routing is done correctly, i.e. no connection between the VPNs at the hub.

Even if you are running two instances of ACS and need the ACS instances to talk to each other, you can still set up a hub and spoke VPN just for the ACS instances to talk to each other while still maintaining local access to the ACS.

I know I am giving network engineers a heart attack.
 

Will.I.Am

Junior Member
Dec 6, 2016
I understand it could be done that way to give access to the access control subnet from both the other subnets, but I've only ever really had experience with VPNs with the one I've set up at home, i.e. I connect to the VPN with my phone and I am on my home network and no longer communicating with the other devices on the local network I am attached to.

A similar setup here would allow whatever is connected to the access control VPN to communicate with it, but would then prevent the attached device from communicating with its own network, no?

Unless the router(s) in the access control subnet can be set up to route all packets originating from and destined for the other subnets back to another router on the other subnets?
That still seems to me like it could cause issues if the IP range of our network conflicts with anything on their network, since it could stop anything on their subnet from communicating with those IP addresses on their side?
 

sdifox

No Lifer
Sep 30, 2005
I understand it could be done that way to give access to the access control subnet from both the other subnets, but I've only ever really had experience with VPNs with the one I've set up at home, i.e. I connect to the VPN with my phone and I am on my home network and no longer communicating with the other devices on the local network I am attached to.

A similar setup here would allow whatever is connected to the access control VPN to communicate with it, but would then prevent the attached device from communicating with its own network, no?

Unless the router(s) in the access control subnet can be set up to route all packets originating from and destined for the other subnets back to another router on the other subnets?
That still seems to me like it could cause issues if the IP range of our network conflicts with anything on their network, since it could stop anything on their subnet from communicating with those IP addresses on their side?

No, on MS Server you can have multiple active VPN links and you can isolate those links so they don't see each other.

Similar to this post; the problem he is describing is the behaviour you want:

https://social.technet.microsoft.co...ow-server-2008-r2-and-rras?forum=winserverNIS
 

Will.I.Am

Junior Member
Dec 6, 2016
It's almost what I want, but none of his subnets can see each other. I need 1 & 3 to see 2 but not each other.

Perhaps VPNs could be the answer though. The access control management PC will actually need access to 4 different sites spread across the country, which is why it was put on to their network in the first place (all their sites are linked; their own network spans all their premises), but perhaps with a VPN we could use their high speed link to link our networks together, and move the access control over on to our network infrastructure?

I.e., on each of their 4 sites, we have a router with its WAN on their network with an IP on a dedicated subnet of their choosing, and on the LAN side we have our equipment. The LAN sides are only accessible via a VPN to prevent any devices on their network from having communications with our equipment (which should remove any issues with IP conflicts as long as all of OUR stuff is individually addressed), and have those 4 routers in their own VPN. With the correct routing all of our equipment could communicate across the 4 sites via the VPN, and we could provide them a PC on our network to run the access control software (or they could maybe even dial in to the VPN from their network anyway?).

Some routers allow you to set up a VPN direct on the router, don't they? Or are they only good for running one with a small number of devices?
Taken across the 4 sites there would be maybe 400-500 devices.
 

sdifox

No Lifer
Sep 30, 2005
It's almost what I want, but none of his subnets can see each other. I need 1 & 3 to see 2 but not each other.

Perhaps VPNs could be the answer though. The access control management PC will actually need access to 4 different sites spread across the country, which is why it was put on to their network in the first place (all their sites are linked; their own network spans all their premises), but perhaps with a VPN we could use their high speed link to link our networks together, and move the access control over on to our network infrastructure?

I.e., on each of their 4 sites, we have a router with its WAN on their network with an IP on a dedicated subnet of their choosing, and on the LAN side we have our equipment. The LAN sides are only accessible via a VPN to prevent any devices on their network from having communications with our equipment (which should remove any issues with IP conflicts as long as all of OUR stuff is individually addressed), and have those 4 routers in their own VPN. With the correct routing all of our equipment could communicate across the 4 sites via the VPN, and we could provide them a PC on our network to run the access control software (or they could maybe even dial in to the VPN from their network anyway?).

Some routers allow you to set up a VPN direct on the router, don't they? Or are they only good for running one with a small number of devices?
Taken across the 4 sites there would be maybe 400-500 devices.
Just tell your network admin team what you need and they'll take care of it.

Unless you are it.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
The network admin didn't think there was a solution. I want to offer them one.

Many years ago, before the Internet and the like, we used to get visits in our University Research Labs (we were busy developing the foundation of what turned, years later, into the medical MRI). The visitors were people who had "invented" new theories and scientific solutions and wanted to share them (and sometimes check whether they could cash in on them).

Most of the "claimers" had not really generated anything new and did not really know what they were talking about.

Surprisingly, some of them had developed some high-level stuff that showed they had a stroke of genius.

However, the invention usually did not contribute anything, since they were not aware that it had already been developed decades ago (typically it was complex mathematical/physical equations).

It showed that the "inventor" had potential, but lacking education and mainstream knowledge, the only thing we could do for them was help them into science schools (if they were so inclined).

In other words, if one is not already top of the line in his field, online forums will not ignite his/her genius.



 

Will.I.Am

Junior Member
Dec 6, 2016
Internet forums are great for mutual back slapping etc., but I think they also do a good job at assisting lateral thinking and new ideas, if I'm honest.

Luckily it doesn't take a genius (or a stroke of one) to do that.
 

kalmquist

Member
Aug 1, 2014
Restating the problem: Subnet A is a subnet of the site network. Subnet B is your current private network. Subnet C is a new network that you are going to set up and connect the access control equipment to. You are able to arrange for these three subnets to have different IP addresses. However, subnets A and B may be part of larger networks which contain overlapping network addresses.

You want hosts on both subnet A and subnet B to be able to communicate with hosts on subnet C, but want to avoid enabling any other communications.

First step is to buy a router with three ports. Connect port A to the site network, port B to your existing private network, and port C to subnet C.

Routers normally set up their routing tables by listening to advertisements from other routers. You have to configure the router to provide less connectivity than it would by default.

- Only allow traffic for subnet A to be routed via port A.
- Only allow traffic for subnet B to be routed via port B.
- Reject all packets from port A that are not sent from a host on subnet A to a host on subnet C.
- Reject all packets from port B that are not sent from a host on subnet B to a host on subnet C.
- Advertise on port A that the router forwards packets to subnet C only. Do the same for port B.
- Advertise on port C that the router forwards packets to subnets A and B, or just advertise that the router forwards packets everywhere.

The first rule is necessary because otherwise traffic for subnet B could be routed out of port A and sent to a different subnet with the same IP address range as subnet B. The second rule is included for symmetry and is not strictly speaking necessary.

The next two rules ensure that the router doesn't pass packets between subnet B and the site network. The rule after that ensures that the router won't confuse other routers by claiming to forward packets between the two.

The last rule is for completeness, and is probably what the router will do automatically.

I'm not familiar enough with the current state of the market to suggest a particular router. This is a pretty straightforward configuration, but some routers may not support it. You could accomplish the same thing with a pair of two port routers, which might be less expensive.
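The three-port design in the post above is easy to get subtly wrong, so here is the policy reduced to a small forwarding model. This is an added example written for this thread, not configuration from any poster or router vendor: the prefixes for subnets A (192.168.50.0/24) and C (192.168.200.0/24) are constructed, B is the 192.168.111.0/24 network from the thread, and the route advertisements in rules five and six are not modelled (only the static table and the ingress filters are). The point it makes visible is the first rule: because the table binds each prefix to one port and has no default route, a packet for subnet B can never leave through port A even though the site also uses 192.168.111.x somewhere, and a site-side host that happens to sit in that overlapping range is dropped at port A rather than mistaken for one of ours.

```python
"""Added example (not from the thread): a model of the three-port router
policy for subnets A (site), B (ours) and C (access control). Prefixes for
A and C are constructed; B is the thread's 192.168.111.0/24."""
import ipaddress
from typing import Optional

SUBNET_A = ipaddress.ip_network("192.168.50.0/24")    # site subnet holding the access-control PC (constructed)
SUBNET_B = ipaddress.ip_network("192.168.111.0/24")   # our private network
SUBNET_C = ipaddress.ip_network("192.168.200.0/24")   # new access-control subnet (constructed)

# Static routes: each prefix may leave through exactly one port. There is
# deliberately no default route and nothing is learned from advertisements,
# so a second 192.168.111.0/24 living somewhere behind port A can never
# attract our traffic (the post's first rule).
ROUTES = {"A": SUBNET_A, "B": SUBNET_B, "C": SUBNET_C}


def lookup_egress(dst: str) -> Optional[str]:
    """Return the port dst is routed through, or None when there is no route."""
    d = ipaddress.ip_address(dst)
    for port, net in ROUTES.items():
        if d in net:
            return port
    return None


def forward(ingress: str, src: str, dst: str) -> str:
    """Decide a packet's fate: 'forward:<port>' or 'drop:<reason>'.

    Ingress filters (the post's rules three and four): port A only accepts
    A -> C, port B only accepts B -> C. Port C may answer A or B. Nothing
    ever passes between A and B, and a source on port A that is not in
    subnet A (e.g. the site's own 192.168.111.x hosts) is dropped outright.
    """
    if ingress not in ROUTES:
        return "drop:unknown-port"
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if ingress == "A" and not (s in SUBNET_A and d in SUBNET_C):
        return "drop:ingress-filter-A"
    if ingress == "B" and not (s in SUBNET_B and d in SUBNET_C):
        return "drop:ingress-filter-B"
    if ingress == "C" and not (s in SUBNET_C and (d in SUBNET_A or d in SUBNET_B)):
        return "drop:ingress-filter-C"
    egress = lookup_egress(dst)
    if egress is None:
        return "drop:no-route"
    return f"forward:{egress}"


# Constructed sample traffic: (description, ingress port, src, dst)
SAMPLE_PACKETS = [
    ("site PC to door controller", "A", "192.168.50.10", "192.168.200.5"),
    ("our monitoring host to door controller", "B", "192.168.111.20", "192.168.200.5"),
    ("door controller reply to our host", "C", "192.168.200.5", "192.168.111.20"),
    ("door controller reply to site PC", "C", "192.168.200.5", "192.168.50.10"),
    ("site PC probing our network", "A", "192.168.50.10", "192.168.111.20"),
    ("our host probing the site subnet", "B", "192.168.111.20", "192.168.50.10"),
    ("site host in the overlapping 192.168.111.x range", "A", "192.168.111.99", "192.168.200.5"),
]


def run_samples() -> dict:
    """Evaluate every sample packet and return {description: decision}."""
    return {desc: forward(port, src, dst) for desc, port, src, dst in SAMPLE_PACKETS}


if __name__ == "__main__":
    for desc, decision in run_samples().items():
        print(f"{decision:<24} {desc}")
```

Two things carry over to a real box. The model is stateless, so replies from C are allowed by an explicit C-side rule; on a real firewall you would instead permit established/related return traffic and keep port C's outbound rule tight. And the drop for a 192.168.111.x source arriving on port A is the visible symptom of the overlap the thread is about: logging those drops is a cheap way to find out whether the site's copy of the range is actually trying to reach the door controllers.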
 