1

I have an SMB (small-to-medium-business) router (router x) that my workstations run off of in my small business. I wanted to offer my customers wireless internet while they wait for service, so I installed an extra wireless router (router y) that was lying around at home. I plugged router y into router x, so IPs on the 10.0.0.0 network are assigned by router x to all the workstations and to router y. So, for example, router y has IP 10.0.0.128, assigned by router x via DHCP. When a user connects wirelessly to router y, they are assigned an IP by DHCP on router y from the 192.168.0.0/24 network.

My question is: will anyone connected to my router y on the 192.168.0.0/24 network be able to tunnel their way into my 10.0.0.0/24 network through router y?

This is a very similar question, but the only difference perhaps is that it's a WiFi AP and not another router: "Attaching hotspot to existing network - can it be secured?"

1 Answer

4

Yes, they can.

Based on network topology, your protected network should be connected as far away from the Internet as possible. By allowing router Y to be directly connected to router X, all the wireless clients would need to do is run a traceroute, and then they will find out that they are actually connected to your corporate network.

You can try to remedy this by reversing the position of X and Y in the network, so that the wireless clients are connected to the outermost network whilst your business network is in the innermost layer, e.g.:

Internet -> Router Y (wireless) -> Router X (business)

Or, you can keep the same configuration that you mentioned, but place router Y in the DMZ of router X. The DMZ should limit the wireless clients on router Y from connecting to the business network of router X.

2
  • So I tried running the traceroute and didn't see the outer router. So back to associations described in the question, wirelessly connected to router y. But when I traceroute, I don't see the hop through router x, which should be the 10.0.0.0 network. Commented Sep 20, 2013 at 20:11
  • @gh0st: there are routers and network devices that block traceroute packets from returning to the initiating device. However, there are other means of determining the topology of the network, e.g. an Nmap ping scan of the entire 10.0.0.0/24 subnet. Commented Oct 7, 2013 at 15:04
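
An added example, not part of the answer or comments above: a check the network owner can run from a laptop joined to the guest Wi-Fi on router y, to confirm whether the 10.0.0.0/24 business network is actually isolated regardless of what traceroute shows. The function names and the port list are assumptions chosen for illustration.

```python
import errno
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=1.0):
    """Classify one TCP connection attempt as 'open', 'refused' or 'filtered'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        rc = s.connect_ex((str(host), port))
    except OSError:
        return "filtered"
    finally:
        s.close()
    if rc == 0:
        return "open"        # full handshake: the service is reachable
    if rc == errno.ECONNREFUSED:
        return "refused"     # a reset came back, so the packet was not silently dropped
    return "filtered"        # timeout or unreachable: what an isolated guest should see


def isolation_findings(network, ports, timeout=1.0, workers=64):
    """Return {(host, port): state} for every probe that received an answer.

    An empty result is the desired outcome when run from the guest network
    against the business subnet. 'refused' is reported as well as 'open',
    because a reset normally means the packet was routed to the host.
    """
    hosts = [str(h) for h in ipaddress.ip_network(network).hosts()]
    pairs = [(h, p) for h in hosts for p in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda hp: probe(hp[0], hp[1], timeout), pairs)
        return {hp: st for hp, st in zip(pairs, states) if st != "filtered"}


if __name__ == "__main__":
    # Subnet taken from the question; the ports are assumed common services.
    findings = isolation_findings("10.0.0.0/24", [22, 80, 443, 445])
    for (host, port), state in sorted(findings.items()):
        print(f"{host}:{port} {state}")
    print("isolated" if not findings else f"{len(findings)} answers from business subnet")
```

Run it once before and once after changing the topology or DMZ setting; any `open` or `refused` line after the change means guest traffic is still getting an answer from the 10.0.0.0/24 side.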
