Steffen Ullrich

TL;DR: It is a bad idea to place a vulnerable router on the network in the first place. But depending on the actual vulnerability and on the trust one has in other devices in the network it might be possible to at least reduce the impact of the vulnerability.

From my understanding you are proposing the following setup:

      Internet
         |
       WAN A
    ----------
    |   A    |
    ----------
     |      |
     |      |
     LAN A, WiFi A
     |
     |
       WAN B
    ----------
    |   B    |
    ----------
     |      |
     |      |
     LAN B, WiFi B

Assuming that both routers do NAT from LAN/WiFi to WAN the following observations can be made:

  1. The devices in LAN A and WiFi A are accessible from LAN B and WiFi B, unless an explicit separation is done in router A (which is not even possible with many routers).
  2. The WAN interface of A is accessible from the internet.
  3. The devices in LAN A and WiFi A are not accessible from the internet, unless explicit port forwarding is set up in A.
  4. Because of [3] the WAN interface of B is not accessible from the internet.
  5. Similar to [3], the devices in LAN B and WiFi B cannot be accessed from LAN A and WiFi A due to NAT in router B (assuming no port forwarding is set up).

Based on this:

  • If the router can be exploited from the WAN side, then it would be a bad idea to use it as the internet-facing A. This way all devices in LAN A and WiFi A might be affected, and additionally the internet-facing traffic from devices in LAN B and WiFi B could be impacted. Placing such a vulnerable router inside as B prevents attacks from the internet but still allows attacks from inside LAN A and WiFi A.
  • If the router can be exploited from the LAN side or WiFi (for example by using a CSRF attack run through a browser inside LAN B), then it would be a bad idea to place it as the internal router B. This way not only the devices in LAN B and WiFi B are impacted, but it would also be possible to attack the devices in LAN A and WiFi A. Making such a router internet facing as A instead would still allow attacks from LAN A and WiFi A but no direct attacks against LAN B and WiFi B. But internet-facing traffic from B might still be affected by a compromised router A.
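Observation 1 above notes that keeping LAN B away from the LAN A devices needs explicit support in router A. As an added example (not part of the answer above), this is what that separation could look like as an nftables ruleset on router A, assuming A runs Linux with nftables, that LAN A and WiFi A are bridged as `br-lan`, that WAN A is `wan`, and that B's WAN port is plugged into a separate port `eth2` kept out of that bridge; all interface names are assumptions.

```nft
# Added example for router A; interface names are assumed, not taken from the answer.
#   wan    = WAN A (internet)
#   br-lan = LAN A + WiFi A (bridged, so they reach each other without forwarding)
#   eth2   = dedicated port where router B's WAN interface is attached
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to already accepted connections may flow in both directions.
        ct state established,related accept

        # Router B (and everything behind it) may only talk to the internet,
        # never to LAN A / WiFi A hosts. This is the "explicit separation" of [1].
        iifname "eth2" oifname "wan" accept
        iifname "eth2" oifname "br-lan" drop

        # LAN A / WiFi A keep their internet access as before.
        iifname "br-lan" oifname "wan" accept

        # No accept rule for br-lan -> eth2, so new connections from LAN A
        # toward B's WAN interface hit the drop policy; this narrows the
        # "attacks from inside LAN A" path the answer describes.
    }
}

table inet nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        # NAT for both LAN A and B's traffic toward the internet.
        oifname "wan" masquerade
    }
}
```

Observation 5 still holds unchanged: B's own NAT blocks LAN A from reaching LAN B hosts, and the ruleset above only adds the missing A-side separation.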