Maximum PC

Lately I've been repairing a fair number of PCs, and some of them it's just hardware related, but often times it's something software related (virus, malware, spyware, popups, etc).

Anyway, I have my own home network of about 5 computers on a single router (2 are wireless, and the other 3 are wired). Now what I'm looking to do is create a second network that is completely seperated from my primary home network (for the times when I need to download AV updates or whatever for PC's I'm reparing). I want to try to find a way that so if the computer I'm working on is infected, it doesn't infect my other PCs.

I have Norton 360 on all of my computers (actually it's the comcast version, but pretty much is the same as the retail product minus the online backup services). So I have that protection. But is there a way that I connect two routers together so that I can use one to create a seperate network from my home network for repairing PCs. And also so that I can minimize the risk of infecting my personal computers while fixing another person's PC?

I know it can be done, but don't know if I can create two seperate networks so that both can access the Internet, but not eachother. I also do not want a virus to be able to jump from one to the other network either. So I guess I'd like to make the network that I'm using to repair PCs "unaware" of the network/router that my home PCs are on.

Suggestions?? I think I have all of the needed cables (crossover cables, straight-through cables, etc) and two routers.

There are several ways.

My way would be to have 3 routers. One router (primary) would be connected to the internet and the other 2 routers (secondary) connected to it. Each of the other routers would have different IP strings. Select which one you want to be clean and the other dirty.

Routing would be through one of the secondary routers through the primary router then through your cable or DSL modem to the internet.

Get the picture?

Hope this helps.

well ok, but what about the "dirty" router being plugged into the "clean" router. Would the dirty router be able to detect the "clean" router and infect/access it?

Or is there a way that I can split the connection at the modem (ie, use a switch and then the two routers into the switch (one on a seperate port on switch). Both routers will need to run DHCP either way, and the way you describe, this could be a problem. Because wouldn't I have to turn off DHCP on the first router (that the other two routers plug into), thus making it act like a switch?

Actually, doing the three-router 'tree', you'd still want to have DHCP enabled on it (for its LAN connections), in order to dole out addresses to the other routers. Comcast (like most residential ISPs) tends to not take too kindly to a user putting multiple devices on their network.


Back to your question.... some people do this by daisy-chaining two routers. Sequence goes modem -> 'dirty' (AKA 'guest') router -> 'clean' (AKA 'private') router. This keeps your stuff behind the 'clean' router - anything connected to the first one (dirty) can't see anything behind the second one (clean), as they're separated by that router's firewall.
But! It's a PITA to get anything more complicated than basic internet (web & email) working behind that setup. Game? good luck. Game on Xbox Live? more good luck.

There's a better (read: easier, more secure) way. Got some, ah, obsolete PC hardware laying around? Use it - install Smoothwall Express on that, and use it as your network firewall.
Put your stuff on the Green network, and use the Purple network for the PCs you're working on. Purple is isolated (one-way - Green can see Purple; Purple cannot see Green) at the iptables level.
If you still need wireless, either configure your existing router to run in AP-Only mode (and hang that off of the LAN), or get a wireless AP.

yes, this is sort of what I'm looking for... a way so the computers on the "dirty" router can't see the computers on the "clean" router, but that both routers can still have access to the Internet. Will the firewall on the "clean" router really filter out traffic from the "dirty" router, because I thought that a router can detect any devices (including other routers) plugged into any of it's LAN ports. Or is there a way that you can set up the "clean" router to disregard any traffic from the "Dirty" router's other LAN ports and only accept packets from the WAN connection

And when I'm fixing computers, I never use the wireless, except for my own personal laptop when I'm surfing the web. So basically any other PC is connected by wire.

I guess my who ideal comes down to this: Can a router become infected to a point where it could infect other machine connected to it (wired or wireless)? I know that viruses can travel through a whole network pretty easily, so that's my biggest concern--infecting my good computers while trying to fix someone's infected computer.

Lately I've just be using two seperate routers--when I need to fix a computer, I plug in my generic router (which has no computers plugged into it except for the computer I'm fixing)... and then when I'm done, I go back to using my "good" router that has all of my stuff connected to it. Only problem is that it gets to be a pain some times (switching back and forth between the two because I have to disconnect the wires and reconnect them). I 'm just looking for an easier, and hopefully safe solution.

Could adding a few NICs to an older PC, and turning an older PC (that has AV/Firewall software on it) maybe be a safer route rather than trying to chain multiple routers together (since you'd theoretically have another layer of virus protection between your good computers and the router with the "dirty" computers connected to it)?

That would be a Smoothwall.


(BTW: I can't say that I've ever heard of a router getting infected. A virus would have to be written specifically for that router's firmware, for one... (Windows cooties can only infect, well, Windows.))

HI, can anyone help. I also have the same need (1 internet conection and need 2 separate networks)
The main/privet router is a Lynksys/VPN RV042 the second/public router is a Verizon MI424WR. The privet router needs to be connected to the modem with a fix IP to have outside VPN access to the network, so my only option is to connect the public router to a LAN port of the main/privet router. Problem, anyone on the public router can see all computers on the main router. I changed the subnet mask of the public router network end, but the public router can still see the main network. Any ideas?

What I've found I had to do was just use the guest network on my router for fixing PCs and such. I guess as long as you have good AV software, you shouldn't have to worry. And from what I can see, with guest networks, they cannot access your primary network. I'm not sure if your specific router supports a guest network but I would look into it.

For now, this type of set up suites my needs. The other alternative is to get a second cable/DSL modem and essentially run two internet connections, but that's dependent on if your provider will allow it and you want to pay extra for it (if you even can do it). For example, I think with comcast, I can have a second modem connected to my cable line, but I think I have to pay something like $5 extra per month (not including the modem cost/rental) for another IP address. Verizon/Frontier I don't think allows this though. Comcast I'm pretty sure does, last I checked (which was about a year ago or so).

Actually you can just do this with 2 normal routers without a guest network however that too is a good option as well. The setup would look like this.
______
ISP
--------
|
| <- wan/internet port
_________
ROUTER-1 ("Public" , runs DHCP, subnet 192.168.5.x)
-------------
| < - normal switch port
|
| <- wan/internet port (set to dhcp)
________
ROUTER-2 ("Private" , runs DHCP , subnet 192.168.10.x)
-----------

This way traffic from the public network can hit the internet as well as can the private network. Also the private network can talk to the public one freely but not the other way around.