Author Topic: Best approach to segregate 2 network connections on 1 PC?  (Read 753 times)


Offline mapleLC (Topic starter)

  • Frequent Contributor
  • **
  • Posts: 326
  • Country: us
Best approach to segregate 2 network connections on 1 PC?
« on: April 07, 2023, 09:55:41 pm »
Where would you handle keeping the 2 connections separated?

My home network is comprised of 3 LAN ranges.  2 are normal, just separating my home stuff from lab stuff.  The third is a "DMZ" network with a VPN only connection that is available on a network switch, meaning anything that plugs into that switch gets a DHCP address and access to the internet is VPN only.

The problem is crossover, this is an area of networking I don't understand.  It seems like a router thing, but is it firewall, routes, NAT?

I'd like to have a second NIC on a PC that is tied back to my lab's LAN, but can access the DMZ resources.  The requirement is that nothing on that DMZ network can bleed over to my lab's LAN.  I am not sure what the best place to configure this on my network is.

Anyone have a suggestion?  Let me know what other detail I can provide.

 

Offline ejeffrey

  • Super Contributor
  • ***
  • Posts: 3810
  • Country: us
Re: Best approach to segregate 2 network connections on 1 PC?
« Reply #1 on: April 08, 2023, 04:45:32 am »
Drawing a diagram really helps, both to get things straight in your own mind, and to ask others for help.

It's definitely possible to add a second NIC to your PC and connect it to multiple subnets.  However, I generally prefer not to do this.  It's much better IMHO to have each "client" device live only on a single subnet, and use the firewall / router rules to implement access control.

NAT is generally for your main internet connection only.  Assuming you have a standard home internet connection with a single public IPv4 address, you will need to NAT any outgoing traffic at your internet router, but you shouldn't need to use address translation within your local setup.  Each of your 3 subnets should have their own unique address range, chosen from any of the various local address options, and access control set by firewall rules on your router.  The way you set this up depends on what router you are using. 
 
The following users thanked this post: mapleLC
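As an added illustration of the approach ejeffrey describes (router-side access control between subnets, with each device on one subnet), here is a small Python model of a router's forward chain with connection tracking. This is my own example, not code from any poster in this thread and not a RouterOS export; the three zone ranges, the file-share and SSH ports, and the rule ordering are constructed assumptions. It shows why a lab PC can open a connection to a DMZ share and receive the replies, while nothing in the DMZ can open a connection toward the lab, and it prints the equivalent shape of RouterOS `/ip firewall filter` rules for adapting to real addresses.

```python
import ipaddress

# Constructed ranges, one per subnet, chosen not to overlap; not the poster's real addressing.
ZONES = {
    "home": ipaddress.ip_network("10.0.10.0/24"),
    "lab":  ipaddress.ip_network("10.0.20.0/24"),
    "dmz":  ipaddress.ip_network("172.16.0.0/24"),
}

# Which zone may open NEW connections to which. Everything else between local
# zones is dropped; replies are matched by connection state, not by a rule of their own.
ALLOW_NEW = {("lab", "dmz")}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the local ranges counts as internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


class StatefulForwardFilter:
    """Model of a router's forward chain with connection tracking (hypothetical, simplified)."""

    def __init__(self):
        # Connections the router has already accepted, keyed by 5-tuple.
        self.conntrack: set[tuple] = set()

    def forward(self, src: str, sport: int, dst: str, dport: int, proto: str = "tcp") -> str:
        key = (proto, src, sport, dst, dport)
        reply = (proto, dst, dport, src, sport)
        # Rule 1: traffic belonging to a tracked connection is accepted in both directions.
        if key in self.conntrack or reply in self.conntrack:
            return "accept:established"
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        # Rule 2: only the listed zone pairs may open new connections.
        if (src_zone, dst_zone) in ALLOW_NEW:
            self.conntrack.add(key)
            return "accept:new"
        # Rule 3: any other traffic between two local zones is dropped.
        if src_zone in ZONES and dst_zone in ZONES:
            return "drop"
        # Internet-bound traffic is governed by separate egress/NAT rules, outside this model.
        return "not-matched"


def render_routeros_rules() -> list[str]:
    """Emit the same policy as RouterOS /ip firewall filter commands (order matters)."""
    rules = ["add chain=forward connection-state=established,related action=accept"]
    for src, dst in sorted(ALLOW_NEW):
        rules.append(f"add chain=forward src-address={ZONES[src]} dst-address={ZONES[dst]} "
                     f"connection-state=new action=accept")
    for src in ZONES:
        for dst in ZONES:
            if src != dst and (src, dst) not in ALLOW_NEW:
                rules.append(f"add chain=forward src-address={ZONES[src]} "
                             f"dst-address={ZONES[dst]} action=drop")
    return rules


def demo() -> dict:
    """Constructed flows: a lab PC talking to a DMZ share, and the directions that must fail."""
    fw = StatefulForwardFilter()
    return {
        "lab_to_dmz_share": fw.forward("10.0.20.5", 51000, "172.16.0.10", 445),
        "dmz_reply":        fw.forward("172.16.0.10", 445, "10.0.20.5", 51000),
        "dmz_to_lab_ssh":   fw.forward("172.16.0.10", 40000, "10.0.20.5", 22),
        "home_to_lab":      fw.forward("10.0.10.7", 40001, "10.0.20.5", 22),
        "lab_to_internet":  fw.forward("10.0.20.5", 40002, "203.0.113.9", 443),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
    print("\n".join(render_routeros_rules()))
```

The policy is the usual three-rule shape: accept established/related first, accept the few new-connection directions you want, drop everything else between local ranges. Opening another direction later (say home to lab) is one more entry in `ALLOW_NEW` rather than a new NIC, and the explicit drops mean a DMZ host never gets to initiate anything toward the lab even though its replies to lab-initiated connections flow back normally.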

Offline mapleLC (Topic starter)

  • Frequent Contributor
  • **
  • Posts: 326
  • Country: us
Re: Best approach to segregate 2 network connections on 1 PC?
« Reply #2 on: April 08, 2023, 11:18:44 am »
> Drawing a diagram really helps, both to get things straight in your own mind, and to ask others for help.

This is close to AS IS.  The DMZ is on an island with temporary access via a direct cable wired to the 2nd NIC on my desktop.


> It's definitely possible to add a second NIC to your PC and connect it to multiple subnets.  However, I generally prefer not to do this.  It's much better IMHO to have each "client" device live only on a single subnet, and use the firewall / router rules to implement access control.


I should connect the 2 routers together directly (as in diagram) then use the routers in conjunction for the access to the DMZ, right?  From dealing with these guys over the years but never setting any of it up with them, this is more or less how I remember the best practice.  I should cascade the connections using firewall rules, and allow network access to the DMZ via that new link.

I love this answer because I couldn't pick a weaker skill than RouterOS and routers in general.


> NAT is generally for your main internet connection only.  Assuming you have a standard home internet connection with a single public IPv4 address, you will need to NAT any outgoing traffic at your internet router, but you shouldn't need to use address translation within your local setup.  Each of your 3 subnets should have their own unique address range, chosen from any of the various local address options, and access control set by firewall rules on your router.  The way you set this up depends on what router you are using.

When you can ping you have NAT, when you can resolve you have DNS, I think it goes like that.

Each subnet has a range: 2 are 10 dots and the DMZ is 176.16 dot. I don't do anything incoming, just 80/443.

Both routers are Mikrotik/RouterOS.  Winbox is a pretty fantastic tool, but boy, they could put a wizard or two in the software for the little guy.  Just basic internet was a 2 day ordeal.

 

Offline mapleLC (Topic starter)

  • Frequent Contributor
  • **
  • Posts: 326
  • Country: us
Re: Best approach to segregate 2 network connections on 1 PC?
« Reply #3 on: April 09, 2023, 11:29:08 am »
I'm testing this idea as a setup, what are the flaws?

I have Proxmox set up on a machine with 2 network cards. Apache Guacamole is installed, and it has access to the 3 separate LANs, but they are never actually joined.  There ARE 2 NICs joined on a physical machine, but they are never networked together (?).

I'm not sure the logic works:

Apache Guacamole is like remote desktop in a browser, but can do much more, like SSH.

The NICs never interact with each other on the virtual machine. The 2 NICs are there to establish connections only, and the connections are not only remote, they are segregated from each other as you are simply "viewing" the virtual machine on a segregated network via HTML5 and a browser.

With this setup I can access any machine from my desktop while it remains strictly on its 10.x LAN with no connection to the 176.x network.

The last thing left is file sharing.  I poked a share in the DMZ using SAMBA, and it works.

For the moment, here is an example of what this can do:

Via a browser, I can access a remote machine on my DMZ which I use specifically for email.  My email and any potential risks stay in the DMZ, and I can selectively pull or push attachments via a file share.  I can also drag and drop, but have not fleshed that out as it seems a browser crash waiting to happen. The benefit of this is I never interact with email behind my LAN anymore, it never leaves the DMZ, so if I need to click a link, or finish a signup, or anything, it's always in a VPN environment segregated from my network.

Edit: I guess I failed to put forward a thesis on why this approach is better than doing it at the router.  The router is a hacking target and provides easy tractability of the network. Using 2 segregated NICs, the connection between the networks is obscure because not even the router being probed knows about the other network unless it appears in ARP somehow.

« Last Edit: April 09, 2023, 11:41:28 am by mapleLC »
 

Online nctnico

  • Super Contributor
  • ***
  • Posts: 27435
  • Country: nl
    • NCT Developments
Re: Best approach to segregate 2 network connections on 1 PC?
« Reply #4 on: April 09, 2023, 11:59:43 am »
> Where would you handle keeping the 2 connections separated?
>
> My home network is comprised of 3 LAN ranges.  2 are normal, just separating my home stuff from lab stuff.  The third is a "DMZ" network with a VPN only connection that is available on a network switch, meaning anything that plugs into that switch gets a DHCP address and access to the internet is VPN only.
>
> The problem is crossover, this is an area of networking I don't understand.  It seems like a router thing, but is it firewall, routes, NAT?
>
> I'd like to have a second NIC on a PC that is tied back to my lab's LAN, but can access the DMZ resources.  The requirement is that nothing on that DMZ network can bleed over to my lab's LAN.  I am not sure what the best place to configure this on my network is.
>
> Anyone have a suggestion?  Let me know what other detail I can provide.

The solution is as simple as you think: add an extra network card in the PC and you are done. The only things to be aware of are to configure the default gateway for the network card that has the IP range from your internet router and make sure the IP ranges don't overlap. If the IP ranges overlap, then your computer doesn't know where to send network traffic to.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 
The following users thanked this post: mapleLC

Offline mapleLC (Topic starter)

  • Frequent Contributor
  • **
  • Posts: 326
  • Country: us
Re: Best approach to segregate 2 network connections on 1 PC?
« Reply #5 on: April 09, 2023, 02:43:52 pm »
> Where would you handle keeping the 2 connections separated?
>
> My home network is comprised of 3 LAN ranges.  2 are normal, just separating my home stuff from lab stuff.  The third is a "DMZ" network with a VPN only connection that is available on a network switch, meaning anything that plugs into that switch gets a DHCP address and access to the internet is VPN only.
>
> The problem is crossover, this is an area of networking I don't understand.  It seems like a router thing, but is it firewall, routes, NAT?
>
> I'd like to have a second NIC on a PC that is tied back to my lab's LAN, but can access the DMZ resources.  The requirement is that nothing on that DMZ network can bleed over to my lab's LAN.  I am not sure what the best place to configure this on my network is.
>
> Anyone have a suggestion?  Let me know what other detail I can provide.

> The solution is as simple as you think: add an extra network card in the PC and you are done. The only things to be aware of are to configure the default gateway for the network card that has the IP range from your internet router and make sure the IP ranges don't overlap. If the IP ranges overlap, then your computer doesn't know where to send network traffic to.

But both have routes to the internet.  That's the problem.  So would leaving off the default gateway in the network interface eliminate the route and force the VPN?
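To make nctnico's two points (one default gateway, no overlapping ranges) and the question just above concrete, here is an added example of my own, not code from any poster, that builds a dual-homed host's routing table in Python and runs the longest-prefix lookup every IP stack performs. The addresses (a 10.x lab range and a 172.16.x DMZ range, gateways at .1) are constructed for the example, not the poster's real ranges, and the NIC names are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    gateway: Optional[str] = None   # None means directly connected


# Constructed dual-homed host: NIC "lab" on a 10.x range, NIC "dmz" on a 172.16.x range.
# Not the poster's real addressing. Each NIC's DHCP lease also offers a gateway.
NICS = {
    "lab": ("10.0.20.5/24", "10.0.20.1"),
    "dmz": ("172.16.0.5/24", "172.16.0.1"),
}


def build_table(nics: dict, use_gateway_on: set) -> list:
    """Host routing table: one connected route per NIC, plus a default route only for
    the NICs whose offered gateway the host is configured to accept."""
    table = []
    for iface, (cidr, gw) in nics.items():
        table.append(Route(ipaddress.ip_interface(cidr).network, iface))
        if iface in use_gateway_on:
            table.append(Route(ipaddress.ip_network("0.0.0.0/0"), iface, gw))
    return table


def lookup(table: list, dst: str) -> list:
    """Longest-prefix match. Returns every route tied for the longest prefix, so a
    tie (two default routes) is visible instead of being silently broken by metric."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return []
    best = max(r.prefix.prefixlen for r in matches)
    return [r for r in matches if r.prefix.prefixlen == best]


def egress(table: list, dst: str) -> str:
    """Which NIC a packet to dst leaves on, or why that cannot be decided."""
    routes = lookup(table, dst)
    if not routes:
        return "unreachable"
    if len(routes) > 1:
        return "ambiguous:" + "/".join(sorted(r.iface for r in routes))
    return routes[0].iface


def overlapping_nics(nics: dict) -> list:
    """Pairs of NICs whose subnets overlap; nctnico's 'computer doesn't know where to send' case."""
    nets = {i: ipaddress.ip_interface(c).network for i, (c, _) in nics.items()}
    names = list(nets)
    return [(a, b) for idx, a in enumerate(names) for b in names[idx + 1:]
            if nets[a].overlaps(nets[b])]


def demo() -> dict:
    both = build_table(NICS, {"lab", "dmz"})      # host accepted both offered gateways
    lab_only = build_table(NICS, {"lab"})         # host ignores the DMZ NIC's gateway
    return {
        "both_gw_internet": egress(both, "203.0.113.9"),
        "lab_gw_internet":  egress(lab_only, "203.0.113.9"),
        "lab_gw_dmz_host":  egress(lab_only, "172.16.0.10"),
        "lab_gw_lab_host":  egress(lab_only, "10.0.20.7"),
        "overlap_clean":    overlapping_nics(NICS),
        # Constructed bad config: a /8 on a second NIC swallows the lab /24.
        "overlap_bad":      overlapping_nics({"lab": ("10.0.20.5/24", "10.0.20.1"),
                                              "other": ("10.0.0.9/8", "10.0.0.1")}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result}")
```

With two default routes the model reports a tie; a real OS breaks that tie by interface metric, which is exactly the kind of silent choice you do not want deciding whether internet-bound traffic leaves through the VPN-only segment. With only the lab gateway installed, everything that is not on the directly connected 172.16.x/24 leaves via the lab NIC, and only hosts inside that DMZ range are reached through the second card. Note that the DMZ switch's DHCP server will keep offering its gateway on every lease, so the client end has to be told not to install it, and the overlap check is worth running once whenever a range changes, since an overlapping pair gives the host no unambiguous route for addresses in the shared part.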

 

