Segmenting (?) a LAN?

gglave

Hi Everyone,

I look after a small LAN for a small rural resort. They've got a
handful of computers plugged into a Linksys BEFSR41
(http://tinyurl.com/a99bl) router for network & internet connectivity.

I'm looking for some way to set things up so that if this resort
"shares" its internet connection with a few neighbours they can't "see"
the other computers on the LAN, nor can the neighbours see each other's
computers. The computers at the resort should still be able to see
each other.

Can anyone recommend a (hopefully inexpensive) piece of hardware to
accomplish this? I know I could probably research some kind of a Linux
box to manage the traffic, but I'd prefer to have some kind of small
dedicated piece of equipment that doesn't risk a hard disk failure,
power supply failure etc. as I'm six hours away and the folks at the
resort are computer illiterate.

Thanks in advance.

Cheers,
Geoff Glave
Vancouver, Canada
 
How will the neighbors connect to the network at the resort? Will they
dial-in or do they live close enough that Wi-Fi might work?

Networks can be isolated by using multiple routers, i.e., the resort
computers would all connect to the LAN side of one router. The WAN side of
that router and the neighbors would connect to the LAN side of another
router. The WAN side of that router connects to the Internet source. This
will isolate the resort from the neighbors and, by setting appropriate
firewall rules, isolate the neighbors from one another, but that doesn't
solve the problem of connecting the neighbors to "their" router.

Disclaimer: I am not a networking expert and I'm sure there are other
better solutions. Hopefully, someone with more knowledge will chime in.
 
You need a LAN Router (which is not a NAT Device) to sit between the network
segments. The router then uses ACLs to only allow normal web traffic to
pass across it (http, https, ftp). Microsoft Networking does not run on "web
protocols" so they won't "see" each other.

You are almost worried about nothing anyway. The different systems are not
the same workgroup and not the same Domain so they don't have permissions to
each other's "stuff" anyway,...so "seeing" or not "seeing" is pretty much
irrelevant. If they are using a workgroup model then those don't work
properly over subnets anyway.

Even Domain browsing doesn't work over subnets without *everyone* using a
WINS Server so that each subnet would have its own Master Browser that would
send list updates to the Domain Master Browser. And then once all that
finally worked,..absolutely nothing useful would happen until the Share &
NTFS permissions were set on the resources.

So to make a long story short,...even if you *wanted* them to "see" each
other and work together you would have a lot of work ahead of you and a
bunch of hoops to jump through. So worrying about them seeing each other in
this situation really isn't much to get very excited about.


--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/prodtechnol/isa/2004/deploy/dgisaserver.mspx
 
Many of the newer Linksys devices support "Access Point Isolation" mode,
where each port in the router and/or each wireless connection believes and
sees itself as the only computer available on the network, blocking browsing
and pinging and such.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm
 
Just to muddle things up, if you're just going to share Internet, you can
get any ole' broadband router. Whether it's wireless or not, just plug the
WAN side into the current LAN. The only thing is to be sure the two routers
are on different IP networks (subnets). That will "double NAT" the folks
behind the second router and keep them from being able to browse or connect
to computers on the resort's network. Like ALL free public Internet access,
it's the user's choice whether or not to connect to it. They'll have to be
responsible for their own security.

....kurt
 
> Just to muddle things up, if you're just going to share Internet, you can
> get any ole' broadband router. Whether it's wireless or not, just plug the
> WAN side into the current LAN

Research has shown this seems like the easiest solution. If I
configure things correctly, router "B" (for the neighbours) should get
its IP in the 192.168.1.x range from router "A". I can then configure
router "B" to dole out 192.168.100.x IPs (or whatever).

My only question is does this create a risk whereby a user on the
192.169.100.x subnet could manually change their IP to a 192.168.1.x IP
and then be able to "see" the PCs on subnet A? I assume not...?

Cheers,
Geoff Glave
Vancouver, Canada
 
Simple, cheap, and a fairly clean method.
I like it.
Have to make sure, I suppose, that you don't end up with two of these boxes
that force the use of 192.168.0.*. I thought some of those devices didn't
give you a choice, maybe it is not as common with newer ones.
 
> Have to make sure, I suppose, that you don't end up with two of these boxes
> that force the use of 192.168.0.*. I thought some of those devices didn't
> give you a choice, maybe it is not as common with newer ones.

Yes - This is a concern, but I may be able to mix-and-match brands to
get around this. For example, I'm pretty sure the Linksys at the
resort is doling out 192.168.1.* whereas a netgear I have in my junk
box doles out 192.168.0.* and I think my friend's D-Link doles out
dot-one-hundreds. I think :)

Cheers,
Geoff Glave
Vancouver, Canada
 
The newer Linksys routers are fully-configurable for starting address,
active range, netmask, etc. I think they have always been but I can't say
for sure.

--
Richard G. Harper [MVP Shell/User]
 
No security issue. Manually changing the IP address behind the second router
will just kill their Internet access.

....kurt
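The double-NAT layout kurt describes, and Geoff's question about a neighbour hand-typing a 192.168.1.x address, can be checked with a small forwarding model. The Python below is an added example, not code from anyone in this thread. It assumes a router B whose WAN port sits on router A's 192.168.1.0/24 LAN, ordinary consumer NAT behaviour (no port forwards, no UPnP, and a router that only NATs sources from its own LAN subnet), and a hypothetical `block_upstream_lan` rule on B that stands in for the kind of ACL Phillip mentions. All addresses are constructed to match the thread; the "public" ones are documentation-range values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

IP, Net = ipaddress.IPv4Address, ipaddress.IPv4Network
RFC1918 = [Net("10.0.0.0/8"), Net("172.16.0.0/12"), Net("192.168.0.0/16")]

@dataclass(frozen=True)
class Router:
    name: str
    lan: Net                       # subnet served on the LAN ports
    lan_ip: IP                     # gateway address on that subnet
    wan_ip: IP                     # address the WAN port was given upstream
    upstream: Optional["Router"]   # router whose LAN the WAN port plugs into; None = ISP
    block_upstream_lan: bool = False  # hypothetical firewall rule, see _forward()

@dataclass(frozen=True)
class Host:
    name: str
    segment: str  # name of the router whose LAN ports this host is cabled to
    ip: IP
    prefix: int
    gateway: IP

def subnets_clash(a: Router, b: Router) -> bool:
    """kurt's one configuration rule: the two routers must not share an IP network."""
    return a.lan.overlaps(b.lan)

def _forward(router: Router, dst: IP, from_lan: bool) -> str:
    """What a NAT router does with one packet (assumed: no port forwards, no UPnP)."""
    if not from_lan:
        # NAT keeps state only for connections its LAN started; an unsolicited
        # packet arriving on the WAN port has no mapping and is dropped.
        return f"dropped at {router.name}: unsolicited inbound on WAN side"
    if router.upstream is None:
        if any(dst in n for n in RFC1918):
            return f"dropped past {router.name}: private address {dst} has no route on the Internet"
        return f"reaches the Internet via {router.name} as {router.wan_ip}"
    up = router.upstream
    if dst in up.lan:
        # Outbound traffic is NATed to router.wan_ip and lands on the upstream LAN.
        if router.block_upstream_lan:
            return f"dropped at {router.name}: rule blocks LAN -> {up.lan}"
        return f"delivered to {dst} on {up.name}'s LAN (source seen as {router.wan_ip})"
    return _forward(up, dst, from_lan=True)

def trace(host: Host, dst: IP, routers: dict, hosts: list) -> str:
    """Follow one packet from a host, starting with what its NIC can actually reach."""
    net = ipaddress.IPv4Interface(f"{host.ip}/{host.prefix}").network
    seg = routers[host.segment]
    # What answers ARP on the wire the host is plugged into: other hosts on those
    # ports, the segment router's LAN address, and the WAN port of any router cabled in here.
    wan_ports = {r.wan_ip: r for r in routers.values() if r.upstream is seg}
    on_wire = {h.ip for h in hosts if h.segment == host.segment} | {seg.lan_ip} | set(wan_ports)
    if dst in net:
        if dst in wan_ports:
            return _forward(wan_ports[dst], dst, from_lan=False)
        if dst in on_wire:
            return f"delivered on-link to {dst}"
        return f"dropped: {dst} is inside {net} but nothing on this wire answers ARP for it"
    if host.gateway not in net:
        return f"dropped: gateway {host.gateway} is not inside {net} (no route to host)"
    if host.gateway != seg.lan_ip:
        return f"dropped: {host.gateway} is not the router on this wire, nothing forwards for the host"
    if host.ip not in seg.lan:
        return f"dropped at {seg.name}: source {host.ip} is outside {seg.lan}, replies could not come back"
    return _forward(seg, dst, from_lan=True)

def build_topology(block_rule: bool = False):
    a = Router("A", Net("192.168.1.0/24"), IP("192.168.1.1"), IP("203.0.113.10"), None)
    b = Router("B", Net("192.168.100.0/24"), IP("192.168.100.1"), IP("192.168.1.50"), a, block_rule)
    hosts = [
        Host("resort-pc", "A", IP("192.168.1.20"), 24, IP("192.168.1.1")),
        Host("neighbour", "B", IP("192.168.100.20"), 24, IP("192.168.100.1")),
        # Geoff's worry: a neighbour who hand-types a 192.168.1.x address, either
        # keeping router B as gateway or guessing router A's address.
        Host("rogue-gw-b", "B", IP("192.168.1.77"), 24, IP("192.168.100.1")),
        Host("rogue-gw-a", "B", IP("192.168.1.78"), 24, IP("192.168.1.1")),
    ]
    return {"A": a, "B": b}, hosts

def run(block_rule: bool = False) -> dict:
    """Run the cases the thread argues about; returns one verdict per case."""
    routers, hosts = build_topology(block_rule)
    by = {h.name: h for h in hosts}
    internet = IP("198.51.100.7")  # constructed destination somewhere on the Internet
    def t(src, dst):
        return trace(by[src], dst, routers, hosts)
    return {
        "subnets clash": subnets_clash(routers["A"], routers["B"]),
        "neighbour -> internet": t("neighbour", internet),
        "resort -> neighbour": t("resort-pc", by["neighbour"].ip),
        "resort -> B wan": t("resort-pc", routers["B"].wan_ip),
        "rogue-gw-b -> internet": t("rogue-gw-b", internet),
        "rogue-gw-a -> internet": t("rogue-gw-a", internet),
        "rogue-gw-b -> resort": t("rogue-gw-b", by["resort-pc"].ip),
        "neighbour -> resort": t("neighbour", by["resort-pc"].ip),
    }
```

Calling `run()` gives kurt's answer in detail: a neighbour who types a 192.168.1.x address either loses the gateway (192.168.100.1 is no longer on-link) or ARPs for 192.168.1.1 on a wire where only router B answers, so the only effect is lost Internet access, and a 192.168.1.20 destination is "on-link" for that host but nothing on B's ports has the address. It also shows the limit of double NAT: resort hosts have no route to 192.168.100.x and router B's WAN address drops unsolicited traffic, so the neighbours are hidden from the resort, but a correctly configured neighbour can still open a connection to a resort address through B. That direction needs a rule on B (`run(block_rule=True)` in the model, an ACL of the kind Phillip describes on real hardware).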
 
Most newer SOHOs will let you configure the LAN to be on any network,
limited to a /24 or smaller subnet mask. Some more expensive ones will let
you config anything you want, but will limit the number of concurrent
sessions.

...kurt
 