How do I isolate PC's? Use a router?
joeWI
05-01-2006, 07:46 PM
Hello,
I have a HughesNet (formerly Direcway) satellite modem connected to a Linksys router (with DHCP) connected to 2 PC's (192.168.11.101 and 192.168.11.102).
I would like to add one or more computers that will be able to access the Internet through the satellite modem BUT cannot access the other computers in any way.
I was thinking I could buy another router and plug it into the existing one. It would get assigned ip 192.168.11.103. Then, turn on DHCP on the second router to assign ip's to the computers connected to it (192.168.15.101, 192.168.15.102, etc.)
Am I doing this right? Will this work? Is there a better way to do this?
The solution needs to be something I can setup and forget as I won't be there a lot of the time to troubleshoot. People need to be able to plug in, use the Internet connection, and walk away without using my computers in any way...files, printers, etc.
Thank you in advance for any assistance you can provide,
Joe
BB_One
05-01-2006, 08:01 PM
All depends on what you mean by not access the other computers, and what form of authentication you are utilizing.
The 2 existing computers, I assume, have file sharing between them, and you do not want the 3rd one to have access to those files/drives, correct?
If correct, question now becomes how do you authenticate file sharing between user 1 and user 2 ?
Login / password ? What OS are they running ?
Simple solution is to password all machines and authenticate file sharing users - hence deny file sharing access to user 3. But allow internet connection.
In short, going with an alternate network is one way, but an expensive way, so to speak, to do it, and it would need to be connected to the satellite modem to be truly secure and effective.
Behind a prime router, PC(s) on the second router can do an easy hack (IP spoofing) to access the other computers, for the second router would have an IP in the same range as the 2 main computers; hence anything behind the second router can spoof to make believe it is part of the prime network, since the serving router (the second one) is obtaining its main IP from the first router and hence is part of the prime network.
joeWI
05-01-2006, 08:30 PM
Thanks for the quick reply.
The computers under my control (101 and 102) are running Windows XP Pro SP1 and Windows Server 2003 SP1 Enterprise Edition. My computers are peer to peer (same workgroup). There is no domain or active directory. There is file sharing between 101 and 102. I have renamed the administrator account with a cryptic password. The guest account has been renamed, then disabled. File sharing is done with a common user account (between the 2 PCs) and password. I could review and increase NTFS security on folder shares, etc.
The guest computers could be anything. I have no control over that.
What I meant by not accessing, I would prefer that 101 and 102 did not show up in network neighborhood on the guest PCs so that no one would know that they are there. If they do show up, then security has to be even tighter to keep nosy people out.
So do I need 3 routers? i.e. Satellite modem to prime router. Then two routers connected to the prime router. My PCs (101 and 102) connected to one of the routers. Guest PCs are connected to the other router.
Or, do I need some other network appliance?
Joe
BB_One
05-01-2006, 09:01 PM
I will let others have the opportunity to offer some suggestions, but on a personal note I would steer clear of the hardware solution you are proposing, and utilize the full benefit of Windows Server 2003 and implement some security in the network.
For some reason you seem concerned about snooping and security, which leads me to ask why you have done such a poor implementation of file sharing, considering that you are more than likely vulnerable to an Internet intrusion as it is?
Security = nothing is common, everything is unique and all access is authenticated. Winserver is a very powerful tool at your disposal to implement a drastic security mode, including authentication on a per user, per machine, per network level.
Last but not the least if nothing suits your concerns - you can always use a Firewall solution and that will hide the 2 pcs from the network....and insert a rule to allow 101 to 102 and vice versa only...
But why spend money on hardware and nightmare when you already have the tools at your disposal ? just need to implement it....
As I said however - let's see what others may have to suggest.
DaveT
05-01-2006, 09:22 PM
I would agree with BB; there is no sense in spending more money on equipment when you have the resources to accomplish the task with your current network.
joeWI
05-02-2006, 05:19 PM
If by utilize the full benefits for WS2003, you mean setting up a domain, that is not possible in this situation. The two computers .101 and .102 can only do peer to peer networking.
Guest computers are just that...guests. Think of friends and friends-of-friends stopping by your house to use your Internet connection while you go to the movies. The guest needs to be able to plug in, use the Internet, and leave. All without any intervention by me.
If the computers are hidden in network neighborhood, the guest will not know they exist, what their network names are, etc. and won't even try to hack in. (You can't hack into something if you don't know it exists.)
Security is already in place. The local administrator account name has been changed and a cryptic password set. The guest account name has been changed and then disabled. There is a Windows account and password that is used to log onto the computers and provides file share access. I believe that is all I can do with Windows and NTFS security in a peer to peer environment.
I do not believe that I am exposed to an Internet intrusion. All computers are behind a router with NAT. To my knowledge, no one has cracked NAT. The router does not allow remote administration and has a long, cryptic password. No computer is in the DMZ, VPN, etc. UPnP is off. Also, I do not use the default numbering of 192.168.1.100 to 149. Any computer that does direct Internet access such as browsing, email, etc. runs Symantec AntiVirus. All other computers do not have antivirus software as there is no source for a direct infection. If a virus infects or spreads from the computers where direct Internet access is done, it won't matter because if Symantec AntiVirus didn't stop it there, it won't stop it on the other computers either. Every now and then, I scan the admin shares (C$, etc.) of these computers with the latest virus definitions.
Is the firewall a separate device? Or, is there a firewall/router combination unit? Does the firewall get connected between the router and 101 and 102?
Another idea:
Is there a way to turn off broadcasting? Perhaps I could turn off broadcasting, assign a permanent IP address to the .101 and .102 computers (outside the router's DHCP address range to avoid conflicts), and add a hosts file entry that associates JOEPC to 192.168.11.101 (for example) so that .101 and .102 can find each other for file sharing. But without broadcasting their network names, .101 and .102 would not show up in network neighborhood. Would they? Would something like that work?
Thanks,
Joe
sodface
05-02-2006, 07:00 PM
I think a way (the best way?) to accomplish this is by setting up vlans on your router.
What model Linksys router are you using? Login to the router and see if you have an area to configure vlans. I don't think you will if you are still using the Linksys provided firmware, but I'm not really sure since I don't have the default firmware on mine anymore so I can't check.
If the options are not there, and you have the right model, you could upgrade the firmware to a modified, third-party firmware like dd-wrt. (http://www.dd-wrt.com/dd-wrtv2/index.php)
Doing this will give you access to many features normally not found on inexpensive routers.
From a cisco doc: (http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/switch_c/xcvlan.htm)
VLANs allow logical network topologies to overlay the physical switched infrastructure such that any arbitrary collection of LAN ports can be combined into an autonomous user group or community of interest.
VLANs also improve security by isolating groups. High-security users can be grouped into a VLAN, possible on the same physical segment, and no users outside that VLAN can communicate with them.
So, you put your private machines on one vlan (one group of ports on the router, say port 1 and 2) and the guest machines on another vlan (another group of ports on the same router, say 3 and 4).
The next challenge is to determine how to do this. I'm still looking for a write-up on it. This post (http://www.linksysinfo.org/modules.php?name=Forums&file=viewtopic&p=41412#41412) is getting close to what we need. We also need to know what model router you have to see if the firmware is upgradeable or not.
I'm very interested in seeing this work. I have multiple computers on my home lan with a modified linksys router, so I can test here when I get a window of opportunity.
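An added example, not code from this thread or from any of the products named in it, modelling the two layouts under discussion: two VLANs with a filtering router between them (sodface's suggestion) versus a second NAT router plugged into the first (joeWI's original plan, which BB_One warned leaves the guest side on the prime network). The addresses are the ones quoted in the thread; the assumptions are that the second router's WAN side gets 192.168.11.103 as joeWI expected, that the private PCs run a host firewall rule of the hypothetical form "accept file sharing from my own subnet only", and that 198.51.100.7 (a documentation address) stands in for an Internet host. The point it makes visible is that a consumer router forwards every outbound flow from its LAN and source-NATs it to its own WAN address, so to .101 a guest looks like another host on 192.168.11.0/24, whereas a VLAN boundary with an explicit guest-to-private drop rule keeps the two groups apart.

```python
"""Model of guest isolation: inter-VLAN filtering vs. a daisy-chained NAT router."""
from ipaddress import ip_address, ip_network

PRIVATE_LAN = ip_network("192.168.11.0/24")   # joeWI's PCs: .101 and .102
GUEST_LAN = ip_network("192.168.15.0/24")     # guest PCs
RFC1918 = (ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16"))
ROUTER2_WAN = ip_address("192.168.11.103")    # assumed DHCP lease for router #2


def zone(addr):
    """Classify an address into the zones the policy reasons about."""
    a = ip_address(addr)
    if a in PRIVATE_LAN:
        return "private"
    if a in GUEST_LAN:
        return "guest"
    if any(a in net for net in RFC1918):
        return "other-rfc1918"   # neither LAN; treat as not-the-Internet
    return "internet"


# Layout 1: ordered, first-match forwarding rules on the router that joins
# the two VLANs. Anything not listed is dropped (default deny).
VLAN_POLICY = (
    ("guest",   "internet", "ACCEPT"),
    ("guest",   "private",  "DROP"),
    ("private", "private",  "ACCEPT"),
    ("private", "internet", "ACCEPT"),
)


def vlan_decide(src, dst):
    """Verdict for a new flow src->dst crossing the inter-VLAN router."""
    for s, d, verdict in VLAN_POLICY:
        if zone(src) == s and zone(dst) == d:
            return verdict
    return "DROP"


# Layout 2: consumer router #2 forwards every outbound flow from its LAN and
# source-NATs it to its own WAN address. It has no notion of "private PCs";
# its WAN side *is* the prime LAN.
def daisy_chain_decide(guest_src, dst):
    """Return (source address the destination sees, verdict of a hypothetical
    host firewall on the destination that trusts its own subnet)."""
    if ip_address(guest_src) not in GUEST_LAN:
        raise ValueError("only guest sources go through router #2")
    seen_src = ROUTER2_WAN                     # source after NAT on router #2
    # A host rule "accept file sharing from my own subnet only" cannot tell
    # this apart from 192.168.11.102 talking to .101.
    verdict = "ACCEPT" if seen_src in PRIVATE_LAN else "DROP"
    return str(seen_src), verdict


def isolation_report():
    """Summarise what each layout lets a guest reach (constructed sample flows)."""
    guest, private_pc, web = "192.168.15.101", "192.168.11.101", "198.51.100.7"
    return {
        "vlan_guest_to_internet": vlan_decide(guest, web),
        "vlan_guest_to_private": vlan_decide(guest, private_pc),
        "vlan_private_to_private": vlan_decide(private_pc, "192.168.11.102"),
        "daisy_guest_to_private": daisy_chain_decide(guest, private_pc),
    }


if __name__ == "__main__":
    for name, result in isolation_report().items():
        print(f"{name:26s} {result}")
```

Running it prints ACCEPT for guest-to-Internet and DROP for guest-to-private under the VLAN policy, and ("192.168.11.103", "ACCEPT") for the daisy-chained layout, which is exactly the gap the thread is trying to close. Note that the VLAN policy has no private-to-guest rule either, so the default deny also keeps joeWI's PCs from reaching guests; add an explicit rule if that is wanted.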
TopHat
05-03-2006, 09:11 AM
Whatever happened to just going into your configuration and selecting, go to the networking option and click off file and printer sharing?
I don't know if this is limited to a PPPOE or whatever it's called though...
joeWI
05-03-2006, 10:09 AM
> Whatever happened to just going into your configuration and selecting, go to the networking option and click off file and printer sharing?
> I don't know if this is limited to a PPPOE or whatever it's called though...
If I turn off file and printer sharing, won't that prevent sharing files between my PCs (i.e. .101 and .102)?
Ideally, I want my PC's to share but I don't want guest PC's to be able to see my computers in network neighborhood, be able to communicate with them, etc. Otherwise, in my opinion, it's an invitation to hack in.
Joe
joeWI
05-03-2006, 10:18 AM
> I think a way (the best way?) to accomplish this is by setting up vlans on your router.
> What model Linksys router are you using? Login to the router and see if you have an area to configure vlans. I don't think you will if you are still using the Linksys provided firmware, but I'm not really sure since I don't have the default firmware on mine anymore so I can't check.
> If the options are not there, and you have the right model, you could upgrade the firmware to a modified, third-party firmware like dd-wrt. (http://www.dd-wrt.com/dd-wrtv2/index.php)
> Doing this will give you access to many features normally not found on inexpensive routers.
> From a cisco doc: (http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/switch_c/xcvlan.htm)
> So, you put your private machines on one vlan (one group of ports on the router, say port 1 and 2) and the guest machines on another vlan (another group of ports on the same router, say 3 and 4).
> The next challenge is to determine how to do this. I'm still looking for a write-up on it. This post (http://www.linksysinfo.org/modules.php?name=Forums&file=viewtopic&p=41412#41412) is getting close to what we need. We also need to know what model router you have to see if the firmware is upgradeable or not.
> I'm very interested in seeing this work. I have multiple computers on my home lan with a modified linksys router, so I can test here when I get a window of opportunity.
Thanks, sodface.
It sounds to me that VLANs will solve my problem. I have to investigate that...even if I have to buy a new router that supports VLANS.
I currently own:
Linksys BEFSR41
Linksys WRT54G
I'm getting into powerline Ethernet at one location and am looking at:
Corinex AV200 Powerline Router
(The AV200 is for consolidation reasons. I don't need it to do powerline Ethernet.)
Thanks,
Joe
sodface
05-23-2006, 12:50 PM
Any update on this joeWI?
joeWI
06-01-2006, 07:22 PM
> Any update on this joeWI?
1. I've installed the Corinex AV200 Powerline Ethernet to get Internet access in adjacent buildings. That gives me anywhere from 17Mbps to 40Mbps, depending on the building but it beats burying wires.
2. I didn't find a firmware upgrade for the Linksys WRT54G that added VLAN's. Perhaps I wasn't looking in the right location or understanding what the offerings were.
3. Managed switches to define the VLANS turned out to be more expensive than I thought.
4. I'm currently looking at Netgear ProSafe WG102 (Newegg $126.99). From what I understand in the manual, it lets you create 8 different SSIDs. There is a setting called "Wireless Client Security Separation" which means "the associated wireless clients will not be able to communicate with each other. This feature is intended for hotspots and other public access situations." Sounds perfect to me. And from what I understand, either router (Linksys WRT54G or BEFSR41) will work as it is a Netgear access point feature, not anything the router needs to know about. Of course, that does not protect my computers from people coming through the Powerline Ethernet. I may simply have to live with that or change my computers to use a wireless connection on a separate SSID.
That's it for now. If I discover anything else, I'll add another reply.
Joe
RyderOCZ
06-01-2006, 07:51 PM
> 2. I didn't find a firmware upgrade for the Linksys WRT54G that added VLAN's. Perhaps I wasn't looking in the right location or understanding what the offerings were.

http://www.dd-wrt.com/dd-wrtv2/index.php?link=downloads
I and my buddy run this.....I love it.....0 issues and I use PPPoE Authentication with a Dynamic IP DSL package.