  1. #1
    2 Star Lounger
    Join Date
    Feb 2010
    Location
    Iowa, USA
    Posts
    163
    Thanks
    1
    Thanked 1 Time in 1 Post

    How to provide Internet access but prevent network PC/printer access?

    How can I provide internet access but prevent network PC/printer access?


    In our small office, we have several networked PC’s and printers. Some months ago, it became necessary to provide internet access at a 2nd remote rural location about a half mile from the main office. This internet access must NOT include network access to the main office PC’s and printers. So I ran network cable from a LAN port on the office router to the LAN port on a 2nd router in the remote location (using a modem extender). This arrangement seemed to work well. Using PC’s at the 2nd location, I could access the internet but could NOT see or access the PC’s or printers in the main office. Then I took a laptop that was working in the main office to the 2nd location. I printed a page and accidentally selected a printer from the main office, which was still listed as an option. I assumed that a “device not found” error would result, so I was surprised when the page printed correctly on a printer in the main office. How could this be, and what can I do to ensure that PC’s at the 2nd location can NOT access the main office PC’s/printers?

    Thanks in advance for any explanation and suggestions.

  2. #2
    Super Moderator RetiredGeek
    Join Date
    Mar 2004
    Location
    Manning, South Carolina
    Posts
    9,433
    Thanks
    371
    Thanked 1,456 Times in 1,325 Posts
    The laptop was configured for the main office workgroup/domain and you had access to it via the router. As long as computers in the 2nd location are not configured for your workgroup/domain you will not have a problem. You could also turn off the network discovery service on the computers in the 2nd location to make it harder to determine the workgroup name if you are using a workgroup. If you are using a domain ... no worries mate!

    Disclaimer: I'm no network guru but this is my understanding of the situation.
    May the Forces of good computing be with you!

    RG

    PowerShell & VBA Rule!


  3. #3
    Lounge VIP
    Join Date
    Apr 2011
    Location
    Scotland
    Posts
    1,168
    Thanks
    44
    Thanked 134 Times in 115 Posts
    Without knowing the finer details of your network configuration it's difficult to be sure.

    I assume the router at the remote location uses a different subnet to the main office?

    If you are using static IP's and the router at the remote site was forwarding packets, then the laptop that was taken to the remote site would still have been able to communicate with the printers at the main site even if a separate subnet was established.

    If the router at the remote office is only configured as a switch rather than a router (i.e. there is no separation through subnetting), it will provide no isolation between the two network segments and a small trip up in the workgroup and/or network sharing settings will leak data as Retired Geek suggests.
    In God we trust; all others must bring data.

    - William Edwards Deming. 1900 - 1993

  4. #4
    WS Lounge VIP
    Join Date
    Dec 2009
    Location
    Earth
    Posts
    8,164
    Thanks
    47
    Thanked 976 Times in 906 Posts
    Having a cable from the office router to the 2nd office will always provide main office network access unless you segregate the network. You can use a VLAN to do this but it's not simple.

    1. Set a port on the main router as VLAN 10. Connect this to the remote router.
    2. Set the internet port on the main router as a trunk.
    3. Set all the remote router ports as VLAN 10.

    All traffic from the remote office will only go to the internet port on the main router, not the rest of the office.

    cheers, Paul

  5. #5
    2 Star Lounger
    Thanks to all who responded. I'm sorry that I'm not very experienced in setting up networks. It's not clear to me what a subnet is so I suspect it's not present. All I did was plug the cables in.

    I can say, however, that when I select "View Workgroup Computers" (on XP) on a PC at the remote site, no PC from the main site appears, so it's not clear to me how the common workgroup name could be the problem (I AM using workgroups, not domains). Similarly, even when I type the network address (for the main office PC's) in the browser bar at the remote site, the PC at the remote site doesn't find the main office PC's. Is there some other way to make or find a connection from the remote PC to the office PC's?

    I'm also hazy about static IP's, although I suspect this is the case for the networked printers, but I'm not sure how to tell. To set up these printers, all I did was run a utility provided by Canon and everything worked after that.

    In any event, the question that remains for me is how does the PC at the remote site access the home office printers, but cannot apparently even see the home office PC's.

    Thanks for any further thoughts and suggestions.

  6. #6
    WS Lounge VIP
    The explanation is rather long - I'll type it up if you like, but it'll take a day or two.
    The bottom line is the main office is not advertising at the remote site because you have two routers, but the networks are still linked and can see each other.

    cheers, Paul

  7. #7
    2 Star Lounger
    Thanks, Paul, for your comments. I really would like to understand what's going on, so if you have time to explain it in the next few days, that would be great. If there is some simple tutorial I can look at, I would be glad to do that too.

    Thanks again.

  8. #8
    5 Star Lounger
    Join Date
    Dec 2003
    Location
    Burrton, KS, USA
    Posts
    833
    Thanks
    0
    Thanked 2 Times in 2 Posts
    The following is a way to do it using only residential equipment. This will result in the networks being double NATed which will break some advanced internet use such as Port forwards to the internal network and VPN tunnels. All normal internet browsing and email should work with this.

    You will need three routers.


    Internet modem
    v
    v
    Router 1
    v . . . . . . v
    v . . . . . . v
    Rtr 2. . . . Rtr 3
    v . . . . . . . v
    v . . . . . . . v
    Your. . . . . Their
    network . . network


    The WAN (or internet) port on router 1 connects to the modem, The WAN ports of routers 2 and 3 connect to the LAN ports on router 1. I would set the internal (LAN) network address on Router 1 to 10.0.0.1

    I would set the external IP address on router 2 as 10.0.0.2 and the LAN address to the current gateway address you are using on your network.

    I would set the external IP address on router 3 as 10.0.0.3 and the LAN address to the current gateway address they are using on their network.

    This setup will allow you to use the single IP address from your ISP and split it to two other routers. You will have both your and their network isolated from each other with the firewalls in routers 2 and 3.

    If your ISP will assign two IP addresses on a single connection, you can put a Switch in place of Router 1 and leave the WAN ports on routers 2 and 3 set to obtain an IP automatically. This would eliminate the double NAT issue on your network.

  9. #9
    5 Star Lounger
    I would suspect that today you have it set up with their router plugged directly into your network. The firewall in the router acts somewhat like a one-way valve allowing data to flow out but not in. That gives you something like this (the arrows indicate the direction data can flow freely).

    internet
    ^
    ^
    Your router
    ^
    ^
    Your network
    ^
    Their router
    ^
    ^
    Their network


    As you can see, Their network is not accessible by you but your network can be accessed by them.......
    Last edited by mercyh; 2012-05-18 at 10:07.
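The two layouts from posts #8 and #9, modelled as an added example (not code from the thread) that treats each NAT router as the one-way valve described above. It assumes the downstream routers really are routing and doing NAT, with no port forwards configured; the segment names are labels invented for the example.

```python
# Added illustration, not code from the thread. Segment names are labels
# invented for this example.

# Each entry is one NAT router: (segment on its LAN side, segment on its WAN side).
DAISY_CHAIN = [                      # layout described in post #9
    ("their_network", "your_network"),
    ("your_network", "internet"),
]
Y_SPLIT = [                          # three-router layout from post #8
    ("your_network", "transit"),     # router 2
    ("their_network", "transit"),    # router 3
    ("transit", "internet"),         # router 1 (its LAN side is the 10.0.0.x range)
]

def reachable_from(segment, routers):
    """Segments a host on `segment` can open connections to.

    A NAT router passes connections started on its LAN side out of its WAN
    port and drops unsolicited connections arriving on the WAN port, so a
    host reaches its own segment plus every segment upstream of it.
    """
    upstream = dict(routers)
    path = [segment]
    while path[-1] in upstream and upstream[path[-1]] not in path:
        path.append(upstream[path[-1]])
    return path

def can_reach(src, dst, routers):
    return dst in reachable_from(src, routers)

def isolated(a, b, routers):
    """True only if neither segment can open connections into the other."""
    return not can_reach(a, b, routers) and not can_reach(b, a, routers)

if __name__ == "__main__":
    for name, topo in (("daisy chain", DAISY_CHAIN), ("Y split", Y_SPLIT)):
        print(name, "their_network ->", reachable_from("their_network", topo))
        print(name, "isolated:", isolated("your_network", "their_network", topo))
```

In the Y layout both office networks can still reach the shared transit segment, which is where router 1's management page lives, so that router needs a strong admin password.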

  10. #10
    WS Lounge VIP
    Nice explanation.

    I would not set the IP on the 2 routers, you won't be able to manage them unless you also set DHCP to the 10 range.
    I would also use a switch instead of router 1 - double NAT could be a world of pain and the extra router doesn't add a benefit in any other way.

    cheers, Paul

  11. #11
    5 Star Lounger
    "I would also use a switch instead of router 1"
    This recommendation is situational.... (I actually have a network set up this way myself).

    The caveat is that your ISP (Internet Service Provider) can issue two IP addresses on one modem. How their network is set up will determine this.

    I live in rural Kansas, USA and we have several Wireless ISPs that use PPPoE as their connection protocol. The connection is created on the router with a user name and password. (It actually is a type of dialup connection that the router does.) In this situation you have to use a router to create the connection and then NAT that connection to the other segments of the network.

    If Paul's suggestion works, it is preferable to my suggestion.

    "I would not set the IP on the 2 routers, you won't be able to manage them unless you also set DHCP to the 10 range."
    The interesting thing is that you actually CAN manage router 1 from inside the #2 and #3 network. The same reason that currently your network is not isolated also makes router 1 available. You will not see that router if you look at network devices in Windows 7 as it is on a different segment; however, if you type the IP of router 1 into a browser it should bring up the management window for it. If the IP of router 1 is the same as routers 2 and 3 this will not work as those routers will not look for that IP outside of their own segments because it already exists there.

    Also, some routers will not work correctly if the same subnet is used on the WAN and LAN interfaces. If the routers are all the same brand, from the factory they will be set up with all the same subnets.
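A check for the addressing pitfalls raised in this post, written as an added example rather than anything posted in the thread. The 10.0.0.1, 10.0.0.2 and 10.0.0.3 addresses come from post #8; the /24 prefix lengths and the 192.168.x.x LAN ranges are assumptions made for the example.

```python
# Added illustration, not code from the thread.
import ipaddress as ip

def check_plan(r1_lan, edge_routers):
    """Validate addressing for routers hanging off router 1's LAN ports.

    r1_lan:       'addr/prefix' of router 1's LAN interface.
    edge_routers: {name: {'wan': 'addr/prefix', 'lan': 'addr/prefix'}}
    Returns a list of problem strings; an empty list means no conflict found.
    """
    problems = []
    r1 = ip.ip_interface(r1_lan)
    used = {r1.ip: "router 1"}
    for name, cfg in edge_routers.items():
        wan, lan = ip.ip_interface(cfg["wan"]), ip.ip_interface(cfg["lan"])
        if wan.ip not in r1.network:
            problems.append(f"{name}: WAN {wan.ip} is outside {r1.network}")
        if wan.ip in used:
            problems.append(f"{name}: WAN {wan.ip} duplicates {used[wan.ip]}")
        used.setdefault(wan.ip, f"{name} WAN")
        # Same subnet on both sides: the router cannot tell inside from outside.
        if lan.network.overlaps(wan.network):
            problems.append(f"{name}: LAN {lan.network} overlaps WAN {wan.network}")
        # Router 1's address also exists locally, so it is never looked up upstream.
        if lan.ip == r1.ip:
            problems.append(f"{name}: LAN address {lan.ip} shadows router 1")
    return problems

# Plan from post #8 (prefix lengths and LAN ranges are assumed).
THREAD_PLAN = {
    "router 2": {"wan": "10.0.0.2/24", "lan": "192.168.1.1/24"},
    "router 3": {"wan": "10.0.0.3/24", "lan": "192.168.2.1/24"},
}
# Constructed "same brand, factory defaults" case.
FACTORY_DEFAULTS = {
    "router 2": {"wan": "192.168.1.2/24", "lan": "192.168.1.1/24"},
}

if __name__ == "__main__":
    print(check_plan("10.0.0.1/24", THREAD_PLAN))
    for line in check_plan("192.168.1.1/24", FACTORY_DEFAULTS):
        print(line)
```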

  12. #12
    WS Lounge VIP
    If your ISP requires a router that logs into their network you can use that router as a switch by putting it in bridge mode - most routers allow this.

    cheers, Paul

  13. #13
    2 Star Lounger
    Thanks again for your additional comments. In fact, today I did as an experiment what mercyh said: I went to my remote location, and logged into the router there. Then I found the "Routing Table Entry List" which listed the IP address for the "WAN Gateway". Then I entered this IP address into my browser, and sure enough, the Control Panel for the main office router appeared after I entered the correct router username/password. Then I found the "DHCP Client Table" on the main office router which listed all the PC's in the main office along with their IP address on the main router. But I couldn't figure out how to go further. Is there a way from the remote location to enter the IP address of the main router, and then the IP address of an office PC in order to see/access the shared folders on that PC?

    And more directly relevant to my original question is there an easy way to prevent that from happening? I don't think it's likely to happen since a casual user will not know the router username/password, but I'd still like to prevent it. mercyh mentioned a two router arrangement, although I would like to avoid adding another router. Paul T mentioned VLAN but I have to confess that I did not understand what he said. I think the question is: is there anything I can do to the main office router to ensure that one of the LAN ports is sent directly to the internet and is NOT accessible to/from any device (PC or Printer) attached to any other LAN ports (or connected wirelessly)?

    Thanks again.

  14. #14
    5 Star Lounger
    "I think the question is: is there anything I can do to the main office router to ensure that one of the LAN ports is sent directly to the internet and is NOT accessible to/from any device (PC or Printer) attached to any other LAN ports (or connected wirelessly)?"
    That depends entirely on how advanced your main office router is. Can you give us the brand and model number?

    Many business grade devices allow multiple untrusted ports to be assigned. You won't find this capability on a residential grade device though.......

    The VLAN capabilities that Paul mentions require not only a commercial grade router but also VLAN capable switches and of course someone that knows how to configure them.
    Last edited by mercyh; 2012-05-14 at 23:13.

  15. #15
    2 Star Lounger
    The main office router is a Cisco/Linksys E1000. I think it is a pretty basic router.
