How to provide Internet access but prevent network PC/printer access?

[mercyh]

I think it is a pretty basic router

Yes, that has none of the capabilities we are discussing here.

If you need true segregation you will need to purchase another piece of equipment, either a switch or a router as discussed above. If you do not feel that there is a high risk of your data being compromised, you may be ok the way you are right now. If the second network is on a different subnet then your network, (your network is 192.168.1.X and the second network is 192.168.5.X for example) the firewall on each of your PC's if properly configured will secure them from access from the other network.

[Paul T]

You already have 2 routers so you may be able to run the physical set up suggested by mercyh in post 8.
If your internet connection is via a modem then you can run the 2 routers direct from the modem, or add a cheap switch if you don't have enough ports on the modem.

cheers, Paul

[Rfarmer]

Thanks again to all who responded. I think mercyh is probably correct that security is good enough the way it is now, but I would still like to understand more clearly what is going on.

Specifically, since I CAN in fact access the main office router from the remote location and also see the IP address of each PC in the main office in the main office router tables, is there any way to access the PC’s directly from the remote location? If so, how do I do that? If not, then why not? Is the Windows firewall on each main office PC the only thing that prevents such access?

What started this whole discussion for me was the unexpected ability to access main office printers from the remote location. This is clearly a two-way communication since the printer informs the remote PC of status and also when the printer finishes its job. Is it somehow possible, therefore, for a main office PC to initiate access to a PC or Printer in the remote location? If so, then how? If not, then how do the main office printers return status to a PC in the remote location?

Also, by the way, when I access the remote router at the remote location, the IP address of this router is 192.168.1.1. When I access the router in the main office from the remote location, then the IP Address of the main office router is : 192.168.2.1, which is different. I’m not sure whether or not this is a “subnet” or what it means if it is.

Thanks for any further explanation.

[mercyh]

That is a little like me driving onto your farm, seeing a bin of corn, and asking how it got there. You could give me the short answer that you put it in there with an auger or you could start with working the ground, fertilizing, planting, etc...

Start with this (all eight pages of it)

http://computer.howstuffworks.com/nat.htm

Once you understand that ask your more specific questions.....

PS> I am getting the planter ready to plant soybeans here....

[Rfarmer]

THanks, mercyh, for the tutorial reference. I read it and some others, then tried entering the IP address of an office PC while I was at the remote location. Sure enough, just like the printers, the office PC's shared folders were displayed, so that's not good. AFter further reading, and also your previous comments, it looks like adding another router is the simplest solution for isolating the two local networks, so that's what I'm going to try. I found an old Netgear router in the back room, so I'll be testing with that in the coming days. Thanks again for all the help, and I think I'm done asking questions for now unless I find something unexpected. I do wonder if it makes a difference whether I plug into the WAN port or the LAN port on the remote router, but I can't think of anything else right now.

[mercyh]

I found an old Netgear router in the back room, so I'll be testing with that in the coming days

First try using the router as a switch like Paul suggested.

Plug a computer directly into one of the LAN ports on the old netgear router. Login to the router's administration page and turn of DHCP server. (you do not want this router to assign IP addresses in this case as you want to get them from your ISP)

Once your settings have taken affect, plug the line from the modem into one of the LAN ports on the old router. (That is correct, for this use you will not use this router's WAN port.)

Plug the cables from the WAN ports on your other two routers to LAN ports on this old netgear router.


If that works, you have your networks isolated and no double NAT issues.........

Good luck,

mercyh

[Rfarmer]

Thanks again, mercyh; I hooked everything up as you described; it all worked and the PC's on the different routers couldn't see each other. I was surprised. Then I realized that the phone company had given us a new DSL modem/router a few months ago after the old one quit. The new one has four LAN ports on the back marked "Eth1", "Eth2", etc. I had just hooked my current router to one of these ports and didn't know what the others were for. This had worked fine for months; now, I suspected that the new DSL modem/router was already doing a NAT inside itself to support up to four isolated networks, so I connected my two routers directly to two of these ports, removing the old Netgear router entirely. I hooked one PC to each router, and sure enough everything still worked (in the sense that I could access the internet. I don't know if other things might NOT work.) Furthermore, the two PC's had the same IP address (192.168.0.100) so that proves (I think!!??) that they are not in the same IP address space but in fact on two different networks. Does all of this make sense to you? If so, then I think I understand what's going on, and there does not seem to be any obvious double NAT problem.

Thanks again.

[mercyh]

You are on two different networks with total segregation now. As long as everything works I would not worry about the double NAT issue. If you ever decide to run your own web or email server and need to forward a port to the internet you may have a headache, however, it is likely that their modem is setup as a bridge so you are actually getting a separate PUBLIC ip address for each network.....

Glad you got it working securely the way you wanted and you (and maybe a few of the rest of us) learned a bit more about networking along the way.