Help w/ simplifying home LAN setup (w/ subnets)

dxpaap


First, had the network running fine, had a modem / router / firewall w/ one WinXP system directly connected, also had a Netgear router connected which had one WinXP system connected. Then had a 10/100 switch connected to the Netgear w/ one W2K system connected. Worked fine, the two systems behind the Netgear were on the same network (file sharing worked) - the system directly connected to the DSL modem / router was on its own network (couldn't file share with other systems as expected but was trying to figure out how to make that happen - but that's an issue for another time).

Here is what started the big network crash: added a 3rd router/firewall (asking for problems) connected between the DSL router and the Netgear router (wanted this new high speed gaming router to be my main firewall). Internet connectivity still worked at this point for all PCs.

BUT I wanted the new router to be my DNS and DHCP servers, so I turned these off on the main DSL router hoping to avoid multiple servers running along the string of subnets!

Well everything broke!

SO my quest is to have one subnet, that one PC can hide behind, that the other PCs can't access - but use the firewall of the new gaming router (which has a nice feature-rich set of access controls) as the main gate in & out of my LAN (that means not using (turning off?) the access controls of the DSL modem / router). Because of cabling constraints, still need to have the 10/100 switch in the wiring topology.

Any suggestions on how to make this happen?

thanks
 

kevnich2

First, that is the ugliest setup I have yet to see for a home network. Instead of telling us what you need to make this work, how about telling us what your end goal is to have? How many computers do you want to be able to access the internet? I have yet to see a reason for multiple subnets on a home network. If it's to separate one computer for "testing", there are ways to do that but after you tell us if that's what you want to do. But you definitely have more firewall/routers than you need and that's what is screwing everything up. To get it to work properly, take out all but one firewall, on your firewall that you leave in place make sure DNS, DHCP and the firewall are all enabled and then restart your PCs. After that, you tell us how you want things set up?
 

dxpaap

Yup, "ugly" is being nice :)

In fact I did what you suggested, one firewall/router with 3 PCs connected through a switch (the switch is transparent for our configuration purposes, right?).

My issue is that the DSL modem was provided by my ISP - Verizon (it also is a router / firewall), but its firewall features are limited. I bought a new D-Link DGL-4300 gaming router that has much better access control features (auto restrict my teen access...). I'd like this to be my primary (for now, the only) firewall. I assume that it needs to also be the only DNS & DHCP server, but when I turned DNS & DHCP function on the Verizon DSL device - LAN stopped working (guessing the DNS & DHCP functions of the D-Link did not pick up the services?)


Question: is it likely that I didn't or can't turn off the router / firewall capabilities of the ISP device (leaving only a dumb DSL modem)?

Back to your original question of what I want:

1. use the D-Link DGL-4300 as my firewall for all systems
2. create one subnet with one PC (using a second router / firewall) that is still constrained / protected by the D-Link firewall, but is protected from the other PCs connected to the D-Link
 

kevnich2

Just to make sure I understand what you're trying to set up: DSL Modem/Router/Firewall -> D-Link DGL-4300 -> Ethernet Switch -> Main PCs. Also attached to the ethernet switch would be an extra router/firewall for use with a separate PC on a different subnet? In order for this to work correctly, you would need to disable DHCP, DNS and the firewall on the Verizon DSL Modem. On the D-Link, make sure the firewall, DNS & DHCP are enabled. Lastly, ensure DNS, DHCP and the firewall are enabled on your extra router/firewall and connect the extra router/firewall's WAN/Internet port to another port on either the switch or one of the 4 ethernet ports on the D-Link router (it doesn't matter which device). Just be sure you connect the extra router's WAN or internet port. Then connect the separated PC to one of the 4 ethernet ports on the extra router. Keep in mind, you won't be able to access anything but the internet on the separate PC as your larger network will be completely inaccessible.
 

dxpaap

Thanks, yes, that's what I want to do. Will play around with it.

Only one question, on the subnet w/ the one PC (behind the 2nd router) - you said it would be able to access the internet but no devices on the primary network (behind the 1st router):

Is there a way to allow the single PC to access a print server that is on the primary network?

By the way, really appreciate the help everyone has offered to both my posts - links to ezlan.com are very helpful

davep
 

kevnich2

Well to be honest, that kind of defeats the purpose of a separate subnet?? Your primary network will be like the internet to the second router and its purpose is to prevent the internet from accessing that. If you disable the firewall and make sure the subnets can see each other (again, defeats the purpose of a separate subnet). The result you'd get with the setup you're wanting is two separate networks, they wouldn't be able to see each other.

--If it's just a print server that you're trying to access, you can install a secondary NIC in the print server and connect that to your 2nd firewall/router. That would put the print server on both networks.
 

dxpaap

That's not what I intended (to disable the subnet or 2nd firewall). Want to keep the devices (system A & B & a print server) behind the 1st firewall (which is the firewall to the internet) from accessing anything behind the 2nd firewall (System C and an external hard drive). BUT, I'm not concerned about System C accessing system A or B (specifically I'd like system C to access the print server).

My question: is there a way for the 1st firewall to allow system C to access all or a specifically defined device in its subnet? Since we know the IP and MAC addresses of all of the devices - is there an exception table / filter to allow this?
 

kevnich2

Just out of curiosity but what reason do you have for not wanting to access anything being System C?
 

johnos

What you are doing sounds like you are overcomplicating things, and if you do end up getting it going... just imagine the troubleshooting you would have to do when something went wrong later.

Why don't you keep all of the computers on the same subnet (I think this would work... although I haven't done anything like this in a long time, so I may be wrong) and set up PC A and B along with the print server on the one workgroup, and PC C on another workgroup, and then restrict access through Windows using software... We had something like that at one stage (we have the modem and router along with PC A in one room, with a network connection into the other room that hooks up to a Netgear switch which then connects to PC B and C and 2 laser printers shared through PC B).
PC A could access the net, and both PC B and C along with the printers, and it was under the workgroup office 1 for example, while PCs B and C were under the workgroup office2 or something like that. Both B and C could access the net, the printers and each other, but could not access PC A.
PC B and C could see that PC A was sitting there in the other office... but they could not access it... In the end I think I set up an FTP server (the server was blocked from access from outside of our local network on the router and under the settings I bound it to the local network as well, just to be safe) on PC A to get around this so that I could access a folder.

Could you not do something like that... it's much more simple to set up, and if something goes wrong a lot easier to troubleshoot and fix, and makes it easier to change the way your network is set up later on.

And no, I can't remember how exactly to do it, I just know that we had it for a while and now we don't... that's about all I can remember.

Anyway, good luck with whichever road you choose.
 

nweaver

Changing workgroups does nothing for security, you realize that, correct?

Not that the overcomplication spiel was off, I think someone is overthinking this. For a home network, I would just lock down PC C with GPOs, S/W firewall settings, and standard security.
 

kevnich2

I agree with nweaver, this is more complicated than it needs to be. If the only reason you want separate subnets is for security reasons, simply lock down the machines you don't want the other(s) to access through either a firewall or standard XP passwords. For example, if the other two machines are used for kids and machine C is yours, put a password on your account on computer C and then make sure your private data is in your My Documents folder. That way only your account can access your My Documents folder. Plus, when things go wrong (they always do at some point), it'll make things easier to fix.
 

dxpaap

Good advice, was hoping that having two firewalls/routers (to establish a subnet) wouldn't be all that complicated. As nweaver deduced, the system on the subnet is my PC with financial, resume... and other sensitive data. The other PCs are teenager systems, not that I'm concerned that they will intentionally (or even have the interest) access my data - but they run all types of stuff, PTP gaming applications like "Steam" and file sharing software - which I am very concerned about (in terms of impact on my system). If they trash their systems, it's a learning opportunity for them to rebuild :)

Anyway, keeping everything on the same net but using software firewalls and acct passwords may be the easiest - but since I have the extra router sitting around was hoping to use it to increase security - without turning it into a major hassle.

Thanks

By the way, was able to turn off the firewall & DNS / DHCP server capabilities of the Verizon provided DSL modem and stick my NetGear gaming router (with great firewall / access control features) behind the DSL modem to serve as the primary router. Finally something worked :)
 

kevnich2

Good job, that means your Verizon modem is essentially just a DSL modem now. I'd recommend just putting passwords on your PC to keep your data safe. That's what they are designed for anyway. As long as Windows XP and your drive is NTFS, it'll do the job nicely.
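
The cascaded layout discussed in this thread (a main router with systems A, B and the print server, and a second router with System C behind it), modelled as an added example that is not from any poster. The addresses, the names `ROUTERS`, `HOSTS`, `plan_errors` and `can_initiate`, and the policy that each router NATs LAN-initiated traffic outward and drops unsolicited traffic arriving on its WAN port are assumptions; check them against the actual devices.

```python
import ipaddress

# Constructed addressing plan (assumption: the thread gives no addresses).
ROUTERS = {
    "outer": {"lan": "192.168.0.0/24", "parent": None},      # main firewall
    "inner": {"lan": "192.168.50.0/24", "parent": "outer"},  # second router
}
HOSTS = {  # host -> (router whose LAN it sits on, address)
    "A": ("outer", "192.168.0.10"),
    "B": ("outer", "192.168.0.11"),
    "print_server": ("outer", "192.168.0.20"),
    "C": ("inner", "192.168.50.10"),
}

def plan_errors(routers=ROUTERS, hosts=HOSTS):
    """Flag overlapping LAN ranges and hosts addressed outside their LAN."""
    nets = {n: ipaddress.ip_network(r["lan"]) for n, r in routers.items()}
    names = sorted(nets)
    errs = [f"{a} and {b} LAN ranges overlap"
            for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]
    errs += [f"{h} ({ip}) is outside the {r} LAN"
             for h, (r, ip) in hosts.items()
             if ipaddress.ip_address(ip) not in nets[r]]
    return errs

def path_up(router, routers=ROUTERS):
    """Routers between a LAN and the internet, innermost first."""
    path = []
    while router is not None:
        path.append(router)
        router = routers[router]["parent"]
    return path

def can_initiate(src, dst, forwards=frozenset()):
    """Can src open a connection to dst?

    Assumed policy on every router: traffic started from its LAN side is
    NATed outward; unsolicited traffic from its WAN side is dropped unless
    a port forward (router, dst) exists.
    """
    src_path = path_up(HOSTS[src][0])
    # Each router dst sits behind that src is NOT behind must forward.
    return all(r in src_path or (r, dst) in forwards
               for r in path_up(HOSTS[dst][0]))

if __name__ == "__main__":
    print(plan_errors())
    for s, d in [("C", "print_server"), ("A", "C"), ("B", "C")]:
        print(f"{s} -> {d}: {can_initiate(s, d)}")
```
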