Need to isolate WIN ME machines on network

[dentrouge]

Hi,

We have several WIN XP machines on a LAN in our office, with a connection to a DSL modem via a Linksys WRT54G router. We now want to set up several old Win ME machines in a public area. These old machines need to be able to access the network, but need to be cut off from any access to the XP machines in the office. There is no real security on ME systems and it would seem that setting up two subnets might do the trick. One subnet for the office machines, the other for the Win ME machines. All the ME machines are using wireless, while the office machines are all wired.

My questions are: Can this be done with our existing WRT54G? How else might it be done? Is there some other idea that would do the job here?

Thanks in advance.

 

[dentrouge]

Hi, There's an error in my description. I meant to say, "These old machines need to be able to access the Internet,...."

Sorry about that.

 

[InlineFive]

If you flash your WRT54G with say Thibor, DD-WRT or Alchemy you can create VLANs. Maybe I'm an idiot but I never actually got VLANs to work. Plus it is only effective if you are branching off into managed switches.

 

[bluestrobe]

With third party firmware it is possible. I would go the two different subnets as I can see VLANS on Windows ME can be a pain. I would suggest a better router too.

 

[skyking]

A second router can also accomplish your goal.

internet>router 1>win ME machines>router 2 connected as a client to router1> the xp machines

 

[RebateMonger]

To add to skyking's suggestion:

A second router in series with the original Linksys router will keep the WinME machines from reaching the XP machines.

Attach the WAN port of the second router into one of the Linksys LAN ports. Attach all the XP computers to the LAN ports of the second router (using an added switch if necessary).

Attach all the WinME computers to the LAN ports of the Linksys router (using an added switch if necessary).

The WinME machines will be able to access the Internet, but not the XP computers.
The XP machines will be able to access the Internet and the WinME machines.

 

[JackMDS]

This page was wirtten for Wireless, but the same principle would server your setting, Network Segregation - Adding security to Wireless Network (or to any peer to peer Network).

:sun:

 

[mchammer]

I am I wrong in saying that you could enable the software firewall on the XP machines in no exceptions mode to achieve what you want?

 

[Goosemaster]

just create rules on the rotuer to deny all traffic to the machiens but acceptable traffic. Do the ole' dual router trick too (sicne it is cheap) if you want

 

[dentrouge]

Thanks to eveyone who responded to my posting. I see that a shielded subnetwork using a second router is what we should eventually have. Thank you for pointing out how to do that. I don?t know that I would trust myself to set up rules within the single router to carry this out.

Shortly after I posted the message, it occurred to me that I could make use of the software firewalls on the office computers in the meantime. I can?t use the ?no exceptions? option, as was suggested, since we need to let the office computers talk to each other, to carry out the backups, even if there were no other needs. So I used the McAfee and Norton firewalls to block out the IP addresses of the old machines.

However, I still have a question.🙂 The IP addresses of all the machines are assigned by the router, and they seem fairly stable. But there must be come conditions under which the IP addresses might change. In order to feel safe with the firewall blocking, I would need to know what those conditions might be and how the router assigns addresses. We have a WRT54G I would be grateful for any explanations about this.

Thanks again for the great responses. They?re very much appreciated.

 

[RebateMonger]

DHCP-provided IP addresses can definitely change.

Set the WinME computers to Static IP addresses if you want to be sure what their IP's are. Or, have your router provide Reserved IP addresses for those ME computers (if DHCP Reservation is available on your router, which I don't think it is).

When setting Static IP addresses, use IP addresses outside of your DHCP Scope so you can't have any IP address conflicts.

 

[JackMDS]

Originally posted by: RebateMonger Or, have your router provide Reserved IP addresses for those ME computers (if DHCP Reservation is available on your router, which I don't think it is)..

Nope, as is the WRT54G has No IP reservation.

It does with 3rd party firmware; it is referred t to as Static DHCP (nice oxymoron) 😉 ,

http://www.thibor.co.uk/#features

 

[Goosemaster]

Originally posted by: JackMDS

Originally posted by: RebateMonger Or, have your router provide Reserved IP addresses for those ME computers (if DHCP Reservation is available on your router, which I don't think it is)..

Nope, as is the WRT54G has No IP reservation.

It does with 3rd party firmware; it is referred t to as Static DHCP (nice oxymoron) 😉 ,

http://www.thibor.co.uk/#features

I hate that term. One of my coworkers got lazy once and wanted to setup printers using static dhcp or ip reservation and I was telling him that static was quicker and easier to document.

 

[dentrouge]

OK, thanks. I'll go try assigning IP addresses for the ME machines the next time I get in there. But I seem to recall from when I was setting up the network, that manually assigned IP addresses didn't seem to work with the DSL modem/router setup we have. That would be nice if they did. Perhaps I was assigning them incorrectly before, although without the modem, they worked fine.

If I assign the IP addresses outside the normal scope of the automatic assignments, wouldn't there be a problem in their being recognized?

 

[JackMDS]

It would be recognized as long as it within the same subnet.

I.e. DHCP 192.168.1.10 to 192.1.20 you can use other free IP number that are 192.168.1.x (first three groups the same).