How to provide Internet access but prevent network PC/printer access?

    • This topic has 22 replies, 5 voices, and was last updated 13 years ago.
    #483208

    How can I provide internet access but prevent network PC/printer access?

    In our small office, we have several networked PC’s and printers. Some months ago, it became necessary to provide internet access at a 2nd remote rural location about a half mile from the main office. This internet access must NOT include network access to the main office PC’s and printers. So I ran network cable from a LAN port on the office router to the LAN port on a 2nd router in the remote location (using a modem extender). This arrangement seemed to work well. Using PC’s at the 2nd location, I could access the internet but could NOT see or access the PC’s or printers in the main office. Then I took a laptop that was working in the main office to the 2nd location. I printed a page and accidentally selected a printer from the main office, which was still listed as an option. I assumed that a “device not found” error would result, so I was surprised when the page printed correctly on a printer in the main office. How could this be, and what can I do to ensure that PC’s at the 2nd location can NOT access the main office PC’s/printers?

    Thanks in advance for any explanation and suggestions.

    • #1332272

      The laptop was configured for the main office workgroup/domain and you had access to it via the router. As long as computers in the 2nd location are not configured for your workgroup/domain you will not have a problem. You could also turn off the network discovery service on the computers in the 2nd location to make it harder to determine the workgroup name if you are using a workgroup. If you are using a domain … no worries mate! :cheers:

      Disclaimer: I’m no network guru but this is my understanding of the situation.

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!

      • #1332314

        Without knowing the finer details of your network configuration it’s difficult to be sure.

        I assume the router at the remote location uses a different subnet to the main office?

        If you are using static IP’s and the router at the remote site was forwarding packets, then the laptop that was taken to the remote site would still have been able to communicate with the printers at the main site even if a separate subnet was established.

        If the router at the remote office is only configured as a switch rather than a router (i.e. there is no separation through subnetting), it will provide no isolation between the two network segments, and a small trip-up in the workgroup and/or network sharing settings will leak data as Retired Geek suggests.

    • #1332330

      Having a cable from the office router to the 2nd office will always provide main office network access unless you segregate the network. You can use a VLAN to do this but it’s not simple.

      1. Set a port on the main router as VLAN 10. Connect this to the remote router.
      2. Set the internet port on the main router as a trunk.
      3. Set all the remote router ports as VLAN 10.

      All traffic from the remote office will only go to the internet port on the main router, not the rest of the office.

      cheers, Paul

      • #1332353

        Thanks to all who responded. I’m sorry that I’m not very experienced in setting up networks. It’s not clear to me what a subnet is so I suspect it’s not present. All I did was plug the cables in.

        I can say, however, that when I select “View Workgroup Computers” (on XP) on a PC at the remote site, no PC from the main site appears, so it’s not clear to me how the common workgroup name could be the problem (I AM using workgroups, not domains). Similarly, even when I type the network address (for the main office PC’s) in the browser bar at the remote site, the PC at the remote site doesn’t find the main office PC’s. Is there some other way to make or find a connection from the remote PC to the office PC’s?

        I’m also hazy about static IP’s, although I suspect this is the case for the networked printers, but I’m not sure how to tell. To set up these printers, all I did was run a utility provided by Canon and everything worked after that.

        In any event, the question that remains for me is how does the PC at the remote site access the home office printers, but cannot apparently even see the home office PC’s.

        Thanks for any further thoughts and suggestions.

    • #1332354

      The explanation is rather long – I’ll type it up if you like, but it’ll take a day or two.
      The bottom line is the main office is not advertising at the remote site because you have two routers, but the networks are still linked and can see each other.

      cheers, Paul

      • #1332357

        Thanks, Paul, for your comments. I really would like to understand what’s going on, so if you have time to explain it in the next few days, that would be great. If there is some simple tutorial I can look at, I would be glad to do that too.

        Thanks again.

        • #1332407

          The following is a way to do it using only residential equipment. This will result in the networks being double NATed which will break some advanced internet use such as Port forwards to the internal network and VPN tunnels. All normal internet browsing and email should work with this.

          You will need three routers.

          Internet modem
          v
          v
          Router 1
          v . . . . . . v
          v . . . . . . v
          Rtr 2. . . . Rtr 3
          v . . . . . . . v
          v . . . . . . . v
          Your. . . . . Their
          network . . network

          The WAN (or internet) port on router 1 connects to the modem. The WAN ports of routers 2 and 3 connect to the LAN ports on router 1. I would set the internal (LAN) network address on Router 1 to 10.0.0.1

          I would set the external IP address on router 2 as 10.0.0.2 and the LAN address to the current gateway address you are using on your network.

          I would set the external IP address on router 3 as 10.0.0.3 and the LAN address to the current gateway address they are using on their network.

          This setup will allow you to use the single IP address from your ISP and split it to two other routers. You will have both your and their network isolated from each other with the firewalls in routers 2 and 3.

          If your ISP will assign two IP addresses on a single connection, you can put a Switch in place of Router 1 and leave the WAN ports on routers 2 and 3 set to obtain an IP automatically. This would eliminate the double NAT issue on your network.

    • #1332408

      I would suspect that today you have it setup with their router plugged directly into your network. The firewall in the router acts somewhat like a one way valve allowing data to flow out but not in. That gives you something like this. (the arrows indicate the direction data can flow freely).

      internet
      ^
      ^
      Your router
      ^
      ^
      Your network
      ^
      Their router
      ^
      ^
      Their network

      As you can see, Their network is not accessible by you but your network can be accessed by them…….
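A small forwarding model of the two wirings discussed in this thread, added here as an example and not taken from any post. The subnets 192.168.1.0/24 (remote) and 192.168.2.0/24 (main office) are the ones reported later in the thread; the segment names, the host addresses, the modem segment 192.168.0.0/24 and the WAN addresses are assumptions. Each router rewrites the source of what it forwards to its own upstream address (source NAT) and remembers the translation so the reply can come back in, which is the "one-way valve" described above. The first topology is the remote router's upstream port sitting on the office LAN; the second is both routers fed from the modem's own segment, the arrangement that ended the thread.

```python
import ipaddress


class Topology:
    """Network segments joined by NAT routers (added example, not from the thread).

    A segment is a subnet whose default gateway is a named router. The special
    segment 'internet' has no subnet: a private destination that gets that far
    is dropped by the ISP. A router has a WAN address on some upstream segment
    and rewrites the source of everything it forwards to that address.
    """

    def __init__(self):
        self.segments = {"internet": (None, None)}   # name -> (subnet, gateway router)
        self.routers = {}                            # name -> (wan address, upstream segment)

    def add_segment(self, name, cidr, gateway):
        self.segments[name] = (ipaddress.ip_network(cidr), gateway)

    def add_router(self, name, wan_ip, upstream):
        self.routers[name] = (ipaddress.ip_address(wan_ip), upstream)

    def forward(self, src_segment, src_ip, dst_ip, max_hops=8):
        """Trace a packet. Returns (delivered, segment reached, source as seen there, trace)."""
        src, dst, seg = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip), src_segment
        trace = [f"{src} on '{seg}' sends to {dst}"]
        for _ in range(max_hops):
            subnet, gateway = self.segments[seg]
            if subnet is None:
                trace.append("handed to the ISP: private destination, dropped")
                return False, seg, src, trace
            if dst in subnet:
                trace.append(f"{dst} is on '{seg}': delivered, source seen as {src}")
                return True, seg, src, trace
            wan_ip, upstream = self.routers[gateway]
            trace.append(f"{gateway}: NAT {src} -> {wan_ip}, forwards onto '{upstream}'")
            src, seg = wan_ip, upstream
        return False, seg, src, trace + ["hop limit exceeded"]

    def can_connect(self, src_segment, src_ip, dst_ip):
        """Can src open a TCP session to dst: does the SYN arrive, and can the SYN/ACK return?

        The reply is addressed to the last NAT address on the outbound path and only
        has to reach the segment that router's WAN port sits on; the router matches it
        against the translation it remembered and passes it inward. Nothing on the
        far side can start a session the other way, because no translation exists.
        """
        out, seg, nat_src, trace = self.forward(src_segment, src_ip, dst_ip)
        if not out:
            return False, trace
        back, back_seg, _, back_trace = self.forward(seg, dst_ip, nat_src)
        return back and back_seg == seg, trace + back_trace


def as_wired_originally():
    """Remote router's upstream port on the office LAN (the poster's original wiring)."""
    t = Topology()
    t.add_segment("main", "192.168.2.0/24", "office-router")
    t.add_segment("remote", "192.168.1.0/24", "remote-router")
    t.add_router("office-router", "203.0.113.5", "internet")   # assumed ISP-facing address
    t.add_router("remote-router", "192.168.2.200", "main")     # assumed lease from the office router
    return t


def as_separated():
    """Both routers' upstream ports on the modem's own segment (the fix reached later in the thread)."""
    t = Topology()
    t.add_segment("modem", "192.168.0.0/24", "dsl-modem")      # assumed modem LAN subnet
    t.add_segment("main", "192.168.2.0/24", "office-router")
    t.add_segment("remote", "192.168.1.0/24", "remote-router")
    t.add_router("dsl-modem", "203.0.113.5", "internet")
    t.add_router("office-router", "192.168.0.2", "modem")
    t.add_router("remote-router", "192.168.0.3", "modem")
    return t


if __name__ == "__main__":
    for name, topo in (("original wiring", as_wired_originally()), ("separated", as_separated())):
        print(f"== {name}")
        for src_seg, src, dst in (("remote", "192.168.1.50", "192.168.2.10"),   # remote PC -> office printer
                                  ("main", "192.168.2.20", "192.168.1.50")):    # office PC -> remote PC
            ok, trace = topo.can_connect(src_seg, src, dst)
            print("  ", "REACHABLE" if ok else "blocked", "|", " / ".join(trace))
```

In the original wiring the remote PC reaches the office printer and the office router's admin address (192.168.2.1), exactly what the poster later observed, while the office PC's packet to 192.168.1.50 leaves for the ISP and dies. In the separated wiring the remote PC's packet does the same. The model ignores host firewalls and whether a router answers on its WAN side, so treat it as the routing picture only, not a security guarantee.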

    • #1332439

      Nice explanation.

      I would not set the IP on the 2 routers, you won’t be able to manage them unless you also set DHCP to the 10 range.
      I would also use a switch instead of router 1 – double NAT could be a world of pain and the extra router doesn’t add a benefit in any other way.

      cheers, Paul

      • #1332610

        I would also use a switch instead of router 1

        This recommendation is situational…. (I actually have a network setup this way myself).

        The caveat is that your ISP (Internet Service Provider) can issue two IP addresses on one modem. How their network is setup will determine this.

        I live in rural Kansas, USA and we have several Wireless ISPs that use PPPoE as their connection protocol. The connection is created on the router with a user name and password. (It actually is a type of dialup connection that the router does.) In this situation you have to use a router to create the connection and then NAT that connection to the other segments of the network.

        If Paul's suggestion works it is preferable to my suggestion.

        I would not set the IP on the 2 routers, you won’t be able to manage them unless you also set DHCP to the 10 range.

        The interesting thing is that you actually CAN manage router 1 from inside the #2 and #3 network. The same reason that currently your network is not isolated also makes router 1 available. You will not see that router if you look at network devices in Windows 7 as it is on a different segment, however if you type the ip of router 1 into a browser it should bring up the management window for it. If the IP of router 1 is the same as routers 2 and 3 this will not work as those routers will not look for that IP outside of their own segments because it already exists there.

        Also, some routers will not work correctly if the same subnet is used on the WAN and LAN interfaces. If the routers are all the same brand, from the factory they will be setup with all the same subnets.

    • #1332625

      If your ISP requires a router that logs into their network you can use that router as a switch by putting it in bridge mode – most routers allow this.

      cheers, Paul

      • #1332682

        Thanks again for your additional comments. In fact, today I did as an experiment what mercyh said: I went to my remote location, and logged into the router there. Then I found the “Routing Table Entry List” which listed the IP address for the “WAN Gateway”. Then I entered this IP address into my browser, and sure enough, the Control Panel for the main office router appeared after I entered the correct router username/password. Then I found the “DHCP Client Table” on the main office router which listed all the PC’s in the main office along with their IP address on the main router. But I couldn’t figure out how to go further. Is there a way from the remote location to enter the IP address of the main router, and then the IP address of an office PC in order to see/access the shared folders on that PC?

        And more directly relevant to my original question is there an easy way to prevent that from happening? I don’t think it’s likely to happen since a casual user will not know the router username/password, but I’d still like to prevent it. mercyh mentioned a two router arrangement, although I would like to avoid adding another router. Paul T mentioned VLAN but I have to confess that I did not understand what he said. I think the question is: is there anything I can do to the main office router to ensure that one of the LAN ports is sent directly to the internet and is NOT accessible to/from any device (PC or Printer) attached to any other LAN ports (or connected wirelessly)?

        Thanks again.

    • #1332683

      I think the question is: is there anything I can do to the main office router to ensure that one of the LAN ports is sent directly to the internet and is NOT accessible to/from any device (PC or Printer) attached to any other LAN ports (or connected wirelessly)?

      That depends entirely on how advanced your main office router is. Can you give us the brand and model number?

      Many business grade devices allow multiple untrusted ports to be assigned. You won’t find this capability on a residential grade device though…….

      The VLAN capabilities that Paul mentions require not only a commercial grade router but also VLAN capable switches and of course someone that knows how to configure them.

      • #1332684

        The main office router is a Cisco/Linksys E1000. I think it is a pretty basic router.

        • #1332812

          Thanks again to all who responded. I think mercyh is probably correct that security is good enough the way it is now, but I would still like to understand more clearly what is going on.

          Specifically, since I CAN in fact access the main office router from the remote location and also see the IP address of each PC in the main office in the main office router tables, is there any way to access the PC’s directly from the remote location? If so, how do I do that? If not, then why not? Is the Windows firewall on each main office PC the only thing that prevents such access?

          What started this whole discussion for me was the unexpected ability to access main office printers from the remote location. This is clearly a two-way communication since the printer informs the remote PC of status and also when the printer finishes its job. Is it somehow possible, therefore, for a main office PC to initiate access to a PC or Printer in the remote location? If so, then how? If not, then how do the main office printers return status to a PC in the remote location?

          Also, by the way, when I access the remote router at the remote location, the IP address of this router is 192.168.1.1. When I access the router in the main office from the remote location, then the IP Address of the main office router is : 192.168.2.1, which is different. I’m not sure whether or not this is a “subnet” or what it means if it is.

          Thanks for any further explanation.

          • #1332814

            That is a little like me driving onto your farm, seeing a bin of corn, and asking how it got there. You could give me the short answer that you put it in there with an auger or you could start with working the ground, fertilizing, planting, etc…:^_^:

            Start with this (all eight pages of it)

            http://computer.howstuffworks.com/nat.htm

            Once you understand that :o: ask your more specific questions…..

            PS> I am getting the planter ready to plant soybeans here….

            • #1333082

              Thanks, mercyh, for the tutorial reference. I read it and some others, then tried entering the IP address of an office PC while I was at the remote location. Sure enough, just like the printers, the office PC’s shared folders were displayed, so that’s not good. After further reading, and also your previous comments, it looks like adding another router is the simplest solution for isolating the two local networks, so that’s what I’m going to try. I found an old Netgear router in the back room, so I’ll be testing with that in the coming days. Thanks again for all the help, and I think I’m done asking questions for now unless I find something unexpected. I do wonder if it makes a difference whether I plug into the WAN port or the LAN port on the remote router, but I can’t think of anything else right now.

            • #1333153

              I found an old Netgear router in the back room, so I’ll be testing with that in the coming days

              First try using the router as a switch like Paul suggested.

              Plug a computer directly into one of the LAN ports on the old Netgear router. Login to the router’s administration page and turn off the DHCP server. (You do not want this router to assign IP addresses in this case, as you want to get them from your ISP.)

              Once your settings have taken effect, plug the line from the modem into one of the LAN ports on the old router. (That is correct, for this use you will not use this router’s WAN port.)

              Plug the cables from the WAN ports on your other two routers to LAN ports on this old netgear router.

              If that works, you have your networks isolated and no double NAT issues………

              Good luck,

              mercyh

            • #1333175

              Thanks again, mercyh; I hooked everything up as you described; it all worked and the PC’s on the different routers couldn’t see each other. I was surprised. Then I realized that the phone company had given us a new DSL modem/router a few months ago after the old one quit. The new one has four LAN ports on the back marked “Eth1”, “Eth2”, etc. I had just hooked my current router to one of these ports and didn’t know what the others were for. This had worked fine for months; now, I suspected that the new DSL modem/router was already doing a NAT inside itself to support up to four isolated networks, so I connected my two routers directly to two of these ports, removing the old Netgear router entirely. I hooked one PC to each router, and sure enough everything still worked (in the sense that I could access the internet. I don’t know if other things might NOT work.) Furthermore, the two PC’s had the same IP address (192.168.0.100) so that proves (I think!!??) that they are not in the same IP address space but in fact on two different networks. Does all of this make sense to you? If so, then I think I understand what’s going on, and there does not seem to be any obvious double NAT problem.

              Thanks again.

            • #1333186

              You are on two different networks with total segregation now. As long as everything works I would not worry about the double NAT issue. If you ever decide to run your own web or email server and need to forward a port to the internet you may have a headache, however, it is likely that their modem is setup as a bridge so you are actually getting a separate PUBLIC ip address for each network…..

              Glad you got it working securely the way you wanted and you (and maybe a few of the rest of us) learned a bit more about networking along the way.

              😉

    • #1332722

      I think it is a pretty basic router

      Yes, that has none of the capabilities we are discussing here.

      If you need true segregation you will need to purchase another piece of equipment, either a switch or a router as discussed above. If you do not feel that there is a high risk of your data being compromised, you may be ok the way you are right now. If the second network is on a different subnet than your network (your network is 192.168.1.X and the second network is 192.168.5.X for example), the firewall on each of your PC’s, if properly configured, will secure them from access from the other network.
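Whether the PC firewalls actually do that is something to measure rather than assume. The script below is an added example, not from any post in this thread: run it from a PC at the remote site against the office addresses (the office router's DHCP client table lists them), before and after rewiring. "open" on 445 or 9100 means the office host accepts file sharing or print connections from the other site; "closed" means the host was reached but nothing is listening there, so only the host itself is protecting that port; "filtered" means no answer at all, which is what true isolation (no route) looks like. The port list is constructed; 9100 and 631 are assumptions about what the Canon network printers listen on.

```python
import socket
from contextlib import closing

# Services worth checking from the other site (constructed list; 9100 and 631
# are assumptions about what the thread's Canon network printers listen on).
SERVICE_PORTS = {
    445: "SMB file and printer sharing",
    139: "NetBIOS session (legacy SMB)",
    9100: "raw printing (JetDirect-style)",
    631: "IPP printing",
    80: "HTTP admin page (router or printer)",
}


def probe(host, port, timeout=1.0):
    """TCP connect test: 'open', 'closed' (reset by the host) or 'filtered' (no answer at all)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except OSError:              # timeout, no route, host unreachable
            return "filtered"


def audit(hosts, ports=SERVICE_PORTS, timeout=1.0):
    """Probe every host on every port; returns {(host, port): state}."""
    return {(h, p): probe(h, p, timeout) for h in hosts for p in ports}


def exposed(results):
    """Hosts that accepted at least one connection, i.e. are reachable from where this ran."""
    return sorted({host for (host, port), state in results.items() if state == "open"})


def self_check():
    """Confirm probe() tells a listening loopback port from a closed one before trusting it remotely."""
    with closing(socket.socket()) as listener, closing(socket.socket()) as unused:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        unused.bind(("127.0.0.1", 0))    # bound but not listening: connects are refused
        listening_port = listener.getsockname()[1]
        closed_port = unused.getsockname()[1]
        return probe("127.0.0.1", listening_port) == "open" and probe("127.0.0.1", closed_port) == "closed"


if __name__ == "__main__":
    import sys
    if not self_check():
        sys.exit("probe self-check failed; results would not be trustworthy")
    hosts = sys.argv[1:] or ["192.168.2.1"]   # assumed: the office router, as seen from the remote site
    results = audit(hosts)
    for (host, port), state in sorted(results.items()):
        print(f"{host}:{port:<5} {state:<9} {SERVICE_PORTS[port]}")
    print("reachable from here:", ", ".join(exposed(results)) or "none")
```

Usage: `python probe_sites.py 192.168.2.1 192.168.2.10 192.168.2.20` from the remote site. After the fix in this thread every office address should come back "filtered" on every port; a "closed" result still proves the packet got there and that only the Windows firewall stood in the way.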

    • #1332777

      You already have 2 routers so you may be able to run the physical set up suggested by mercyh in post 8.
      If your internet connection is via a modem then you can run the 2 routers direct from the modem, or add a cheap switch if you don’t have enough ports on the modem.

      cheers, Paul
