mrsmith14 asked:

Public internet on a private network

Hello... I need to make a spot for public internet access on my private network. A waiting room for people to check their email and whatever. Obviously I don't want my private network compromised to do this. I'm looking for a simple method. I've tried using a router and pointing it to my private gateway, but everything appears to be wide open... Please help.
qwaletee

Here's how I would set it up:

                    Internet connection
                          |||
                          |||
-------------------- Broadband router -------------------------
|||                                                        |||
|||                                                        |||
Private network router/firewall                 Waiting room router/firewall
The two firewalls in the above diagram will completely isolate the waiting room from the private network and vice versa.

You can also do this like so:


Internet connection
|||
Waiting room firewall
|||
Private network firewall

However, that means your private network has one extra hop to go through to reach the internet, and if you are using SOHO routers, you end up double-NATed.

Also note, I am deliberately vague about what "internet connection" means. Some cable modems/DSL modems act as bridges, and don't have their own IP addresses. In that case, each of your firewalls needs to be assigned its own public IP address, OR you have to connect a NAT router to the modem, and everything else has to hang off that. In that case, you end up with something like the second solution no matter what you do, so you may as well use it.

Other broadband modems get their own IP address, and whatever is connected on your side of the modem gets a second IP address. The modem is acting as a router in that setup. In that case, you can request multiple IP addresses, and use setup A, with each of the two isolating router/firewalls getting assigned its own public IP address. The only issue there is that if you have dynamic public IPs, you will have trouble connecting to the waiting room from the private network, even if you set up firewall rules to allow traffic to pass, because the private router will not know the current address of the waiting room router.
mrsmith14 (asker)

sounds to me like both scenarios create an extra hop for my private network.... correct?
Another option, depending on what hardware you have, would be to put the public access ports in a separate VLAN with no routes to anything except the Internet.  You could also put more restrictive ACLs on this network to limit what kinds of activities are allowed with your Internet access for outside users.
Using the below structure could create one issue, and that is that routing is enabled between your waiting room network and your private network. Make sure the router you have is capable of doing this; otherwise you can buy 2 cheap Linksys-type routers and have one for each network, assuming that you can have more than one device on your internet connection.

                   Internet connection
                          |||
                          |||
-------------------- Broadband router -------------------------
|||                                                        |||
|||                                                        |||
Private network router/firewall                 Waiting room router/firewall

or

                          ----------- Internet connection ---------
                          |||                                              |||
                          |||                                              |||
-----------LINKSYS-------------               -----------LINKSYS-------------
|||                                                        |||
|||                                                        |||
Private network router/firewall                 Waiting room router/firewall
qzzwrs,
> routing is enable between your waiting room network and your private network

What are you talking about?  

"Private network router/firewall                 Waiting room router/firewall "

That's all a Linksys would be anyway.
Les Moore
Take a look at this device from D-Link. It might just fit your bill for what you want, and it is not expensive...

http://www.dlink.com/products/?pid=173

MaxQ,
VLAN is a good idea, but if I have judged Mr. Smith properly by his question, if he could deal with VLAN's, he probably would not have to ask this question!
mrsmith14,
> sounds to me like both scenarios create an extra hop for my private network.... correct?

Probably, unless your existing broadband connection is able to have two internal routers with separate addresses plugged into it. For example, I have a DSL modem that acts as a router, has its own IP, and has a built-in four-port hub. So I actually have two static IPs sitting here -- one on the modem itself, and one on my firewall. I could purchase an additional static IP, buy a cheap SOHO gateway, and plug it into one of the three free ports on the DSL modem -- and I would have two completely separate networks that could not interoperate, sharing a single broadband connection.

On my old DSL modem, the modem itself had no address, so it was acting as a bridge. If I wanted to add a second firewall, I would have to piggyback one off the other, or I would have to put a NAT router in front of both of them (which means basically two new routers instead of one). Either way, at least one of the two networks would have an extra hop.

So, it really depends on the broadband device.
That D-Link device sounds perfect for this!
Wow, that's a sweet little device. Unfortunately, I don't think they're gonna let me spend $500 on providing one little spot with internet. Actually I'd like to hear a little more on the VLAN idea if you guys would. I've never really tried anything with them. Today is a good day to start, though.
You would have to have a switch that is capable of VLAN's (Virtual LANs), plus a router that can "see" both VLAN's, or have two routers (one per VLAN).
What is your current topology? What kind of hardware do you have? Make/model...especially switches and router..

Actually, this DSL modem is a POS. It only has one port going out, which goes to my gateway. I know those DSL routers you're talking about, though... I've got a Netopia at another site which rocks!!
lrmoore,

We have 2 Cisco 2950 switches and some other crappy switches... I'm guessing the Ciscos would support it, but not the crapsters. Routers are cheapo Netgears. I guess that probably won't be an option if everything has to support a VLAN.
Oh, and I guess this would be considered a star topology.
The C2950's for sure will handle the VLAN's, but without adding another router to the mix, that's not really an option.
The concept is pretty much just like it says. You create a "Virtual LAN" by designating specific ports as a separate VLAN. It separates broadcast domains. This is just like adding a separate physical switch. There is no communication between the VLANs without something that can "see" both of them. A Cisco router interface can use trunking and sub-interfaces for each VLAN. Since you don't want the two networks to see each other, the only issue is how two separate networks now share a single outbound Internet connection...
So no possibility here without a 5000 dollar Cisco router? Welp, I guess scratch that idea.
Well, that D-Link is not exactly the cheapest thing in the world at $400+ with a quick lookup on Google. If you're a small office I think the 2 router option is best and cheapest if you can have 2 internet connections. If money is not an issue then go with the D-Link. I think the Linksys routers go for about $60, maybe cheaper with rebates and all. So roughly $120 versus $400 is a no-brainer.

qwaletee, you're right, I just misread your post, sorry.
If you already have a firewall, and can add another interface, then you shouldn't necessarily encounter another hop in the config (although really, who cares about another hop unless the machine inserting another hop is utterly crappy, or you are running at DS3 speeds or higher). All you would have to do is put the public access machines in a DMZ using the new/additional interface on your firewall, and all is well.

      Internet
           ||
           ||
    router/firewall==public net [DMZ]
           ||
           ||
      private net


DMZ security (from the perspective of the private net) is handled exactly like internet security (with regard to inbound connections), and outbound DMZ connections get to use the internet connection on the firewall.

Cheers,
-Jon
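Worked example, added to this page and not posted by anyone in the thread: the VLAN/sub-interface design lrmoore describes and the three-legged firewall with a DMZ interface Jon describes both come down to one device that can see both segments, plus an access list on the public segment that treats it exactly like the Internet. The configuration below is for a Catalyst 2950 plus an IOS router doing "router on a stick" with 802.1Q sub-interfaces. Everything concrete in it is an assumption: the interface names, VLAN 1 as the existing private LAN and VLAN 20 as the waiting room, the 192.168.1.0/24 and 192.168.20.0/24 addressing, 203.0.113.53 standing in for the ISP's DNS resolver, and the ACL names. On a firewall with a spare physical interface, the same access list would go on that interface instead of on a sub-interface.

```cisco
! ---- Catalyst 2950 (switching only; it does no routing between VLANs) ----
! Assumed: Fa0/1 goes to the router, Fa0/23 is the waiting-room wall jack.
! "vlan 20" in global config needs 12.1(9)EA1 or later; older images use "vlan database".
vlan 20
 name WAITING-ROOM
!
interface FastEthernet0/1
 description 802.1Q trunk to the router
 switchport mode trunk
 switchport trunk allowed vlan 1,20
!
interface FastEthernet0/23
 description Waiting-room wall jack (guest laptops only)
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
! ---- IOS router: one trunk port, one sub-interface per VLAN ----
interface FastEthernet0/1
 description DSL / Internet side (public address from the ISP)
 ip address dhcp
 ip nat outside
!
interface FastEthernet0/0
 description Trunk to the Catalyst 2950
 no ip address
!
interface FastEthernet0/0.1
 description Private network (VLAN 1, untagged on the trunk)
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.20
 description Waiting room (VLAN 20)
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip access-group WAITING-ROOM-IN in
!
! Guests get their addresses from the router. 203.0.113.53 is a placeholder
! (documentation range); substitute the ISP's resolver.
ip dhcp excluded-address 192.168.20.1
ip dhcp pool WAITING-ROOM
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
 dns-server 203.0.113.53
!
! The policy. Entries are evaluated top down, first match wins, and
! anything not matched is dropped by the implicit deny at the end.
ip access-list extended WAITING-ROOM-IN
 remark guests may obtain and renew a lease from the router
 permit udp any eq bootpc any eq bootps
 remark but may not talk to the router itself (no telnet/http/snmp from the lobby)
 deny   ip any host 192.168.20.1
 remark and may never reach the private LAN; log so attempts are visible
 deny   ip any 192.168.1.0 0.0.0.255 log
 remark everything else is Internet-bound and leaves through NAT;
 remark restricting the source also drops guests who picked their own address
 permit ip 192.168.20.0 0.0.0.255 any
!
! Both inside subnets share the single public address on Fa0/1
ip access-list standard NAT-SOURCES
 permit 192.168.1.0 0.0.0.255
 permit 192.168.20.0 0.0.0.255
ip nat inside source list NAT-SOURCES interface FastEthernet0/1 overload
```

The single line that makes the difference is `ip access-group WAITING-ROOM-IN in` on the waiting-room sub-interface. Without it the router forwards freely between the two sub-interfaces, which is exactly the "routing is enabled between your waiting room network and your private network" problem raised earlier in the thread. To check it, plug a laptop into the guest jack, ping a host on 192.168.1.0/24 and then a public address, and look at `show ip access-lists WAITING-ROOM-IN`: the deny entry for the private LAN should be accumulating matches while the final permit carries the Internet traffic. If the private side has more than one subnet, each one needs its own deny line above the final permit.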

>dmz
yup - XP with firewall enabled and all patched up - NO services running
Well I'm thinking I may just end up paying for a second public ip then
why? the net effect is the same.
HA!
>>dmz
>yup - xp with firewall enabled and all patched up - NO services running

Ummm, no.  XP is not a firewall, period (when will people understand that?).  Even if it weren't horribly insecure, the performance issues alone are enough to disqualify it from consideration.

mrsmith - I'm not sure how obtaining an extra IP will help - care to explain your thoughts here? BTW, what firewall do you have (or is your Netgear router currently doing that for you)? Also, can you provide a current diagram of your network (similar to previous posts by others above)?

Cheers,
-Jon

                              dsl modem(from 1982)
                                             |
                                      D-link router
                                             |
                                   Cisco 2950's and other crapsters

I'm not understanding why this won't work:

                                dsl modem(from 1982)
                                              |
                                      Cheapo switch
           _____________________|________________________
           |                                                                              |
    Dlink(Private network) Public #1                     New Router(public)Public #2
The public machine is expendable.
The XP firewall is not Nobel Prize material, but having the thing in the DMZ, turning off all services and keeping it patched up with a decent virus scanner on it, creating a standard non-admin user account with a decent password and an auto admin login for guests (not the Guest account), and renaming the administrator account is safer than 90% of the home computers on the net and a lot of corporate machines. Build it, burn a Ghost image to a CD, and if it gets tagged, so what? Ghost over the thing, apply the new patches.
OK, we can stop talking about WinXP right now. There is no terminal here. This is just a spot for users to quickly connect their laptops.
OK we can stop talking about the DMZ port, as there is none
Oh wait... the crappy Netgear router has one... hmmm
Does it actually have a physical DMZ interface, or just an entry for a DMZ 'host' ?
Good point, you need a REAL DMZ, something like a D-Link DFL-80 or 300.

Low-end cable routers just make an inside host a nice target.
grrrr... yup, it's a "wannabe" DMZ, not a real one.
ASKER CERTIFIED SOLUTION
The--Captain
[solution text available to members only; not included on this page]

SOLUTION
[solution text available to members only; not included on this page]
I was the first to post a most viable solution; just because it wasn't in the budget makes it no less of a viable solution, as the question was posted.