Solved

Public internet on a private network

Posted on 2003-11-18
741 Views
Last Modified: 2010-04-11
Hello... I need to make a spot for public internet access on my private network. A waiting room for people to check their email and whatever. Obviously I don't want my private network compromised to do this. I'm looking for a simple method. I've tried using a router and pointing it to my private gateway, but everything appears to be wide open... Please help.
0
Question by:mrsmith14
37 Comments
 
LVL 31

Expert Comment

by:qwaletee
ID: 9773520
Here's how I would set it up:

                    Internet connection
                          |||
                          |||
-------------------- Broadband router -------------------------
|||                                                        |||
|||                                                        |||
Private network router/firewall                 Waiting room router/firewall
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 9773574
The two firewalls in the above diagram will completely isolate the waiting room from the private network and vice versa.

You can also do this like so:


Internet connection
|||
Waiting room firewall
|||
Private network firewall

However, that means your private network has one extra hop to go through to reach the internet, and if you are using SOHO routers, you end up double-NATed.

Also note, I am deliberately vague about what "internet connection" means. Some cable modems/DSL modems act as bridges, and don't have their own IP addresses. In that case, each of your firewalls needs to be assigned its own public IP address, OR you have to connect a NAT router to the modem, and everything else has to hang off that. In that case, you end up with something like the second solution no matter what you do, so you may as well use it.

Other broadband modems get their own IP address, and whatever is connected on your side of the modem gets a second IP address. The modem is acting as a router in that setup. In that case, you can request multiple IP addresses, and use setup A, with each of the two isolating router/firewalls getting assigned its own public IP address. The only issue there is that if you have dynamic public IPs, you will have trouble connecting to the waiting room from the private network, even if you set up firewall rules to allow traffic to pass, because the private router will not know the current address of the waiting room router.
0
 
LVL 1

Author Comment

by:mrsmith14
ID: 9773614
Sounds to me like both scenarios create an extra hop for my private network.... correct?
0
 
LVL 3

Expert Comment

by:MaxQ
ID: 9773617
Another option, depending on what hardware you have, would be to put the public access ports in a separate VLAN with no routes to anything except the Internet.  You could also put more restrictive ACLs on this network to limit what kinds of activities are allowed with your Internet access for outside users.
0
 

Expert Comment

by:qzzwrs
ID: 9773618
Using the below structure could create one issue, and that is that routing is enabled between your waiting room network and your private network. Make sure the router you have is capable of doing this; otherwise you can buy 2 cheap Linksys-type routers and have one for each network, assuming that you can have more than one device on your internet connection.

                   Internet connection
                          |||
                          |||
-------------------- Broadband router -------------------------
|||                                                        |||
|||                                                        |||
Private network router/firewall                 Waiting room router/firewall

or

                          ----------- Internet connection ---------
                          |||                                              |||
                          |||                                              |||
-----------LINKSYS-------------               -----------LINKSYS-------------
|||                                                        |||
|||                                                        |||
Private network router/firewall                 Waiting room router/firewall
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 9773752
qzzwrs,
> routing is enable between your waiting room network and your private network

What are you talking about?  

"Private network router/firewall                 Waiting room router/firewall "

That's all a Linksys would be anyway.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9773758
Take a look at this device from D-Link. It might just fit your bill for what you want, and it is not expensive...

http://www.dlink.com/products/?pid=173

0
 
LVL 31

Expert Comment

by:qwaletee
ID: 9773761
MaxQ,
VLAN is a good idea, but if I have judged Mr. Smith properly by his question, if he could deal with VLAN's, he probably would not have to ask this question!
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 9773814
mrsmith14,
> sounds to me like both scenarios create an extra hop for my private network.... correct?

Probably, unless your existing broadband connection is able to have two internal routers with separate addresses plugged into it. For example, I have a DSL modem that acts as a router, has its own IP, and has a built-in four-port hub. So I actually have two static IPs sitting here -- one on the modem itself, and one on my firewall. I could purchase an additional static IP, buy a cheap SOHO gateway, and plug it into one of the three free ports on the DSL modem -- and I would have two completely separate networks that could not interoperate, sharing a single broadband connection.

On my old DSL modem, the modem itself had no address, so it was acting as a bridge. If I wanted to add a second firewall, I would have to piggyback one off the other, or I would have to put a NAT router in front of both of them (which means basically two new routers instead of one). Either way, at least one of the two networks would have an extra hop.

So, it really depends on the broadband device.
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 9773826
That D-Link device sounds perfect for this!
0
 
LVL 1

Author Comment

by:mrsmith14
ID: 9773833
Wow, that's a sweet little device. Unfortunately, I don't think they're going to let me spend 500 on providing one little spot with internet. Actually I'd like to hear a little more on the VLAN idea if you guys would. I've never really tried anything with them. Today is a good day to start though.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9773861
You would have to have a switch that is capable of VLAN's (Virtual LANs), plus a router that can "see" both VLAN's, or have two routers (one per VLAN).
What is your current topology? What kind of hardware do you have? Make/model...especially switches and router..

0
 
LVL 1

Author Comment

by:mrsmith14
ID: 9773869
Actually this DSL modem is a POS. It only has one port going out, which goes to my gateway. I know those DSL routers you're talking about though... I've got a Netopia at another site which rocks!!
0
 
LVL 1

Author Comment

by:mrsmith14
ID: 9773899
lrmoore,

We have 2 Cisco 2950 switches and some other crappy switches... I'm guessing the Ciscos would support it, but not the crapsters. Routers are cheapo Netgears. I guess that probably won't be an option if everything has to support a VLAN.
0
 
LVL 1

Author Comment

by:mrsmith14
ID: 9773914
Oh, and I guess this would be considered a star topology.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9773947
The C2950's for sure will handle the VLAN's, but without adding another router to the mix, that's not really an option.
The concept is pretty much just like it says. You create a "Virtual LAN" by designating specific ports as a separate VLAN. It separates broadcast domains. This is just like adding a separate physical switch. There is no communication between the vlan's without something that can "see" both of them. Cisco router interface can use trunking and sub-interfaces for each VLAN. Since you don't want the two networks to see each other, the only issue is how do two separate networks now share a single outbound Internet connection...
0
 
LVL 1

Author Comment

by:mrsmith14
ID: 9774017
So no possibility here without a 5000 dollar Cisco router? Welp, I guess scratch that idea.
0
 

Expert Comment

by:qzzwrs
ID: 9774348
Well, that D-Link is not exactly the cheapest thing in the world at $400+ with a quick lookup on Google. If you're a small office I think the 2 router option is best and cheapest if you can have 2 internet connections. If money is not an issue then go with the D-Link. I think the Linksys routers go for about $60, maybe cheaper with rebates and all. So roughly $120 versus $400 is a no-brainer.

qwaletee, you're right, I just misread your post, sorry.
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 9774659
If you already have a firewall, and can add another interface, then you shouldn't necessarily encounter another hop in the config (although really, who cares about another hop unless the machine inserting another hop is utterly crappy, or you are running at DS3 speeds or higher). All you would have to do is put the public access machines in a DMZ using the new/additional interface on your firewall, and all is well.

      Internet
           ||
           ||
    router/firewall==public net [DMZ]
           ||
           ||
      private net


DMZ security (from the perspective of the private net) is handled exactly like internet security (with regard to inbound connections), and outbound DMZ connections get to use the internet connection on the firewall.

Cheers,
-Jon

0
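The three-zone "router/firewall" drawn above, and the "router that can see both VLANs" lrmoore described earlier, as an added example that is not part of the original thread: a POSIX shell script that emits an iptables-restore ruleset for a Linux box with a WAN interface, a private-LAN interface and a guest (waiting room) interface, plus the `ip link` commands for the variant where the two inside zones are 802.1Q sub-interfaces on one trunk from a VLAN-capable switch (such as the Catalyst 2950 in the thread) instead of two physical NICs. Interface names (eth0, eth1, eth2, eth1.10, eth1.20), subnets (192.168.1.0/24, 192.168.50.0/24) and VLAN IDs are assumptions; the script only prints, it applies nothing.

```shell
#!/bin/sh
# Added example (not from the original thread). Generates rules for a Linux
# firewall with three zones: WAN (toward the DSL modem), LAN (private network)
# and GUEST (waiting room). Interface names, subnets and VLAN IDs passed in by
# the caller are assumptions for illustration. Output is meant to be piped into
# `iptables-restore` (or `sh` for the VLAN commands) on the firewall itself.

# gen_vlan_ifaces TRUNK_IF LAN_VID GUEST_VID
# Prints the commands that split one NIC on an 802.1Q trunk into two
# sub-interfaces, so the same three-zone policy works without a third NIC.
gen_vlan_ifaces() {
    trunk=$1; lan_vid=$2; guest_vid=$3
    cat <<EOF
ip link add link $trunk name $trunk.$lan_vid type vlan id $lan_vid
ip link add link $trunk name $trunk.$guest_vid type vlan id $guest_vid
ip link set $trunk up
ip link set $trunk.$lan_vid up
ip link set $trunk.$guest_vid up
EOF
}

# gen_fw_rules WAN_IF LAN_IF GUEST_IF LAN_NET GUEST_NET
# Prints an iptables-restore ruleset. Default policy on FORWARD and INPUT is
# DROP; every allowed zone pair is an explicit ACCEPT, and guest -> LAN is an
# explicit DROP placed before any ACCEPT so a later broad rule cannot leak.
gen_fw_rules() {
    wan=$1; lan=$2; guest=$3; lan_net=$4; guest_net=$5
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Both inside zones share the one public address (NAT overload).
-A POSTROUTING -s $lan_net -o $wan -j MASQUERADE
-A POSTROUTING -s $guest_net -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Traffic to the firewall itself: replies, loopback, SSH from the private LAN only.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -s $lan_net -p tcp --dport 22 -j ACCEPT
# Guest laptops still need DHCP (source is 0.0.0.0 during DISCOVER, so no -s) and DNS.
-A INPUT -i $guest -p udp --dport 67 -j ACCEPT
-A INPUT -i $guest -s $guest_net -p udp --dport 53 -j ACCEPT
-A INPUT -i $guest -j DROP
# Transit traffic: replies first, then one rule per allowed zone pair.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Guest may reach the Internet and nothing else.
-A FORWARD -i $guest -o $lan -j DROP
-A FORWARD -i $guest -d $lan_net -j DROP
-A FORWARD -i $guest -o $wan -s $guest_net -j ACCEPT
# Private LAN reaches the Internet; reaching the guest segment is optional.
-A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
-A FORWARD -i $lan -o $guest -s $lan_net -j ACCEPT
# New connections from the Internet toward either inside zone fall to the DROP policy.
-A FORWARD -i $wan -o $lan -m conntrack --ctstate NEW -j DROP
-A FORWARD -i $wan -o $guest -m conntrack --ctstate NEW -j DROP
COMMIT
EOF
}

# rules_contain RULESET LINE: exact whole-line match, used to check the output.
rules_contain() {
    printf '%s\n' "$1" | grep -Fqx -- "$2"
}
```

Usage on the firewall: `gen_vlan_ifaces eth1 10 20 | sh` (only for the trunk variant), then `gen_fw_rules eth0 eth1 eth2 192.168.1.0/24 192.168.50.0/24 | iptables-restore`, with `net.ipv4.ip_forward=1` set. The check a practitioner wants afterwards is from a laptop on the guest side: a connection to any address in the private subnet, and to the firewall's own LAN-side address, must time out while plain web access works.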
 
LVL 18

Expert Comment

by:chicagoan
ID: 9774998
>dmz
Yup - XP with firewall enabled and all patched up - NO services running.
0
 
LVL 1

Author Comment

by:mrsmith14
ID: 9775041
Well, I'm thinking I may just end up paying for a second public IP then.
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9775268
Why? The net effect is the same.
HA!
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 9776756
>>dmz
>Yup - XP with firewall enabled and all patched up - NO services running

Ummm, no.  XP is not a firewall, period (when will people understand that?).  Even if it weren't horribly insecure, the performance issues alone are enough to disqualify it from consideration.

mrsmith - I'm not sure how obtaining an extra IP will help - care to explain your thoughts here? BTW, what firewall do you have (or is your Netgear router currently doing that for you?) Also, can you provide a current diagram of your network (similar to previous posts by others above)?

Cheers,
-Jon

0
 
LVL 1

Author Comment

by:mrsmith14
ID: 9779487
                              dsl modem(from 1982)
                                             |
                                      D-link router
                                             |
                                   Cisco 2950's and other crapsters

I'm not understanding why this won't work:

                                dsl modem(from 1982)
                                              |
                                      Cheapo switch
           _____________________|________________________
           |                                                                              |
    Dlink(Private network) Public #1                     New Router(public)Public #2
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9779789
The public machine is expendable.
The XP firewall is not Nobel Prize material, but having the thing in the DMZ, turning off all services and keeping it patched up with a decent virus scanner on it, creating a standard non-admin user account with a decent password, an auto-admin login for guests (not the Guest account), and renaming the Administrator account is safer than 90% of the home computers on the net and a lot of corporate machines. Build it, burn a Ghost image to a CD and if it gets tagged, so what? Ghost over the thing, apply the new patches.
0
 
LVL 1

Author Comment

by:mrsmith14
ID: 9779840
OK, we can stop talking about WinXP right now. There is no terminal here. This is just a spot for users to quickly connect their laptops.
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9779878
DMZ
0
 
LVL 1

Author Comment

by:mrsmith14
ID: 9779917
OK, we can stop talking about the DMZ port, as there is none.
0
 
LVL 1

Author Comment

by:mrsmith14
ID: 9779958
Oh wait... the crappy Netgear router has one... hmmm
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9780658
Does it actually have a physical DMZ interface, or just an entry for a DMZ 'host' ?
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9780791
Good point, you need a REAL DMZ, something like a D-Link DFL-80 or DFL-300.

Low-end cable routers just make an inside host a nice target.
0
 
LVL 1

Author Comment

by:mrsmith14
ID: 9781326
Grrrr... yup, it's a "wannabe" DMZ, not a real one.
0
 
LVL 16

Accepted Solution

by:
The--Captain earned 63 total points
ID: 9781478
mrsmith - your idea should work, ie:

>I'm not understanding why this won't work
>
>                                dsl modem(from 1982)
>                                                |
>                                      Cheapo switch
>           _____________________|________________________
>           |                                                                              |
>    Dlink(Private network) Public #1                     New Router(public)Public #2

Didn't realize your budget allowed for another router (and IP).  You could save on the cost of an IP if you bought a router with two distinct ethernet interfaces (no, not a router with a built-in hub) was all I was thinking.

Chicagoan says:

>The public machine is expendable

LOL! Try saying that at your next job interview, and see where it gets you. For most folks who rely upon internet access, the public machine is not at all expendable, since who wants to waste a couple hours restoring the thing when it gets hacked - for most people, that equals lots of lost business waiting for the thing to be repaired. Also, most folks want their internet access to be as fast as possible, and for that reason alone anyone with a brain avoids using Mickeysoft products to provide transit.

Cheers,
-Jon
0
 
LVL 18

Assisted Solution

by:chicagoan
chicagoan earned 62 total points
ID: 9781654
But that's not the question anymore ;-)
He just needs a port with DHCP, and I don't want Tom, Dick or Jon plugging their laptops into my network, so the question is: do I give them a firewall or not? If not, he goes with another address and drops a switch on the outside.
If he does, he'll have to buy hardware.

As far as the public machine being expendable, there are no confidentiality or data integrity issues for the enterprise, so in that sense it's expendable. Guests might leave their credit card numbers in the cache and their passwords in the cookies, but hey, it's not OUR data! The only issue to OUR enterprise is availability, and a machine with no services running is pretty safe from passive compromise. Compromises that come from user-initiated connections such as web pages, downloads and mail aren't mitigated by NAT routers anyway; you need stateful inspection for that. Patches, sensible permissions, antivirus and possibly a soft firewall are about all you can do aside from educating users, and we all know where that gets you (just surf the cache).
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12348460
I was the first to post a most viable solution; just because it wasn't in the budget makes it no less of a viable solution as the question was posted.
0
