Connect to PC on WAN Side of Router

Dear Experts,

I want to use a router (Netgear RT314) as a type of firewall inside a LAN. Basically I want to separate a less secure section of the LAN from the main part of the LAN.

The way I was thinking of doing it was to connect the main part of the LAN to the LAN port of the router and the less secure part to the Internet port. I think this should allow traffic to flow freely from the main part of the LAN to the less secure part of the LAN but block all traffic from the less secure part to the main part. (The router is configured to block all traffic from the Internet side.)

I have tried this with my router and it does not seem to work. I have tested using 2 PCs with addresses 10.0.0.110 and 10.0.0.150 and a subnet mask of 255.255.255.0. The PC on the LAN side of the router cannot ping the machine on the Internet side. When I attach them both to the LAN side they can ping each other as expected. The machine on the LAN side can also ping the router 10.0.0.102 OK.

Appreciate any comments.

Lee.
lnwrightAsked:

wjc7662Commented:
They will first need to be on different subnets, so put machines on one side with addresses like 10.0.0.x and the other side with 10.0.1.x, with a subnet mask of 255.255.255.0. The router will need to be configured as a router and not a gateway, and enable routing protocol RIP version 2. This should allow routing between the 2 subnets.
0

pjimersonCommented:
I wouldn't recommend exposing ANY part of your LAN to the internet without some sort of firewall/router in between. You're going to regret it if you do, and quite rapidly.

I'd suggest you put the entire LAN behind your firewall and then configure the two parts of the LAN as two different NT domains. If you have access to a Windows domain controller this should be easy and you could configure the permissions between the two domains however you'd like.

If you don't have a Windows domain controller you can do the following:

Use two different subnets as suggested above, each with their own DNS server. Configure each machine on the two subnets to resolve DNS only with the DNS server for that subnet. Put bogus records into the DNS servers incorrectly resolving the DNS names for the OTHER subnet's machines. That way everybody will be able to access the internet and other machines on their subnet, but nobody will be able to see machines on the other subnet. Any machines that you do want to be able to cross subnets can be configured with a hosts file that correctly resolves any/all of the DNS names across the entire network, thus enabling them to speak to any machine across the entire network.

I know it's kinda odd but it'll work. Let me know if you want me to spell out how to configure the hosts file or if you have other questions. :-)

Good Luck,

pjimerson
0
lnwrightAuthor Commented:
Thanks wjc7662 & pjimerson,

These comments are very helpful.

The less secure part of the LAN is still behind a firewall, it's just that I want an extra layer of protection for the rest of the network. I don't have control over the main part of the LAN so I can't change any settings.

Regards,

Lee.
0

lnwrightAuthor Commented:
I should make one more point. At this stage, and probably permanently, there is only 1 PC connected to the less secure part of the LAN.
0
snerkelCommented:
This is the sort of setup you want http://www.tech24.arce.co.uk/networks/natnat.htm

It works a treat: the PCs connected to the red router can see any PC on the yellow router, the PCs on the yellow router can't access those on the red router (except by a VPN tunnel, but that is another story).
0
snerkelCommented:
Also see http://www.tech24.arce.co.uk/networks/wireless.htm which is a closer example to your requirement.
0
lnwrightAuthor Commented:
OK, here is what I've done. I assigned a fixed IP of 10.0.1.150 to one machine, 10.0.1.102 to my RT314 and 10.0.0.103 to another, and 10.0.0.115 to another machine. So basically I now have 2 subnets. On my PC (on the LAN side of the RT314) I have set the gateway to 10.0.1.102. In the RT314 I have set up a routing rule that forwards all traffic destined for 10.0.0.115 to a gateway of 10.0.0.103. I can now ping both 115 and the router OK. I can't seem to file share with 115 though, even using an IP address.

Appreciate any thoughts.
0
lnwrightAuthor Commented:
Thanks Snerkel,

This is very handy to know. I tried it and it works fine for internet access but it does not seem to allow file sharing.

Lee.
0
stevenlewisCommented:
Try from a prompt:
net use * \\<ip address>\share name
where <ip address> is the IP of the machine on the other side of the router
and share name is the share name you have assigned to the share.
0
stevenlewisCommented:
You may need to open some ports (if you are trying to reach one of the machines on the LAN from the outside):
http://www.nacs.uci.edu/security/netbios.html
0
snerkelCommented:
Or go to Run in the Start menu and type

\\192.168.8.30

replacing 192.168.8.30 with the IP of the machine you want to connect to.

Obviously you can only do this from your side of the router; anyone outside your router won't be able to do this to yours.
0
stevenlewisCommented:
Note: that kind of defeats the purpose of a firewall LOL
0
lnwrightAuthor Commented:
Thanks,

snerkel,

I have tried using the IP address for the file share, e.g. \\192.168.0.1, but that doesn't work.

stevenlewis,

I don't think you really understand the question. I don't want to connect from the WAN side to the LAN side. I want to only connect from the LAN side to the WAN side. Effectively I do want it to act as a firewall, but I still want traffic to flow from the LAN to the WAN.

Regards,

Lee.

0
snerkelCommented:
It should work, it may take a few seconds. Things to check:

Your LAN must be using an IP range different from the WAN one you are trying to connect to. I assume that you are using 10.x.x.x from your original post, and the WAN side is 192.168.x.x.

The other thing to check is whether the PC with the shares has a software firewall; this may be blocking your access attempts.

Try connecting to the WAN network and make sure you can access the share (if you haven't already done this).

I have the same setup as you and can connect to any share on the WAN side of my router.

Other thought: you are using \\192.168.0.1. Is this definitely the IP address of the machine you want to connect to? Can you ping it?
0
stevenlewisCommented:
I do understand, you want to connect from inside the LAN to the other side of the router.
net use * \\<ip address> should work, unless something like ZoneAlarm or XP's built-in firewall is blocking access, assuming file sharing is active on the target machine and NetBIOS over TCP is enabled.
0
stevenlewisCommented:
As a test, move it to the LAN side of the router, assign a correct IP, and see if you can access the shares then. If so, then move it back to the WAN side and test.
0
pjimersonCommented:
Hi,

I had a similar problem once. I had 2 machines with 2 network cards each on them, 1 wireless and 1 wired NIC each, using IP addresses from 192.168.1.x for the wired NICs and 192.168.0.x for the wireless cards. I couldn't share files at all between the two machines until I changed the wired NICs to use IPs in the range 10.10.10.x; after that file sharing was easy to set up.

The way I see it, the addresses between subnets needed to be MORE different in order for Windows file sharing to work. You may want to try putting one of your subnets on 10.0.0.x and the other one on 192.168.0.x or something like that.

Oh, and one other thought: do you have NetBIOS installed as a network protocol, or anything other than TCP/IP? If so this may be the problem. NetBIOS, IPX/SPX and some other protocols are non-routable protocols, meaning they don't propagate past a router or bridge. Sometimes, even if you have TCP/IP installed, another protocol can somehow leap ahead of TCP/IP as the default protocol (usually you have to have a network device in place that's broadcasting in this protocol for this to happen). If you don't have any other protocols installed of course this can't happen, but you don't necessarily need to have any protocol other than TCP/IP anyway, because Windows 2000 and XP come with a TCP/IP NetBIOS Helper service which provides NetBIOS functionality from within TCP/IP. Seeing as how you can't seem to get NetBIOS functionality beyond your router, I thought this might be the issue.

Good Luck,

PJimerson
0
lnwrightAuthor Commented:
Thank you all experts,

There have been some very good comments. I managed to get it to work. I have posted how I did it here in a Word document:

www.contactshare.com/ee in the hope that others may find it helpful.

Regards,

Lee.
0
snerkelCommented:
Your instructions say that 10.0.0.1 is on a different subnet from 10.0.1.1; this may cause confusion, as when 10.x.x.x is used the standard subnet mask of 255.0.0.0 actually puts them on the same subnet (255.0.0.0 is the default Windows uses unless told differently).

You would be better, or at least for the example it would be better, to use 192.168.0.1 and 192.168.1.1, as these would normally be on different subnets, e.g. the standard is a subnet mask of 255.255.255.0.
0
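As an added example (not from any participant in the thread), the check behind snerkel's point: whether two hosts land in the same subnet depends entirely on the mask, and a Windows host given only an address fills in the classful default (255.0.0.0 for 10.x.x.x, 255.255.255.0 for 192.168.x.x). The addresses are the ones used in the thread; the classful-default rule is standard IPv4 class A/B/C behaviour.

```python
import ipaddress
from typing import Optional


def classful_default_mask(addr: str) -> str:
    """Mask a Windows host fills in when none is given: classful, decided by the
    first octet (1-126 class A -> 255.0.0.0, 128-191 class B -> 255.255.0.0,
    192-223 class C -> 255.255.255.0)."""
    first = int(addr.split(".")[0])
    if 1 <= first <= 126:
        return "255.0.0.0"
    if 128 <= first <= 191:
        return "255.255.0.0"
    if 192 <= first <= 223:
        return "255.255.255.0"
    raise ValueError(f"{addr} has no classful default mask")


def subnet_of(addr: str, mask: str) -> ipaddress.IPv4Network:
    """Network that addr belongs to under mask (strict=False drops the host bits)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def same_subnet(a: str, b: str, mask: Optional[str] = None) -> bool:
    """True when a and b share a subnet. With mask=None the classful default is
    used, i.e. what a host does when only the address is typed in. Two hosts
    that believe they share a subnet ARP for each other directly and never
    hand the packet to the router in between."""
    if mask is None:
        mask = classful_default_mask(a)
    return subnet_of(a, mask) == subnet_of(b, mask)


if __name__ == "__main__":
    # Constructed cases built from the addresses discussed in the thread.
    cases = [
        ("10.0.0.1", "10.0.1.1", None),                 # classful /8: same subnet
        ("10.0.0.1", "10.0.1.1", "255.255.255.0"),      # explicit /24: different
        ("192.168.0.1", "192.168.1.1", None),           # classful /24: different
        ("10.0.0.110", "10.0.0.150", "255.255.255.0"),  # original post: same /24 on both router ports
    ]
    for a, b, mask in cases:
        used = mask or f"{classful_default_mask(a)} (classful default)"
        print(f"{a} and {b} with mask {used}: same subnet = {same_subnet(a, b, mask)}")
```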
lnwrightAuthor Commented:
Thanks Snerkel,

Yes, I see what you mean. I will see about amending it to make it clearer.

Regards,

Lee.
0