Solved

Connect to PC on WAN Side of Router

Posted on 2004-11-06
Last Modified: 2013-11-29
Dear Experts,

I want to use a router (Netgear RT314) as a type of firewall inside a LAN. Basically I want to separate a less secure section of the LAN from the main part of the LAN.

The way I was thinking of doing it was to connect the main part of the LAN to the LAN port of the router and the less secure part to the Internet port. I think this should allow traffic to flow freely from the main part of the LAN to the less secure part of the LAN but block all traffic from the less secure part to the main part. (The router is configured to block all traffic from the Internet side.)

I have tried this with my router and it does not seem to work. I have tested using 2 PCs with addresses 10.0.0.110 and 10.0.0.150 and a subnet of 255.255.255.0. The PC on the LAN side of the router cannot ping the machine on the Internet side. When I attach them both to the LAN side they can ping each other as expected. The machine on the LAN side can also ping the router 10.0.0.102 OK.

Appreciate any comments.

Lee.
0
Question by:lnwright
20 Comments
 
LVL 2

Accepted Solution

by:
wjc7662 earned 1000 total points
ID: 12516088
They will first need to be on different subnets, so put machines on one side with addresses like 10.0.0.x and the other side with 10.0.1.x, with a subnet mask of 255.255.255.0. The router will need to be configured as a router and not a gateway, and enable routing protocol RIP version 2. This should allow routing between the 2 subnets.
0
 
LVL 2

Assisted Solution

by:pjimerson
pjimerson earned 400 total points
ID: 12516691
I wouldn't recommend exposing ANY part of your LAN to the internet without some sort of firewall/router in between. You're going to regret it if you do, and quite rapidly.

I'd suggest you put the entire LAN behind your firewall and then configure the two parts of the LAN as two different NT domains.  If you have access to a windows domain controller this should be easy and you could configure the permissions between the two domains however you'd like.  

If you don't have a windows domain controller you can do the following:

Use two different subnets as suggested above, each with their own DNS server. Configure each machine on the two subnets to resolve DNS only with the DNS server for that subnet. Put bogus records into the DNS servers incorrectly resolving the DNS names for the OTHER subnet's machines. That way everybody will be able to access the internet and other machines on their subnet but nobody will be able to see machines on the other subnet. Any machines that you do want to be able to cross subnets can be configured with a hosts file that correctly resolves any/all of the DNS names across the entire network, thus enabling it to speak to any machine across the entire network.

I know it's kinda odd but it'll work.  Let me know if you want me to spell out how to configure the hosts file or if you have other questions.  :-)

Good Luck,

pjimerson
0
 

Author Comment

by:lnwright
ID: 12516761
Thanks wjc7662 & pjimerson,

These comments are very helpful.

The less secure part of the LAN is still behind a firewall, it's just that  I want an extra layer of protection for the rest of the network.    I don't have control over the main part of the LAN so I can't change any settings.

Regards,

Lee.


 
0
 

Author Comment

by:lnwright
ID: 12516788
I should make one more point.   At this stage and probably permanently there is only 1 pc connected to the less secure part of the LAN.
0
 
LVL 10

Assisted Solution

by:snerkel
snerkel earned 400 total points
ID: 12516859
This is the sort of setup you want http://www.tech24.arce.co.uk/networks/natnat.htm

It works a treat, the PCs connected to the red router can see any PC on the yellow router, the PCs on the yellow router can't access those on the red router (except by a VPN tunnel but that is another story)
0
 
LVL 10

Expert Comment

by:snerkel
ID: 12516864
Also see http://www.tech24.arce.co.uk/networks/wireless.htm that is a closer example to your requirement
0
 

Author Comment

by:lnwright
ID: 12516916
OK, here is what I've done. I assigned a fixed IP of one machine of 10.0.1.150, my RT314 of 10.0.1.102 and another of 10.0.0.103 and another machine 10.0.0.115. So basically I now have 2 subnets. On my PC (on the LAN side of the RT314) I have set the gateway to 10.0.1.102. In the RT314 I have set up a routing rule that forwards all traffic destined for 10.0.0.115 to a gateway of 10.0.0.103. I can now ping both 115 and the router OK. I can't seem to file share with 115 though. Even using an IP address.

Appreciate any thoughts.
0
 

Author Comment

by:lnwright
ID: 12516968
Thanks Snerkel,

This is very handy to know.   I tried and it works fine for internet access but it does not seem to allow file sharing.

Lee.
0
 
LVL 41

Assisted Solution

by:stevenlewis
stevenlewis earned 200 total points
ID: 12517191
try from a prompt
net use * \\<ip address>\share name
where <ip address> is the ip of the machine on the other side of the router
and share name is the share name you have assigned the share
0
 
LVL 41

Expert Comment

by:stevenlewis
ID: 12517219
you may need to open some ports (if you are trying to reach one of the machines on the LAN from the outside)
http://www.nacs.uci.edu/security/netbios.html
0
 
LVL 10

Expert Comment

by:snerkel
ID: 12517220
or go to run in the start menu and type

\\192.168.8.30


replacing 192.168.8.30 with the IP of the machine you want to connect to.

Obviously you can only do this from your side of the router, anyone outside your router won't be able to do this to yours
0
 
LVL 41

Expert Comment

by:stevenlewis
ID: 12517222
Note: that kind of defeats the purpose of a firewall LOL
0
 

Author Comment

by:lnwright
ID: 12518568
Thanks,

snerkel,

I have tried using the IP address for the file share, e.g. \\192.168.0.1, but that doesn't work.

stevenlewis,

I don't think you really understand the question. I don't want to connect from the WAN side to the LAN side. I want to only connect from the LAN side to the WAN side. Effectively I do want it to act as a firewall but I still want traffic to flow from the LAN to the WAN.


Regards,



Lee.

0
 
LVL 10

Expert Comment

by:snerkel
ID: 12519107
It should work, it may take a few seconds. Things to check:

Your LAN must be using an IP range different from the WAN one you are trying to connect to, I assume that you are using 10.x.x.x from your original post, and the WAN side is 192.168.x.x

Other thing to check is if PC with shares has a software firewall, this may be blocking your access attempts.

Try connecting to the WAN network and make sure you can access the share (if you haven't already done this)

I have the same setup as you and can connect to any share on the WAN side of my router.

Other thought is you are using \\192.168.0.1, is this definitely the IP address of the machine you want to connect to? Can you ping it?
0
 
LVL 41

Expert Comment

by:stevenlewis
ID: 12519621
I do understand, you want to connect from inside the LAN to the other side of the router
net use * \\<ip address> should work, unless there is something like zone alarm, or XP's built in firewall is blocking access. Assuming file sharing is active on the target machine, and NetBIOS over tcp is enabled.
0
 
LVL 41

Expert Comment

by:stevenlewis
ID: 12519628
As a test, move it to the LAN side of the router, assign a correct IP, and see if you can access the shares then. If so, then move it back to the WAN side and test.
0
 
LVL 2

Expert Comment

by:pjimerson
ID: 12531817
Hi,

I had a similar problem once.  I had 2 machines with 2 network cards each on them.  1 wireless and 1 wired NIC each  using IP addresses from 192.168.1.x for the wired NICs and 192.168.0.x for the wireless cards.  I couldn't share files at all between the two machines until I changed the wired NICs to use IPs in the range 10.10.10.x after that filesharing was easy to set up.

The way I see it, the addresses between subnets needed to be MORE different in order for Windows file sharing to work. You may want to try putting one of your subnets on 10.0.0.x and the other one on 192.168.0.x or something like that.

Oh, and one other thought, do you have netbios installed as a network protocol?  or anything other than tcp/ip?  If so this may be the problem.....netbios, IPX/SPX and some other protocols are not-routable protocols, meaning they don't propagate past a router or bridge.  Sometimes, even if you have tcp/ip installed another protocol can somehow leap ahead of tcp/ip as the default protocol (usually you have to have a network device in place that's broadcasting in this protocol for this to happen).  If you don't have any other protocols installed of course this can't happen, but you don't necessarily need to have any other protocol other than tcp/ip anyway because windows 2000 and xp come with a tcp/ip netbios helper service which provides netbios functionality from within tcp/ip.  Seeing as how you can't seem to get netbios functionality beyond your router I thought this might be the issue.  

Good Luck,

PJimerson
0
 

Author Comment

by:lnwright
ID: 12543492
Thank you all experts,

There have been some very good comments.  I managed to get it to work.   I have posted how I did it here in a word document:

www.contactshare.com/ee in the hope that others may find it helpful.

Regards,


Lee.
0
 
LVL 10

Expert Comment

by:snerkel
ID: 12549264
Your instructions say that 10.0.0.1 is on a different subnet to 10.0.1.1; this may cause confusion, as when 10.x.x.x is used the standard subnet mask of 255.0.0.0 actually makes them on the same subnet (255.0.0.0 is the default Windows uses unless told different).

You would be better, or at least for the example it would be better, to use 192.168.0.1 and 192.168.1.1 as these would normally be on different subnets, e.g. the standard is a subnet mask of 255.255.255.0.
0
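Added example (not part of the original thread, and not any poster's code): the on-link versus via-gateway decision a host makes, run over the addresses quoted in the accepted answer, the asker's follow-up and the subnet-mask comment above. The function names and the 192.168.0.254 gateway are assumptions made for illustration.

```python
import ipaddress

def classful_default_mask(ip):
    """Default mask by address class (A/B/C), used when no mask is specified."""
    first = int(ip.split(".")[0])
    if first < 128:
        return "255.0.0.0"
    if first < 192:
        return "255.255.0.0"
    if first < 224:
        return "255.255.255.0"
    raise ValueError("class D/E addresses have no default host mask")

def next_hop(src_ip, mask, dst_ip, gateway=None):
    """Return how a host configured as src_ip/mask delivers a packet to dst_ip."""
    iface = ipaddress.ip_interface(f"{src_ip}/{mask}")
    dst = ipaddress.ip_address(dst_ip)
    if dst in iface.network:
        # Same subnet: the host ARPs for dst itself, so a router placed
        # between the two machines is never asked to forward anything.
        return "on-link"
    if gateway is None or ipaddress.ip_address(gateway) not in iface.network:
        return "unreachable"  # no usable gateway on the local subnet
    return f"via {gateway}"

# Scenarios built from addresses quoted in the thread.
SCENARIOS = {
    # Original test: both PCs in 10.0.0.0/24, router between them.
    "original": ("10.0.0.110", "255.255.255.0", "10.0.0.150", "10.0.0.102"),
    # After readdressing: PC 10.0.1.150 uses the RT314 (10.0.1.102) as gateway.
    "two_subnets": ("10.0.1.150", "255.255.255.0", "10.0.0.115", "10.0.1.102"),
    # Same addresses, but the mask left at the class A default.
    "default_mask": ("10.0.1.150", classful_default_mask("10.0.1.150"),
                     "10.0.0.115", "10.0.1.102"),
    # 192.168.x.x with its class C default; gateway address is constructed.
    "class_c": ("192.168.0.1", classful_default_mask("192.168.0.1"),
                "192.168.1.1", "192.168.0.254"),
}

def run_scenarios():
    return {name: next_hop(*args) for name, args in SCENARIOS.items()}

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:13} {result}")
```

An "on-link" result across the router means the traffic is never handed to it, so it can neither forward nor filter that traffic.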
 

Author Comment

by:lnwright
ID: 12549481
Thanks Snerkel,

Yes I see what you mean.     I will see about amending it to make it clearer.


Regards,

Lee.
0
