Solved

Restrict access to LAN via Firewall/Router

Posted on 2006-07-22
Last Modified: 2012-06-22
I have a D-Link adsl modem/router connected to an 8 port switch.
I then have my LAN PCs also connected to the switch and these acquire IP settings from the D-Link router (range 192.168.1.0).
I also have a Netgear FWAG114 Prosafe Wireless Firewall/Router connected to the switch via its WAN port.
Machines which connect to the FWAG114 only do so via wireless and are allocated IP settings by the FWAG114 (range 10.0.0.0).

My wireless machines are able to access the internet via the FWAG114 with no problems at all. However, at present if I type \\192.168.1.# into a RUN command wireless clients on the FWAG114 are able to access the LAN clients on the D-Link router (they do have to enter a username and password but as most of the LAN clients don't have passwords on the administrator account this is not secure and easily worked out by those with a little knowledge). I don't want the wireless clients on the 10.0.0.0 range to be able to access LAN clients on the 192.168.1.0 range connected directly to the D-Link router.

I know that we could set up passwords etc on all the LAN client machines but we would rather restrict access via the firewall as users could easily remove passwords or create new accounts and shares - they are not on a domain and they do not want us to restrict their use of their own machines. Essentially the hotel are offering free internet access via their own broadband connection but need to make sure clients can't access the office machines.
Question by:barnesm6
LVL 20

Expert Comment

by:calvinetter
ID: 17165244
On the FWAG114, create the following rules in this order:
- allow wireless clients on the 10.0.0.x network to access the D-Link router's internal IP address (192.168.1.1 ?)
- deny wireless clients on the 10.0.0.x network to access the entire 192.168.1.x network
- allow wireless clients to access everything else (ie, allow 10.0.0.x to access "ANY" IP address)

The rules are processed in "top down" fashion, so if your rules appear as above, your wireless clients will be able to access the Internet, send traffic through the D-Link router, but not access the remainder of the 192.168.1.x network.

cheers
LVL 1

Author Comment

by:barnesm6
ID: 17169673
That's what I want to achieve but I can't see how to configure this in the router. Under the rules section you have to specify ports that you want/don't want clients to access; I don't see anywhere where I can specify the above.
LVL 20

Accepted Solution

by:
calvinetter earned 250 total points
ID: 17172665
If you don't have the manual handy, you can download it here:  ftp://downloads.netgear.com/files/fwag114_ref_manual.pdf
  See pg 5-7 for an example of an outbound rule.  If you have problems, give a shout, but it's pretty self-explanatory.  

The "Service" would be set to "any", the "LAN users" sections just leave as "any" in all 3 rules you create, in the "WAN users" boxes the "start" section is the lowest IP in the range you want to allow/deny, the "finish" input boxes are for the highest IP in the range.

cheers
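
The three rules from the answers above, modeled as an added example (not part of the original thread and not Netgear's firmware logic): it evaluates them top-down with first match winning, and flags rules that an earlier rule makes unreachable. The `OutboundRule` class, the function names, the default action for unmatched traffic and the sample destination addresses are assumptions; 192.168.1.1 as the D-Link's address is the answer's own guess.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class OutboundRule:
    """Service and LAN users are 'any', so only the WAN (destination) range matters."""
    action: str       # "allow" or "block"
    wan_start: str    # lowest destination IP in the range
    wan_finish: str   # highest destination IP in the range

    def bounds(self):
        return (int(ipaddress.IPv4Address(self.wan_start)),
                int(ipaddress.IPv4Address(self.wan_finish)))

    def matches(self, dst):
        lo, hi = self.bounds()
        return lo <= int(ipaddress.IPv4Address(dst)) <= hi

def evaluate(rules, dst, default="allow"):
    """Top-down, first match wins. The default for unmatched traffic is an assumption."""
    for rule in rules:
        if rule.matches(dst):
            return rule.action
    return default

def shadowed(rules):
    """Indexes of rules that can never fire because one earlier rule covers their range."""
    hidden = []
    for i, rule in enumerate(rules):
        lo, hi = rule.bounds()
        for earlier in rules[:i]:
            e_lo, e_hi = earlier.bounds()
            if e_lo <= lo and hi <= e_hi:
                hidden.append(i)
                break
    return hidden

# Constructed rule set mirroring the three rules described in the thread.
ROUTER   = OutboundRule("allow", "192.168.1.1", "192.168.1.1")
LAN      = OutboundRule("block", "192.168.1.0", "192.168.1.255")
ANYWHERE = OutboundRule("allow", "0.0.0.0", "255.255.255.255")

GOOD_ORDER = [ROUTER, LAN, ANYWHERE]
BAD_ORDER  = [ANYWHERE, ROUTER, LAN]   # allow-any first hides the block rule

if __name__ == "__main__":
    for name, rules in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        for dst in ("192.168.1.1", "192.168.1.50", "203.0.113.10"):
            print(name, dst, evaluate(rules, dst))
        print(name, "shadowed rule indexes:", shadowed(rules))
```
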