Solved

Trying to separate networks by using different subnet masks

Posted on 2007-04-11
223 Views
Last Modified: 2010-03-18
I have a client who is using internet access supplied by another tenant in their building. I'm trying to keep their networks hidden from one another. I have achieved this with other clients in the past by keeping them in the same scope to attach to the internet gateway router but putting them in different subnets. Right now my client cannot see any computers on the other tenant's network or even ping them, which is what I want. However, the other tenant who is sharing their internet can find computers on our network and they can ping us. The tenant sharing the internet is in the 192.168.0.1 scope with subnet mask 255.255.255.0. My client is in the same scope with a 255.255.0.0 subnet mask. Without any additional hardware, how do I lock down this network so as not to be seen?

 thanks
0
Question by:microaideinc
14 Comments
 
LVL 2

Expert Comment

by:mkurtzhals
What are the default gateways on the PCs? If they are going to the same router then the router has a route in its table routing the two networks together. That is where I would start.
0
 
LVL 8

Expert Comment

by:thur6165
You need to split them up like this.

192.168.0.0  255.255.255.0  <--subnet one
192.168.1.0  255.255.255.0  <-- subnet two

The way you have it one scope includes the other, but not the other way around.
0
 
LVL 8

Expert Comment

by:Here2Help
Hey.

I'm assuming your network clients are XP.

To simply 'hide' your clients from view, just turn on the Windows XP Firewall and disable pinging.
(Go to Start > Run > 'Firewall.cpl')
Go onto the 'Advanced' tab and under ICMP click the 'Settings' button and make sure all boxes are unchecked.

If you're using another firewall please state which one and I'll give you further help.
0
 
LVL 40

Accepted Solution

by:
Fatal_Exception earned 500 total points
Well, you should really fix this at the router..  using different subnets will never stop anyone from accessing them if the routers have routes in their routing table...  What kind of router are you using?  If a Cisco router with switch that supports VLANs, then yes you can stop the traffic, but since you are using a shared access, I think you probably are not going to invest in such expensive equipment..  

Here is a suggestion:  Set up the main router attached to the WAN (internet), and connect a switchport to another router - WAN port, going to each subnet...    Since the WAN port will not allow incoming traffic, you effectively stop the other clients' access, unless you open a port...

WAN <--> Modem/Router <--> (WAN Port) Router (Switch Ports)<--> Router2<--> Clients in Subnet 1
                                                                                           |
                                                                                    Router 3 <--> Clients in Subnet 2

You can put as many Routers as you have Switchports and nothing downstream will be able to see anything past the WAN port on the next door router...   and you don't need expensive equipment.. Linksys Routers will do just fine..
                                                                                   
0
 
LVL 42

Expert Comment

by:zephyr_hex
thur6165 has it right.
you want the same subnet mask, with different subnets.

if one subnet mask is 255.255.0.0 and the other is 255.255.255.0, but you are using the same subnet, you are not dividing the subnets.  one subnet includes the other.

you want to actually divide your subnets.
0
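Added example (not part of the thread): a small Python check of the point thur6165 and zephyr_hex make about one scope including the other, using the masks from the question. The host addresses are constructed for illustration. It reports how the two subnets relate and whether each host would reach the other directly on the shared wire or hand the packet to its gateway, where only a router rule can stop it.

```python
import ipaddress

def relation(net_a, net_b):
    """How subnet net_a relates to net_b: equal, contains, inside or disjoint."""
    a, b = ipaddress.ip_network(net_a), ipaddress.ip_network(net_b)
    if a == b:
        return "equal"
    if b.subnet_of(a):
        return "contains"
    if a.subnet_of(b):
        return "inside"
    return "disjoint"

def next_hop(src_iface, dst_ip):
    """Where a host configured as src_iface (address/mask) sends a packet.

    A destination inside the sender's own subnet is reached directly
    (ARP on the local segment); anything else goes to the default gateway.
    """
    iface = ipaddress.ip_interface(src_iface)
    return "direct" if ipaddress.ip_address(dst_ip) in iface.network else "gateway"

def isolation_report(iface_a, iface_b):
    """Summarise both directions for two hosts on one shared segment."""
    a, b = ipaddress.ip_interface(iface_a), ipaddress.ip_interface(iface_b)
    return {
        "relation": relation(str(a.network), str(b.network)),
        "a_to_b": next_hop(iface_a, str(b.ip)),
        "b_to_a": next_hop(iface_b, str(a.ip)),
    }

if __name__ == "__main__":
    # Constructed sample hosts; only the masks come from the question.
    cases = {
        "question setup, both in 192.168.0.x":
            ("192.168.0.10/255.255.255.0", "192.168.0.20/255.255.0.0"),
        "question masks, second host in 192.168.5.x":
            ("192.168.0.10/255.255.255.0", "192.168.5.20/255.255.0.0"),
        "thur6165's split":
            ("192.168.0.10/255.255.255.0", "192.168.1.20/255.255.255.0"),
    }
    for label, (a, b) in cases.items():
        print(label, isolation_report(a, b))
```

Even in the split case both hosts simply hand the packet to the gateway, so whether it arrives depends on the router's routes and rules, not on the masks.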
 
LVL 42

Expert Comment

by:zephyr_hex
i posted before seeing Fatal's suggestion.  it reminded me that if you do 2 different subnets (with the same subnet mask), you will want to create a rule in the firewall that prevents the traffic from crossing from one subnet to the other.

using additional routers (as Fatal has shown) would achieve the same thing.
0

 
LVL 40

Expert Comment

by:Fatal_Exception
:)   as long as you have a router between subnets, and no 'rules' to disallow the packets from going from one to another, then you cannot stop traffic...  I outlined an easy way to prevent this using consumer grade routers...   I agree that you might need some explanation on how subnetting works, the correct way to use subnets, along with proper creation of subnets..  The WAN ports effectively stop anyone 'reaching' beyond their own subnet..  

I think the big problem you have here is using one consumer grade router, which will not allow you to use port filtering to stop the traffic...  Anyone connecting to one of the switchports, regardless of the subnet they are on will be able to access another subnet if the route is in place..
0
 
LVL 3

Expert Comment

by:Comply
Do you have the access rights to the router? Since it's not yours, I assume the owner would not want to give that out.
0
 
LVL 40

Expert Comment

by:Fatal_Exception
I still think we need to know more about the hardware that is being used here, for a start...  Router make and model, switches, etc....  If they are just consumer grade Linksys, Netgear, etc., then access rights really don't matter..  he will need to install additional devices to do what needs to be done..
0
 

Author Comment

by:microaideinc
I think Fatal's suggestion is my best bet and I think I might already have what I need in place as far as hardware. The person sharing the internet has a combo DSL modem/router with 4 switchports. I already have a network connection running from one of those ports to a switchport on a Linksys wireless router in my client's office which is giving wireless access to their laptops. There is also an 8-port switch attached to my Linksys router for all the wired network computers. So if I plug the network connection from the business sharing their internet into my WAN port instead of one of the switchports in my Linksys router, is that all I need to do? And will I still have internet connectivity?
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Correct...  unless you specifically forward a port on the Linksys to your internal network, then no one will be able to 'see' your LAN..  this is the same configuration I suggest to those that want to hide their subnet in Internet Cafes...  easy to do, and much less expensive than purchasing switches (CISCO) that allow for port filtering..

FE
0
 
LVL 40

Expert Comment

by:Fatal_Exception
Thanks!
0
