Trying to separate networks by using different subnet masks

I have a client who is using internet access supplied by another tenant in their building. I'm trying to keep their networks hidden from one another. I have achieved this with other clients in the past by keeping them in the same scope to attach to the internet gateway router but putting them in different subnets. Right now my client cannot see any computers on the other tenant's network or even ping them, which is what I want. However, the other tenant who is sharing their internet can find computers on our network and they can ping us. The tenant sharing the internet is in the 192.168.0.1 scope with subnet mask 255.255.255.0. My client is in the same scope with a 255.255.0.0 subnet mask. Without any additional hardware, how do I lock down this network so as not to be seen?

 thanks
microaideinc asked:

Fatal_Exception (Systems Engineer) commented:
Well, you should really fix this at the router..  using different subnets will never stop anyone from accessing them if the routers have routes in their routing table...  What kind of router are you using?  If a Cisco router with switch that supports VLANs, then yes you can stop the traffic, but since you are using a shared access, I think you probably are not going to invest in such expensive equipment..  

Here is a suggestion:  Set up the main router attached to the WAN (internet), and connect a switchport to another router - WAN port, going to each subnet...    Since the WAN port will not allow incoming traffic, you effectively stop the other clients' access, unless you open a port...

WAN <--> Modem/Router <--> (WAN Port) Router (Switch Ports)<--> Router2<--> Clients in Subnet 1
                                                                                           |
                                                                                    Router 3 <--> Clients in Subnet 2

You can put as many Routers as you have Switchports and nothing downstream will be able to see anything past the WAN port on the next door router...   and you don't need expensive equipment.. Linksys Routers will do just fine..
                                                                                   
0
 
mkurtzhals commented:
What are the default gateways on the PCs?  If they are going to the same router then the router has a route in its table routing the two networks together.  That is where I would start.
0
 
thur6165 commented:
You need to split them up like this.

192.168.0.0  255.255.255.0  <--subnet one
192.168.1.0  255.255.255.0  <-- subnet two

The way you have it one scope includes the other, but not the other way around.
0
Here2Help commented:
Hey.

I'm assuming your network clients are XP.

To just simply 'Hide' your clients from view, simply turn on the Windows XP Firewall and disable pinging.
(Go to Start > Run > 'Firewall.cpl')
Go onto the 'Advanced' tab and under ICMP click the 'Settings' button and make sure all boxes are unchecked.

If you're using another firewall please state which one and I'll give you further help.
0
 
zephyr_hex (Megan) (Developer) commented:
thur6165 has it right.
you want the same subnet mask, with different subnets.

if one subnet mask is 255.255.0.0 and the other is 255.255.255.0, but you are using the same subnet, you are not dividing the subnets.  one subnet includes the other.

you want to actually divide your subnets.
0
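The overlap that thur6165 and zephyr_hex describe can be checked with Python's standard `ipaddress` module. This is an added example, not part of the original thread; the host addresses are constructed, since the question gives only the scope and the two masks.

```python
import ipaddress

def compare(if_a: str, if_b: str) -> dict:
    """Compare two host configurations given as 'address/mask'."""
    a = ipaddress.ip_interface(if_a)
    b = ipaddress.ip_interface(if_b)
    return {
        # Do the two configured networks share any addresses?
        "overlap": a.network.overlaps(b.network),
        "a_within_b": a.network.subnet_of(b.network),
        "b_within_a": b.network.subnet_of(a.network),
        # "On-link" means the host ARPs for the peer directly on the
        # shared segment; otherwise it hands the packet to its gateway.
        "a_treats_b_on_link": b.ip in a.network,
        "b_treats_a_on_link": a.ip in b.network,
    }

# Constructed host addresses (assumptions); only the masks and the
# 192.168.0.x / 192.168.1.x networks come from the thread.
CASES = {
    "mismatched masks, hosts both in 192.168.0.x": (
        "192.168.0.10/255.255.255.0", "192.168.0.50/255.255.0.0"),
    "mismatched masks, client elsewhere in the /16": (
        "192.168.0.10/255.255.255.0", "192.168.5.50/255.255.0.0"),
    "thur6165's split, same mask on both": (
        "192.168.0.10/255.255.255.0", "192.168.1.50/255.255.255.0"),
}

if __name__ == "__main__":
    for label, (tenant, client) in CASES.items():
        print(label)
        for key, value in compare(tenant, client).items():
            print(f"  {key}: {value}")
```

In every case the mask only decides whether a host sends a packet directly or via its gateway; with the non-overlapping split, all cross-subnet traffic reaches the router, which is the only place it can be filtered.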
 
zephyr_hex (Megan) (Developer) commented:
i posted before seeing Fatal's suggestion.  it reminded me that if you do 2 different subnets (with the same subnet mask), you will want to create a rule in the firewall that prevents the traffic from crossing from one subnet to the other.

using additional routers (as Fatal has shown) would achieve the same thing.
0
 
Fatal_Exception (Systems Engineer) commented:
:)   as long as you have a router between subnets, and no 'rules' to disallow the packets from going from one to another, then you cannot stop traffic...  I outlined an easy way to prevent this using consumer grade routers...   I agree that you might need some explanation on how subnetting works, the correct way to use subnets, along with proper creation of subnets..  The WAN ports effectively stop anyone 'reaching' beyond their own subnet..  

I think the big problem you have here is using one consumer grade router, which will not allow you to use port filtering to stop the traffic...  Anyone connecting to one of the switchports, regardless of the subnet they are on will be able to access another subnet if the route is in place..
0
 
Comply commented:
Do you have the access rights to the router? Since it's not yours I assume the owner would not want to give that out.
0
 
Fatal_Exception (Systems Engineer) commented:
I still think we need to know more about the hardware that is being used here, for a start...  Router make and model, switches, etc....  If they are just consumer grade Linksys, Netgear, etc., then access rights really don't matter..  he will need to install additional devices to do what needs to be done..
0
 
microaideinc (Author) commented:
I think Fatal's suggestion is my best bet and I think I might already have what I need in place as far as hardware. The person sharing the internet has a combo DSL modem/router with 4 switchports. I already have a network connection running from one of those ports to a switchport on a Linksys wireless router in my client's office which is giving wireless access to their laptops. There is also an 8-port switch attached to my Linksys router for all the wired network computers. So if I plug the network connection from the business sharing their internet into my WAN port instead of one of the switchports in my Linksys router, is that all I need to do? And will I still have internet connectivity?
0
 
Fatal_Exception (Systems Engineer) commented:
Correct...  unless you specifically forward a port on the Linksys to your internal network, then no one will be able to 'see' your LAN..  this is the same configuration I suggest to those that want to hide their subnet in Internet Cafes...  easy to do, and much less expensive than purchasing switches (CISCO) that allow for port filtering..

FE
0
 
Fatal_Exception (Systems Engineer) commented:
Thanks!
0
Question has a verified solution.