Solved

Restrict user access on external router port

Posted on 2008-09-30
9
447 Views
Last Modified: 2012-06-22
Hello all!!!

I have a small problem.  Linksys Router with 4 ports.  I have an existing 10.x.x.x network.  The gateway for my existing network is 10.0.0.2

I want to add a router into my network and provide customers internet access.  They will be on the LAN side of the router.  My network on the WAN side of the router.  I can make their network any number scheme.  Here is the router IP setup as of right now.  
WAN
ip address: 10.0.6.1
subnet mask:  255.255.0.0
gateway:  10.0.0.2
dns 1:  dns server on my network

LAN
192.168.1.1
255.255.255.0

dhcp enabled
dhcp scope: 192.168.1.100 - 192.168.1.150

Everything is working fine.  I can get to the internet.  BUT HERE IS THE PROBLEM:
I CAN PING AND ACCESS EVERYTHING IN MY LOCAL NETWORK (10.x.x.x) from the LAN side of router!?!?!

How do I keep internet access to users on the lan side of the router and block them from accessing the WAN side of the router but still provide internet?  I have to install this system in like 4 hours.  ANY HELP WOULD DO!

Thanks all for your time and efforts in advance.
0
Comment
Question by:stirider
9 Comments
 

Accepted Solution

by:
stirider earned 0 total points
ID: 22603658
Also, to add: the 10.0.0.2 gateway is an existing router in my network.  
0
 
LVL 5

Assisted Solution

by:mredfelix
mredfelix earned 300 total points
ID: 22603815
Hi,

I think you need 3 routers for what you want to do.

One that connects to the internet and sits in an IP range with the other two routers, and of the other two routers, one is for your LAN and the other for your customer LAN.

i.e. main router: WAN - ISP dynamic, LAN - 192.168.0.1 255.255.255.252
Your LAN - WAN 192.168.0.2 255.255.255.252, LAN - 10.0.6.2 ..............
Customer LAN - WAN 192.168.0.3 255.255.255.252, LAN - 192.168.1.1
0
 

Author Comment

by:stirider
ID: 22604487
So you are saying I need another router?  I have access to another router.  Will this prevent users from seeing the local 10.x.x.x network?  I will give it a try.  Going to the office right now.  Any special settings or just set the WAN / LAN parameters?  My main ISP LAN is on the 10.x.x.x network.  I cannot change my local LAN IP scheme.  Can you clarify your idea a little more?  Thanks!
0
 
LVL 5

Expert Comment

by:mredfelix
ID: 22604578
Well, there are several ways of restricting access via VLANs... but you said you needed it in 4 hours.

This will stop anything getting to that network.

There are no special settings.

My idea is you have one router which connects to the internet. In that network will be two other routers connected via crossover (just like an ISP would have). Each of these other routers would then be the gateways to your customer LAN and your LAN...





0
 
LVL 7

Assisted Solution

by:dkarpekin
dkarpekin earned 200 total points
ID: 22604876
It is not really clear what you are trying to do...
If you need totally separate networks for new "customers", then an additional router will do, as long as you have a WAN IP from the ISP available to use with the "second" router.
Or separate them by VLANs: they can use the same structure, same 10.0.0.0 network, existing router.
For VLANs you need a "managed" switch.
Some kind of diagram of the way you are connected to the ISP now will be helpful.
What WAN IP set is the ISP providing for you? DHCP, static IPs, and how many if so?
You can get this info by looking in the Linksys router to see what state the WAN interface is in.
Getting a "managed" switch supporting VLANs is probably the easiest way to do it.
Something like this:
http://netgear.com/Products/Switches/FullyManaged10_100_1000Switches/GSM7212.aspx
General info:
http://netgear.com/Solutions/BusinessSolutions/MainOffice.aspx

Some example VLAN usage you can find on EE, the Cisco web site or many others.............

http://www.tomax7.com/mcse/vlan_made_easy.htm
0
 

Author Comment

by:stirider
ID: 22605221
I have managed switches on my LAN.  Trying to stay away from VLANs if I can.  I found a Netgear VPN firewall.  I have used that as my third router.  I have created a rule for any LAN to not be able to access the 10.x.x.x range of addresses.  What services would I need to block if I don't want customers accessing web based cameras, routers, switches, etc.?  HTTP port 80?  What else?

ISP WAN:10.0.0.2
Firewall:  WAN 10.0.6.1
                SM: 255.255.0.0
                Gateway:  10.0.0.2
               LAN 70.10.0.1
                SM:  255.255.255.0

Linksys Router:  WAN 70.10.0.2
                            SM:  255.255.255.0
                    Gateway:  70.10.0.1

                          LAN  192.168.1.1
                           SM:  255.255.255.0
The firewall does DHCP, so do I even need the router?  
Thanks!
0
 
LVL 7

Expert Comment

by:dkarpekin
ID: 22605351
"stay away from VLANs if I can"? This is the most useful in your case right now.
Looks like you have everything you need, but having a connection diagram would be much more helpful.
And why are you saying "WAN 10.0.6.1" and "LAN 70.10.0.1"? Kind of strange and confusing, those namings should be opposite.
You probably need to dedicate an IP block to the new users, let's call them "guest", depending on how many IPs you'll need for them.
10.0.50.0-10.0.50.255 gives them 256 IPs in total. Put the interface in a different VLAN than the one you are currently using, just make sure the "trunk" is only on the router-switch link, not anywhere else, and you should be all set.
0
 

Author Comment

by:stirider
ID: 22605521
Well, I eliminated the router and have just the firewall in place.  Blocked ping and HTTP for all 10.x.x.x addresses so LAN cannot access them.  Seems to be working fine.  I will split the points.  Thanks guys!
0
 
LVL 5

Expert Comment

by:mredfelix
ID: 22605756
Hey, just block all ports and allow the ports you need, i.e. port 80 and port 25; that is easier.
0
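
As an added example (not part of the thread, and not the Netgear firewall's own configuration), this Python model of first-match firewall rules compares the two approaches from the last two comments: blocking only ping and HTTP to 10.x.x.x versus denying everything to 10.x.x.x and allowing only what is needed. The DNS server address 10.0.0.53, the sample flows, and the allowed ports 80/443 are constructed assumptions.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # the thread's 10.x.x.x range
DNS = ipaddress.ip_network("10.0.0.53/32")      # constructed address for the internal DNS server

# Rule = (action, destination network, protocol, destination port); None is a wildcard.
BLOCK_PING_HTTP = [                 # "blocked ping and http for all 10.x.x.x"
    ("deny", INTERNAL, "icmp", None),
    ("deny", INTERNAL, "tcp", 80),
    ("allow", ANY, None, None),
]
DEFAULT_DENY = [                    # "block all ports and allow the ports you need"
    ("allow", DNS, "udp", 53),      # guests still resolve names via the internal DNS server
    ("deny", INTERNAL, None, None), # nothing else on the internal range is reachable
    ("allow", ANY, "tcp", 80),      # assumed set of needed internet ports
    ("allow", ANY, "tcp", 443),
    ("deny", ANY, None, None),
]

# Constructed flows from a guest on 192.168.1.0/24: (label, destination, protocol, port).
FLOWS = [
    ("ping internal host", "10.0.0.5", "icmp", None),
    ("camera web UI over HTTP", "10.0.3.20", "tcp", 80),
    ("camera web UI over HTTPS", "10.0.3.20", "tcp", 443),
    ("switch telnet", "10.0.1.10", "tcp", 23),
    ("file share", "10.0.2.30", "tcp", 445),
    ("DNS lookup", "10.0.0.53", "udp", 53),
    ("internet HTTPS", "203.0.113.10", "tcp", 443),
]

def evaluate(rules, dst, proto, port):
    """Return the action of the first matching rule; deny if nothing matches."""
    addr = ipaddress.ip_address(dst)
    for action, net, r_proto, r_port in rules:
        if addr in net and r_proto in (None, proto) and r_port in (None, port):
            return action
    return "deny"

def allowed(rules):
    """Labels of the sample flows that the rule set lets through."""
    return [label for label, dst, proto, port in FLOWS
            if evaluate(rules, dst, proto, port) == "allow"]

if __name__ == "__main__":
    for name, rules in (("block ping+http", BLOCK_PING_HTTP),
                        ("default deny", DEFAULT_DENY)):
        print(f"{name}: {allowed(rules)}")
```

With the ping-and-HTTP blocklist, HTTPS, telnet and file-share flows to the internal range are still allowed; with the deny-by-default rule set only the DNS lookup and internet traffic pass.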