Restrict user access on external router port

Posted on 2008-09-30
Last Modified: 2012-06-22
Hello all!!!

I have a small problem.  Linksys Router with 4 ports.  I have an existing 10.x.x.x network.  The gateway for my existing network is

I want to add a router into my network and provide customers internet access. They will be on the LAN side of the router. My network is on the WAN side of the router. I can make their network any number scheme. Here is the router IP setup as of right now.
ip address:
subnet mask:
dns 1:  dns server on my network


dhcp enabled
dhcp scope: -

Everything is working fine.  I can get to the internet.  BUT HERE IS THE PROBLEM:
I CAN PING AND ACCESS EVERYTHING IN MY LOCAL NETWORK (10.x.x.x) from the LAN side of router!?!?!

How do I keep internet access for users on the LAN side of the router and block them from accessing the WAN side of the router but still provide internet? I have to install this system in like 4 hours. ANY HELP WOULD DO!

Thanks all for your time and efforts in advance.
Question by:stirider

Accepted Solution

stirider earned 0 total points
ID: 22603658
Also, to add: the gateway is an existing router in my network.

Assisted Solution

mredfelix earned 300 total points
ID: 22603815

I think you need 3 routers for what you want to do.

One that connects to the internet and sits in an IP range with the other two routers, and the other two routers are one for your LAN and the other for your customer LAN.

i.e main router WAN -isp dynamic LAn-
your LAN - Wan LAN- ..............
Customer LAn -Wan LAn-

Author Comment

ID: 22604487
So you are saying I need another router? I have access to another router. Will this prevent users from seeing the local 10.x.x.x network? I will give it a try. Going to the office right now. Any special settings or just set the WAN / LAN parameters? My main ISP LAN is on the 10.x.x.x network. I cannot change my local LAN IP scheme. Can you clarify your idea a little more? Thanks!

Expert Comment

ID: 22604578
Well, there are several ways of restricting access via VLANs... but you said you needed it in 4 hours.

this will stop anything getting to that network.

there are no special settings.

My idea is you have one router which connects to the internet; in that network will be two other routers connected via crossover (just like an ISP would have). Each of these other routers would then be the gateways to your customer LAN and your LAN....


Assisted Solution

dkarpekin earned 200 total points
ID: 22604876
It is not really clear what you are trying to do...
If you need totally separate networks for new "customers", then an additional router will do, as long as you have a WAN IP from the ISP available to use with the "second" router.
Or separate them by VLANs: they can use the same structure, same network, existing router.
For VLANs you need a "managed" switch.
Some kind of diagram will be helpful, showing the way you are connected to the ISP now.
What WAN IP set is the ISP providing for you? DHCP, static IPs, and how many if so?
You can get this info by looking in the Linksys router to see what state the WAN interface is in.
Getting a "managed" switch supporting VLANs is probably the easiest way to do it.
Something like this
general info

Some example VLAN usage you can find on EE, Cisco web or many others.............

Author Comment

ID: 22605221
I have managed switches on my LAN. Trying to stay away from VLANs if I can. I found a Netgear VPN firewall. I have used that as my third router. I have created a rule for any LAN to not be able to access the 10.x.x.x range of addresses. What services would I need to block if I don't want customers accessing web-based cameras, routers, switches, etc.? HTTP port 80? What else?

Firewall:  WAN

Linksys Router:  WAN

The firewall does DHCP, so do I even need the router?

Expert Comment

ID: 22605351
"Stay away from VLANs if I can"? This is most useful in your case right now.
Looks like you have everything you need, but having a connection diagram would be much more helpful.
And the way you are saying "WAN" and "LAN" is kind of strange and confusing; those names should be opposite.
You probably need a dedicated IP block for the new users, let's call them "guest". Depending on how many IPs you'll need for them, give them 256 IPs in total and put the interface in a different VLAN than the one you are currently using; just make sure the "trunk" is only on the router-switch link, not anywhere else, and you should be all set.

Author Comment

ID: 22605521
Well, I eliminated the router and have just the firewall in place. Blocked ping and HTTP for all 10.x.x.x addresses so the LAN cannot access them. Seems to be working fine. I will split the points. Thanks guys!

Expert Comment

ID: 22605756
Hey, just block all ports and allow the ports you need, i.e. port 80 and port 25; that is easier.
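The two rule sets discussed in this thread, compared side by side as an added example that is not part of any post above: blocking only ping and HTTP to 10.x.x.x versus denying the whole 10.0.0.0/8 range with a single exception for the internal DNS server. The guest flows, the resolver address 10.0.0.53 and first-match rule ordering are assumptions made for illustration.

```python
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # the 10.x.x.x network from the thread
DNS_SERVER = "10.0.0.53"                        # constructed placeholder resolver
ANY = ipaddress.ip_network("0.0.0.0/0")

# Rule = (action, destination network, protocol or None=any, port or None=any)
# As described in the thread: only ping and HTTP to 10.x.x.x are blocked.
PARTIAL_BLOCK = [
    ("deny", INTERNAL, "icmp", None),
    ("deny", INTERNAL, "tcp", 80),
    ("allow", ANY, None, None),
]
# Deny the whole range, keeping only DNS to the one internal resolver.
SEGMENTED = [
    ("allow", ipaddress.ip_network(DNS_SERVER + "/32"), "udp", 53),
    ("allow", ipaddress.ip_network(DNS_SERVER + "/32"), "tcp", 53),
    ("deny", INTERNAL, None, None),
    ("allow", ANY, None, None),
]

# Constructed sample flows from a guest host: (destination, protocol, port)
FLOWS = [
    ("10.1.2.3", "icmp", None),    # ping an internal host
    ("10.1.2.3", "tcp", 80),       # HTTP admin page
    ("10.1.2.3", "tcp", 443),      # HTTPS admin page
    ("10.1.2.3", "tcp", 23),       # telnet on a switch
    ("10.1.2.3", "tcp", 554),      # RTSP camera stream
    (DNS_SERVER, "udp", 53),       # name resolution
    ("203.0.113.10", "tcp", 443),  # internet host (documentation range)
]

def evaluate(rules, dst, proto, port=None):
    """First matching rule wins (assumed ordering); no match means deny."""
    dst_ip = ipaddress.ip_address(dst)
    for action, net, r_proto, r_port in rules:
        if dst_ip in net and r_proto in (None, proto) and r_port in (None, port):
            return action
    return "deny"

def leaks(rules):
    """Guest flows into INTERNAL that are still allowed, DNS to the resolver aside."""
    return [f for f in FLOWS
            if ipaddress.ip_address(f[0]) in INTERNAL
            and evaluate(rules, *f) == "allow"
            and not (f[0] == DNS_SERVER and f[2] == 53)]

if __name__ == "__main__":
    print("partial block still allows:", leaks(PARTIAL_BLOCK))
    print("segmented rules still allow:", leaks(SEGMENTED))
```

Because the router's DNS setting points at a server on the internal network, a blanket deny of 10.0.0.0/8 without the resolver exception would break name resolution for the guest LAN.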
