Kevin Staley

asked on

Linksys E1000 to create subnet

I have a LAN (10.1.4.x / 255.255.252.0 and gateway of 10.1.4.100). I would like to connect a wireless router so that visitors can access the Internet but not the rest of our LAN. I picked up a Linksys E1000 in hopes of doing this. I configured its WAN port (10.1.4.235 / 255.255.255.0 and gateway of 10.1.4.100). I configured the router's IP as 192.168.100.1 / 255.255.255.0 and enabled the DHCP server on it with 192.168.100.101-150 as the IP range for clients. With NAT enabled I am able to get on the Internet; however, I can ping all the IP addresses in the 10.1.4.x and 10.1.5.x ranges on our LAN, something I do not want to be able to do from this device. I tried RIP and static routing (created a route as follows: Destination LAN IP: 10.1.4.0 / 255.255.255.0 and gateway of 10.1.4.100 - I also tried a gateway of 192.168.1.100 but it would not accept it), but could not reach anything beyond the 10.1.4.235 address (the IP I assigned to the WAN). Any ideas?
giltjr

With your current setup you can't block/stop the traffic.

Do you have a real router on the 10.1.4.0/22 subnet? If so, which one?
Kevin Staley (ASKER)

Yes, it is a Cisco 1841.
O.K. There are a couple of ways to do this. The easiest, at least in my mind, is to set up a few ACLs on the 1841.

One that specifically permits 10.1.4.235 to communicate with 10.1.4.100.
Then one that specifically denies 10.1.4.235 from communicating with 10.1.4.0/mask 255.255.252.0.
Then one that permits 10.1.4.235 to talk to anything.

The ACLs must be in that order.
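
Why the order matters, as an added example that is not part of the original thread: a small Python model of first-match evaluation over the three entries described above. The rule tuples, function names and sample destination addresses are constructed for illustration and are not router syntax.

```python
import ipaddress

GUEST = "10.1.4.235/32"          # WAN address of the guest router (from the thread)
GATEWAY = "10.1.4.100/32"        # LAN default gateway (from the thread)
LAN = "10.1.4.0/22"              # 255.255.252.0 covers 10.1.4.0 - 10.1.7.255

# (action, source, destination) tuples; constructed model, not router syntax.
RULES = [
    ("permit", GUEST, GATEWAY),
    ("deny",   GUEST, LAN),
    ("permit", GUEST, "0.0.0.0/0"),
]
# Two misorderings to compare against.
DENY_FIRST = [RULES[1], RULES[0], RULES[2]]
PERMIT_ANY_FIRST = [RULES[2], RULES[0], RULES[1]]

def evaluate(rules, src, dst):
    """First matching entry decides; unmatched traffic gets the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "deny"

def audit(rules, src, destinations):
    """Map each destination to the verdict the rule list gives it."""
    return {dst: evaluate(rules, src, dst) for dst in destinations}

# Constructed sample destinations: gateway, three LAN hosts, one Internet host.
SAMPLE = ["10.1.4.100", "10.1.4.20", "10.1.5.77", "10.1.7.254", "8.8.8.8"]

if __name__ == "__main__":
    for name, rules in [("as posted", RULES), ("deny first", DENY_FIRST),
                        ("permit-any first", PERMIT_ANY_FIRST)]:
        print(name, audit(rules, "10.1.4.235", SAMPLE))
```

A source other than 10.1.4.235 matches none of the three entries and falls to the implicit deny, so a list applied to a shared interface needs its own entries for the other hosts.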
Thanks for that recommendation. Our 1841 is managed by our ISP (although that does not mean we could not ask them to add/configure these ACLs) so I may try another approach first. We do have HP ProCurve switches (3500yl and 2510G) that I was thinking perhaps I could configure the port I will connect the E1000 (I will not use the WAN port on the E1000) into to only have access to the port the gateway (10.1.4.100) is in. Do you think that would work?
I'm not really familiar with HP ProCurves. If they support L3 filtering, then you can do the same thing as I suggested with the 1841.
Thanks. I will check with HP and post an update here.
ASKER CERTIFIED SOLUTION
bgoering

This solution is only available to members.
What I ended up doing was to turn on "source port filtering" on our HP 3500yl switch. I was able to "drop" all ports (except the one for our premise router - the Cisco 1841), which prevents the port with the E1000 from passing traffic to/through them. I then configured the WAN port on the E1000 with an IP local to our LAN subnet and used DHCP on the E1000 to create a 192.168.100.x subnet. Works great! Thanks for the suggestions, they put me on the right track.