Linksys E1000 to create subnet

Kevin Staley
I have a LAN (10.1.4.x / 255.255.252.0 and gateway of 10.1.4.100). I would like to connect a wireless router so that visitors can access the Internet but not the rest of our LAN. I picked up a Linksys E1000 in hopes of doing this. I configured its WAN port (10.1.4.235 / 255.255.255.0 and gateway of 10.1.4.100). I configured the router's IP as 192.168.100.1 / 255.255.255.0 and enabled the DHCP server on it with 192.168.100.101-150 as the IP range for clients. With NAT enabled I am able to get on the Internet; however, I can ping all the IP addresses in the 10.1.4.x and 10.1.5.x ranges on our LAN, something I do not want to be able to do from this device. I tried RIP and static routing (created a route as follows: Destination LAN IP: 10.1.4.0 / 255.255.255.0 and gateway of 10.1.4.100 - I also tried a gateway of 192.168.1.100 but it would not accept it), but could not reach anything beyond the 10.1.4.235 address (the IP I assigned to the WAN). Any ideas?
Top Expert 2014

Commented:
With your current setup you can't block/stop the traffic.

Do you have a real router on the 10.1.4.0/22 subnet?  If so which one.
Kevin Staley, MIS Administrator

Author

Commented:
Yes, it is a Cisco 1841.
Top Expert 2014

Commented:
O.K. There are a couple of ways to do this. The easiest, at least in my mind, is to set up a few ACLs on the 1841.

One that specifically permits 10.1.4.235 to communicate with 10.1.4.100.
Then one that specifically denies 10.1.4.235 from communicating with 10.1.4.0/mask 255.255.252.0.
Then one that permits 10.1.4.235 to talk to anything.

The ACLs must be in that order.
Kevin Staley, MIS Administrator

Author

Commented:
Thanks for that recommendation. Our 1841 is managed by our ISP (although that does not mean we could not ask them to add/config these ACLs) so I may try another approach first. We do have HP ProCurve switches (3500yl and 2510G), and I was thinking perhaps I could config the port I will connect the E1000 into (I will not use the WAN port on the E1000) to only have access to the port the gateway (10.1.4.100) is in. Do you think that would work?
Top Expert 2014

Commented:
I'm not really familiar with HP ProCurves. If they support L3 filtering, then you can do the same thing as I suggested with the 1841.
Kevin Staley, MIS Administrator

Author

Commented:
Thanks. I will check with HP and post an update here.
Top Expert 2010
Commented:
The ACLs in the 1841 probably won't work as is because the 10.1.4.x network won't pass through your WAN router to talk to each other. I also am not familiar with any ProCurve port filtering capabilities. All is not lost, however; I can see a couple of possibilities to do what you want to do.

1. If your ISP is willing to work with you, there are a couple of possibilities regarding the 1841. If there is an additional spare interface on the 1841, configure it with another IP subnet -- 10.1.5.0 -- and connect your E1000 to that interface. If going through the ProCurve, create a new VLAN for that purpose. If an additional interface is not available on the 1841, it could still be configured with a subinterface for a separate VLAN; then the ProCurve would be configured to trunk the two VLANs to the single interface. At that point ACLs could be added to the 1841 to deny traffic to 10.1.4.0/24 and allow traffic to the Internet.

2. The 2nd possibility would involve installing 3rd party DD-WRT firmware on the E1000. This firmware runs a small Linux image that includes IPTables. From that you could keep your existing topology and configure the IPTables firewall rules directly on the E1000 that would permit the traffic to the Internet and deny the traffic to your internal LAN.

Good Luck
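
Option 2 above, sketched as an added example that is not part of the original thread: a script for the E1000 under DD-WRT that keeps guests off the office LAN while leaving Internet access alone. The addresses are the ones from the question; the interface name `br0` (DD-WRT's usual LAN bridge), the variable names and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Addresses come from the question;
# br0 as the guest-side bridge is an assumption, confirm it with ifconfig.
GUEST_IF="${GUEST_IF:-br0}"          # assumed interface carrying 192.168.100.x clients
CORP_NET="${CORP_NET:-10.1.4.0/22}"  # 10.1.4.x / 255.255.252.0 (10.1.4.0 - 10.1.7.255)
CORP_GW="${CORP_GW-10.1.4.100}"      # Cisco 1841; set to empty to omit the exception

# Print the rules, one per line, in the order they must sit in FORWARD.
guest_isolation_rules() {
    pos=1
    if [ -n "$CORP_GW" ]; then
        # The exception goes first: iptables stops at the first matching rule.
        # It only matters for packets addressed to the gateway itself;
        # Internet-bound packets carry an Internet destination address.
        echo "iptables -I FORWARD $pos -i $GUEST_IF -d $CORP_GW -j ACCEPT"
        pos=$((pos + 1))
    fi
    # Guests may not open connections to anything else on the office LAN.
    echo "iptables -I FORWARD $pos -i $GUEST_IF -d $CORP_NET -j DROP"
    # No explicit "permit any" rule is added: the firmware's existing
    # FORWARD rules keep handling Internet-bound traffic below these two.
}

# Apply the rules; with DRY_RUN=1 only show what would be run.
apply_guest_isolation() {
    guest_isolation_rules | while read -r rule; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would run: $rule"
        else
            $rule || return 1
        fi
    done
}

# On the router:  DRY_RUN=1 sh guest-isolation.sh apply
if [ "${1:-}" = apply ]; then
    apply_guest_isolation
fi
```

Because the rules match on destination before NAT rewrites the source, they cover both 10.1.4.x and 10.1.5.x from the 255.255.252.0 mask, and `iptables -L FORWARD -v -n` shows whether the DROP counter rises when a guest pings the office LAN.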
Kevin Staley, MIS Administrator

Author

Commented:
What I ended up doing was to turn on "source port filtering" on our HP 3500yl switch. I was able to "drop" all ports (except the one for our premise router - the Cisco 1841), which prevents the port with the E1000 from passing traffic to/through them. I then configured the WAN port on the E1000 with an IP local to our LAN subnet and used DHCP on the E1000 to create a 192.168.100.x subnet. Works great! Thanks for the suggestions, they put me on the right track.
