Eirman asked:

Disconnect PC From Internet

What's the handiest way to leave a Windows 10 PC connected to my Ethernet Network (DHCP),
but totally disconnected from the internet?
ASKER CERTIFIED SOLUTION
Paul MacDonald
This solution is only available to members.
If the network is on the internet you can't.

Removing the default gateway is a good suggestion, but that only prevents outbound packets from finding a route. The system could still be susceptible to inbound attacks, such as Denial of Service or malformed packets.
Turn off the router and take it with you :)
But frankly speaking, it depends on which network is used. Are you in a local network of some company or is it a home network?
Eirman (ASKER):

Thanks Paul & Cliff

What about IPv6?
Eirman (ASKER):

It's a home network (5 PCs) and a few other devices
Router = Technicolor TG789vn
Ditto with IPv6 - no default gateway, means no traffic to the Internet.
What about IPv6?? What's the specific question?
isolate it on a vlan if possible with no internet access.
you could also lock it down with a software firewall
Eirman (ASKER):

"What about IPv6?? What's the specific question?"
Just making sure (confirmed by Paul)
If you have a managed switch you could create a VLAN and configure the port used for that. You're asking a fairly complicated question here.
Eirman (ASKER):

"you could also lock it down with a software firewall"
Could you expand on that please.
noci

Except that routers publish their record continuously on IPv6, so SLAAC will pick up on that.
(IPv6 is very good at autoconfiguration).
OK, so back in the day I used Zone Alarm, now part of CheckPoint.  But it had a lockdown option to essentially close all inbound/outbound ports.  Closing the network connection.  You could do the same with any software firewall, either block all, or if you need local LAN access, you could just write policies that prevent all internet bound traffic from coming in or going out.

Ideally to be perfectly honest, I would create a vlan.  Netgear used to sell small pro series switches that had it.

Might I ask what exactly are you trying to accomplish.  Maybe we are going about this the wrong way?
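
An added example, not part of the original thread: one way to apply the software-firewall lockdown and the IPv6/SLAAC point from the comments above on Windows 10, using the built-in firewall and networking cmdlets. The interface alias `Ethernet`, the rule group name and the `1.1.1.1` test target are assumptions.

```powershell
# Added example. Run in an elevated PowerShell session on the Windows 10 PC.
$alias = 'Ethernet'            # assumption: confirm the name with Get-NetAdapter
$group = 'LAN-only (example)'  # assumption: label used to find/remove these rules later

# IPv4 space outside the private (RFC 1918), loopback, link-local and multicast
# ranges, plus IPv6 global unicast. Private, ULA and link-local stay reachable.
$internetV4 = '1.0.0.0-9.255.255.255', '11.0.0.0-126.255.255.255',
              '128.0.0.0-169.253.255.255', '169.255.0.0-172.15.255.255',
              '172.32.0.0-192.167.255.255', '192.169.0.0-223.255.255.255'
$internetV6 = '2000::/3'

# Block rules win over allow rules in Windows Defender Firewall, so these hold
# even if an application has its own allow rule. Inbound is blocked as well,
# since a missing default gateway only stops outbound routing.
foreach ($dir in 'Outbound', 'Inbound') {
    New-NetFirewallRule -DisplayName "Block Internet IPv4 ($dir)" -Group $group `
        -Direction $dir -Action Block -Profile Any -RemoteAddress $internetV4 | Out-Null
    New-NetFirewallRule -DisplayName "Block Internet IPv6 ($dir)" -Group $group `
        -Direction $dir -Action Block -Profile Any -RemoteAddress $internetV6 | Out-Null
}

# SLAAC: ignore router advertisements so no IPv6 global address or default
# route is autoconfigured. Link-local IPv6 on the LAN keeps working.
Set-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv6 -RouterDiscovery Disabled

# Drop default routes that are already installed. DHCP can hand the IPv4
# gateway back on renewal, which is why the firewall rules are the backstop.
Get-NetRoute -InterfaceAlias $alias -ErrorAction SilentlyContinue |
    Where-Object { $_.DestinationPrefix -in '0.0.0.0/0', '::/0' } |
    Remove-NetRoute -Confirm:$false

# Verify: expect no default routes listed and TcpTestSucceeded = False.
Get-NetRoute -InterfaceAlias $alias -ErrorAction SilentlyContinue |
    Where-Object { $_.DestinationPrefix -in '0.0.0.0/0', '::/0' }
Test-NetConnection -ComputerName 1.1.1.1 -Port 443 -WarningAction SilentlyContinue |
    Select-Object ComputerName, TcpTestSucceeded
```

`Remove-NetFirewallRule -Group 'LAN-only (example)'` undoes the firewall part. The router itself is a LAN address, so anything it relays on the PC's behalf (DNS lookups, for instance) is not stopped by these rules.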
Eirman (ASKER):

"Except that routers publish their record continuously on IPv6, so SLAAC will pick up on that."
That comment was above my head!
I'd appreciate it if someone could elucidate.

"Might I ask what exactly are you trying to accomplish."
Nothing special - Just no Internet with full local network sharing.
The problem here is none of these are 100%. A software firewall can technically have a bug and that can be exploited.

VLANs are great. But now we are back to my first comment. If the network has internet access, so does the machine. A VLAN, by definition, is a new network. And if you bridge it or route it to another network...see above.

In highly secure environments, machines that should never have internet access are "air gapped." They are literally standalone or on a network segment with no outside access.

If there were an easier foolproof way then the practice of air-gaps would not exist.
While any device could have a bug, networking devices included, I see your point.  How about just having a good old-fashioned physical firewall?

To take a note from Sex Ed, if this computer can talk to other computers on the LAN, then it is talking to all the computers it has talked to on the internet also.....  Ok, not entirely true but if you trust your internal LAN, and it gets compromised then you are still trusting a compromised machine.
A physical firewall is just a dedicated computer (processor, RAM, and all) running an OS (Linux or custom such as Cisco's IOS) running a software firewall.  Same as above applies.  And there are documented cases in the wild of bugs in physical firewalls being exploited, which is why air-gapped networks exist.

The point I was trying to make is this:  IF the OP really wants what they say they want, the only way to accomplish that is to disconnect the internet from the network that the computer is plugged into.  Turn off any and all routers (on a home network that is usually one)...full stop, do not pass go.

And the responses have been intended to provoke the question...does the OP *really* want what they think they want.  I'd argue that in most cases, home or business, allowing a computer access to the internet is completely fine.  There are businesses with computers and servers on 24/7 that have internet access.  When deciding anything like this, or even any halfway measure (VLAN, etc), what is the risk? What is the effort? And what is the reward?   In most cases, the effort will outweigh any perceived reward.
Ok, but I think you miss the OP's original concern.  We can debate an "air-gapped" network all we want, but this does not meet the goals, so it is not a feasible solution.  If that were the case he could unplug the NIC.  But he wants local LAN access, so what is the best solution?

Not really provoking a question as much as stating that it is impossible.  But we all work on networks where some machines don't have internet access.  But not off the network either.
" But we all work on networks where some machines don't have internet access.  But not off the network either. "

That's where we disagree.  Or more fundamentally, is not what the OP asked.

A machine on a network that has internet access is not *TOTALLY* disconnected from the internet.  Full stop.  The OP specifically bolded that word in their original post.

Internet access is one thing.  TOTALLY DISCONNECTED is another.  The two are not interchangeable.  I do not work on networks where a machine is on the network but is totally disconnected from the internet (I'm sticking to the OP's request, not your interpretation of it), but is still on the network.  That is a clear conflict of requirements and cannot be resolved.

The only way for the OP to get what he wants is to unplug the router. And I specifically listed that option in paragraph #2 of my latest comment, which I basically stole from noxcho's first comment.  That is the only legitimate way to accomplish what the OP actually asked.

Would the machine have access to other local resources?  Yes.
Would it have access to the internet?  No
Would the internet have access to it?  No


But that is a de-facto air-gapped network at that point.  So no, I stand by my initial premise and am not arguing semantics.  The question, as asked, can only be achieved as stated.  VLANs and default gateways do not achieve the required goal.  And so I also stand by my attempt to get the OP to rethink why they want what they want.  I am not saying they can't unplug the router.  I am saying the effort may not be worth the reward if this is a regular "on again, off again" occurrence.
A PLC on an airgapped PC could be subverted, as has been (in)conveniently shown by the Stuxnet worm.
So even an airgap can be bridged.

So you need to be really careful, and think very thoroughly about the attacks you want to protect against.
It is a home network and the internet is provided through router/modem. Go into its settings and disable the internet then. Your home network will continue working. Or just disconnect the ISP cable from that router. Keep things simple.

BTW, do you want to disconnect only this PC or entire network?
I would suggest the OP provide further guidance, at this point it is just semantics.

We are both looking at "totally" differently.  For me that could mean just a kid computer that needs Word and Excel, but no internet access.  Is that totally no internet? No.  But was the intent of the request?
Here are some cheap tricks you can do that will help block Internet traffic:

- Block port 80 in the firewall. This is what's used for http traffic, which would effectively disable browsing.
- In Internet Settings, change the proxy server to some random numbers. This should cause the browser to time out while looking for them, thus disabling browsing.
- If you're trying to conserve bandwidth except when you need it, you can also designate the network as a "metered" connection and it will stop a lot of the background stuff that goes on.
It is more than semantics though.  Yes, I believe the OP should clarify their need, and that was why I was stressing that all of the methods provided were half measures.  But let's take a real-world often-asked question from EE as an example:


Let's say, hypothetically, that the OP has read about problems with Windows 10 v1809. And that Windows Update slows networks down to a crawl. The OP decides that Windows Update is a problem and the easiest cure is to keep the machine off the internet so it doesn't get updates and break.


But would removing the default gateway and blocking internet access at the router solve his/her problem?   No. Windows 10 has included "Delivery Optimization" for several versions and allows a machine to get updates from other machines on the network.  They could wake up tomorrow and find that the machine, despite no access to the internet, got the bits from another local machine and upgraded itself.

The machine was demonstrably NOT "totally disconnected" from the internet.  The actual behavior changed, and that means it was more than a semantic difference. Totally disconnected is an extreme state, and is itself unusual.  Provoking further  questions in such a scenario is not unwarranted.
Eirman (ASKER):

Interesting discussion; and I thought this was going to be a simple question!

Paul's suggestion of removing the default gateway should be sufficient for my needs (which are very basic).
William's "cheap tricks" are also useful.

By the way, my VPN (PIA) has an internet kill switch which automatically kicks in if the VPN fails.
lol, glad we could help and a low tech solution works
Eirman (ASKER):

Thanks to everyone for this interesting discussion.
-----------------------------------------------------------------------------
I'm not happy with EE's new method of distributing closing points.
It lacks the fine tuning that was available with previous iterations.