
Access control with router


hosikuma

Technical User
Dec 20, 2001
12
CA
I have an SMC Barricade 7004VBR... but my question probably applies to routers in general, including the Linksys ones.

I have the router connected to the DSL modem and a separate switch. Through the router, is it possible to keep some PC clients OFF the network (i.e. they won't be able to see the other computers) and yet allow them to have internet access?
 
Subnet.

Use static IPs for the computers that are going to be off network but still need internet access.

If the Network clients receive IPs in the range 192.168.1.x, then your non-Network clients should be given static IPs on a different subnet, e.g. 192.168.10.x
 
bcastner......

You are the only one of many I have asked this question, and you are the only one who has put forth a possible solution. We were all looking at the "access control" sections of several routers and could not really figure it out.

From the above, if I put three clients on the 198.168.10.X subnet, i.e. 192.168.10.1 / 192.168.10.2 / 192.168.10.3, they should not be able to access the network but access the internet as long as the router IP and the other clients are in the 192.168.1.X range. Now, I am guessing that these 3 computers will be able to see each other, i.e. they will have made their own little network.

Going further if I don't want THESE three computers to even see each other over the network let alone the rest of the network then would I have to go this route?

computer 1 192.168.11.x
computer 2 192.168.12.x
computer 3 192.168.13.x

.....these 3 computers would be able to access the internet but not see any of the computers on the 192.168.1.x network.....nor each other?

Am I following this right, bcastner?
 
Yes, but before you go too crazy, I was violating a firm principle of TCP/IP addressing: You cannot have a Gateway address on a different subnet.

My thought was that any router that permitted a Class B subnet on the router (255.255.0.0) would work without having to use static route additions. The clients would be given Class C subnets (255.255.255.0). Which means your schema would also work in this setting.

A slightly higher grade router would permit true Class B addressing and likely "Virtual" LANs; they would really be easy to set up and isolate the two different client types. Zyxel and Cisco come to mind.

You want to avoid many of the consumer grade routers that only permit Class C subnetting. Linksys comes to mind, but many consumer routers have this limit.



 
I know I'm getting tired now, my explanation makes little sense.

The router would have a Class-C subnet of 255.255.255.0
The clients would use Class-B subnet masks of 255.255.0.0

In this setting your schema would work. You also could use a consumer grade router like a Linksys.

You really only need Class-C addressing on the router, although my comments about using a classless router for virtual LANs and added security still apply.
 
Also, nearly every firewall can be set to block specific traffic. If the trusted zone for the LAN-side was set in the firewall, the Internet only folks would be blocked by this simple expedient.
 
bcastner.....

thanks for all the info...I think I'm going to need a little time to digest the subnet setup.

As for the firewall to block specific traffic... I've seen some routers that have an "access control" section (i.e. USR 8000 router). On the ones I've seen, they allow you to block internet access and yet allow you the network access. I haven't seen one that blocks network access and yet allows internet access. Can you give me a router brand that I can look at? I also have the old Linksys BEFSR41 router hanging around and went through the interface with no luck.
 
bcastner....

If I was to block network access but allow internet access....what protocol would I be looking to block?
 
You would use the software firewall on the network clients. You would not bother to do this at the router. For example, if you created a trusted zone for all IPs in the 192.168.1.x range, you would block all other IPs in the 192.168.x.x range. For the LAN only clients you would block all IPs in the 192.x.x.x range.

Any firewall software would do this at the client level. Zone Alarm, Kerio, Sygate, etc.

In addition for the non-LAN clients you would control their protocols. Install TCP/IP but not Netbios, IPX, etc.

You could then use any router with the scheme discussed above.
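
Added example, not part of the original thread: a small Python model of the client-side firewall zones described in the last reply, showing why the trusted-zone rule has to come before the broader block and how to spot a rule that can never fire. The rule lists, the first-match/default-allow behaviour, the router address 192.168.1.1 and the function names are assumptions made for illustration; real products such as Zone Alarm or Kerio have their own rule formats.

```python
import ipaddress

def net(cidr):
    return ipaddress.ip_network(cidr)

# Constructed rule sets. Assumed semantics: first matching rule wins and
# unmatched peers (Internet addresses) are allowed.
LAN_CLIENT = [
    ("allow", net("192.168.1.0/24")),   # trusted zone: the 192.168.1.x LAN
    ("block", net("192.168.0.0/16")),   # every other 192.168.x.x address
]
# Assumption: an Internet-only client still needs to talk to the router itself.
INTERNET_ONLY = [
    ("allow", net("192.168.1.1/32")),   # hypothetical router address
    ("block", net("192.168.0.0/16")),   # all local peers, LAN clients included
]

def decide(rules, peer):
    """Return 'allow' or 'block' for traffic exchanged with peer."""
    addr = ipaddress.ip_address(peer)
    for action, network in rules:
        if addr in network:
            return action
    return "allow"

def shadowed(rules):
    """Rules that can never match because an earlier rule covers their network."""
    dead = []
    for i, (action, network) in enumerate(rules):
        if any(network.subnet_of(earlier) for _, earlier in rules[:i]):
            dead.append((action, str(network)))
    return dead

if __name__ == "__main__":
    # 203.0.113.10 is a documentation address standing in for an Internet host.
    for peer in ("192.168.1.20", "192.168.11.5", "203.0.113.10"):
        print(peer, decide(LAN_CLIENT, peer), decide(INTERNET_ONLY, peer))
    # Reversing the order puts the block first and kills the trusted zone.
    print(shadowed(list(reversed(LAN_CLIENT))))
```
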
 