
One-way traffic on network?

Status
Not open for further replies.

mkirros

IS-IT--Management
Feb 17, 2004
82
Our network has a Linksys RV042 router linking to the Internet through a DSL modem in bridged mode. The network uses the 192.168.0.X IP range (the router is 192.168.0.1). For security reasons, I need to have 4 of the computers not be accessible from the other computers on the network. However, I need to be able to access the other computers on the network (including the PDC) from these four.

Can this be done by setting up another router on the network using, say, 192.168.0.X, for the four computers and using a "one-way" static route? Or am I going to be stuck with something disgustingly complicated?

Thanks in advance for any help
 
You could insert a second router and perform NAT on that router. If you are using Dynamic NAT (the default for most routers these days) there will not be any mapping back to the protected network. This router should get its external address from the existing router (192.168.0.x) and will translate the protected hosts to that address on your internal network.

You just need to make sure that the router protecting the 4 hosts is NOT using 192.168.0 as its backside network. You could easily set it to 192.168.1 or any other RFC 1918 address range like 10.


pansophic
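
A small model of the dynamic NAT behaviour described in the reply above, added here as an illustration and not part of the original thread. The addresses 192.168.0.50, 192.168.0.2, 192.168.0.7 and 192.168.1.10, the port pool and the class name are constructed, and the model assumes the router only maps back replies from the exact endpoint a protected host contacted.

```python
import ipaddress


class DynamicNat:
    """Minimal model of dynamic (port-overloaded) NAT on the protected router."""

    def __init__(self, inside_net, outside_net, outside_ip):
        self.inside = ipaddress.ip_network(inside_net)
        self.outside = ipaddress.ip_network(outside_net)
        self.outside_ip = ipaddress.ip_address(outside_ip)
        # The thread's caveat: the protected side must not reuse the main LAN's range.
        if self.inside.overlaps(self.outside):
            raise ValueError(f"{self.inside} overlaps {self.outside}")
        if self.outside_ip not in self.outside:
            raise ValueError("outside address is not on the main LAN")
        self.next_port = 40000  # constructed start of the translated port pool
        self.by_port = {}       # outside port -> (inside ip, inside port, remote)
        self.by_flow = {}       # (inside ip, inside port, remote) -> outside port

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """A protected host opens a connection; returns the rewritten source."""
        if ipaddress.ip_address(src_ip) not in self.inside:
            raise ValueError("source is not on the protected network")
        flow = (src_ip, src_port, (dst_ip, dst_port))
        if flow not in self.by_flow:
            self.by_flow[flow] = self.next_port
            self.by_port[self.next_port] = flow
            self.next_port += 1
        return str(self.outside_ip), self.by_flow[flow]

    def inbound(self, src_ip, src_port, dst_port):
        """A packet reaches the outside address; returns the inside target or None."""
        flow = self.by_port.get(dst_port)
        # Only a reply from the remote endpoint of an existing flow maps back.
        if flow is None or flow[2] != (src_ip, src_port):
            return None
        return flow[0], flow[1]


def demo():
    nat = DynamicNat("192.168.1.0/24", "192.168.0.0/24", "192.168.0.50")
    # Protected host 192.168.1.10 connects to a main-LAN server (constructed).
    public = nat.outbound("192.168.1.10", 51000, "192.168.0.2", 445)
    reply = nat.inbound("192.168.0.2", 445, public[1])   # reply to that flow
    probe = nat.inbound("192.168.0.7", 33000, 445)       # unsolicited, no mapping
    return public, reply, probe
```

`demo()` shows the one-way property: the reply is delivered to the protected host, while the unsolicited connection from another main-LAN machine finds no mapping and is dropped.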
 
Thanks for the info. I did a test today using just one computer. It works fine for browsing the network, but when I try to hit the Internet I get a timeout error. Is there something simple I'm missing here?
 
Probably the default route on the protected network's router, or its DNS settings. Check them and make sure that they are correct for your network (the protected network's router should have all of the same settings as the computers on your unprotected network).


pansophic
 
It's still not working - I suspect the default route (I'm fairly new to the static routing thing). Here's what shows up in my routing table on the protected network's router:

Dest LAN IP    Subnet Mask      Def Gateway    Hop Count    Interface
192.168.0.0    255.255.255.0    192.168.0.1    15           LAN
192.168.1.0    255.255.255.0    0.0.0.0        1            LAN

Do I need to somehow set a default route in this router to the main router? If so, how is that done? The protected network's router is a Linksys BEFSX41.
 
You should not need to set a static route on the main router IF the protected network router is doing NAT. The routes look good, except that both networks appear on the LAN interface. 192.168.0.0 should show up on the external interface of that router. But I think that I see the problem. This router is a DSL router and therefore useless on the backend of your network. You need a router that will route between two Ethernet interfaces.

                               --------           --------
                           |---| Host |       |---| Host |
                           |   --------       |   --------
                           |                  |
          --------------   |   -------------  |
Internet--| ext router |---|---| protected |--|
          --------------   |   |  router   |  |
                           |   -------------  |
                           |                  |
                           |   --------       |   --------
                           |---| Host |       |---| Host |
                               --------           --------

Like this.

The router that you are using only has a switch on its Ethernet interfaces. It routes between the DSL interface and the switch.

If you have an old computer lying around, you could use a Linux firewall, like IPCop, and two NIC cards to act as the protected router.


pansophic
 
Thanks - I do have a couple of old computers that I could use for that.
 
pansophic:

Just wanted to thank you for the info. I got IPCop, loaded it on an old PII box, and it's working like a charm.
 