Router between local PCs 1


Spgmtegn

Technical User
Oct 16, 2006
7
ES
Hi,

I have got some Windows PCs on a local network (mixed W98, 2k, XP). A new PC will be added; it should only communicate with one of the old PCs on a specific port. To keep the new PC from seeing or accessing the old PCs (apart from the specific TCP/IP communication mentioned above), I thought of inserting a standard router (Conceptronic C54BRS4 or Netgear RP614) between the old PCs and the new one.
I have tried connecting the new one to the WAN-side using NAT, and the other way around using the filters, but I am not able to establish communication at all. Have I misunderstood it all, or is it possible to do something like this?
Thanks,

Ole
 
Should be fine - the subnets need to be different for each 'side'. A router simply connects two networks together. Why not put a firewall on the machine in question that has just the required ports open/configured?
 
Thank you for your advice. I had not tried with different subnets, but doing that now, it doesn't work either. The reason for not restricting in the new "hostile" PC is that the user has got full administrator rights, so he can change everything. And to restrict the whole old network is not very amusing.
On the WAN-side I am prompted for DNS and gateway IPs; actually I do not know what to enter in this case??
 
Any decent router should be able to filter IP traffic between networks. You'll have to access the router's configuration screen to see if you can do it with the one you plan to use.
 
I have tried two different routers (Conceptronic C54BRS4 and Netgear RP614). With the Netgear I get communication through the NAT table to the right PC, but the answer does not return to the PC on the WAN side of the router. I can see that with the Ethereal analyzer program. I define the WAN side as fixed IP (but I have tried all the possibilities :-( ), the gateway as something non-existing (in the same subnet, as the router demands). This might be where the problem is??
 
Can you not assign a second IP address to the LAN side of the router for your new PC to use as its default gateway?

This keeps things simple and eliminates the need to NAT. You shouldn't really need or want to NAT between 2 PCs talking on the same LAN.
 
No, the gateway address must be in the same segment as the router WAN-address.
The configuration is like this:

192.168.1.11 |
192.168.1.12 |   [************ROUTER***********]   PC "Hostile"
192.168.1.13 |-- [192.168.1.200<->192.168.2.200]-- 192.168.2.10
192.168.1.14 |   [***LAN-SIDE********WAN-SIDE**]
192.168.1.15 |   [*******************GW=??????*]

NAT ie 192.168.1.13:80

I am not sure this sketch will turn out fine
 
Yes, it does admit static routes, but I am not sure how to use it in this case. What exactly is the function of the gateway setting on the WAN-side? Can it be that if it is not physically present then nothing is sent to the originator? I thought of setting up - on the WAN-side - another router with an IP address and then configuring the first router with this one as gateway address?? I am a little desperate having tried so many things %-)
 
Okay, imagine what it is like when you have a connection to the internet - the internet is just another network (a very big one).
The info given to you by your ISP includes things like the gateway and the subnet and the DNS servers of the ISP's network.
Your router then has two IP addresses: 1. The PUBLIC IP is the outward-facing IP. 2. The PRIVATE IP, i.e. its gateway address.

So the gateway for the single PC needs to be the PUBLIC IP address of the router in question. However, some of these routers do drop certain addresses, i.e. ones which have been reserved as private IPs (e.g. 192.168.111.0/24) etc. - the ones we all use for our LANs. So I don't think you can have something like that for the IP of the 'WAN' side, because the router in its software has it specified (I forget the RFC) that any packets from a private IP arriving on the WAN side should be dropped.
You might have to trick it into thinking that the 'WAN' side has a subnet of, say, 255.255.255.252.
I get the feeling that the routers you have used may not be able to do this if they are just ADSL routers. What you need to try and do is trick the router into thinking that the hostile PC is the WAN/Internet.

Do you need the other PCs to also be able to connect to the real internet? Because if you do, then this might be a little tricky with one of those routers.

 
LAN(192.168.1.0/24)<-->(192.168.1.1)Router(220.80.144.150)<-->220.80.144.149(Hostile PC)
On the hostile PC it will need to have the 220.80.144.150 as its gateway, and I think you will need to think about DNS too - because otherwise, how will packets be routed back and forth? This may be where static routes can help.
Then set up a port forwarding service on the router to only forward from the WAN to a certain PC if you try to connect via a certain port.
Do this for each port you need open. Check the Netgear manual for port forwarding and static routes.

If, however, you need the LAN side to also connect to the real internet, then you will need something with more interfaces as the gateway, e.g. an old box with Linux on it running iptables or similar with two NICs in it, one for one subnet, one for the other, and you could set both to be private subnets.
 
Thanks for the explanations, which I can fully follow. As the LAN-side is connected to the Internet, using external IPs might not be a good idea - I can see in the analyzer program (Ethereal) that the original WAN IP address appears in the telegrams on the LAN-side after the NAT table. You mention the DNS. I would not think them necessary as we are not dealing with symbolic addresses. On the other hand, the WAN gateway worries me. If it doesn't exist, can the router find the WAN PC? I thought of setting the other router (as I have got 2 %-( ) up as gateway. Does it sound stupid?
 
It was a low level error - my low level %-). I did not give the LAN-side PC a gateway address so it did not know where to reply. One thing more learned.
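
The fault described in the last post, traced as an added example (not code from the thread): a port forward rewrites only the destination, so the LAN-side PC must answer an address outside its own subnet and needs a default gateway pointing at the router. The `Host` and `trace` names are hypothetical, the untrusted PC is assumed to use 192.168.2.200 as its gateway, and port 445 is a constructed example of a port with no forward.

```python
import ipaddress

class Host:
    """One-interface PC: address/prefix plus an optional default gateway."""
    def __init__(self, iface, gateway=None):
        self.iface = ipaddress.ip_interface(iface)
        self.gateway = ipaddress.ip_address(gateway) if gateway else None

    def next_hop(self, dst):
        """Next-hop address for dst, or None when the host has no route."""
        dst = ipaddress.ip_address(dst)
        if dst in self.iface.network:
            return dst              # same subnet: deliver directly
        return self.gateway         # other subnet: only via a default gateway

def trace(client, server, router_wan, router_lan, forwards, dport):
    """Follow one TCP connection through a port forward (destination NAT only).
    forwards maps WAN-side port -> (LAN host, port). The source address is not
    rewritten, matching what the capture in the thread showed on the LAN side.
    """
    wan, lan = ipaddress.ip_address(router_wan), ipaddress.ip_address(router_lan)
    if client.next_hop(router_wan) != wan:
        return "request lost: client cannot reach router WAN address"
    if dport not in forwards:
        return "dropped at router: no forward for port %d" % dport
    if ipaddress.ip_address(forwards[dport][0]) != server.iface.ip:
        return "forwarded to another host"
    # The server answers the untouched source address, which is off its subnet.
    hop = server.next_hop(str(client.iface.ip))
    if hop is None:
        return "reply lost: server has no gateway for %s" % client.iface.ip
    if hop != lan:
        return "reply lost: sent to %s instead of the router" % hop
    return "established"

# Addresses from the sketch in the thread; forward as in "NAT ie 192.168.1.13:80".
FORWARDS = {80: ("192.168.1.13", 80)}
untrusted = Host("192.168.2.10/24", gateway="192.168.2.200")  # assumed gateway
no_gw = Host("192.168.1.13/24")                               # the faulty setup
with_gw = Host("192.168.1.13/24", gateway="192.168.1.200")    # the fix

def run():
    args = ("192.168.2.200", "192.168.1.200", FORWARDS)
    return [trace(untrusted, no_gw, *args, 80),
            trace(untrusted, with_gw, *args, 80),
            trace(untrusted, with_gw, *args, 445)]  # constructed: port not forwarded

if __name__ == "__main__":
    print("\n".join(run()))
```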
 