firewall query

 
 
Cuprager

 
      01-05-2006, 11:34 AM
Hi all,

I look after a small business's LAN that consists of 8 machines at the
moment (all win2k / xp), all machines are connected back to a standard
switch. There is a requirement for a broadband connection to serve two
of these machines only. NO traffic from the other machines should be
visible to or on the Internet. I am looking for an easy solution, one
that the owner can look after with minimal fuss (they are not computer
literate beyond USING the machines). What would be ideal is installing a
BB router that has fairly advanced firewall capabilities built in,
something that could prevent traffic being passed to or coming from the
WAN interface and going to either certain MAC addresses or to certain IP
addresses. Is this possible? Can anyone recommend such a router?

Thanks in advance

G
 
 
 
 
 
Steve

 
      01-05-2006, 12:23 PM
On 2006-01-05 12:34:42 +0000, Cuprager <(E-Mail Removed)> said:

> Hi all,
>
> I look after a small business's LAN that consists of 8 machines at the
> moment (all win2k / xp), all machines are connected back to a standard
> switch. There is a requirement for a broadband connection to serve two
> of these machines only. NO traffic from the other machines should be
> visible to or on the Internet. I am looking for an easy solution, one
> that the owner can look after with minimal fuss (they are not computer
> literate beyond USING the machines). What would be ideal is installing
> a BB router that has fairly advanced firewall capabilities built in,
> something that could prevent traffic being passed to or coming from the
> WAN interface and going to either certain MAC addresses or to certain
> IP addresses. Is this possible? Can anyone recommend such a router?
>
> Thanks in advance
>
> G


My Draytek 2600 has VLAN functionality built into the four LAN ports
IIRC, maybe look at that?

Steve

 
 
Tiscali Tim

 
      01-05-2006, 02:08 PM
In an earlier contribution to this discussion,
Cuprager <(E-Mail Removed)> wrote:

> Hi all,
>
> I look after a small business's LAN that consists of 8 machines at the
> moment (all win2k / xp), all machines are connected back to a standard
> switch. There is a requirement for a broadband connection to serve two
> of these machines only. NO traffic from the other machines should be
> visible to or on the Internet. I am looking for an easy solution, one
> that the owner can look after with minimal fuss (they are not computer
> literate beyond USING the machines). What would be ideal is
> installing a BB router that has fairly advanced firewall capabilities
> built in, something that could prevent traffic being passed to or
> coming from the WAN interface and going to either certain MAC
> addresses or to certain IP addresses. Is this possible? Can anyone
> recommend such a router?
> Thanks in advance
>
> G


How about putting a second network card in each of the 2 PCs which need
internet access - and connect those to an ADSL modem/router. You could then
have two totally independent subnets - with just these 2 PCs on both. All 8
could still communicate with each other via the original switch.
--
Cheers,
Tim
______
Please reply to newsgroup. Reply address is invalid.


 
 
Ivor Jones

 
      01-05-2006, 03:13 PM


"Tiscali Tim" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)

[snip]

> How about putting a second network card in each of the 2
> PCs which need internet access - and connect those to an
> ADSL modem/router. You could then have two totally
> independent subnets - with just these 2 PCs on both. All
> 8 could still communicate with each other via the
> original switch.


That's overkill, surely..? Assuming WinXP, just go into Control Panel then
navigate to Local Area Connection Status. Click "Properties" and ensure
TCP/IP is *not* selected for any machine you *don't* want to be able to
see the internet. They should still be able to see each other ok.

Ivor


 
 
Cuprager

 
      01-05-2006, 04:01 PM
Ivor Jones wrote:
> "Tiscali Tim" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)
>
> [snip]
>
>
>>How about putting a second network card in each of the 2
>>PCs which need internet access - and connect those to an
>>ADSL modem/router. You could then have two totally
>>independent subnets - with just these 2 PCs on both. All
>>8 could still communicate with each other via the
>>original switch.

>
>
> That's overkill, surely..? Assuming WinXP, just go into Control Panel then
> navigate to Local Area Connection Status. Click "Properties" and ensure
> TCP/IP is *not* selected for any machine you *don't* want to be able to
> see the internet. They should still be able to see each other ok.
>
> Ivor
>
>

Tim,

It had crossed my mind but I quickly dismissed it as there has to be a
more dynamic way to do it.

Ivor,

I need TCP/IP enabled, I'm afraid.

 
 
Guest

 
      01-05-2006, 09:23 PM
"Cuprager" <(E-Mail Removed)> wrote in message
news:dpjjdu$t0o$(E-Mail Removed)...
> Ivor Jones wrote:
>> "Tiscali Tim" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)
>>

>
>>
>> That's overkill, surely..? Assuming WinXP, just go into Control Panel
>> then navigate to Local Area Connection Status. Click "Properties" and
>> ensure TCP/IP is *not* selected for any machine you *don't* want to be
>> able to see the internet. They should still be able to see each other ok.
>>
>> Ivor
>>
>>

> Tim,
>
> It had crossed my mind but I quickly dismissed it as there has to be a
> more dynamic way to do it.
>
> Ivor,
>
> I need TCP/IP enabled, I'm afraid.
>




What about removing the default gateway entry on the PCs you don't want on
the net?


 
 
Tiscali Tim

 
      01-05-2006, 11:17 PM
In an earlier contribution to this discussion,
(E-Mail Removed) <(E-Mail Removed)> wrote:

>
>
> What about removing the default gateway entry on the PCs you don't
> want on the net?


That should do it - but you'd probably have to configure the IP addresses
etc. manually to achieve that. If you were to use the router as a DHCP
server and allocate addresses automatically, it would also set the gateway -
and allow internet access.

A lot depends on whether you simply wish not to enable internet access, or
whether you wish to positively prevent it - if you see the subtle
difference. If the latter, my earlier suggestion of 2 network cards in 2 of
the PCs, and separate subnets, would be preferable - despite some people
regarding it as overkill. [The actual cost is only about 30 quid for 2
network cards and two ethernet cables - 'cos you're going to need an ADSL
modem/router either way]
--
Cheers,
Tim
______
Please reply to newsgroup. Reply address is invalid.


 
 
Rob382

 
      01-07-2006, 11:49 PM
Use a Draytek.

details on "howto" here

http://www.draytek.co.uk/support/kb_...filtering.html just web
browsing...

If you want to block ALL access, there is no need to create a rule; there is
a direct option to enter an IP address. You can even do it on a timed
day-of-week basis.

The 1st option is nice, so you could set it up so that Windows updates worked
but nothing else.

Rob





"Cuprager" <(E-Mail Removed)> wrote in message
news:dpj3p2$or7$(E-Mail Removed)...
> Hi all,
>
> I look after a small business's LAN that consists of 8 machines at the
> moment (all win2k / xp), all machines are connected back to a standard
> switch. There is a requirement for a broadband connection to serve two of
> these machines only. NO traffic from the other machines should be visible
> to or on the Internet. I am looking for an easy solution, one that the
> owner can look after with minimal fuss (they are not computer literate
> beyond USING the machines). What would be ideal is installing a BB router
> that has fairly advanced firewall capabilities built in, something that
> could prevent traffic being passed to or coming from the WAN interface and
> going to either certain MAC addresses or to certain IP addresses. Is this
> possible? Can anyone recommend such a router?
>
> Thanks in advance
>
> G



 
 
Peter M

 
      01-08-2006, 03:50 PM
Rob382 wrote:
> Use a Draytek.


or Belkin

> If you want to block ALL access, there is no need to create a rule; there is
> a direct option to enter an IP address. You can even do it on a timed
> day-of-week basis.


It has similar time-of-day / day-of-week options for groups of IPs.
Setting the 'allowed' PCs to have fixed IP addresses in a group that
is allowed access, and all others in a group that has no access would
be easy, and probably a bit cheaper than many other routers. Remote
access might be an option to allow for support (if OP has a fixed IP
for example, or via one of the internet-enabled PCs with a remote
control access, such as via www.logmein.com). Peter M.
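
The difference raised in the thread between simply not enabling internet access (no default gateway on the PC) and positively preventing it (the router only forwarding an allowed group of fixed IPs) can be modelled as below. This is an added example, not code from any poster or router vendor; the 192.168.1.0/24 addressing plan, the allowed addresses and all function names are constructed assumptions.

```python
import ipaddress

# Constructed addressing plan (assumption, not taken from the thread).
LAN = ipaddress.ip_network("192.168.1.0/24")
ROUTER = ipaddress.ip_address("192.168.1.1")
ALLOWED = {ipaddress.ip_address("192.168.1.10"),
           ipaddress.ip_address("192.168.1.11")}   # the two internet PCs


def host_next_hop(dst, gateway=None):
    """Client-side routing decision for a PC on the LAN.

    Returns "on-link" for LAN destinations, the gateway for everything
    else, or None when no default gateway is configured (no route)."""
    dst = ipaddress.ip_address(dst)
    if dst in LAN:
        return "on-link"
    return gateway


def router_forwards(src, dst):
    """Router-side egress policy: default deny, listed sources only."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst in LAN:
        return False          # LAN-to-LAN traffic never crosses the WAN port
    return src in ALLOWED


def reaches_internet(src, dst, gateway=None, router_filter=True):
    """True if a packet from src to dst would leave via the WAN interface."""
    if host_next_hop(dst, gateway) != ROUTER:
        return False          # delivered locally or dropped by the host
    return router_forwards(src, dst) if router_filter else True


def scenarios(dst="203.0.113.5"):      # TEST-NET-3 documentation address
    pc = "192.168.1.20"                # a PC that must stay off the internet
    return {
        "no gateway, no filter": reaches_internet(pc, dst, None, False),
        "gateway restored, no filter": reaches_internet(pc, dst, ROUTER, False),
        "gateway restored, router filter": reaches_internet(pc, dst, ROUTER, True),
        "allowed PC, router filter": reaches_internet("192.168.1.10", dst, ROUTER, True),
        "LAN peer still reachable": host_next_hop("192.168.1.11") == "on-link",
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The second scenario is the case where a DHCP lease or a manual change puts the gateway back: only the router-side rule still keeps that PC off the WAN.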

 
 
Cuprager

 
      01-09-2006, 11:44 AM
Tiscali Tim wrote:
> In an earlier contribution to this discussion,
> (E-Mail Removed) <(E-Mail Removed)> wrote:
>
>
>>
>>What about removing the default gateway entry on the PCs you don't
>>want on the net?

>
>
> That should do it - but you'd probably have to configure the IP addresses
> etc. manually to achieve that. If you were to use the router as a DHCP
> server and allocate addresses automatically, it would also set the gateway -
> and allow internet access.
>
> A lot depends on whether you simply wish not to enable internet access, or
> whether you wish to positively prevent it - if you see the subtle
> difference. If the latter, my earlier suggestion of 2 network cards in 2 of
> the PCs, and separate subnets, would be preferable - despite some people
> regarding it as overkill. [The actual cost is only about 30 quid for 2
> network cards and two ethernet cables - 'cos you're going to need an ADSL
> modem/router either way]

Thanks for your help! Removing the GW seems like the best solution for
the current requirements, thanks for all of the other suggestions.

G
 