routing net access through windows computer

 
 
bigegg
Guest
Posts: n/a

 
      10-21-2005, 06:09 PM
I am currently running a three computer wired network connected to B/B
with an ADSL router (Mercury/NetLynx ART514CX 4 port).
I have my computer (call it 10.0.0.12) connected directly through the
router, and then the other two computers (10.0.0.4|5) through a second,
10mbit router/switch.

I wish to restrict access to the net from one of the two peripheral
computers (10.0.0.4), without affecting either of 10.0.0.12 or 10.0.0.5.

I have an option on the modem to do "half bridge filtering" which (I
think) basically means I can make 'net access available to any one computer.

But I want to be able to control each computer's access individually.

I think that if I set the half bridge filtering to allow 10.0.0.12 and
then assign 10.0.0.12 as the DNS
server for 10.0.0.4 and 10.0.0.5 , I can control who accesses what.

Will this work?
What else do I need.

I am currently running WinXP PRO on all three machines, but I do have
the option of running a 4th machine dedicated to Linux, (and just this job).

--
BigEgg

 
 
 
 
 
Tony
Guest
Posts: n/a

 
      10-21-2005, 11:15 PM

"bigegg" <(E-Mail Removed)> wrote in message
news:43592ee9$0$6509$(E-Mail Removed)...
>I am currently running a three computer wired network connected to B/B with
>an ADSL router (Mercury/NetLynx ART514CX 4 port).
> I have my computer (call it 10.0.0.12) connected directly through the
> router, and then the other two computers (10.0.0.4|5) through a second,
> 10mbit router/switch.
>
> I wish to restrict access to the net from one of the two peripheral
> computers (10.0.0.4), without affecting either of 10.0.0.12 or 10.0.0.5
>
> I have an option on the modem to do "half bridge filtering" which (I
> think) basically means I can make 'net access available to any one
> computer
>
> But I want to be able to control each computers access individually.
>
> I think that if I set the half bridge filtering to allow 10.0.0.12 and
> then assign 10.0.0.12 as the DNS
> server for 10.0.0.4 and 10.0.0.5 , I can control who accesses what.
>
> Will this work?
> What else do I need.
>
> I am currently running WinXP PRO on all three machines, but I do have the
> option of running a 4th machine dedicated to Linux, (and just this job).
>

Can you install Windows on the 4th PC? If so, CCProxy
(http://www.youngzsoft.net/ccproxy/) would do the job but you would need
NICs - one for the internet connection and one for the connection to the
network.


 
 
Conor
Guest
Posts: n/a

 
      10-22-2005, 11:01 AM
In article <43592ee9$0$6509$(E-Mail Removed)>,
bigegg says...
> I am currently running a three computer wired network connected to B/B
> with an ADSL router (Mercury/NetLynx ART514CX 4 port).
> I have my computer (call it 10.0.0.12) connected directly through the
> router, and then the other two computers (10.0.0.4|5) through a second,
> 10mbit router/switch.
>
> I wish to restrict access to the net from one of the two peripheral
> computers (10.0.0.4), without affecting either of 10.0.0.12 or 10.0.0.5
>
> I have an option on the modem to do "half bridge filtering" which (I
> think) basically means I can make 'net access available to any one computer
>
> But I want to be able to control each computers access individually.
>
> I think that if I set the half bridge filtering to allow 10.0.0.12 and
> then assign 10.0.0.12 as the DNS
> server for 10.0.0.4 and 10.0.0.5 , I can control who accesses what.
>
> Will this work?
> What else do I need.
>

Buy a decent router. All the Netgears I've come across do this as
standard.


--
Conor

"You're not married, you haven't got a girlfriend and you've never seen
Star Trek? Good Lord!" - Patrick Stewart, Extras.
 
 
bigegg
Guest
Posts: n/a

 
      10-22-2005, 12:37 PM
Conor wrote:
> In article <43592ee9$0$6509$(E-Mail Removed)>,
> bigegg says...
>
>>I am currently running a three computer wired network connected to B/B
>>with an ADSL router (Mercury/NetLynx ART514CX 4 port).
>>I have my computer (call it 10.0.0.12) connected directly through the
>>router, and then the other two computers (10.0.0.4|5) through a second,
>>10mbit router/switch (which is also plugged directly into the ADSL router)
>>
>>I wish to restrict access to the net from one of the two peripheral
>>computers (10.0.0.4), without affecting either of 10.0.0.12 or 10.0.0.5
>>
>>I have an option on the modem to do "half bridge filtering" which (I
>>think) basically means I can make 'net access available to any one computer
>>
>>But I want to be able to control each computers access individually.
>>
>>I think that if I set the half bridge filtering to allow 10.0.0.12 and
>>then assign 10.0.0.12 as the DNS
>>server for 10.0.0.4 and 10.0.0.5 , I can control who accesses what.
>>
>>Will this work?
>>What else do I need?
>>

>
> Buy a decent router. All the Netgears I've come across do this as
> standard.
>
>


Would this enable me to (for instance) allow access to certain ports at
certain times of day, or control the bandwidth of each port?

Basically, I want to restrict access to HTTP (port 80) on one computer
to between 4pm and 9pm, without restricting the other computers.
I also want to restrict p2p (which is port 16xx, I think) to 1GB per day
per computer...

I know it's possible to do this by using a computer based
router/firewall with two NICs, but I was hoping to avoid doing that, for
the simple reason that if someone plugs in to the ADSL router, they
would bypass my controls.


If I could also block access to certain sites from certain computers,
that would be even better.

Ideally what I could do with is a program which could just take a list
in the form:


COMPUTER : IP ADDRESS : PORT : TIME1 : TIME2 : QUOTA

and then restrict the traffic from CO.MP.UT.ER to IP.AD.DR.ESS:PORT
between TIME1 & TIME2 to QUOTA Mb

I can set the "default gateway" on all the computers to the firewall
computer, but what then?




--
BigEgg
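
The rule list asked for in the post above, worked through as an added example that is not part of the original thread or of any product named in it. It assumes IPv4 addresses, times written as HHMM, `*` and `0` as wildcards, and a hypothetical `decide` function that the gateway would call per connection.

```python
from collections import namedtuple
from datetime import time
from ipaddress import IPv4Address

# COMPUTER : IP ADDRESS : PORT : TIME1 : TIME2 : QUOTA (MB per day, 0 = no cap)
Rule = namedtuple("Rule", "computer dest port start end quota_mb")

def _hhmm(text):
    # Assumption: times are written HHMM so they cannot clash with the ':' separator.
    return time(int(text[:2]), int(text[2:]))

def parse_rules(text):
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 6:
            raise ValueError(f"expected 6 fields, got {len(fields)}: {raw!r}")
        computer, dest, port, t1, t2, quota = fields
        IPv4Address(computer)                  # ValueError on a malformed address
        if dest != "*":
            IPv4Address(dest)
        rules.append(Rule(computer, dest, int(port), _hhmm(t1), _hhmm(t2), int(quota)))
    return rules

def _in_window(start, end, now):
    if start <= end:
        return start == end or start <= now < end   # equal times mean all day (assumed)
    return now >= start or now < end                # window that crosses midnight

def decide(rules, src, dst, port, now, used_mb):
    """First matching rule wins; used_mb is what src has moved today under that rule."""
    for r in rules:
        if r.computer != src or r.dest not in ("*", dst) or r.port not in (0, port):
            continue
        if not _in_window(r.start, r.end, now):
            return False, "outside permitted hours"
        if r.quota_mb and used_mb >= r.quota_mb:
            return False, "daily quota used up"
        return True, "matched rule"
    return True, "no rule for this traffic"         # unlisted computers stay unrestricted

# Constructed sample; port 1600 is a placeholder for the "16xx" in the post.
SAMPLE_RULES = """\
10.0.0.4 : * : 80   : 1600 : 2100 : 0
10.0.0.4 : * : 1600 : 0000 : 0000 : 1024
"""
```

The rules match on the source address alone, so they hold only while each computer keeps the address it is listed under.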
 
 
Peter M
Guest
Posts: n/a

 
      10-22-2005, 04:00 PM
On 22 Oct 2005 13:37, bigegg <(E-Mail Removed)> wrote:

>Would this enable me to (for instance) allow access to certain ports at
>certain times of day, or control the bandwidth of each port?


>Basically, I want to restrict access to HTTP (port 80) on one computer
>to between 4pm and 9pm, without restricting the other computers.


Yes for controlling access (sometimes by protocol, so you may allow web
browsing, but block {up to a point - a teenager will find a way :} other
traffic), but I doubt you will see traffic limiting by IP on many of the
cheaper (sub 250 pounds) units. I don't have hands on for the costly ones
to be able to recommend something more expensive...

The Belkin F5S7630 (I think - it is around 2 years old, so not a model you
could buy new today, I suspect) has protocol control, and I set one up to
restrict certain traffic (for a teenager's PC) for a friend - it's quite
easy and they must have similar models which are not too costly...

>I also want to restrict p2p (which is port 16xx, I think) to 1GB per day
>per computer...


>I know it's possible to do this by using a computer based router/firewall
>with two NICs, but I was hoping to avoid doing that, for the simple
>reason that if someone plugs in to the ADSL router, they would bypass
>my controls.


You could put the protocol restrictions into the router as well, but it's
surely also possible that someone willing to plug into the router may get
the idea to change IP address and thus get past rules you've added! PGM.

--

UK ADSL <http://tinyurl.com/dghgq> - Happy to save cash with Plus.Net!

Unsuitable for heavy downloaders, but fine for video/audio streaming.
 
 
bigegg
Guest
Posts: n/a

 
      10-22-2005, 04:30 PM
Peter M wrote:
> On 22 Oct 2005 13:37, bigegg <(E-Mail Removed)> wrote:
>
>
>>Would this enable me to (for instance) allow access to certain ports at
>>certain times of day, or control the bandwidth of each port?

>
>
>>Basically, I want to restrict access to HTTP (port 80) on one computer
>>to between 4pm and 9pm, without restricting the other computers.

>
>
> Yes for controlling access (sometimes by protocol, so you may allow web
> browsing, but block {up to a point - a teenager will find a way :}


oh, I'm quite sure he'll try - but he knows I have other options to
limit his access - up to and including a hammer through his motherboard.


> I doubt you will see traffic limiting by IP on many of the
> cheaper (sub 250 pounds) units. I don't have hands on for the costly ones
> to be able to recommend something more expensive...
>


I really don't want to shell out for anything else, I'd prefer a
software-only solution using my existing hardware if at all possible.

>
> You could put the protocol restrictions into the router as well, but it's
> surely also possible that someone willing to plug into the router may get
> the idea to change IP address and thus get past rules you've added! PGM.
>


Basically, I'll limit web access to just my computer + my shed computer,
(the two which are "unrestricted"), and block all other IPs, plus with
my ideal solution, I would have a log of which IP addresses are logged
in, and accessing the 'net, at any time.



Is there anything fundamentally wrong with my idea of:

1. setting my "firewall" computer to be the default gateway on other
computers, so any non-LAN IP requests are passed to it

2. blocking access to the internet from other computers by the half
bridge filter on my ADSL router.

3. running some sort of routing control/firewall program(s) on the
"firewall" computer [a]

4. leaving all the computers connected to the ADSL router, which would
just be running as a hub for the non-"firewall" computers

[a] which is basically my question: which OS? which program(s)?

--
BigEgg
 
 
Conor
Guest
Posts: n/a

 
      10-22-2005, 05:22 PM
In article <435a3298$0$73603$(E-Mail Removed)>,
bigegg says...

>
> Would this enable me to (for instance) allow access to certain ports at
> certain times of day, or control the bandwidth of each port?
>

Yes.

> Basically, I want to restrict access to HTTP (port 80) on one computer
> to between 4pm and 9pm, without restricting the other computers.


Not a problem.

> I also want to restrict p2p (which is port 16xx, I think) to 1GB per day
> per computer...
>
> I know it's possible to do this by using a computer based
> router/firewall with two NICs, but I was hoping to avoid doing that, for
> the simple reason that if someone plugs in to the ADSL router, they
> would bypass my controls.
>
>
> If I could also block access to certain sites from certain computers,
> that would be even better.
>

Yep - can do that as well.

Website blocking is easy in software though by modifying the hosts file
on that particular PC.

In Windows XP, edit the \windows\system32\drivers\etc\hosts file.

Format is:

domain name you want to block 127.0.0.1

For example:

www.playboy.com 127.0.0.1

What this does is redirect any request from any software on that PC for
www.playboy.com to a local loopback address so they get a 404 not found
error.

> Ideally what I could do with is a program which could just take a list
> in the form:
>
>
> COMPUTER : IP ADDRESS : PORT : TIME1 : TIME2 : QUOTA
>
> and then restrict the traffic from CO.MP.UT.ER to IP.AD.DR.ESS:PORT
> between TIME1 & TIME2 to QUOTA Mb
>
> I can set the "default gateway" on all the computers to the firewall
> computer, but what then?
>

You need a server OS or some software to do it.



--
Conor

"You're not married, you haven't got a girlfriend and you've never seen
Star Trek? Good Lord!" - Patrick Stewart, Extras.
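
A check of which names a hosts file really sends to loopback, as an added example that is not part of the original post. It assumes the usual hosts layout of address first, then one or more names; `audit_hosts`, `still_reachable` and the sample file content are constructed for illustration.

```python
from ipaddress import ip_address

def audit_hosts(text):
    """Return (blocked, unparsed): names mapped to a loopback or unspecified
    address, and (line number, text) for lines that do not start with an address."""
    blocked, unparsed = {}, []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            address = ip_address(fields[0])
        except ValueError:
            unparsed.append((number, line))      # e.g. name written before the address
            continue
        if len(fields) < 2:
            unparsed.append((number, line))      # address with no name after it
            continue
        if address.is_loopback or address.is_unspecified:
            for name in fields[1:]:
                blocked[name.lower()] = str(address)
    return blocked, unparsed

def still_reachable(wanted, blocked):
    """Names from the wanted block list that the file does not cover.
    Matching is exact: an entry for one name does not cover its subdomains."""
    return sorted(name for name in wanted if name.lower() not in blocked)

# Constructed sample hosts file content.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1   localhost
127.0.0.1   blocked.example www.blocked.example
0.0.0.0     ads.example
10.0.0.12   fileserver
games.example 127.0.0.1
"""
```

Running `audit_hosts` on a copy of the restricted PC's file shows at a glance which intended entries are in effect and which lines need rewriting.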
 
 
Conor
Guest
Posts: n/a

 
      10-22-2005, 05:24 PM
In article <435a6940$0$6518$(E-Mail Removed)>,
bigegg says...

> I really don't want to shell out for anything else, I'd prefer a
> software-only solution using my existing hardware if at all possible.
>

If you don't want to pay money...

http://www.smoothwall.org/



--
Conor

"You're not married, you haven't got a girlfriend and you've never seen
Star Trek? Good Lord!" - Patrick Stewart, Extras.
 
 
Tony
Guest
Posts: n/a

 
      10-22-2005, 06:43 PM

"bigegg" <(E-Mail Removed)> wrote in message
news:435a6940$0$6518$(E-Mail Removed)...
> Peter M wrote:
>> On 22 Oct 2005 13:37, bigegg <(E-Mail Removed)> wrote:
>>
>>
>>>Would this enable me to (for instance) allow access to certain ports at
>>>certain times of day, or control the bandwidth of each port?

>>
>>
>>>Basically, I want to restrict access to HTTP (port 80) on one computer to
>>>between 4pm and 9pm, without restricting the other computers.

>>
>>
>> Yes for controlling access (sometimes by protocol, so you may allow web
>> browsing, but block {up to a point - a teenager will find a way :}

>
> oh, I'm quite sure he'll try - but he knows I have other options to limit
> his access - up to and including a hammer through his motherboard.
>
>
>> I doubt you will see traffic limiting by IP on many of the
>> cheaper (sub 250 pounds) units. I don't have hands on for the costly
>> ones to be able to recommend something more expensive...
>>

>
> I really don't want to shell out for anything else, I'd prefer a
> software-only solution using my existing hardware if at all possible.
>
>>
>> You could put the protocol restrictions into the router as well, but it's
>> surely also possible that someone willing to plug into the router may get
>> the idea to change IP address and thus get past rules you've added! PGM.
>>

>
> Basically, I'll limit web access to just my computer + my shed computer,
> (the two which are "unrestricted"), and block all other IPs, plus with my
> ideal solution, I would have a log of which IP addresses are logged in,
> and accessing the 'net, at any time.
>
>
>
> Is there anything fundamentally wrong with my idea of:
>
> 1. setting my "firewall" computer to be the default gateway on other
> computers, so any non-LAN IP requests are passed to it
>
> 2. blocking access to the internet from other computers by the half bridge
> filter on my ADSL router.
>
> 3. running some sort of routing control/firewall program(s) on the
> "firewall" computer [a]
>
> 4. leaving all the computers connected to the ADSL router, which would
> just be running as a hub for the non-"firewall" computers
>
> [a] which is basically my question: which OS? which program(s)?
>

As I said before, CCProxy will do all that, and it will run on your old PC
with Windows.


 
 
Tony
Guest
Posts: n/a

 
      10-22-2005, 06:45 PM

"Conor" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) t...
> In article <435a6940$0$6518$(E-Mail Removed)>,
> bigegg says...
>
>> I really don't want to shell out for anything else, I'd prefer a
>> software-only solution using my existing hardware if at all possible.
>>

> If you don't want to pay money...
>
> http://www.smoothwall.org/
>
>
>

I use Smoothwall - it is just that, a firewall. The free edition does not
allow restricting access from IP addresses on the LAN.


 