Networking Forums

separating LANs?

 
 
gglave@softtracks.com

 
      01-12-2006, 05:33 PM
Hi Everyone,

I look after a small LAN for a small rural resort. They've got a
handful of computers plugged into a Linksys BEFSR41
(http://tinyurl.com/a99bl) router for network & internet connectivity.

I'm looking for some way to set things up so that if this resort
"shares" its internet connection with a few neighbours they can't "see"
the other computers on the LAN, nor can the neighbours see each other's
computers. The computers at the resort should still be able to see
each other.

Can anyone recommend a (hopefully inexpensive) piece of hardware to
accomplish this? I know I could probably research some kind of a Linux
box to manage the traffic, but I'd prefer to have some kind of small
dedicated piece of equipment that doesn't risk a hard disk failure,
power supply failure etc. as I'm six hours away and the folks at the
resort are computer illiterate.

Thanks in advance.

Cheers,
Geoff Glave
Vancouver, Canada

 
 
 
 
 
perfimage

 
      01-12-2006, 06:10 PM
What about adding another router to the mix?

Keep the router you have connected but designate it for use by only the
resort computers. Add the second router, connecting its WAN port to one of
the LAN ports of the first router, and designate it for use by only the
"neighbors" computers.

Each router should be assigned a different subnet, and computers from each
subnet (resort and neighbors) will be prevented from seeing each other first
by the hardware then the subnets. Your first router will then route traffic
from the second router to the internet. The second router can get its IP
address via DHCP or you can assign it an IP and create firewall rules on the
first router to make sure its traffic is kept completely separate from the
first.

As far as keeping the neighbors' (on the second subnet) computers from seeing
one another, that is nearly impossible except at switch level, and only if
they are managed switches where you can stop certain communication between
them, such as Windows printer and file sharing.

This will require you to reroute some wiring in wiring closets and such to
physically separate the 2 LANs, but should be doable.

Good Luck
 
Neteng

 
      01-12-2006, 07:43 PM
A multiport (as many as you need) firewall or router would do the trick. You
will need to configure ACLs to prevent the tenants' networks from "seeing"
each other. I don't think any of the cheapos make a multiport that can do
ACL's, so you might have to spend a couple of bucks and get a real one.
 
Neteng

 
      01-12-2006, 07:44 PM
Can you provide an example of a switch ACL that blocks file sharing and
printing?
 
perfimage

 
      01-13-2006, 01:28 AM
I cannot provide an ACL. I do not know of a way to stop computers connected
to the same switch from seeing one another unless the client comps are
firewalled individually, as the switch is unable to stop any traffic between
computers on the same switch, but it can stop traffic between managed
switches, much the same way a firewall blocks ports, you stop traffic between
switches on ports 137, 138, and 139.

Chances are the OP doesn't have managed switches so this is all moot, but I
believe he can successfully achieve the end result by using a second
inexpensive router and some creative firewalling rules in the 2 routers.
 
Neteng

 
      01-13-2006, 01:25 PM
I thought so, because it's not possible. You cannot put ACLs on a switch
(layer 2) that block ports (layer 4) or IPs (layer 3), unless the switch
is layer 3 capable.
 
gglave@softtracks.com

 
      01-13-2006, 06:05 PM
> > Can anyone recommend a (hopefully inexpensive) piece of hardware to
> > accomplish this?


Thanks everyone for your suggestions.

Cheers,
Geoff Glave
Vancouver, Canada

 
 
perfimage

 
      01-13-2006, 06:25 PM
And just what was your point? Why did you ask the question if you knew it
wasn't possible and I said it wasn't possible (except on a managed switch) in
the first place?

Just wondering if I missed something
 
Neteng

 
      01-13-2006, 07:01 PM
It is NOT possible on a managed switch either. That's my point.
 
Phillip Windell

 
      01-13-2006, 07:16 PM
"perfimage" <(E-Mail Removed)> wrote in message
news:91957EF9-9FB1-4C5A-87C9-(E-Mail Removed)...
> And just what was your point? Why did you ask the question if you knew it
> wasn't possible and I said it wasn't possible (except on a managed switch)
> in the first place?


I'm sure he doesn't need me to answer for him,...but I've been in the same
position too. The problem is that there are routers,..switches, and Layer3
Switches (router & switch combined),...and then on top of that people don't
always use the correct terminology for what they are describing. So we will
ask it the way he did to verify the details and the context in sort of an
"indirect" way so that we know what we are dealing with before we stick our
foot in our mouths by making an "absolute" statement that might end up being
wrong in your particular context.

For example a standard switch has no ACLs (being "managed" doesn't
matter),..a layer3 Switch often does have ACLs.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/pro...isaserver.mspx
-----------------------------------------------------
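
The two-router layout proposed in this thread and the layer 2 versus layer 3/4 point argued above, as an added reachability model (not code from any poster). The subnets, host addresses and the `Deny` rule type are constructed assumptions, router 2 is assumed able to filter outbound traffic by destination, and port 445 (SMB over TCP) is added alongside the 137-139 named in the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing, not taken from the thread.
RESORT_NET = ipaddress.ip_network("192.168.1.0/24")     # LAN of router 1 (existing router)
NEIGHBOUR_NET = ipaddress.ip_network("192.168.2.0/24")  # LAN of router 2 (added router)

NETBIOS = frozenset({137, 138, 139})  # ports named in the thread
SMB_DIRECT = 445                      # SMB over TCP, also used by Windows file sharing


@dataclass(frozen=True)
class Deny:
    """Hypothetical outbound deny rule on router 2 (neighbour LAN -> WAN side)."""
    dst: ipaddress.IPv4Network
    ports: Optional[frozenset] = None  # None matches every port


def zone(ip):
    if ip in NEIGHBOUR_NET:
        return "neighbour"
    if ip in RESORT_NET:
        return "resort"
    return "internet"


def decide(src, dst, port, router2_rules=()):
    """Return (verdict, reason) for a new connection src -> dst:port."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    s, d = zone(src), zone(dst)
    if s == d and s != "internet":
        # Same subnet: the frame is switched at layer 2 and never reaches
        # a router, so no layer 3/4 rule on either router can see it.
        return "allow", "same switch, no router in path"
    if s == "neighbour":
        for rule in router2_rules:
            if dst in rule.dst and (rule.ports is None or port in rule.ports):
                return "deny", "router 2 outbound rule"
        # Router 2's WAN port sits on the resort LAN, so resort hosts are
        # directly reachable from behind it unless a rule says otherwise.
        return "allow", "forwarded and NATed by router 2"
    if d == "neighbour":
        # Assumes no port forwarding or DMZ host is configured on router 2.
        return "deny", "unsolicited inbound dropped by router 2 NAT"
    if s == "resort":
        return "allow", "forwarded and NATed by router 1"
    return "deny", "unsolicited inbound dropped by router 1 NAT"


# (src, dst, port, wanted verdict) for the original poster's requirements.
POLICY = [
    ("192.168.2.10", "192.168.1.20", 139, "deny"),         # neighbour -> resort, NetBIOS
    ("192.168.2.10", "192.168.1.20", SMB_DIRECT, "deny"),  # neighbour -> resort, SMB
    ("192.168.2.10", "192.168.2.11", SMB_DIRECT, "deny"),  # neighbour -> neighbour
    ("192.168.1.20", "192.168.1.21", SMB_DIRECT, "allow"), # resort -> resort
    ("192.168.2.10", "203.0.113.5", 80, "allow"),          # neighbour -> internet
    ("192.168.1.20", "203.0.113.5", 80, "allow"),          # resort -> internet
]


def audit(router2_rules=()):
    """List the policy flows whose actual verdict differs from the wanted one."""
    gaps = []
    for src, dst, port, wanted in POLICY:
        verdict, reason = decide(src, dst, port, router2_rules)
        if verdict != wanted:
            gaps.append((src, dst, port, reason))
    return gaps


if __name__ == "__main__":
    rule_sets = [
        ("no rules on router 2", ()),
        ("deny NetBIOS 137-139 to resort", (Deny(RESORT_NET, NETBIOS),)),
        ("deny everything to resort subnet", (Deny(RESORT_NET),)),
    ]
    for name, rules in rule_sets:
        print(name)
        for gap in audit(rules):
            print("  gap:", gap)
```

With no rules the audit reports three gaps; denying the whole resort subnet on router 2 leaves only the neighbour-to-neighbour flow, which never crosses a router.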



 