Two isolated networks on a router

Hi all

I have a DSL connection and it is shared by 4 computers (A, B, C, D)
through an AP(and router). I want to make first two computers (A, B) on
the network so that they can share files. Similarly I want other two
computers to be in a differnt network (C,D) and be able to share files.

There should clear isolation between these two networks so that A
cannot peek into C 's files.

Please let me know how I can do that with one AP (+ router).

Thanks for your help
Raj

On 3 Nov 2006 23:30:32 -0800, nchekka@gmail.com wrote in
<1162625432.579361.229400@h54g2000cwb.googlegroups .com>:

>I have a DSL connection and it is shared by 4 computers (A, B, C, D)
>through an AP(and router). I want to make first two computers (A, B) on
>the network so that they can share files. Similarly I want other two
>computers to be in a differnt network (C,D) and be able to share files.
>
>There should clear isolation between these two networks so that A
>cannot peek into C 's files.
>
>Please let me know how I can do that with one AP (+ router).

You can't do that kind of isolation with a typical "bargain" wireless
access point. You're going to need two bargain wireless access points
(separate wireless networks) isolated from each other by a capable wired
router.

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>

On 3 Nov 2006 23:30:32 -0800, nchekka@gmail.com wrote:

>Hi all
>
>I have a DSL connection and it is shared by 4 computers (A, B, C, D)
>through an AP(and router). I want to make first two computers (A, B) on
>the network so that they can share files. Similarly I want other two
>computers to be in a differnt network (C,D) and be able to share files.
>
>There should clear isolation between these two networks so that A
>cannot peek into C 's files.
>
>Please let me know how I can do that with one AP (+ router).
>
>Thanks for your help
>Raj

first, you say AP(router) and your in a wireless group, so i'm
assuming that all the computers are going to be wirelessly connected
to the router.

most 'inexpensive' routers only had out DHCP IPs the a set IP number

ie : lan gateway 192.168.1.1
wireless ip DHCP 192.168.1.100 - 192.168.1.254


The easy way,

PART 1
Set A & B in one workgroup ie: GROUP1
Set C & D in one workgroup ie: GROUP2


PART 2
Set the shares up for A & B
Set the shares up for C & D

Workgroup for C& D
Be sure that users and shares are not the same for WG A&B

Workgroup for A&B
Be sure that users and shares are not the same for WG C&D



Do not exchange the usernames or passwords with GROUP1 and GROUP2

However, if a user in Group2 puts his workgroup name to Group1 he will
be able to see the computers in group 1 but without the passwords he
will not be able to join (see the contents) of the workgroup.

You could make all the accounts 'USER' accounts instead of
administrator accounts of the WG, then they couldn't change the WG
name.


This still isn't secure to a good hacker, The only sure way is to get
a more expensive router that will provide isolation between users but
your going to spend $200 + for this kind of a router


Bob

Thanks Bob,

I will try and update..


Bob Smith wrote:
> On 3 Nov 2006 23:30:32 -0800, nchekka@gmail.com wrote:
>
> >Hi all
> >
> >I have a DSL connection and it is shared by 4 computers (A, B, C, D)
> >through an AP(and router). I want to make first two computers (A, B) on
> >the network so that they can share files. Similarly I want other two
> >computers to be in a differnt network (C,D) and be able to share files.
> >
> >There should clear isolation between these two networks so that A
> >cannot peek into C 's files.
> >
> >Please let me know how I can do that with one AP (+ router).
> >
> >Thanks for your help
> >Raj
>
> first, you say AP(router) and your in a wireless group, so i'm
> assuming that all the computers are going to be wirelessly connected
> to the router.
>
> most 'inexpensive' routers only had out DHCP IPs the a set IP number
>
> ie : lan gateway 192.168.1.1
> wireless ip DHCP 192.168.1.100 - 192.168.1.254
>
>
> The easy way,
>
> PART 1
> Set A & B in one workgroup ie: GROUP1
> Set C & D in one workgroup ie: GROUP2
>
>
> PART 2
> Set the shares up for A & B
> Set the shares up for C & D
>
> Workgroup for C& D
> Be sure that users and shares are not the same for WG A&B
>
> Workgroup for A&B
> Be sure that users and shares are not the same for WG C&D
>
>
>
> Do not exchange the usernames or passwords with GROUP1 and GROUP2
>
> However, if a user in Group2 puts his workgroup name to Group1 he will
> be able to see the computers in group 1 but without the passwords he
> will not be able to join (see the contents) of the workgroup.
>
> You could make all the accounts 'USER' accounts instead of
> administrator accounts of the WG, then they couldn't change the WG
> name.
>
>
> This still isn't secure to a good hacker, The only sure way is to get
> a more expensive router that will provide isolation between users but
> your going to spend $200 + for this kind of a router
>
>
> Bob

> I have a DSL connection and it is shared by 4 computers (A, B, C, D)
> through an AP(and router). I want to make first two computers (A, B) on
> the network so that they can share files. Similarly I want other two
> computers to be in a differnt network (C,D) and be able to share files.
>
> There should clear isolation between these two networks so that A
> cannot peek into C 's files.
>
> Please let me know how I can do that with one AP (+ router).

Generally you can't. Most SoHo routers (small office, home office) have a
single switch. That switch usually does not have any sort of VLAN or other
segmenting features. It's usually just "one switch". Thus you can't
partition the traffic.

Your only easy solution would be to just get two more routers. Put each of
them behind the main route and leave their firewalls enabled. That'll work
for nearly all typical online traffic. Just pickup two low-end routers.

-Bill Kearney

On Mon, 6 Nov 2006 17:17:12 -0500, "Bill Kearney"
<wkearney99@hotmail.com> wrote in
<EJydnauRRMv0KdLYnZ2dnUVZ_rSdnZ2d@speakeasy.net> :

>> I have a DSL connection and it is shared by 4 computers (A, B, C, D)
>> through an AP(and router). I want to make first two computers (A, B) on
>> the network so that they can share files. Similarly I want other two
>> computers to be in a differnt network (C,D) and be able to share files.
>>
>> There should clear isolation between these two networks so that A
>> cannot peek into C 's files.
>>
>> Please let me know how I can do that with one AP (+ router).
>
>Generally you can't. Most SoHo routers (small office, home office) have a
>single switch. That switch usually does not have any sort of VLAN or other
>segmenting features. It's usually just "one switch". Thus you can't
>partition the traffic.
>
>Your only easy solution would be to just get two more routers. Put each of
>them behind the main route and leave their firewalls enabled. That'll work
>for nearly all typical online traffic. Just pickup two low-end routers.

The problem with that is the wireless clients will be on "double NAT",
which can cause problems. That's why I recommended wireless access
points isolated by a capable wired router.

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>

> >Your only easy solution would be to just get two more routers. Put each
of
> >them behind the main route and leave their firewalls enabled. That'll
work
> >for nearly all typical online traffic. Just pickup two low-end routers.
>
> The problem with that is the wireless clients will be on "double NAT",
> which can cause problems. That's why I recommended wireless access
> points isolated by a capable wired router.

Which really isn't much of a problem. I've run several setups behind two
layers of NAT routing and it's been quite workable. Everything any normal
users are going to want to accomplish is going to work. I've tried a whole
range of tools from IM to Skype and they work without incident. Yes, there
are some things like inbound VPN, VoIP and ssh (to name a few) that might
require port programming. But I've configured ports for those forwarded
from the outside NAT through the inside NAT and they likewise worked just
fine.

Now if they wanted to get into fancier setup for inbound traffic then they'd
be better served moving up to a "real" router like any number of the Cisco
offerings. Higher-end routers would allow them to setup VLANs across the
switch ports on a single router and isolate traffic that way. But that
won't come without the added cost of the router AND the experience necessary
to get the various ACLs programmed.

So if all the original poster wants to do is setup the A/B networks separate
from each other, and just wants to use regular web and e-mail sort of
applications they'd be perfectly fine using a double NAT setup. Experience
shows it works.

On Wed, 8 Nov 2006 10:42:59 -0500, "Bill Kearney"
<wkearney99@hotmail.com> wrote in
<8r-dnUR25fzHZszYnZ2dnUVZ_r6dnZ2d@speakeasy.net>:

>> >Your only easy solution would be to just get two more routers. Put each of
>> >them behind the main route and leave their firewalls enabled. That'll work
>> >for nearly all typical online traffic. Just pickup two low-end routers.
>>
>> The problem with that is the wireless clients will be on "double NAT",
>> which can cause problems. That's why I recommended wireless access
>> points isolated by a capable wired router.
>
>Which really isn't much of a problem. I've run several setups behind two
>layers of NAT routing and it's been quite workable. Everything any normal
>users are going to want to accomplish is going to work. I've tried a whole
>range of tools from IM to Skype and they work without incident. Yes, there
>are some things like inbound VPN, VoIP and ssh (to name a few) that might
>require port programming. But I've configured ports for those forwarded
>from the outside NAT through the inside NAT and they likewise worked just
>fine.
>
>Now if they wanted to get into fancier setup for inbound traffic then they'd
>be better served moving up to a "real" router like any number of the Cisco
>offerings. Higher-end routers would allow them to setup VLANs across the
>switch ports on a single router and isolate traffic that way. But that
>won't come without the added cost of the router AND the experience necessary
>to get the various ACLs programmed.
>
>So if all the original poster wants to do is setup the A/B networks separate
>from each other, and just wants to use regular web and e-mail sort of
>applications they'd be perfectly fine using a double NAT setup. Experience
>shows it works.

For you. I've had to remove double NAT for some of my clients and
friends that ran into problems. I personally don't think it's worth the
risk and grief. As I wrote, double NAT can be avoided with two bargain
APs behind a suitable wired router, much cheaper than a Cisco offering.
Or with two bargain wireless routers and a switch/hub if the ISP will
provide two external IP addresses.

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>

> For you. I've had to remove double NAT for some of my clients and
> friends that ran into problems. I personally don't think it's worth the
> risk and grief.

Risk? Grief? That just bullshit and hype. It works. More than well
enough for most typical home users. It's indeed true that a business
situation /might/ need more. Most, however, won't unless they're hosting
their own services inside their network.