Questions

How to give visitors internet access without access to my WORKGROUP files?

Tags:
+
1 Votes
Locked

How to give visitors internet access without access to my WORKGROUP files?

JomegaJohn
Hi there,

There must be some obvious solutions to this simple need; but after much searching, I have failed to find any - so any help will be MUCH appreciated :)

I have a wired home network (all cables, wireless is disabled) on a broadband router (BT Home Hub 3.0), where every computer has full access to every other one for file sharing, all on one windows WORKGROUP.

I want to allow house guests to be able plug their own computers into my router for simple internet access WITHOUT being able to have access to my WORKGROUP network and files (maybe not even be able to see it).

What are my options for achieving this?

Ideally I would like to just somehow block the entire WORKGROUP access, so as not to have to mess around with setting lots of User permissions and constant logons/passwords for each access or session.

I have looked into trying to add specific network Users Permissions (instead of ???Everyone???), but got stuck trying to add network users under network permissions (since only local users appear). Also, it seems there may be a possibility of using a different subnet addresses rather than the usual 255.255.255.0 using Static IPs for each of my WORKGROUP computers.

But really I???m still completely confused and would welcome ANY suggestions!

Set up:
My main files are stored on USB drives connected to a small netbook, simply running Windows XP Pro, which acts as a kind of file server ??? this is 95% of the need for shared access.
Then there are other computers on the WORKGROUP running Windows XP Pro, Vista and Windows 7 all with full access to each other???s files.
As I have no proper server, I believe that I can have no Domains,

Thank you
NB Reposted to Q&A from the Discussions section - sorry didn't realise the difference :) !
  • +
    1 Votes
    robo_dev

    If this were a business network you would setup a separate VLAN to separate guest WLAN users from the rest of the network.

    However at home, setup a separate WLAN router for guests. While connecting a router-to-a-router is not ideal from a performance standpoint, this is the simplest solution. Since the WLAN router has a firewall, even if it passes the ports used for SMB (Microsoft networking) outbound (137, 139, 445), it will block inbound SMB traffic, thus preventing your other PCs and workgroup from being visible from the WLAN guests. Thus the WAN port of the guest WLAN router would plug into any LAN port available and it would get it's external IP address from the DHCP server in your existing router/firewall. Since most WLAN routers also have a four-port Ethernet switch built-in, guests could plug into that as well for wired access.

    In general, since SMB is a broadcast-based protocol, and Microsoft protocols in general are promiscuous and not all that secure, what you need to do is to establish a separate physical network with a firewall between it at your Windows machines.

    A separate logical network could be setup using multiple VLANs on a switch, and with a router between VLANs you could setup access control lists to allow certain traffic to pass (to allow your guests access to a LAN printer for example), but that would require a LAN-to-LAN router as well an Ethernet switch that can support VLANs.

    +
    1 Votes
    JomegaJohn

    Hi robo_dev

    This is REALLY helpful, thank you!

    I don't at all understand the 2nd option around VLANs, but I think I get the 1st extra router option it seems a great way to keep a firewall between the two networks!

    I have a spare Linksys WRT54G with a WLAN port previously setup for a PPPoE WLAN input from the ADSL modem. From what I understand, I can just plug a network cable between that WLAN port and a spare port on my current router, and then plug my guests into the Linksys WRT54G network ports.

    What I'm not clear on is whether I will need to change the Linksys WRT54G configuration at all (since it was set up to expect to a PPPoE logon on the WLAN port).

    So, how will I need to change the setup?

    1) how will the Linksys WLAN port need to be configured, if at all?
    2) will I need to change the Linksys Firewall or DCHP server settings, or any other ones, if so how?
    3) It seems that I wouldnt need to change any settings on the current router (a BT Home Hub 3.0), but if I do what would they be?

    Very many thanks again :)

    +
    0 Votes
    JomegaJohn

    Ahah! I made great progress :)

    I connected the old Linksys router's WLAN to the current router.

    Then I conifugured the router (running Tomato firmware, as it happens) - changing the WLAN from PPPoE to DHCP and it worked! (though to be fair, I had previously changed the router's address to 192.168.2.1 rather than 192.168.1.1 )

    Plugging in a computer (with Dynamic IP allocation) automatically gave it 192.168.2.100 (as first avaiable DHCP address) and I immedaitely got full speed internet access.

    I took a look at the Firewall in the Linksys, but couldn't make sense of the few settings, so just left them.

    However, simply browsing the Network in Windows 7 over this new connection did, indeed, NOT reveal any of my own WORKGROUP computers!

    So, I reckon it's DONE - yippee!!

    Thanks so much again.

    +
    1 Votes
    robo_dev

    But seriously, glad that worked for you.

    VLANs are a way to divide an Ethernet network into multiple networks on a single switch.

    For example, if you have a 24 port Cisco switch, you can create a network and subnet using ports 1-12 as VLAN1, and ports 13-24 as VLAN2. It's exactly like having two ethernet switches, however it's still one switch.

    +
    1 Votes
    JomegaJohn

    Hi robo_dev

    This is REALLY helpful, thank you!

    I don't at all understand the 2nd option around VLANs, but I think I get the 1st extra router option it seems a great way to keep a firewall between the two networks!

    I have a spare Linksys WRT54G with a WLAN port previously setup for a PPPoE WLAN input from the ADSL modem. From what I understand, I can just plug a network cable between that WLAN port and a spare port on my current router, and then plug my guests into the Linksys WRT54G network ports.

    What I'm not clear on is whether I will need to change the Linksys WRT54G configuration at all (since it was set up to expect to a PPPoE logon on the WLAN port).

    So, how will I need to change the setup?

    1) how will the Linksys WLAN port need to be configured, if at all?
    2) will I need to change the Linksys Firewall or DCHP server settings, or any other ones, if so how?
    3) It seems that I wouldnt need to change any settings on the current router (a BT Home Hub 3.0), but if I do what would they be?

    Very many thanks again :)

    +
    1 Votes
    robo_dev

    But seriously, glad that worked for you.

    VLANs are a way to divide an Ethernet network into multiple networks on a single switch.

    For example, if you have a 24 port Cisco switch, you can create a network and subnet using ports 1-12 as VLAN1, and ports 13-24 as VLAN2. It's exactly like having two ethernet switches, however it's still one switch.

  • +
    1 Votes
    robo_dev

    If this were a business network you would setup a separate VLAN to separate guest WLAN users from the rest of the network.

    However at home, setup a separate WLAN router for guests. While connecting a router-to-a-router is not ideal from a performance standpoint, this is the simplest solution. Since the WLAN router has a firewall, even if it passes the ports used for SMB (Microsoft networking) outbound (137, 139, 445), it will block inbound SMB traffic, thus preventing your other PCs and workgroup from being visible from the WLAN guests. Thus the WAN port of the guest WLAN router would plug into any LAN port available and it would get it's external IP address from the DHCP server in your existing router/firewall. Since most WLAN routers also have a four-port Ethernet switch built-in, guests could plug into that as well for wired access.

    In general, since SMB is a broadcast-based protocol, and Microsoft protocols in general are promiscuous and not all that secure, what you need to do is to establish a separate physical network with a firewall between it at your Windows machines.

    A separate logical network could be setup using multiple VLANs on a switch, and with a router between VLANs you could setup access control lists to allow certain traffic to pass (to allow your guests access to a LAN printer for example), but that would require a LAN-to-LAN router as well an Ethernet switch that can support VLANs.

    +
    1 Votes
    JomegaJohn

    Hi robo_dev

    This is REALLY helpful, thank you!

    I don't at all understand the 2nd option around VLANs, but I think I get the 1st extra router option it seems a great way to keep a firewall between the two networks!

    I have a spare Linksys WRT54G with a WLAN port previously setup for a PPPoE WLAN input from the ADSL modem. From what I understand, I can just plug a network cable between that WLAN port and a spare port on my current router, and then plug my guests into the Linksys WRT54G network ports.

    What I'm not clear on is whether I will need to change the Linksys WRT54G configuration at all (since it was set up to expect to a PPPoE logon on the WLAN port).

    So, how will I need to change the setup?

    1) how will the Linksys WLAN port need to be configured, if at all?
    2) will I need to change the Linksys Firewall or DCHP server settings, or any other ones, if so how?
    3) It seems that I wouldnt need to change any settings on the current router (a BT Home Hub 3.0), but if I do what would they be?

    Very many thanks again :)

    +
    0 Votes
    JomegaJohn

    Ahah! I made great progress :)

    I connected the old Linksys router's WLAN to the current router.

    Then I conifugured the router (running Tomato firmware, as it happens) - changing the WLAN from PPPoE to DHCP and it worked! (though to be fair, I had previously changed the router's address to 192.168.2.1 rather than 192.168.1.1 )

    Plugging in a computer (with Dynamic IP allocation) automatically gave it 192.168.2.100 (as first avaiable DHCP address) and I immedaitely got full speed internet access.

    I took a look at the Firewall in the Linksys, but couldn't make sense of the few settings, so just left them.

    However, simply browsing the Network in Windows 7 over this new connection did, indeed, NOT reveal any of my own WORKGROUP computers!

    So, I reckon it's DONE - yippee!!

    Thanks so much again.

    +
    1 Votes
    robo_dev

    But seriously, glad that worked for you.

    VLANs are a way to divide an Ethernet network into multiple networks on a single switch.

    For example, if you have a 24 port Cisco switch, you can create a network and subnet using ports 1-12 as VLAN1, and ports 13-24 as VLAN2. It's exactly like having two ethernet switches, however it's still one switch.

    +
    1 Votes
    JomegaJohn

    Hi robo_dev

    This is REALLY helpful, thank you!

    I don't at all understand the 2nd option around VLANs, but I think I get the 1st extra router option it seems a great way to keep a firewall between the two networks!

    I have a spare Linksys WRT54G with a WLAN port previously setup for a PPPoE WLAN input from the ADSL modem. From what I understand, I can just plug a network cable between that WLAN port and a spare port on my current router, and then plug my guests into the Linksys WRT54G network ports.

    What I'm not clear on is whether I will need to change the Linksys WRT54G configuration at all (since it was set up to expect to a PPPoE logon on the WLAN port).

    So, how will I need to change the setup?

    1) how will the Linksys WLAN port need to be configured, if at all?
    2) will I need to change the Linksys Firewall or DCHP server settings, or any other ones, if so how?
    3) It seems that I wouldnt need to change any settings on the current router (a BT Home Hub 3.0), but if I do what would they be?

    Very many thanks again :)

    +
    1 Votes
    robo_dev

    But seriously, glad that worked for you.

    VLANs are a way to divide an Ethernet network into multiple networks on a single switch.

    For example, if you have a 24 port Cisco switch, you can create a network and subnet using ports 1-12 as VLAN1, and ports 13-24 as VLAN2. It's exactly like having two ethernet switches, however it's still one switch.