
Can this be achieved through subnetting?

Zero1

Occasional Visitor
Hi guys.
I have a question regarding subnetting and restricting access to certain parts of the network. Pretty much everything I know about networking (which isn't a great deal) is self-learned through experimenting, so there are bound to be gaps or plain misunderstandings.

Let me explain the situation. I'd like to create two separate networks, so that the computers on them can't communicate with each other, but so they will be able to share the same modem, and also a printer. One half of the network will be handled by router 1, and the other by router 2 (there are more devices, but I left them out to keep the image simple).

Here's more or less how the network would be physically set up. The modem is downstairs and is connected by wire to router 1 and router 2. My laptop (PC2) is connected wirelessly to router 2 (as well as a NAS/shared folder I plan to have, which isn't pictured). My sister's laptop (PC1) is connected wirelessly to router 1 and the intention here is that she does not have access to the NAS (or any other device connected to router 2, except the printer). Though I recognise, as I've said that, that the printer would probably need a different IP address.

I also have an Xbox and PS3 that will be connected at the same physical location as the printer, and will be sharing media from an open shared folder on a PC at the same location as PC2.

I hope that by segregating the networks so all her traffic is restricted to within router 1 and mine within router 2, that it will kick her music stealing, network lagging tendencies into touch.

I was also thinking about the possibility of offering a wifi hotspot, but again it would need to be on its own network, separate from all the others to prevent intruders.

[Attached image: networkhb.png]


So what do you guys think? Is what I am aiming for possible, and if so could anyone give me a pointer as to the hostmasks? I gather for this kind of network it would be something like 255.255.252.0. Would you enter that same host mask for every device on the network, or if I'm wanting to restrict access, would I put a different hostmask on PC1 for example, compared to PC2?

I think maybe I'd have to change my addresses to 172.168.X.X also.

Many thanks
 
It sounds like you are describing two problems: your sister's network activity affecting yours, and the desire to deny her access to your resources.

Your solution would not address the former since the bottleneck is at the modem/ISP. Even to simply provide connectivity, your modem must either be able to issue public IPs to each router or support NAT (which is likely if the modem contains an integrated router).

Printer sharing will be a pain if it is your introduction to NAT traversal. How severe depends on its placement in the network.

If you set up your NAS properly you should be able to deny your sister access without resorting to network segmentation. For your current situation, are your clients unable to support hidden/passworded shares?

Subnetting is implementation-specific and as such should be delayed until you have a solution hammered out.
 
@jdabbs
I think the way I put it may have been misleading. Her internet use isn't really affecting me. The problem is that my game consoles and media are connected to the LAN side of a WRT54G acting as a wireless bridge connected to the routers downstairs. It means if she copies stuff from my media share that the wireless link of the WRT54G gets choked and affects the ability for the Xbox to communicate with the router downstairs.

Here's a pic of my current setup. The E4200 is a new addition specially for my own laptop so I can download at 100mbps over wireless. I haven't connected anything to it as I don't want to degrade the signal or performance of the router, as I only just get my required bandwidth at my location. However I do intend to replace my WRT54G with another E4200 running DD-WRT as a wireless bridge soon, to be connected to the existing one. I'm also waiting on a firmware update for the Virgin modem/router to put it into bridge mode instead of the E4200, so I can let the Linksys do its stuff instead. That's what has prompted me to think about rejigging my network.
[Attached image: netyi.png]


Yes, currently my media share is on an old XP machine (which I don't think you can password protect media shares on), and the clients, in this case a PS3 and Xbox360, I don't think support passworded shares either. I know media is shared to the consoles using Windows Media Player, but I like to have the share open so I can drop any new music into it. Right now I have to VNC into the media box (because it's headless), enable the share, transfer and disable the share. If they were on separate networks I could just leave the share up all the time and not worry about stuff getting deleted or my WRT54G struggling.

Thanks a lot for the info, that was a good read. So simple I think almost anyone could follow it.

But before you posted those links, I got chatting to a friend about how I might go about this. To cut a long story short, it turned out to be similar to your write up of the community center's network, but we also got into different subnet values and creating static routes.

If I do as your guide suggested, putting computer 1 on router 1, and computer 2 on router 2 (both connected to a switch to share the internet), then computers 1 and 2 have internet access, but cannot access each other, right?

Am I understanding static routes correctly in that you specify a path to follow? Let's say PC1 and PC2 are on their respective routers, but there is also a printer on router 2. Ordinarily there is no communication between devices on router 1 and router 2, but if I set a static route in router 1 pointing to the printer on router 2, would that create an exception and allow communication to that one device on the other router?

If this is so, then this would be the key. I could have devices on their own networks, but make exceptions as I see fit to allow communication between certain devices. That would be perfect for me.


Now regarding subnets, I want to clarify how they work. Let's assume we have a network like the community center's set up. If a computer has an address of 192.168.1.100 and a mask of 255.255.255.0, it can only communicate with addresses in the 192.168.1.X range, right? So in this case, devices on the other router, in the 192.168.2.X range are inaccessible.

If I were to set the host mask of the computer at 192.168.1.100 to 255.255.252.0, would that then allow it to communicate with devices on 192.168.0.X, 192.168.1.X, 192.168.2.X, 192.168.3.X?

Also this is going to be an incredibly noobish question, but do hostmasks work both ways? For example if you set a host mask on a computer of 255.255.255.0, that prevents communication outside of the 192.168.1.X range, but if a computer on 192.168.2.X tried to initiate contact with the computer on 192.168.1.X, would the host mask prevent that or is it a one way thing?



In case you wonder where I'm going with this, this is what I had in mind, referring to my original image.

PC1:
IP:192.168.1.100
Mask:255.255.252.0

PC2:
IP:192.168.2.100
Mask:255.255.255.0

Printer:
IP:192.168.2.2
Mask:255.255.252.0

If subnets work how I think (or hope) they do, then PC1 would be able to reach the printer (presumably once a static route has been set), since the subnet mask allows it to access 192.168.0.X, 192.168.1.X, 192.168.2.X and 192.168.3.X addresses.

PC2 can also access the printer, since the host mask restricts it to 192.168.2.X, but that's Ok since the printer is on the same subnet.

However the bit I'm not sure about would be if the communications between PC1 and PC2 would be blocked. I know that with a mask of 255.255.252.0 that PC1 has access to 4 subnets, but since the host mask of PC2 is set to 255.255.255.0, effectively blocking out communications to anything other than addresses within the 192.168.2.X range, would that have the effect of blocking communications from a computer on 192.168.1.100, or am I mistaken in my understanding of subnets?


I appreciate your excellent guide, but somewhat understanding this concept would open doors for me, so if you have time to give me any pointers (or if you know of any good learning resources), I'd love to read it.


Also thanks for your review on the Linksys E4200. Picked this up the other day and was pleasantly surprised. At close range I got around 224mbps transferring files, and at the other side of the house, I averaged 100-120mbps which is just enough to get the most out of my cable.

Many thanks.
 
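The three hosts and masks proposed in the post above, worked through with Python's standard ipaddress module. This is an added example, not code from the thread: the two router addresses (192.168.1.1 and 192.168.2.1) used as default gateways are assumed for illustration. It shows which address range each mask covers, which next hop each host picks for each other host, and that the PC1/PC2 pair is asymmetric: PC1 (/22) treats PC2 as on-link, while PC2 (/24) hands the reply to its gateway. A mask only decides where a host sends a packet; it never refuses one that arrives, so it is not an access control.

```python
"""Subnet-mask arithmetic for the PC1 / PC2 / printer layout in the post.

Added example. Addresses and masks are the ones the poster proposed; the
gateway addresses (.1 of each router) are an assumption for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    iface: ipaddress.IPv4Interface   # address + mask as configured on the host
    gateway: ipaddress.IPv4Address   # default gateway (assumed)

    @property
    def network(self) -> ipaddress.IPv4Network:
        return self.iface.network

    def next_hop(self, dst: ipaddress.IPv4Address) -> str:
        """Where this host sends a packet for dst.

        'direct' means it ARPs for dst on its own segment because dst falls
        inside its OWN mask; otherwise it forwards to its default gateway.
        Only the sender's mask is consulted; the receiver's mask is unknown
        to it, which is why a mismatch can be one-sided.
        """
        if dst in self.network:
            return "direct"
        return str(self.gateway)


# Values from the post; gateways assumed.
PC1 = Host("PC1", ipaddress.ip_interface("192.168.1.100/255.255.252.0"),
           ipaddress.ip_address("192.168.1.1"))
PC2 = Host("PC2", ipaddress.ip_interface("192.168.2.100/255.255.255.0"),
           ipaddress.ip_address("192.168.2.1"))
PRINTER = Host("Printer", ipaddress.ip_interface("192.168.2.2/255.255.252.0"),
               ipaddress.ip_address("192.168.2.1"))
HOSTS = (PC1, PC2, PRINTER)


def reachable_range(host: Host) -> tuple[str, str]:
    """First and last usable address the host's mask treats as on-link."""
    n = host.network
    return str(n[1]), str(n[-2])


def forwarding_table() -> dict[tuple[str, str], tuple[str, str]]:
    """For every ordered pair (src, dst): (how src forwards to dst,
    how dst forwards its reply back to src)."""
    rows = {}
    for src in HOSTS:
        for dst in HOSTS:
            if src is dst:
                continue
            rows[(src.name, dst.name)] = (src.next_hop(dst.iface.ip),
                                          dst.next_hop(src.iface.ip))
    return rows


def asymmetric_pairs() -> list[tuple[str, str]]:
    """Unordered pairs whose two hosts disagree about sharing a subnet.

    Such a pair still talks if the routers forward between the /24s; the
    mismatch only changes the path the reply takes. Nothing here blocks.
    """
    pairs = set()
    for (s, d), (fwd, back) in forwarding_table().items():
        if (fwd == "direct") != (back == "direct"):
            pairs.add(tuple(sorted((s, d))))
    return sorted(pairs)


if __name__ == "__main__":
    for h in HOSTS:
        lo, hi = reachable_range(h)
        print(f"{h.name:8} {h.iface!s:28} on-link range {lo} .. {hi}")
    for (s, d), (fwd, back) in forwarding_table().items():
        print(f"{s} -> {d}: sends {fwd:>12};  {d} replies via {back}")
    print("asymmetric pairs:", asymmetric_pairs())
```

Running it shows PC1's /22 spanning 192.168.0.1 to 192.168.3.254 while PC2's /24 covers only 192.168.2.x, and that the only asymmetric pair is PC1/PC2. Whether PC1 actually reaches PC2 is then decided by what sits between the two segments (routers, NAT, firewall rules), not by either mask.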
The NAT firewall on the second downstream router will prevent access to any resources on its LAN. You can set all the static routes in the world, but the NAT firewall will block them.

Traffic separation can be more simply achieved using a "smart" / managed switch with VLAN capability. Cisco / Linksys RV series routers have VLAN capability built into the internal switch. Much easier way to go vs. messing with subnets, which really don't separate traffic (for anyone who knows how to tweak static routes) and are a hassle to manage.

See VLAN How To: Segmenting a small LAN
 