Limit/Restrict access between subnets

A wireless access point grants wireless clients the same access to networks as any wired client has. So, if there are several subnets (routed or bridged) on the LAN, then any client (wired or wireless) will have the same access to all subnets (unless specific rules exist saying otherwise).
Source: http://www.tomshardware.co.uk/forum/page-9358_18_0.html
Hi Everyone
I found this text on some forum and I'd like to understand it, or at least, I'd like to understand what is meant by "unless specific rules exist saying otherwise".
The reason for my question is that it's exactly what I'm looking to do. I have a 1st subnet that isn't equipped with wifi and has a few computers connected to it. This subnet is on 192.168.0.0/24. I connected to this subnet a Linksys WRT54G2 that works as a "Gateway" and not as a "Router" and defines the subnet 10.0.0.0/24. This way I can share my internet connection; however, my original idea was to have 2 different subnets and make sure they wouldn't be able to communicate with each other (except for the printer that's on the 1st subnet at 192.168.0.2/24).
Internet
   |
 Modem
   |
Router (no wireless)
   |
   +--------+--------+--------+--------+---------+   192.168.0.0/24
   |        |        |        |        |         |
  PC1      PC2      PC3      PC4    Router    Printer
                                 (wireless)
                                     |
                            +--------+--------+   10.0.0.0/24
                            |        |        |
                           PC5      PC6      PC7
What happens is that the machines on the 2nd subnet (10.0.0.0/24) can see the machines of the 1st one (192.168.0.0/24). For example, when I'm on machine 10.0.0.5/24 and I ping 192.168.0.2, not receiving any answer from my subnet, the request is sent to the gateway (WRT54G2), which in turn forwards the request to the subnet 192.168.0.0/24, where it does indeed get an answer.
And of course, the machines on the 1st subnet cannot see the machines on the 2nd. Obviously, when I'm on 192.168.0.5/24 and I ping 10.0.0.5, the 1st subnet doesn't have any static routes defined to ask the 2nd router to route the request.
All that's not bad, but not good enough yet. I'd like to make sure the 2 subnets cannot communicate at all, except for the printer. Or, ideally, the 1st subnet could access the 2nd one, but the 2nd one couldn't access the 1st one.
After thinking a little bit I thought, it shouldn't be that hard, I could simply swap the 2 subnets, PC5, 6 and 7 would be connected through wireless to a first router that is itself directly connected to the internet, and my 2nd subnet would be initialised by the router that doesn't have wifi, like this:
Internet
   |
 Modem
   |
Router (wireless)
   |
   +--------+--------+--------+---------+   192.168.0.0/24
   |        |        |        |         |
  PC5      PC6      PC7    Router    Printer
                        (no wireless)
                              |
                +--------+----+---+--------+   10.0.0.0/24
                |        |        |        |
               PC1      PC2      PC3      PC4
But here's the problem: that 1st subnet is in fact the one of my dad in law, and he has no intention whatsoever to change anything. He's also very paranoid about security (he buys and sells shares and does quite a few sensitive things), and I don't really want to invest in another internet connection when we have a perfectly working one already...
So, to sum up my question: would it be possible, in one way or another, without changing the topology, to restrict the access between the 2 subnets while keeping a door open for the printer?
I realise this post is quite long, so thank you for reading it until the end!!

Well, as both your routers are connected to each other, this means both your routers are in the same network, and if you try to ping a computer which is on the 1st network you will get replies. When you ping a computer on the 1st router, your 2nd router will talk to your 1st router, and your 1st router will give it the replies.
So basically what you want to do is block all the computers from accessing each other's network on the different subnet. This means router 1 computers should not access the computers on router 2. In this case, what you can try is: change the workgroup name of the computers which are connected to your 1st router, and change the workgroup names of the computers which are connected to the 2nd router. On your router setup page, below the Security tab, you need to check the box "Filter Anonymous Internet Requests" and click on Save Settings. This will disable file and printer sharing, and your router 1 computers will not have access to the router 2 computers, as both sets of computers will be in different domains.
The printer which you have, is it a network printer or a normal USB printer? If it's a USB printer, then if you change the workgroup name of the computer where the printer is connected, that printer might not work on the computers on the 2nd router.
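The "specific rules" the quoted text alludes to live on the router that joins the two subnets. The Python below is an added illustration, not code from this thread and not Linksys firmware: it models such a rule set for the asker's topology, with a hole for the printer at 192.168.0.2 and a one-way allowance from subnet 1 to subnet 2, and renders the same policy as iptables commands. It assumes a Linux-based router firmware that exposes first-match forwarding rules with connection tracking (the stock WRT54G2 web interface does not), and it leaves aside the static route the wired router would also need for subnet 1 to reach subnet 2.

```python
"""Per-subnet forwarding policy for the two-router home network above.

Added illustration, not code from the forum post and not Linksys firmware. It
assumes the wireless router can apply ordered, first-match forwarding rules
with connection tracking, as a Linux-based router firmware would.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

WIRED = ip_network("192.168.0.0/24")        # subnet 1: no wifi
WIRELESS = ip_network("10.0.0.0/24")        # subnet 2: behind the WRT54G2
PRINTER = ip_network("192.168.0.2/32")      # the one host subnet 2 may reach


@dataclass(frozen=True)
class Rule:
    src: Optional[IPv4Network]   # None means "any source"
    dst: Optional[IPv4Network]   # None means "any destination"
    action: str                  # "accept" or "drop"
    note: str = ""


# Ordered policy, first match wins. The rules only see *new* flows; replies to
# an accepted flow are let through by connection tracking in Forwarder.
POLICY = [
    Rule(WIRELESS, PRINTER, "accept", "printer hole"),
    Rule(WIRELESS, WIRED, "drop", "subnet 2 must not reach subnet 1"),
    Rule(WIRED, WIRELESS, "accept", "subnet 1 may reach subnet 2"),
    Rule(None, None, "accept", "everything else, e.g. the internet"),
]


class Forwarder:
    """Evaluates the policy for each new flow and remembers accepted ones."""

    def __init__(self, policy):
        self.policy = policy
        # Simplified conntrack: (src, dst) of accepted flows. A real router
        # also tracks ports and TCP state, so one accepted flow does not open
        # the whole reverse direction the way this toy does.
        self.established = set()

    def forward(self, src: str, dst: str) -> str:
        s, d = ip_address(src), ip_address(dst)
        if (d, s) in self.established:
            return "accept"                       # reply to an accepted flow
        for rule in self.policy:
            src_ok = rule.src is None or s in rule.src
            dst_ok = rule.dst is None or d in rule.dst
            if src_ok and dst_ok:
                if rule.action == "accept":
                    self.established.add((s, d))
                return rule.action
        return "drop"                             # implicit default


def to_iptables(policy) -> list:
    """Render the policy as iptables FORWARD-chain commands (text only, not run)."""
    cmds = ["iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for rule in policy:
        parts = ["iptables -A FORWARD"]
        if rule.src is not None:
            parts.append(f"-s {rule.src}")
        if rule.dst is not None:
            parts.append(f"-d {rule.dst}")
        parts.append("-j " + ("ACCEPT" if rule.action == "accept" else "DROP"))
        cmds.append(" ".join(parts))
    return cmds


if __name__ == "__main__":
    fw = Forwarder(POLICY)
    for flow in [("10.0.0.5", "192.168.0.2"), ("10.0.0.5", "192.168.0.5"),
                 ("192.168.0.5", "10.0.0.5"), ("10.0.0.5", "203.0.113.10")]:
        print(flow, "->", fw.forward(*flow))
    print("\n".join(to_iptables(POLICY)))
```

The order of the rules is the whole point: the printer exception must come before the subnet-wide drop, and the conntrack rule must come first of all, or replies from subnet 2 to connections that subnet 1 opened would be dropped by the second rule.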

Similar Messages

  • Restricting access between the hours of 9am and 5pm

    I need help in creating a policy to restrict access between office hours. I have created the function,
    but don't know how to link this up with my database. Below is the function I created:
    create or replace function office_hrs_only
    (p_schema IN VARCHAR2 DEFAULT NULL,
    p_object IN VARCHAR2 DEFAULT NULL)
    return VARCHAR2
    AS
    BEGIN
    RETURN 'to_char(sysdate,''HH24'') between 9 and 17';
    END;
    regards,
    christina

    Hi, Christina,
    christylong wrote:
        i need help in creating policy to restrict access between office hours. i have created the function,
        but don't know how to link this up with my database. below is the function i created
    Are you trying to implement a row-level security policy? If so, you need to call dbms_rls.add_policy, as shown in the Packages and Types manual:
    http://download.oracle.com/docs/cd/B28359_01/appdev.111/b28419/d_rls.htm#i1000830
        create or replace function office_hrs_only
        (p_schema IN VARCHAR2 DEFAULT NULL,
        p_object IN VARCHAR2 DEFAULT NULL)
        return VARCHAR2
        AS
        BEGIN
        RETURN 'to_char(sysdate,''HH24'') between 9 and 17';
        END;
    Remember, TO_CHAR returns a string, so you should compare it to other strings, not numbers. Try this:
        RETURN  'to_char(sysdate,''HH24'') between ''09'' and ''16''';
    If you make the upper limit '16', then people will be able to use the table as late as 16:59:59, that is, one second before 5:00 PM.
    That's not completely intuitive, is it? Maybe it would be better if you said:
        RETURN  'to_char(sysdate,''HH24:MI:SS'') between ''09:00:00'' and ''17:00:00''';
    Edited by: Frank Kulash on Aug 21, 2011 12:11 AM

  • My high school aged child is spending too much time on Facebook, Tumblr to the detriment of home work.  Is there any way I can limit the access to these sites to between 8pm and 10pm?

    My high school aged child is spending too much time on Facebook and Tumblr. Is there any way I can limit the access time on these sites to between 8pm and 10pm?

    System Preferences>Parental Controls has time limits - check out this intro to Parental Controls from Cult of Mac on YouTube.
    Clinton

  • Restricted access to attachments in SRM 7.0 web applications

    Hi,
    We have a very specific problem regarding the handling of attachments with SRM 7.0 web applications. The system is configured to use ArchiveLink for storing documents on a remote content server, which is working fine.
    Now we have a requirement which should restrict access to certain documents to specific user groups. As an example you could say that a Purchase order has (besides others) two documents attached, e.g.
    - signed contract
    - meeting minutes
    The contract should only be visible to a limited number of people, whereas the Meeting Minutes are accessible to everybody.
    Our problem is that apparently only one Content Category ("BBPFILESYS") is used by the SRM web applications for an upload. When granting authorizations on this content category, we cannot distinguish between contracts and meeting minutes anymore.
    Comparing this with the config in ECC we can freely define document types which can be used in AUTH profiles. Is there any similar solution that can be used in SRM 7.0?
    Any help would be greatly appreciated.
    Cheers,
    Mark

    Hello,
    Have a look at note 1334202. It provides some inputs.
    Regards,
    Ricardo

  • SSH login- how do I restrict access to a shared folder?

    I have created Shares in WGM for SMB and AFP access on my OS X 10.4.8 Server. However when I connect via SSH it's not restricting access to the folder based on the User Name I login with- I see the entire volume! How do I restrict access to a specific folder based on a user name setup in WGM? ACL's?

    Hey George,
    It sounds like you are trying to limit ssh/sftp users to a specific area, aka jails. The FTP server lets you 'chroot' users to a certain area making it appear as the root thus preventing them from navigating up the hierarchy, which is what I think you, and me and many others are trying to accomplish.
    The ssh compiled into OS X is missing this very needed feature. There have been a few documented workarounds, but they've either been too insecure or too clunky for me.
    I've dealt with the fact that my users can get to the root of the hard drive, and have just been very careful about my privileges (by using ACLs), thus preventing them from getting inside areas they shouldn't.
    There's a good write up here: http://www.schwie.com/brad/macosxsftpchroot/ and if you include the term 'chroot' in your searches, you should find a bit about it here too.
    And Roger, I think George meant the file sharing protocol used by ssh. man sftp.

  • Is there a way to disable/restrict access to Help Restart with Add-ons Disabled or just to Help altogether?

    I have students who use Help>Restart with Add-ons Disabled to disable add-ons, reset things, and go into Safe Mode. I'd like to be able to disable their ability to do so. Is this possible? I am also using a product called Fortres 101, which is a file security application. I can use it to limit file access to read only or even no access. If there are certain files that Firefox uses to allow access to these options, then maybe I can use these file names and make them read only or no access.

    Note that you would only have to hold down the Shift key while starting Firefox to start in Safe Mode.
    Any restriction added via an extension can easily be bypassed by knowledgeable users.
    See also:
    *http://mike.kaply.com/2012/04/10/customizing-firefox-disabling-safe-mode/
    *http://mike.kaply.com/2013/01/11/disabling-safe-mode-in-firefox-17/

  • Multiple routers and subnets - can't access across subnets

    Hey all, I'm having an issue with multiple routers and subnets on my FIOS connection. Here's how everything is setup:
    Primary router:
    ActionTec MI424WR Rev D (from Verizon)
    WAN IP: From ISP
    WAN NETMASK: From ISP
    LAN IP: 192.168.1.1
    LAN NETMASK: 255.255.255.0
    Secondary router (WAN connected to ActionTec LAN):
    Belkin N750 gigabit w/ 802.11n
    WAN IP: 192.168.1.2
    WAN NETMASK: 255.255.255.0
    LAN IP: 192.168.2.1
    LAN NETMASK: 255.255.255.0
    With this setup, I have the secondary router's WAN port connected to a LAN port on the primary router. Each are broadcasting an SSID and each are running DHCP to assign address to their respective subnets. Everything was well and good, except that I could reach 192.168.1.* systems from 192.168.2.*, but not vice versa -- anything connected to the Primary router was blind to systems connected to Secondary. Also, I could not ping anything on .2 from .1.
    So, I added the following static route to the primary router:
    DESTINATION: 192.168.2.0
    NETMASK: 255.255.255.0
    GATEWAY: 192.168.1.2
    Once this was added to the router, I could ping everything, so that was good. However, even though .1 can now ping .2, I can't access certain things such as the web interface of my NAS (192.168.2.2). I can ping it, but accessing it in the browser from .1 doesn't work; however, accessing from .2 does work.
    I think the ActionTec router might be blocking it, but that's just a guess. The firewall on this thing has me thoroughly confused. Currently, I have 192.168.1.2 in the DMZ on the ActionTec, but that didn't make a difference. I've also completely disabled the firewall on the secondary Belkin router, but still nothing.
    Any help from the pros here? Much appreciated!

    Ok, I figured it out and everything is now working. The issue appears to be that the ActionTec router doesn't recognize traffic from Subnet 1 to Subnet 2 as internal traffic -- it treats it as external traffic and closes it off. To fix this, it required some Advanced Firewall Filters that were far from intuitive and took a lot of testing to get just right. If anyone runs into a similar situation in the future, here's a rundown of what I did to make it all work:
    Primary Router:
    ActionTec, MI424WR Rev D
    WAN IP/NETMASK: Assigned by ISP
    LAN IP/NETMASK: 192.168.1.1 / 255.255.255.0
    Secondary Router:
    Belkin N750 Gigabit w/ 802.11n
    WAN IP/NETMASK: 192.168.1.2 / 255.255.255.0
    LAN IP/NETMASK: 192.168.2.1 / 255.255.255.0
    Plug Secondary router's WAN port into a LAN port on the Primary router.
    Setup Secondary router to have static LAN address (192.168.1.2)
    At this point, you should have 2 separate subnets: Subnet 1 (192.168.1.*) and Subnet 2 (192.168.2.*).
    Systems on both subnets should be able to reach the internet. Also, Subnet 2 should be able to ping and reach systems on Subnet 1; however, systems on Subnet 1 should not be able to ping or reach systems on Subnet 2. For this, we need to create a static route so Subnet 1 can reach Subnet 2.
    Create and apply the following static route in the Primary router (Advanced > Routing):
    RULE NAME: Network (Home/Office)
    DESTINATION: 192.168.2.0 (your secondary subnet)
    GATEWAY: 192.168.1.2 (secondary router's WAN IP)
    NETMASK: 255.255.255.0
    METRIC: 1
    The router now has a route between Subnet 1 (192.168.1.*) and Subnet 2 (192.168.2.*). You should be able to ping systems on Subnet 1 from 2, and ping systems on Subnet 2 from 1. You should not be able to access any systems, though -- the firewall is still blocking all but ping traffic from Subnet 1 to Subnet 2. We need to create some firewall rules to allow this communication.
    Make sure Primary firewall is set to at least typical/medium (Firewall Settings > General).
    We need to create some network objects to make it easier to manage the rules we'll create. Go to Advanced > Network Objects and do the following:
    1. Click Add. You are now on the Edit Network Object screen.
    2. Set Description to 'Subnet 1'.
    3. In the Items section below, click Add.
    4. Set Network Object Type to 'IP Subnet'.
    5. Set Subnet IP Address to 192.168.1.0.
    6. Set Subnet Mask to 255.255.255.0.
    7. Click Apply. You are now back on the Edit Network Object screen.
    8. Click Apply. You are now back on the Network Objects screen.
    9. Repeat the above steps again, but this time creating a second network object called 'Subnet 2':
    Name: Subnet 2
    IP Subnet: 192.168.2.0
    Subnet Mask: 255.255.255.0
    Now we create the firewall rules. Go to Firewall Settings > Advanced Filtering.
    In the Inbound/Input rules section, click the Add link next to Network (Home/Office) Rules.
    Create the following Advanced Filter:
    SOURCE ADDRESS: Select 'Subnet 1'
    DEST. ADDRESS: Select 'Subnet 2'
    PROTOCOL: 'Any'
    OPERATION: 'Accept Packet'
    OCCUR: 'Always'
    Click Apply. You will now be back on the Advanced Filtering page.
    In the Outbound rules section, click the Add link next to Network (Home/Office) Rules.
    Create the following Advanced Filter:
    SOURCE ADDRESS: Select 'Subnet 1'
    DEST. ADDRESS: Select 'Subnet 2'
    PROTOCOL: 'Any'
    OPERATION: 'Accept Packet'
    OCCUR: 'Always'
    Click Apply. You will now be back on the Advanced Filtering page.
    Click Apply.
    You're all done. You should now have internet access on both subnets, be able to ping across subnets and also be able to access services across subnets (local webservers, SSH, telnet, mail, etc). You will not be able to see network file shares across subnets in Windows, however, as this requires a WINS server (which is well outside the scope of this post). For instance, I have a Western Digital NAS on the 192.168.2.0 subnet that I can access as \\Mybooklive\ from within Subnet 2; on Subnet 1, however, I have to access it by its IP \\192.168.2.10\. 
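Why subnet 2 could reach subnet 1 before the static route existed, while subnet 1 could not reach subnet 2, comes down to what the primary router's routing table says about 192.168.2.0/24. The Python below is an added illustration, not the poster's configuration or any vendor's code: a longest-prefix route lookup over the primary router's table before and after the static route, assuming the Belkin NATs its LAN behind its WAN address 192.168.1.2 (which is what makes the 2-to-1 direction work with no route at all). The ActionTec firewall filters from the post are a separate step and are not modelled.

```python
"""Longest-prefix route lookup for the two-router layout described above.

Added illustration, not the poster's configuration or any vendor's code. The
secondary router is assumed to NAT its LAN behind 192.168.1.2.
"""
from ipaddress import ip_address, ip_network

SUBNET1 = ip_network("192.168.1.0/24")   # primary router LAN
SUBNET2 = ip_network("192.168.2.0/24")   # secondary router LAN
SECONDARY_WAN = "192.168.1.2"            # secondary router's address on subnet 1


def lookup(table, dst):
    """Next hop for dst: the most specific matching prefix wins, as in any router."""
    d = ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


# Routing tables as (prefix, next hop). "direct" means delivered on-link.
PRIMARY_BEFORE = [
    ("192.168.1.0/24", "direct"),
    ("0.0.0.0/0", "isp-upstream"),       # default route via the ISP-assigned WAN side
]
PRIMARY_AFTER = PRIMARY_BEFORE + [("192.168.2.0/24", SECONDARY_WAN)]


def reachable(src, dst, primary_table, secondary_nat=True):
    """True if a request from src reaches dst *and* the reply makes it back."""
    s, d = ip_address(src), ip_address(dst)
    if s in SUBNET1 and d in SUBNET2:
        # The subnet 1 host hands the packet to its gateway, the primary router,
        # which can only help if it knows that 192.168.2.0/24 lives behind .1.2.
        return lookup(primary_table, dst) == SECONDARY_WAN
    if s in SUBNET2 and d in SUBNET1:
        # The secondary router's WAN side sits on subnet 1, so the request is
        # delivered on-link. The reply depends on which source address dst saw.
        reply_to = SECONDARY_WAN if secondary_nat else src
        if ip_address(reply_to) in SUBNET1:
            return True                   # on-link reply, no routing needed
        # Un-NATed source: dst sends the reply to its gateway, which must route it.
        return lookup(primary_table, reply_to) == SECONDARY_WAN
    # Same-subnet traffic never touches a router's table.
    return (s in SUBNET1 and d in SUBNET1) or (s in SUBNET2 and d in SUBNET2)


if __name__ == "__main__":
    for table, label in [(PRIMARY_BEFORE, "before"), (PRIMARY_AFTER, "after")]:
        print(label, "1->2:", reachable("192.168.1.5", "192.168.2.2", table),
              "2->1:", reachable("192.168.2.5", "192.168.1.5", table))
```

Without the static route the primary router's only match for 192.168.2.2 is the default route, so the packet leaves for the ISP and is silently lost; with the route, the next hop is the Belkin's WAN address and delivery works, leaving only the firewall to deal with.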

  • WRT54G / upgraded firmware, unable to access across subnets

    Hi,
    I have a network with 10 WRT54G (v6)'s. Recently I upgraded the firmware on two units from 1.00.7 to the latest 1.02.2 and am experiencing some network weirdness.
    The wireless routers are connected via the LAN port to a Linux router which is a firewall/bridge between subnets 10.1.3.x & 10.1.1.x. I have rules in place to allow my workstation to http to the 10 routers and disallow everything else. All of this is logged.
    I cannot, from my workstation (10.1.1.x), access the web interface on the two units I upgraded the firmware on (10.1.3.x). I can still access the web interface on the remaining units (10.1.3.x).
    I can however access the web interface from the same subnet to the newly upgraded units.
    I can see from the firewall log that the packet is making it out correctly and tcpdump verifies this.
    Does anybody have a clue what is going on.  I feel like it would be best to return to the previous firmware, but where do I find it???
    Thanks,
    Lee

    Hi Lee,
    logon to ftp://ftp.linksys.com/pub/network/ and download the previous firmware version and try downgrading the firmware...

  • FMS Limit Domain Access??

    How do you limit access to FMS app instances from a certain
    domain? For example, if I only want example.com/file.swf to create
    an app instance and run - but if I try localhost/file.swf or
    otherdomain.com/file.swf it will not? Thank you.

    Check out this file here:
    http://www.adobe.com/products/flashmediaserver/pdfs/FlashMediaServer3_WhitePaper_ue_v1.pdf.
    I don't know if you can limit on an application instance level, but
    you can set on the server level.
    Here's the relevant block from the PDF, on page 50:
    quote:
    Restrict access from domains By default, a client can connect
    to Flash Media Server from any domain or IP address, which can be a
    security risk. You can create a whitelist of allowed domains (or a
    blacklist of banned domains) to ensure that only authorized clients
    can connect to your applications or services. You can add a
    comma-delimited list of domains and/or IP-address blocks in the
    Adaptor.xml or vHost.xml configuration files to add this level of
    security. This is usually the first step in locking down your
    server; it prevents malicious or unauthorized domains from freely
    accessing your applications and streams.

  • Restricting access to Queries via Search

    Does anyone have any ideas on restricting access to queries from the BEx search? We have folks that are using the search functionality of BEx and are finding queries that have not been published to a reporting role. We instruct our query writers that when developing queries, do not publish them to a reporting role until they are finalized and tested. We are finding that folks are using search in BEx and finding these queries that may be in the middle of development and trying to use them. In other words, we would like to restrict the BEx search to just queries published to reporting roles.

    Hi Diago,
    Our dilemma is that restricting access of the search by query name (via the role) requires the query writer, when finished with the development of their query, to do a save-as with a different technical name that falls into the role restrictions of the authorization. This then leaves two versions of the query out there until the original gets deleted, if the query writer happens to remember to do that. It would be great to limit the search mechanism to just published queries. What are other folks doing to get around this issue? It seems that everyone would be running into it unless the search could be restricted in such a manner.

  • Restricting Access Based on IP Address

    I am wondering how Oracle Identity Management lets us check if the request comes from a specific IP Address before authentication. I need to restrict access to web pages for a username or role to a certain location and IP address, in fact a bank branch.
    Please note that I don't want to limit access to the server to one IP address in general, but I need to let in a pair of (IPx,Usernamex) in other words bind IPs and identities.
    Any suggestion for this?
    Thank you
    Regards,
    Farbod

    Hi
    Sorry for not answering until now but I have been busy the last couple of days.
    You need to implement this functionality on the first node in your system so that you can get the originator IP. If your application server is behind something that changes the originator IP you will simply not be able to read the IP and the approach of using SSO call outs will not work. SSO call out will only work if the app server is placed in front.
    If you have a load balancer in front you will need to install a reverse proxy of some kind in front of the load balancer. If you have the money for licenses I would recommend looking at OAAM.
    What you will be building is basically a SSO setup so as long as the SSO system supports your authentication scheme and has an SSO plug in that supports your app server you will be fine.
    If you have plenty of time but little license money you might want to look at building something based on Apache and Mod_proxy or mod_security. I did a little bit of work on this back in 2003 but it doesn't seem to be a common pattern today so I am not sure how viable this option is.
    Hope this helps
    /M
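An added illustration of the (IP, username) binding the questioner describes; this is not Oracle Identity Management, OAAM or mod_security code. The check honours a forwarded client address only when the immediate peer is a proxy you operate, which is the practical form of the reply's warning that the first node must be able to see the originator IP: anything behind an untrusted hop cannot be bound to an address at all. The binding table, proxy range and addresses are constructed sample values.

```python
"""Bind a username to the client network it may authenticate from.

Added illustration, not Oracle Identity Management, OAAM or mod_security code.
It assumes the check runs on the first node that sees the connection: either
the client is a direct peer, or the peer is a proxy we operate and trust to
append the real client address to X-Forwarded-For. All values are constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed sample table: username -> networks (branches) it may log in from.
BINDINGS = {
    "teller01": [ip_network("10.10.1.0/24")],                            # branch A
    "teller02": [ip_network("10.10.2.0/24")],                            # branch B
    "auditor":  [ip_network("10.10.1.0/24"), ip_network("10.10.2.0/24")],
}

# Only peers in these networks are believed when they assert a client address.
TRUSTED_PROXIES = [ip_network("10.0.0.0/24")]                            # constructed


def client_address(peer, headers):
    """Originator address as this node can actually vouch for it.

    A trusted proxy's X-Forwarded-For is honoured, but only its rightmost
    entry: that is the hop the proxy itself appended, while anything to the
    left came from the client and can be forged. Untrusted peers get no say.
    """
    p = ip_address(peer)
    if any(p in net for net in TRUSTED_PROXIES):
        xff = headers.get("X-Forwarded-For", "")
        if xff:
            return ip_address(xff.split(",")[-1].strip())
    return p


def allowed(username, peer, headers=None):
    """Is this (username, originator) pair permitted by the binding table?"""
    nets = BINDINGS.get(username)
    if nets is None:
        return False                     # unknown user: fail closed
    try:
        ip = client_address(peer, headers or {})
    except ValueError:
        return False                     # unparsable address: fail closed
    return any(ip in net for net in nets)


if __name__ == "__main__":
    print(allowed("teller01", "10.10.1.23"))
    print(allowed("teller01", "10.10.2.23", {"X-Forwarded-For": "10.10.1.23"}))
    print(allowed("teller01", "10.0.0.5", {"X-Forwarded-For": "10.10.1.23"}))
```

The binding is applied before authentication succeeds, so a correct password from the wrong branch still fails; and because an untrusted peer's X-Forwarded-For is ignored, a client on the wrong network cannot promote itself into the right one by adding the header.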

  • PI Sender HTTP adapter restricting access by IP

    We have a web service hosted on PI and we would like to limit access to this web service to only one web service client application. This is a high volume interface and not particularly sensitive data so we are not really looking for the SSL overhead. Is there any way other than SSL or using the HTTP logon procedure of AS-ABAP to restrict access to this web service? For example, can we specify anywhere on the AS or in the configuration of the PI Sender HTTP adapter that only requests from a certain IP addresses be processed?

    If you do not care about security then pass some basic authentication in the form of userid and password in either the header fields or in the url parameters.  These could then be authenticated in the Web Service - though this is not ideal

  • Can I restrict a specific subnet/host to specific server in CSS?

    I would like to restrict a specific subnet/host to access the same server. Can I do that?
    Thanks

    Hi,
    You can configure an ACL on the CSS. This should achieve what you are trying to do.
    For more details, check
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20/configuration/security/guide/Access.html#wp1133930
    I hope this helps
    Daniel

  • Restricting access to form

    Is there a way to restrict access to a form? The form - and some selections - might have proprietary data and we would like to restrict use of the form to a private workgroup. We are not trying to create a survey product that is open to the world. If not, is there a recommended solution with the same functionality as FormsCentral that has a feature to limit form access to authorized users?  Thank you.

    Unfortunately Formscentral does not have a way to limit access to forms. While you could control access to the form by embedding it in a web page that controls access this solution is not perfect.
    Andrew

  • Airport Utility Timed Access Control does not allow/restrict access to wireless clients per the time set.

    I have been trying to setup Timed Access Control in Airport Utility and it does not seem to be working correctly. 
    In Airport Utility, from Edit Timed Access Control, I enter a name for my device (iPad/iPhone, any device), enter my MAC address, set time for Everyday and use the default Between 9:00 AM and 5:00 PM, save and then update. When I go to my device (iPad, iPhone, etc.) I still have access even when it is after the time set, 5:00 PM. If I set no access it will restrict access; also, I set a time between 2:00 PM and 5:00 PM and access was restricted. It doesn't seem to matter what the device is. I know that the MAC address is set correctly. It seems like an issue with the Utility, possibly a time mismatch or something. Not sure if I am missing something or if this Utility just has flaws. Please help.

    I changed the default to (no access) and set an entry for my test device (an iPad) to "Everyday Between 9am to 5pm". The iPad was still able to gain access to the network.
    Something else to note, if I try to edit the time of an entry it gives me an error on my MBP "Invalid value", "The value for “Timed Access Control” is invalid."  This happens even if I delete a digit (number or letter in the time field) and replace with the exact same. Not sure if the two are related. I have tried to edit access from my iPad.  I don't get any errors but I still don't get the expected results.  I called Apple to try and get Tech support but they were not much help. Thanks again.
