Networking to PREVENT connectivity!
John Buczek
Guest
Posted: Sat Oct 08, 2005 2:46 am    Post subject: Networking to PREVENT connectivity!

Three neighbors and I live in a rural, orphan area where neither DSL
nor Cable modem broadband will be available for at least 10 years. We
want to correct this by connecting to a 4Mbaud cable modem service at
a business 2.5 miles away with line of sight over water.

This looks like a wireless problem but really the fact that some of
the links are WiFi is incidental. The real problem is isolating the
users from one another. We are NOT kids. We don't play games
and we have confidential information on our computers.

The proposed setup is like this:

Cable Modem > DLink DI-604 which we will call "WAN router"

From there one connection to a Linksys BEFSR41 called "Business
Router", for the three users there, and one to our long range bridge.

This 2.5 mi. link will use a pair of Engenius Senao 2611-CB3+DELUXE
APs in PtoP bridge mode with narrow beam parabolic dishes.

The output from the bridge goes to a DLink DES-105 switch which we
call "NAN Switch". (Chosen at the suggestion of DLink Support).

From there one output goes to a Netgear FS-605 called "Mary's Switch"
and to the two users in that house.

Three outputs go to short haul WiFi links to three other homes using
pairs of DLink DWL-2100APs, also in PtoP bridge mode with narrow
beam dishes.

One of these short haul links only wants one user so the bridge AP
will connect directly to the PC. The other two links will go to
existing Linksys BEFW11S4s ("John's Router" & "Riley's Router") and
thence to both hard wired and wireless users.

PROBLEM:

We DO NOT want ANY connectivity between any of the homes or between
the business and any or all of the homes. The ONLY thing we want is
access to the internet.

We DO want strictly local connectivity for computers within the
business and at each home, i.e. downstream of the local
routers/switches.

The problem is: after a month of reading manuals and searching on the
internet I can't find any reinforcement that this setup will work as
we wish. Everyone WANTS to connect to everyone on their network.
Nobody talks about using this kind of equipment to isolate subnets the
way we want.

QUESTIONS:

Q: Will this setup do what we wish?

Q: What kind of IP addressing scheme should we use?

Are those two questions related?

Here's the scheme we've been thinking.

WAN router = 192.168.0.1

NAN Switch is non-configurable

Business router = 192.168.1.1
and users are 192.168.1.2-4

Mary Switch is non-configurable. Her users are 192.168.2.2-3

Riley Router = 192.168.3.1 and users are 192.168.3.2-8

John Router = 192.168.4.1 and users are 92.168.4.2-5

and would the subnet mask in these
cases then be 255.255.252.0, or does that open up
connectivity?
Should it be 255.255.255.0?

Q: As we understand it (maybe wrongly) this kind of uniform
addressing tree would be necessary for the "WAN router" to act as NAT
server. Would it be possible to let the routers in each home act as a
"second stage" NAT server? Then the local addressing in the business
and each home would be independent of the others.

Would this add too much overhead?

Q: Would it be necessary/useful to activate the firewalls on all
routers or just the "WAN Router" unit?

Q: Is the DI-604 "WAN Router" necessary or could we connect our long
range link to the unused port on the "Business Router"? Since all
three of the existing workstations on this router can "see" each
other, we thought the extra router would be necessary to protect the
business.

I sure hope we can make this work because all the equipment is already
in use or is on the way. PLEASE don't tell me that I bought the wrong
models and if I just upgraded everything would be easy.

BTW. We propose to use static IP addressing for security and to lock
the size of the pool.

Thanks

John
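A check of the subnet-mask question in the post above, added here as an example and not taken from the thread. It uses Python's ipaddress module to group the proposed addresses by the subnet each mask implies, since hosts that believe they share a subnet talk to each other directly and no router in between can filter that traffic; the 92.168.4.x entry is read as 192.168.4.x on the assumption that it is a typo.

```python
from ipaddress import ip_interface

# Address plan from the post (one representative user per site).
# Assumption: the "92.168.4.x" entry was meant to be 192.168.4.x.
PLAN = {
    "WAN router":      "192.168.0.1",
    "Business router": "192.168.1.1",
    "Business user":   "192.168.1.2",
    "Mary's user":     "192.168.2.2",
    "Riley router":    "192.168.3.1",
    "Riley user":      "192.168.3.2",
    "John router":     "192.168.4.1",
    "John user":       "192.168.4.2",
}


def same_subnet(a, b, mask):
    """True if hosts a and b, both configured with `mask`, treat each
    other as on-link (same network address) and so bypass any router."""
    return (ip_interface(f"{a}/{mask}").network
            == ip_interface(f"{b}/{mask}").network)


def on_link_groups(plan, mask):
    """Group the plan's hosts by the subnet `mask` makes them believe
    they share. Every name inside one group is mutually reachable at
    layer 2 if the cabling allows it, whatever the routers are set to."""
    groups = {}
    for name, addr in plan.items():
        net = str(ip_interface(f"{addr}/{mask}").network)
        groups.setdefault(net, []).append(name)
    return groups


if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.252.0"):
        print(f"mask {mask}:")
        for net, names in on_link_groups(PLAN, mask).items():
            print(f"  {net:<18} {', '.join(names)}")
```

With 255.255.252.0 the business, Mary's and Riley's hosts collapse into 192.168.0.0/22 together with the WAN router, which is the "opening up" the post worries about, while John's 192.168.4.x lands in a separate /22 that nothing routes to. With 255.255.255.0 the groups stay apart, but note that Mary's PCs then sit in 192.168.2.0/24 with no router between them and the 192.168.0.1 gateway.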
James Knott
Guest
Posted: Sat Oct 08, 2005 3:30 am    Post subject: Re: Networking to PREVENT connectivity!

John Buczek wrote:

Quote:
We DO NOT want ANY connectivity between any of the homes or between
the business and any or all of the homes. The ONLY thing we want is
access to the internet.

Just use cheap firewall/router boxes for each user, to block access from
others.
stephen
Guest
Posted: Sun Oct 09, 2005 12:39 am    Post subject: Re: Networking to PREVENT connectivity!

"John Buczek" <johnb@skagit-studio.com> wrote in message
news:o5rdk11cqpbesat6v8egafi0dasllcuind@4ax.com...
Quote:
Three neighbors and I live in a rural, orphan area where neither DSL
nor Cable modem broadband will be available for at least 10 years. We
want to correct this by connecting to a 4Mbaud cable modem service at
a business 2.5 miles away with line of sight over water.

This looks like a wireless problem but really the fact that some of
the links are WiFi is incidental. The real problem is isolating the
users from one another. We are NOT kids. We don't play games
and we have confidential information on our computers.

The proposed setup is like this:

Cable Modem > DLink DI-604 which we will call "WAN router"

From there one connection to a Linksys BEFSR41 called "Business
Router", for the three users there, and one to our long range bridge.

This 2.5 mi. link will use a pair of Engenius Senao 2611-CB3+DELUXE
APs in PtoP bridge mode with narrow beam parabolic dishes.

The output from the bridge goes to a DLink DES-105 switch which we
call "NAN Switch". (Chosen at the suggestion of DLink Support).

From there one output goes to a Netgear FS-605 called "Mary's Switch"
and to the two users in that house.

Three outputs go to short haul WiFi links to three other homes using
pairs of DLink DWL-2100APs, also in PtoP bridge mode with narrow
beam dishes.

One of these short haul links only wants one user so the bridge AP
will connect directly to the PC. The other two links will go to
existing Linksys BEFW11S4s ("John's Router" & "Riley's Router") and
thence to both hard wired and wireless users.

PROBLEM:

We DO NOT want ANY connectivity between any of the homes or between
the business and any or all of the homes. The ONLY thing we want is
access to the internet.

We DO want strictly local connectivity for computers within the
business and at each home, i.e. downstream of the local
routers/switches.

The problem is: after a month of reading manuals and searching on the
internet I can't find any reinforcement that this setup will work as
we wish. Everyone WANTS to connect to everyone on their network.
Nobody talks about using this kind of equipment to isolate subnets the
way we want.

QUESTIONS:

Q: Will this setup do what we wish?

Not quite, but close, and it should be easy to fix (except it might need some
more boxes).
Anyone "nearer" to the cable modem can't see anyone further away (i.e. on the
user side of a router).
But the opposite may not be true - the further away user might be able to
see PCs etc. for a user nearer to the modem.

You can fix this if you split a LAN wherever there is transit traffic by
adding another router - so there is a dedicated user LAN at every site.

A less detailed abstraction might make the requirement clearer.
You have a public gateway at your cable modem.
There is a transit network so various sites can access the gateway.
There is a LAN at each site with users, which should be private.

The complications occur because you have mixed up the transit and user parts
of the network.
Quote:

Q: What kind of IP addressing scheme should we use?

Any shared network (i.e. used for transit traffic) should use a unique
subnet.

Any user-only (leaf) network - different to all the shared ones, but could
be the same as other leaves. In fact, if they are all the same that would tend
to minimise any "bleed through" risks - for example if something is
mis-configured.
Quote:

Are those two questions related?

Here's the scheme we've been thinking.

WAN router = 192.168.0.1

NAN Switch is non-configurable

Business router = 192.168.1.1
and users are 192.168.1.2-4

Mary Switch is non-configurable. Her users are 192.168.2.2-3

Riley Router = 192.168.3.1 and users are 192.168.3.2-8

John Router = 192.168.4.1 and users are 92.168.4.2-5

and would the subnet mask in these
cases then be 255.255.252.0, or does that open up
connectivity?
Should it be 255.255.255.0?

Q: As we understand it (maybe wrongly) this kind of uniform
addressing tree would be necessary for the "WAN router" to act as NAT
server. Would it be possible to let the routers in each home act as a
"second stage" NAT server? Then the local addressing in the business
and each home would be independent of the others.

Yes - you can cascade several NATs - the main complication is if you want
incoming connections, since there is only 1 IP on the ultimate "outside", so
port forwarding would have to work through the chain of NAT routers to any
leaf subnet.
Quote:

Would this add too much overhead?

Q: Would it be necessary/useful to activate the firewalls on all
routers or just the "WAN Router" unit?

Every leaf node should be set to provide isolation (not many of these
devices are real firewalls, despite what the manufacturers write on the
box) - you get most of the protection from NAT anyway since connections to
users can't be initiated from outside unless there is port forwarding set up.

I think you will need NAT on the router into the cable modem to keep public
address use down to 1 address, and limit any config access from outside.

Across the shared networks - you could use "proper" IP routing rather than
NAT - or if the kit allows it you could just run it as a bridged network
without any transit routing at all.
Quote:

Q: Is the DI-604 "WAN Router" necessary or could we connect our long
range link to the unused port on the "Business Router"? Since all
three of the existing workstations on this router can "see" each
other, we thought the extra router would be necessary to protect the
business.

Don't know the DLink stuff so can't comment.

However - apart from pt-pt wireless links, which tend to use proprietary
extensions to 802.11, nothing you are asking for needs non-standard or
unusual features from the kit...
Quote:

I sure hope we can make this work because all the equipment is already
in use or is on the way. PLEASE don't tell me that I bought the wrong
models and if I just upgraded everything would be easy.

BTW. We propose to use static IP addressing for security and to lock
the size of the pool.

Hardly matters - a much bigger issue is if someone can "join" some of your
wireless links.

One of the assumptions behind your design is that people are co-operating, and
there won't be any problems with deliberate attempts to snoop on traffic, or
access other people's kit.
Quote:

Thanks

John
--

Regards

stephen_hope@xyzworld.com - replace xyz with ntl
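A small model of stephen's transit-versus-leaf point and of the "further away user can see the nearer one" asymmetry, added here as an example and not part of the thread. It assumes every router is a NAT box with no port forwarding, so a connection can only be opened from its LAN side towards its WAN side, and it compares the posted layout (Mary's PCs and the single-user PC hanging straight off the NAN switch, i.e. on the transit net) with his fix of a router at every site; the host and net names are made up for illustration.

```python
def reachable_nets(start, uplinks):
    """Nets that a host on `start` can open connections to: its own net
    plus every net reached by crossing routers LAN -> WAN only. The
    reverse direction is blocked because NAT (no port forwarding) drops
    unsolicited inbound connections."""
    nets, cur = {start}, start
    while cur in uplinks and uplinks[cur] not in nets:
        cur = uplinks[cur]
        nets.add(cur)
    return nets


def exposure(hosts, uplinks):
    """For each host, the other hosts that can initiate a connection to
    it. A user host with an empty list is isolated from everyone."""
    result = {}
    for target, tnet in hosts.items():
        result[target] = sorted(
            h for h, hnet in hosts.items()
            if h != target and tnet in reachable_nets(hnet, uplinks))
    return result


# Constructed model of the posted design. `uplinks` maps a net to the
# net on the WAN side of the router that serves it; "transit" is the
# NAN switch segment shared by every home router's WAN port.
UPLINKS = {"transit": "internet", "business": "transit",
           "riley": "transit", "john": "transit"}
HOSTS = {"biz_pc": "business", "mary_pc": "transit", "solo_pc": "transit",
         "riley_pc": "riley", "john_pc": "john", "outsider": "internet"}

# stephen's fix: a router at every site, so no user PC sits on transit.
UPLINKS_FIXED = dict(UPLINKS, mary="transit", solo="transit")
HOSTS_FIXED = dict(HOSTS, mary_pc="mary", solo_pc="solo")


if __name__ == "__main__":
    for label, h, u in (("posted design", HOSTS, UPLINKS),
                        ("router at every site", HOSTS_FIXED, UPLINKS_FIXED)):
        print(label)
        for host, reachers in exposure(h, u).items():
            print(f"  {host:<9} reachable from: {reachers or 'nobody'}")
```

In the posted layout Mary's and the single-user PCs are reachable from every home and from the business, while nobody behind a router is reachable at all, which is exactly the one-way leak stephen describes; with a router per site every user host comes out isolated and only the "internet" side remains reachable by all.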
glen herrmannsfeldt
Guest
Posted: Sun Oct 09, 2005 8:20 am    Post subject: Re: Networking to PREVENT connectivity!

John Buczek wrote:

Quote:
Three neighbors and I live in a rural, orphan area where neither DSL
nor Cable modem broadband will be available for at least 10 years. We
want to correct this by connecting to a 4Mbaud cable modem service at
a business 2.5 miles away with line of sight over water.

This looks like a wireless problem but really the fact that some of
the links are WiFi is incidental. The real problem is isolating the
users from one another. We are NOT kids. We don't play games
and we have confidential information on our computers.

(snip)

The most obvious solution would be two level NAT, such that each
user (family) has their own private net, and the WAN side of those
routers goes into another NAT router before it gets to the long wireless
link.

If you really want security you can run VPNs as far as possible, such as
with the BEFVP41. It could be VPN until just before it goes into the
final cable modem. Note that depending on how it is connected, people
at that business may be able to see your data.

By the way, this is probably more appropriate for comp.protocols.tcp-ip,
as you are considering IP level filtering. (not crossposted)

-- glen