Ron_Jeremy

need to (partly) connect 2 networks


Network "A":

2 x Win9x PC's

1 XP PC (I think it's Home, not Pro)

static IP's (192.x.x.x)

file sharing amongst machines

No Internet access ("stand alone" network)

Network "B"

3 x XP PC's

DHCP

file sharing amongst machines

SOHO router to broadband connection

The machines in network "B" now must be able to access the lone XP machine in network "A", but not the other 2 Win9x PC's. Where I am unsure to proceed is that ideally, no PC's in network "A" would be able to sneak onto the Internet (via whatever means users may conjure) through network "B".


The easiest way would be to put the PCs you want to talk to each other and have Internet access on the same network subnet.

Alternatively, make the single PC in the remote location multihomed and connect a 2nd NIC that's attached to the Internet network.


A third solution would be the following:

Let's assume the host on network A which is to be accessible from network B is called host X.

1) Buy a small firewall/router/switch thingy which also does NAT (I assume it will be something similar to the SOHO router you already have) and give it an IP on network B.

2) Connect all hosts on network A to it.

3) Set up the router to forward all incoming traffic from network B to host X and to only allow outgoing traffic from host X to network B.

This has the advantage that you can easily and temporarily grant access to hosts on network A and that you do not need to do any changes to host X. The disadvantage is that it probably costs a little bit more.

The result will be something like:

   ________                             _________                              _________
 (        )      +-------------+      (         )      +--------------+      (         )
( Internet )<--->¦ SOHO router ¦<--->( Network B )<--->¦ Extra router ¦<--->( Network A )
 (________)      +-------------+      (_________)      +--------------+      (_________)


How physically close are the networks? Under XP on the computer you need access to, why not just add a second IP address that is on the network with the other systems that must access it and not add a gateway, so the machine has no way of getting to the internet?

> How physically close are the networks? Under XP on the computer you need access to, why not just add a second IP address that is on the network with the other systems that must access it and not add a gateway, so the machine has no way of getting to the internet?

You haven't stolen your name, have you? This would indeed seem the simplest and most logical solution.

> > How physically close are the networks? Under XP on the computer you need access to, why not just add a second IP address that is on the network with the other systems that must access it and not add a gateway, so the machine has no way of getting to the internet?
>
> You haven't stolen your name, have you? This would indeed seem the simplest and most logical solution.

> Where I am unsure to proceed is that ideally, no PC's in network "A" would be able to sneak onto the Internet (via whatever means users may conjure) through network "B".

Without physical separation, secure authentication or some kind of VLAN, this isn't possible I think.


Logical1, your idea was one of 2 thoughts I had regarding the situation. However, as Olaf pointed out, I am mostly concerned with the other 2 PC's on network "A" sneaking through the XP machine & onto the 'Net.

Opq, that was my first thought too. But then the other 2 Win9x machines can use the XP PC as a gateway & access the 'Net.

I believe the main problem is that whoever sits in front of either Win9x machine effectively becomes "Administrator" (sorry if I'm wrong, but I have almost zero Win9x experience). Thus, they can alter network settings at will & configure the XP machine as the gateway or what have you.

Edited by Ron_Jeremy


Limited time, so a quick idea...

(I assume that you can lock down the Administrator rights on the XP machine; if not then nothing will work except an external router/firewall.)

Assuming the "A" machines are simply sharing files, switch "A" boxes to NetBEUI protocol (yes, it works on XP) and remove TCP/IP protocol (and .dll's) from W9x machines; set IP address on XP machine to part of "B" network but leave gateway blank (as suggested before). The lack of gateway will prevent XP box from working as router even if W9x users re-install and reconfigure TCP/IP on their boxes, as well as prevent internet access from the XP box.


Does network A have its own switch? Where are A and B located in relation to each other?

And will people with access to network A be able to do things such as switch network cables between the 98 and XP boxes? Will people at network A have admin on the XP box?

> ...switch "A" boxes to NetBEUI protocol (yes, it works on XP)...

NetBEUI doesn't list as an available protocol in XP. How do you use it?

> Does network A have its own switch? Where are A and B located in relation to each other?
>
> And will people with access to network A be able to do things such as switch network cables between the 98 and XP boxes? Will people at network A have admin on the XP box?

Yes, the comps in A are just connected via a switch & use static IP assignments. The 2 networks are very close to each other (adjoining rooms or something). They have admin on the XP box too.


My option is still viable since as long as there is no gateway on the XP machine from network A that is connecting to the other network, then it doesn't have internet access and unless you specifically set the gateway and turn on internet connection sharing or TCP/IP forwarding in XP, then the other computers will not have internet access. If you prefer to complicate matters more, just pick a random address besides 1 or 254 for the gateway address of the other network, so even someone guessing will have to go through a lot of tries before even being able to get the XP machine of network A on the internet. One other thing that would slow them down is to set up IE so that all internet addresses are in the Restricted sites zone and then put in a bogus proxy server address. That'll take someone some time to figure out.

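The no-gateway argument debated in this thread, as a small reachability model. This is an added example, not code posted by any participant; the addresses, host names and the `scenario` helper are constructed assumptions, and only the forward path is traced (NAT and return traffic are not modelled).

```python
import ipaddress

class Host:
    def __init__(self, name, addrs, gateway=None, forwarding=False):
        self.name = name
        self.ifaces = [ipaddress.ip_interface(a) for a in addrs]
        self.gateway = ipaddress.ip_address(gateway) if gateway else None
        self.forwarding = forwarding  # ICS / TCP/IP forwarding enabled?

    def owns(self, ip):
        return any(i.ip == ip for i in self.ifaces)

    def next_hop(self, dst):
        # On-link destinations are reached directly; anything else needs
        # a gateway that is itself on one of the host's subnets.
        if any(dst in i.network for i in self.ifaces):
            return dst
        if self.gateway is not None and any(self.gateway in i.network for i in self.ifaces):
            return self.gateway
        return None

def trace(hosts, src, dst):
    """Follow a packet hop by hop from src towards dst."""
    dst, node = ipaddress.ip_address(dst), src
    for _ in range(8):  # hop limit
        if node.owns(dst):
            return "delivered to " + node.name
        if node is not src and not node.forwarding:
            return "dropped at " + node.name + " (forwarding off)"
        hop = node.next_hop(dst)
        nxt = next((h for h in hosts if hop is not None and h.owns(hop)), None)
        if nxt is None:  # no gateway, or nobody answers at the gateway address
            return "no route at " + node.name
        node = nxt
    return "hop limit exceeded"

def scenario(src, dst, xp_gateway=None, xp_forwarding=False):
    # Constructed addressing: network A = 192.168.10.0/24, B = 192.168.1.0/24.
    hosts = {h.name: h for h in (
        # Worst case: a Win9x user has already set the XP box as gateway.
        Host("win9x", ["192.168.10.11/24"], gateway="192.168.10.5"),
        Host("xp", ["192.168.10.5/24", "192.168.1.50/24"], xp_gateway, xp_forwarding),
        Host("pc-b", ["192.168.1.20/24"], gateway="192.168.1.1"),
        Host("soho", ["192.168.1.1/24", "203.0.113.1/24"], forwarding=True),
        Host("internet", ["203.0.113.80/24"]),
    )}
    return trace(hosts.values(), hosts[src], dst)
```

The isolation holds only while both XP settings stay as configured: `scenario("win9x", "203.0.113.80", xp_gateway="192.168.1.1", xp_forwarding=True)` reaches the Internet host, which is the case the original poster is worried about when users have admin rights on the XP box.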
