Currently my system is DSL modem > Linksys RVS 4000 router > 24 port unmanaged switch (x 2).
I have a NAS and a few network printers, all addressed by IP; everyone else is on DHCP.
My goal is to bring in a second router - also an RVS4000 - plugged into the first router, and then connect it to a third switch. The stations that get fed from this switch will be email only with no internet access (that is port 80 is blocked); however they still have to be able to see the NAS and printers on the other switches.
I figure I can put one router on 192.168.1.x and the other on 192.168.2.x (with 2 different DHCP groups; one for the internet group; one for the no-internet group).
The real problem is that in the Advanced Routing of the router I set up the following:
* enet cable from primary router to port 1 of the secondary router
* enet cable from port 4 of the secondary router to the third switch (no users connected yet; I wanted to verify connectivity)
* the primary and secondary routers are configured the same (pppoe, etc...) except as follows:
* primary router 192.168.1.x
* secondary router 192.168.2.x
* both putting out dhcp on their own ranges
* secondary router's advanced routing is set to router (primary is set to gateway) and is using dynamic routing (rip v1)
I tried this set-up using the enet cable in both the WAN port and port 1 of the secondary router; either way I couldn't connect to it from my station (I'm on the 192.168.1.x subnet).
I figure that if I can't see the router then users won't be able to see the NAS and printers on the primary router (plus, I have to make corrections and such to the router from time to time).
Any ideas?

Can I ask you why do you need two routers?
is this router being hooked up just to block internet traffic?

Perhaps I wasn't clear; I apologize. I'm required to block internet access (port 80) to some users, yet give them access to email and of course, see the NAS and printers (on the first router).
Using two routers (and thus 2 networks) seemed like the best way to go.
I'm completely open to other ideas. I just need to get it working.

if it's a few users; you could add a "fake" LAN proxy server under the browser settings such as 127.0.0.1; they would not be able to get to the internet and you still have access to other ports.

Do a static ip assignment to those machines you don't want on the internet. Don't put a gateway entry in. Use a policy to restrict control panel/network properties access so they can't change it.
No additional router required.

He could do that too but I think he still needs to provide e-mail access to the users so without the default gateway he will not be able to reach the mail server; unless he is using some type of internal e-mail server.

wanderer: i thought about static ip's but most everyone knows how to change them; never considered a policy, but my mail server is external (ISP hosted)
mamut0o1: the fake proxy is a neat idea; i'd guess that i could get away with just the one router then. question: what would prevent somebody from un-proxying themselves?
thanks for both your ideas

I have done this with some users together with a local policy so they are not able to make any changes to the browser. You can Hide "tools/internet options" from IE so they can't change those settings.

mamut0o1,
this sounds like an ideal solution. thanks very much.
if i can beg one query from you: i've never had to write a policy before (we've always historically been very open); how do i go about doing it? (sorry if that sounds dumb, but as i said, i've never had to before)

Sabre; no problem; under run: type the following command;
"gpedit.msc" go to the user configuration tab and click on administrative template. open windows components | Internet Explorer | Browser menus |
from here you should enable "Disable internet options" and you can add more if you want to.
take a look at the different templates so you can be familiar with them in the future.
I hope that helps.
Mamut0o1

Mamut0o1:
The policies worked great. Real smooth and easy. I kept it simple and used the one you mentioned and also went to Administrator Template\Control Panel\Hide Specified Control Panel Applets; here I enabled it and added Internet Options so that there's no "backdoor" so to speak.
Thanks again. This is a great tool. I consider this solved (for now).
Sabrefreak

imho you don't need 2nd router
the setup in theory :) goes as follows:
you need DHCP pcs with internet access
put static IPs on pcs with email only - on router - in firewall create access list, or firewall rules to block in/out traffic on particular IPs -
2nd option - create limited accounts on PC with email only - put local firewall on with in/out rule blocking port 80 (and similar - https etc.) - they will be connected to same router - can get access to printers etc. but can't use internet.

Bers - I appreciate the ideas. However, because of certain legacy software being run still, a lot of people require Admin rights on their pc's. Because of this I couldn't think of a way to prevent them from simply switching back to DHCP from a static if they had the mind to.
However, not many people know about Group Policy, which is much easier to implement than a dual router situation that I first went for.
Now, if I could just somehow make sure that no one could get into the Group Policy, maybe password protect it or something? It won't be easy with everyone having admin rights though.
Thanks much to everyone.

well you would need to block access to "run", which can easily be accessed from start>run or task manager > run.
try tweakui or via registry
remove start> run
http://www.pctools.com/guides/regis...
gpedit remove task manager
http://support.microsoft.com/kb/555480
this way u block easy way to undo your imba blockage :)
but disabling task manager can be a pain - coz it has its uses :)
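
The following check is an added example, not part of any post in the thread: run as the restricted user on a "no-internet" station, it reports the proxy and Internet Options policy settings discussed above, then opens sockets directly (ignoring browser proxy settings) to show whether port 80 is blocked by the network or only by the browser configuration. The host names, the NAS address and the ports 25, 110 and 445 are assumptions to replace with your own, and `NoBrowserOptions` is assumed to be the registry value behind the "Disable internet options" policy on your IE version.

```powershell
# Added example, not from the thread. Placeholder targets: replace with your own.
$WebHost  = 'www.example.com'    # any external web server
$MailHost = 'mail.example.net'   # placeholder for the ISP-hosted mail server
$NasHost  = '192.168.1.50'       # constructed address for the NAS

function Test-TcpPort {
    # Direct TCP connect with a timeout; does not use the browser proxy settings.
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)   # throws if the connection was refused
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

function Get-RegValue {
    # Returns $null when the key or value does not exist.
    param([string]$Path, [string]$Name)
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ie   = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Restrictions'

$report = [pscustomobject]@{
    ProxyEnable      = Get-RegValue $inet 'ProxyEnable'     # 1 = proxy in use
    ProxyServer      = Get-RegValue $inet 'ProxyServer'     # e.g. the 127.0.0.1 entry
    NoBrowserOptions = Get-RegValue $ie   'NoBrowserOptions' # 1 = Internet Options hidden
    DirectHttp       = Test-TcpPort $WebHost  80
    DirectHttps      = Test-TcpPort $WebHost  443
    MailSmtp         = Test-TcpPort $MailHost 25    # assumed mail ports
    MailPop3         = Test-TcpPort $MailHost 110
    NasSmb           = Test-TcpPort $NasHost  445   # assumed file-sharing port
}
$report | Format-List

if ($report.DirectHttp -or $report.DirectHttps) {
    Write-Warning 'Web ports are reachable without the proxy: the block exists only in browser settings, not on the router.'
}
```

If the warning appears, the restriction depends entirely on the workstation settings staying in place; a router firewall rule for those stations' addresses, as suggested in the thread, is what makes it hold for users with admin rights.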
