Adding a second router for web filtering.

Netgear Netgear rp614 web safe router -...
October 20, 2009 at 13:29:36
Specs: Windows XP
Business Lan, about 60 computers. 1 T1 line. All this works fine. The issue is that employees can surf unrestricted.

To resolve, I got a Netgear Web safe router which does URL filtering.

The question is: what is the best setup for this? The goal is to be able to point some computers to the Netgear router in order to filter traffic.

I already have a DHCP server, so I don't need the built-in DHCP server in the Netgear.

Do I just set the gateway setting to the Netgear IP for those that I want to do web filtering?

For example:

Main Gateway:




October 20, 2009 at 13:57:16
Do you have a Firewall?

Even though you can do filtering through a router you will probably have routing problems and redundant gateway problems.

It is better to do this through a dedicated firewall.

Otherwise yes, just simply change the computers' default gateways to go through that router instead.

October 20, 2009 at 14:09:01
Key here is "go thru"
which you can not do with this ip config
Main Gateway:

You would need to change your physical configuration as follows:

T1<>router<>netgear<>all pcs/servers/switches

ipconfig would be as follows assuming is your present gateway


The subnet between the netgear wan and T1 router has to be different than your internal subnet.


October 20, 2009 at 14:43:45
Wonderer: Thanks. I was hoping to have only some of the computers go through the netgear, as some of them we don't want to filter, and some we do.

Will we have to physically separate the two so that it goes
T1 Router<>Netgear<>Filtered Computers and then
T1 Router<> Non-Filtered Computers?

The netgear has a WAN address, and an "Internet Port" of (I assigned it a static IP address.)

So this will work as long as I put the computer on the downside of the Netgear? Do I need the Netgear to do DHCP?

I need all the servers to talk to a local server as well as other resources.



October 20, 2009 at 15:12:50
What comes off router1 will be in the subnet 192.168.0.x and what is off the Netgear will be in the 192.168.1.x.

If this is a "true" gateway that means two way traffic. It would make sense that you would have the netgear do dhcp to supply the x.x.1.x network.


October 20, 2009 at 15:12:51
Might use proxy.pac files.

Playing to the angels
Les Paul (1915-2009)
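
The proxy.pac approach suggested above, sketched as an added example that is not part of the original thread. It assumes a filtering proxy (for instance Squid on its default port 3128) at the hypothetical address 192.168.0.250 and filtered PCs placed in the hypothetical range 192.168.0.128/25; only the 192.168.0.x and 192.168.1.x subnets come from the discussion.

```javascript
// proxy.pac -- added example, not from the thread.
// Assumed (hypothetical) values: filtering proxy at 192.168.0.250:3128,
// filtered PCs given DHCP addresses in 192.168.0.128/25.
var FILTER_PROXY = "PROXY 192.168.0.250:3128";
var FILTERED_NET = ["192.168.0.128", 25];
var INTERNAL_NETS = [["192.168.0.0", 16], ["127.0.0.0", 8]];

// Dotted-quad string -> number, or null if it is not a valid IPv4 address.
function ipToInt(ip) {
  if (typeof ip !== "string") return null;
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

// True when ip lies inside base/prefixLen (plain arithmetic avoids
// JavaScript's signed 32-bit bitwise operators).
function inNet(ip, base, prefixLen) {
  var a = ipToInt(ip), b = ipToInt(base);
  if (a === null || b === null) return false;
  var size = Math.pow(2, 32 - prefixLen);
  return Math.floor(a / size) === Math.floor(b / size);
}

// Pure decision function so the policy can be tested outside a browser.
function chooseProxy(clientIp, host, destIp) {
  // Intranet names and addresses (file server, Access database) go direct,
  // so LAN traffic never crosses the filtering device.
  if (host.indexOf(".") === -1) return "DIRECT";
  for (var i = 0; i < INTERNAL_NETS.length; i++) {
    if (inNet(destIp, INTERNAL_NETS[i][0], INTERNAL_NETS[i][1])) return "DIRECT";
  }
  // Filtered clients get the proxy with no DIRECT fallback, so a proxy
  // outage fails closed instead of silently bypassing the filter.
  if (inNet(clientIp, FILTERED_NET[0], FILTERED_NET[1])) return FILTER_PROXY;
  return "DIRECT";
}

// Entry point called by the browser; myIpAddress() and dnsResolve() are
// PAC built-ins and exist only inside the browser's PAC engine.
function FindProxyForURL(url, host) {
  return chooseProxy(myIpAddress(), host, dnsResolve(host));
}
```

A PAC file is only a client-side setting, so it filters reliably only if the internet-facing router also refuses direct outbound web traffic from the filtered address range.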


October 20, 2009 at 15:25:34
"So this will work as long as I put the computer on the downside of the Netgear? Do I need the Netgear to do DHCP?"

"I need all the servers to talk to a local server as well as other resources."

There is the rub. By adding another router to your network you are creating a different routing path which will screw you up. You may need to install a second NIC into your servers that are connected to the second gateway because Windows does not support redundant gateways.

The reason I know about this is because I too have two routers with two different Public IPs and gateways to the Web. I do it for redundancy so that if one goes down then I can just change their default gateways. Also, it gives me the ability to do load balancing where I can set up half of my nodes to one gateway and the other half to the other.

Now your other problem is the T1 like Wonderer said. Where is the combiner? Is it in your Netgear box or does the T1 go into another box before going into your Netgear? If the combiner is in your Netgear router then you have no way of hooking the WAN port of your second router to the T1. If it goes into another router (like the ISP's router) just before your router then you can hook up a 3 port switch and assign a second Public IP to your second router depending on how many Public IPs you have.

October 20, 2009 at 19:43:06
If the router is acting as a gateway between the segments it should pass all server/workstation traffic between the subnets by default. That, in itself, should not impede server to PC traffic.

If running AD the subnet should be added in Sites and Services plus DNS server host/PTR records entered for all the Netgear subnet hosts since dynamic DHCP is not enabled.

October 21, 2009 at 14:00:51
OK, I set this up as described above, but I found two problems:

1. Since the new subnet is on a 1.x instead of 0.x, I could not just do an IP renew. For whatever reason, it would not find the router. The workaround was to assign a static IP in the 1.x range, and let it find the router, and then set it back to DHCP. Then it would get a new IP address and connect to the internet and network.

2. Another issue was that after a computer was successfully on the network, there were network issues. In particular, an Access database which is heavily used started having many problems. The user would restart Access and it would work for a few minutes and would get another network error.

I finally took the new router off the network and it all started working fine again, but of course without the URL filtering.

So what's the deal? Do I need a higher quality router? The Netgear only cost $40 and it really isn't meant for the use that it was put through. The router had about 20 users, and the router was the throughput device to the server where the Access database is. I think that a better setup would be the URL filter is NOT between the server and the nodes, and only on the gateway side which I think would be much less traffic.

I also have a Netgear FVS318 which I am going to try the same experiment with. Maybe it is a higher quality switch.



October 21, 2009 at 15:00:54
Clearly something was off on your filtering.

If you want to approach this seriously you have three routes:

1. Replace your internet-facing router with a firewall like SonicWall which does real filtering and logging.

2. Set up a Linux/FreeBSD box with two NICs and GNU firewall software like Squid.

3. Roll out a hosts file containing the URLs you don't want them going to. Best if via GPO to that group alone.

Not being a Linux guy, we do the SonicWall.