Replies

I’ll give a +1 for Techsoup also. I work for several nonprofits and they make it possible to run software we could not otherwise afford….

From apple’s community>

https://discussions.apple.com/docs/DOC-3413

It looks like you might already own all the hardware you need…..

I do not run apple myself but several of my customers do.

I think the Time Capsule already has a remote access function using something called “back to my mac”. Maybe someone on here has played with it and can chime in on this………

The above suggestions are good. (probably better than your original idea of using a VPN.) If you are just looking at file sharing, I think the Dropbox suggestion is one of the best.

If you are still interested in VPN. Cisco makes a line of routers that works well at a very good pricepoint. Have a look at the RV series here:
http://www.cisco.com/cisco/web/solutions/small_business/products/routers_switches/small_business_routers/index.html

The RV110W can be purchased for less then $100.

I just installed an RV180 (no wireless) with Gigabit LAN ports for a customer for less then $150.

We are using this with the Cisco QuickVPN client for an offsite worker to access his terminal server running quickbooks accounting. Obviously running a terminal server session over the VPN works better then transfering files as most of us do not have the bandwidth to move large files quickly over a VPN connection…..

You are on two different networks with total segregation now. As long as everything works I would not worry about the double NAT issue. If you ever decide to run your own web or email server and need to forward a port to the internet you may have a headache, however, it is likely that their modem is setup as a bridge so you are actually getting a separate PUBLIC ip address for each network…..

Glad you got it working securely the way you wanted and you (and maybe a few of the rest of us) learned a bit more about networking along the way.

I found an old Netgear router in the back room, so I’ll be testing with that in the coming days

First try using the router as a switch like Paul suggested.

Plug a computer directly into one of the LAN ports on the old netgear router. Login to the router’s administration page and turn of DHCP server. (you do not want this router to assign IP addresses in this case as you want to get them from your ISP)

Once your settings have taken affect, plug the line from the modem into one of the LAN ports on the old router. (That is correct, for this use you will not use this router’s WAN port.)

Plug the cables from the WAN ports on your other two routers to LAN ports on this old netgear router.

If that works, you have your networks isolated and no double NAT issues………

Good luck,

mercyh

That is a little like me driving onto your farm, seeing a bin of corn, and asking how it got there. You could give me the short answer that you put it in there with an auger or you could start with working the ground, fertilizing, planting, etc…:^_^:

Start with this (all eight pages of it)

http://computer.howstuffworks.com/nat.htm

Once you understand that :o: ask your more specific questions…..

PS> I am getting the planter ready to plant soybeans here….

I think it is a pretty basic router

Yes, that has none of the capabilities we are discussing here.

If you need true segregation you will need to purchase another piece of equipment, either a switch or a router as discussed above. If you do not feel that there is a high risk of your data being compromised, you may be ok the way you are right now. If the second network is on a different subnet then your network, (your network is 192.168.1.X and the second network is 192.168.5.X for example) the firewall on each of your PC’s if properly configured will secure them from access from the other network.

I think the question is: is there anything I can do to the main office router to ensure that one of the LAN ports is sent directly to the internet and is NOT accessible to/from any device (PC or Printer) attached to any other LAN ports (or connected wirelessly)?

That depends entirely on how advanced your main office router is. Can you give us the brand and model number?

Many business grade devices allow multiple untrusted ports to be assigned. You won’t find this capability on a residential grade device though…….

The VLAN capabilities that Paul mentions require not only a commercial grade router but also VLAN capable switches and of course someone that knows how to configure them.

I would also use a switch instead of router 1

This recommendation is situational…. (I actually have a network setup this way myself).

The caveat is that your ISP (Internet Service Provider) can issue two IP addresses on one modem. How their network is setup will determine this.

I live in rural Kansas, USA and we have several Wireless ISPs that use PPPOE as their connection protocol. The connection is created on the router with a user name and password. (It actually is a type of dialup connection that the router does) In this situation you have to use a router to create the connection and then NAT that connection to the other segments of the network.

If Pauls suggestion works it is preferable to my suggestion.

I would not set the IP on the 2 routers, you won’t be able to manage them unless you also set DHCP to the 10 range.

The interesting thing is that you actually CAN manage router 1 from inside the #2 and #3 network. The same reason that currently your network is not isolated also makes router 1 available. You will not see that router if you look at network devices in Windows 7 as it is on a different segment, however if you type the ip of router 1 into a browser it should bring up the management window for it. If the IP of router 1 is the same as routers 2 and 3 this will not work as those routers will not look for that IP outside of their own segments because it already exists there.

Also, some routers will not work correctly if the same subnet is used on the WAN and LAN interfaces. If the routers are all the same brand, from the factory they will be setup with all the same subnets.

I would suspect that today you have it setup with their router plugged directly into your network. The firewall in the router acts somewhat like a one way valve allowing data to flow out but not in. That gives you something like this. (the arrows indicate the direction data can flow freely).

internet
^
^
Your router
^
^
Your network
^
Their router
^
^
Their network

As you can see, Their network is not accessible by you but your network can be accessed by them…….

The following is a way to do it using only residential equipment. This will result in the networks being double NATed which will break some advanced internet use such as Port forwards to the internal network and VPN tunnels. All normal internet browsing and email should work with this.

You will need three routers.

Internet modem
v
v
Router 1
v . . . . . . v
v . . . . . . v
Rtr 2. . . . Rtr 3
v . . . . . . . v
v . . . . . . . v
Your. . . . . Their
network . . network

The WAN (or internet) port on router 1 connects to the modem, The WAN ports of routers 2 and 3 connect to the LAN ports on router 1. I would set the internal (LAN) network address on Router 1 to 10.0.0.1

I would set the external IP address on router 2 as 10.0.0.2 and the LAN address to the current gateway address you are using on your network.

I would set the external IP address on router 3 as 10.0.0.3 and the LAN address to the current gateway address they are using on their network.

This setup will allow you to use the single IP address from your ISP and split it to two other routers. You will have both your and their network isolated from each other with the firewalls in routers 2 and 3.

If your ISP will assign two IP addresses on a single connection, you can put a Switch in place of Router 1 and leave the WAN ports on routers 2 and 3 set to obtain an IP automatically. This would eliminate the double NAT issue on your network.

If by Verizon, you are talking about a verizon mobile broadband device like a USB receiver, you should not have any trouble with interference. If you are talking about a Verizon MiFi that creates a mobile hotspot, you will want to turn it off while you are on the wifi connection from the park.

Mercyh, Wow, I will contact Ubiquiti, they say a far as 300m, that should do it if I can work it out, I imagine they can walk me through the set up etc and I’ll find out the cost. Many thanks………..Stan

This is professional stuff and you will find that they are not geared to support “user” level people. (they would expect to be working with IT certified people). However, they have an excellent forum with some very helpful members.

I think RetiredGeek has the right idea. I have used the following company for this. In fact, Flying J truckstops give truckers a modified version of one of these devices that allow them to connect to the Flying J hotspots from more than 5 miles away…..

Look at the following devices:

http://www.ubnt.com/powerapn

http://www.ubnt.com/nanostationloco

http://www.ubnt.com/nanostationm

These devices are aimed at the Wireless ISP market. The price is very good and I have found the quality to be terrific. I have had a very hard time finding them when I want them though……

Most suppliers prebook their orders and generally sell several hundred at a time so finding stock can be difficult.