Firewalls vs routers

[Blaqb0x]

Hi,

I have a winNT domain running at work on a LAN(this really isn't a windows Q). Some users bought a linksys router to isolate themselves from the rest of the network and block out certain ports. however the router issues internal ips to the machines and now they can't see the rest of the domain. I was wondering if hardware firewalls issue internal IP or can they just block out ports and still let the machines under it still use 'real' IP's?

**If anyone knows why they can't see the domain, feel free to let me know.**

I really don't want to use individual firewalls for each machine.

thanx

[tolstoy]

A hardware firewall will only dish out IPs if it has DHCP server capabilities. The reason you cannot see the boxes on his side of the router is that they are probably on a seperate subnet or are not passing SMB traffic properly. Before throwing firewalls and routers on the network, you should really have a good understanding of how they work and how they will effect your overall domain structure. Sticking a plug-and-play router onto a corporate LAN and expecting it to work will only cause frustration and headaches. I think what you need to do is strip the router of all its extra capabilities. Turn off NAT, turn off DHCP, then create a seperate subnet for those users on the other side of the router and update all your LAN's routing tables so that those routers know how to get traffic to that side of the domain. Then, only after all traffic is running and your routing works right (you can ping all parts of the lan), build an access control list on the router as to what type of traffic you want to block, incoming as well as outgoing.

If your talking of a shelf-bought lynksys router, you should probably get rid of it, then build a router from linux and block ports with iptables, or get router that allows you to build a good access control list).

[Schotty]

Hi,

*I have a winNT domain running at work on a LAN(this really isn't a windows Q). *Some users bought a linksys router to isolate themselves from the rest of the network and block out certain ports. *however the router issues internal ips to the machines and now they can't see the rest of the domain. *I was wondering if hardware firewalls issue internal IP or can they just block out ports and still let the machines under it still use 'real' IP's?

**If anyone knows why they can't see the domain, feel free to let me know.**

I really don't want to use individual firewalls for each machine.

thanx

You probably dont have all of the networking settings right. For a LAN to talk to each other (espcially in windows) you first off need to be on the same subnet. If you are all using routers to isolate different groups, you are essentially subnetting your LAN up.

In this case, what you want to do is something similar to this:

For your lan issue out IP's to the routers in a range like 192.168.0.0/16 and for each router increment the first zero for the internal IP's. If you ahve the PC's setup with the gateway being the router, you will be able to talk to 'outside' or other subnets.

This situation you descibe is rather ... odd. If you want the best network security, subnet each department and the servers on each their own subnet. And have a gateway of some sort connect them together. One linksys can handle that.

Subnet --\
Subnet -- Gateway -> Internet/VPN
Subnet --/

Email me if you have any further questions at andrew.schott@amerivoice.com

I do this crap for a living