Networking to PREVENT connectivity!

Three neighbors and I live in a rural, orphan area where neither DSL or Cable modem broadband will be available for at least 10 years. We want to correct this by connecting to a 4Mbaud cable modem service at a business 2.5 miles away with line of sight over water.

This looks like a wireless problem but really the fact that some of the links are WiFi is incidental. The real problem is isolating the users from one another. We are NOT kids. We don't play games and we have confidential information on our computers.

The proposed setup is like this:

Cable Modem > DLink DI-604 which we will call "WAN router"

From there one connection to a Linksys BEFSR41 called "Business Router", for the three users there, and one to our long range bridge.

This 2.5 mi. link will use a pair of Engenius Senao 2611-CB3+DELUXE AP's in PtoP bridge mode with narrow beam parabolic dishes.

The output from the bridge goes to a DLink DES-105 switch which we call "NAN Switch". (Chosen at the suggestion of DLink Support).

From there one output goes to a Netgear FS-605 called "Mary's Switch" and to the two users in that house.

Three outputs go to short haul WiFi links to three other homes using pairs of DLink DWL-2100AP's also in PtoP bridge mode also with narrow beam dishes.

One of these short haul links only wants one user so the bridge AP will connect directly to the PC. The other two links will go to existing Linksys BEFW11S4's ("John's Router" & "Riley's Router") and thence to both hard wired and wireless users.


We DO NOT want ANY connectivity between any of the homes or between the business and any or all of the homes. The ONLY thing we want is access to the internet.

We DO want strictly local connectivity for computers within the business and at each home. I.E. downstream of the local routers/switches.

The problem is: after a month of reading manuals and searching on the internet I can't find any reinforcement that this setup will work as we wish. Everyone WANTS to connect to everyone on their network. Nobody talks about using this kind of equipment to isolate subnets the way we want.


Q: Will this setup do what we wish?

Q: What kind of IP addressing scheme should we use.

Are those two questions related?

Here's the scheme we've been thinking.

WAN router = NAN Switch is non-configurable

Business router = and users are Mary Switch is non-configurable. Her users are

Riley Router = and users are

John Router = and users are

and would the subnet mask in these cases then be: or does that open up conductivity? Should it be

Q: As we understand it (maybe wrongly) this kind of uniform addressing tree would be necessary for the "WAN router" to act as NAT server. Would it be possible to let the routers in each home act as a "second stage" NAT server? Then the local addressing in the business and each home would be independent of the others.

Would this add too much overhead?

Q: Would it be necessary/useful to activate the firewalls on all routers or just the "WAN Router" unit.

Q: Is the DI-604 "WAN Router" necessary or could we connect our long range link to the unused port on the "Business Router"? Since all three of the existing workstations on this router can "see" each other, we thought the extra router would be necessary to protect the business.

I sure hope we can make this work because all the equipment is already in use or is on the way. PLEASE don't tell me that I bought the wrong models and if I just upgraded everything would be easy.

BTW. We propose to use static IP addressing for security and to lock the size of the pool.



Reply to
John Buczek
Loading thread data ...

Just use cheap firewall/router boxes for each user, to block access from others.

Reply to
James Knott

not quite, but close, and should be easy to fix (except it might need some more boxes). anyone "nearer" to the cable modem cant see anyone further away (i.e. on the user side of a router). but the opposite may not be true - the further away user might be able to see PCs etc for a user nearer to the modem.

You can fix this is you split a LAN wherever there is transit traffic by adding another router - so there is a dedicated user LAN at every site.

A less detailed abstraction might make the requirement clearer. You have a public gateway at your cable modem. there is a transit network so various sites can access the gateway there is a LAN at each site with users which should be private.

the complications occur because you have mixed up the transit and user parts of the network.

any shared network (i.e. used for transit traffic) should use a unique subnet.

any user only (leaf) network - different to all the shared ones, but could be the same as other leaves. in factif they are all the same that would tend to minimise any "bleed through" risks - for example if something is mis-configured.

yes - you can cascade several NATs - the main complication is if you want incoming connections, since there is only 1 IP on the ultimate "outside", so port forwarding would have to work through the chain of NAT routers to any leaf subnet.

every leaf node should be set to provide isolation (not many of these devices are real firewalls, despite what the manufacturers write on the box) - you get most of the protection from NAT anyway since connections to users cant be initiated from outside unless there is port forwarding set up.

i think you will need NAT on the router into the cable modem to keep public address use down to 1 address, and limit any config access from outside.

across the shared networks - you could use "proper" IP routing rather than NAT - or if the kit allows it you could just run it as a bridged network without any transit routing at all.

Dont know the Dlink stuff so cant comment.

however - apart from pt - pt wireless links which tend to use proprietary extensions to 802.11, nothing you are asking for needs non standard or unusual features from the kit......

hardly matters - a much bigger issue is if someone can "join" some of your wireless links.

1 of the assumptions behind your design is that people are co-operating, and there wont be any problems with deliberate attempts to snoop on traffic, or access other peoples kit.
Reply to


The most obvious solution would be two level NAT, such that each user (family) has their own private net, and the WAN side of those routers goes into another NAT router before it gets to the long wireless link.

If you really want security you can run VPNs as far as possible, such as with the BEFVP41. It could be VPN until just before it goes into the final cable modem. Note that depending on how it is connected, people at that business may be able to see your data.

By the way, this is probably more appropriate for comp.protocols.tcp-ip, as you are considering IP level filtering. (not crossposted)

-- glen

Reply to
glen herrmannsfeldt Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.