Firewall or ???

Hi Everyone,

I look after a small LAN for a small rural resort. They've got a handful of computers plugged into a Linksys BEFSR41 router for network & internet connectivity.

I'm looking for some way to set things up so that if this resort "shares" its internet connection with a few neighbours they can't "see" the other computers on the LAN, nor can the neighbours see each other's computers. The computers at the resort should still be able to see each other.

Can anyone recommend a (hopefully inexpensive) piece of hardware to accomplish this? I know I could probably research some kind of a Linux box to manage the traffic, but I'd prefer to have some kind of small dedicated piece of equipment that doesn't risk a hard disk failure, power supply failure etc. as I'm six hours away and the folks at the resort are computer illiterate.

Thanks in advance.

Cheers, Geoff Glave Vancouver, Canada

Reply to
gglave

Get a 2nd router for the resort. Get each neighbour to purchase a router. That way everyone will be isolated behind a router on a separate network, as will the resort.

WAN - Router1 (192.168.0.0/24)
Resort router - Resort LAN (192.168.10.0/24)
Neighbour1 router - Neighbour1 LAN (192.168.20.0/24)
Neighbour2 router - Neighbour2 LAN (192.168.30.0/24) etc.

Make sure that router 1 supports routes to other networks e.g.

192.168.10.0/24 via 192.168.0.10, 192.168.20.0/24 via 192.168.0.20 etc.

Cheers, E.
Reply to
E.

You can do this with ONE router and a firewall on each of YOUR systems. Here's my setup; I have 3 systems of my own and have two roommates which need access too.

1) Use DHCP for everything.
2) I use the MAC filtering feature to preassign the IP address for my systems. To keep the addresses easy to manage, I added 7 phony MACs to fill out the range 192.168.0.1 thru 192.168.0.10. These are the TRUSTED SYSTEMS.
3) The roommates will be forced into addresses 192.168.0.11 and above; these are the UNTRUSTED SYSTEMS.
4) Now the firewall can set up a TRUSTED ZONE 192.168.0.1 thru 192.168.0.10, or you can explicitly add a rule like allow in/out 192.168.0.1 thru 192.168.0.10 tcp+udp all ports.

The Default Windows Firewall will not configure this way, so you need something else. I have Norton NIS 2005, but many are having problems with it in XP/Home. AVG is a good alternative and you need to disable MS-FW if any other is installed.

Recommend: unplug from the net, do the install, disable MS-FW, and reattach the net. Get the updates (if any) and register your copy. THEN configure the above.


Reply to
Jeff B

I would hate to be the one trying to manage that from 6 hours away. Consider the amount of bullshittery involved in setting up a new PC or printer. Plus NIS deciding to default to its inbuilt ruleset as it usually does will bugger things completely.

The idea is sound but will ultimately rely on clueless people to manage it on a day to day basis. 1-click goodbye network hello 6 hour drive.

Software firewalls are bad, m'kay. E.

Reply to
E.

Use multiple public IP address assigned to separate routers.

If you only have one IP address, then connect several routers in a tree so that they can share the connection like this:

ROUTER 1 (If you need more than 4 ports, add a switch)

ROUTER 2, ROUTER 3, ROUTER 4, ROUTER 5

Now, you connect your computers to router 2, and then each other company/neighbor to another different router.

You need to have ROUTER 2 (and 3,4,5,6,7...) each have a FIXED WAN address of ROUTER 1's LAN network.

Each router (2....) must be in a DIFFERENT LOCAL NETWORK or you can run into routing issues using these cheap units.

ROUTER 1 LAN = 192.168.8.1/24

ROUTER 2 WAN = 192.168.8.12 ROUTER 2 LAN = 192.168.16.1/24

ROUTER 3 WAN = 192.168.8.13 ROUTER 3 LAN = 192.168.17.1/24

ROUTER 4 WAN = 192.168.8.14 ROUTER 4 LAN = 192.168.18.1/24

You get the idea from here.

Reply to
Leythos
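The two router-tree layouts above (E.'s with static routes on the first router, Leythos's with each downstream router's WAN on the first router's LAN) can be checked on paper before anyone drives six hours. The following is an added example, not code from any poster in this thread: it models the layout from Leythos's post with the constructed addresses shown there, treats E.'s static routes as an optional route table on ROUTER 1, and reports where an unsolicited packet from a host behind one downstream router would end up. The verdict labels and the `validate`/`reach` functions are this example's own naming.

```python
"""Model of the nested-router layout from this thread (added example, not any
poster's code).  Addresses follow Leythos's post; the static routes are E.'s
suggestion, modelled as an optional table on ROUTER 1.  All values are
constructed for illustration."""
import ipaddress

# ROUTER 1's LAN: every downstream router gets a fixed WAN address here.
UPSTREAM_LAN = ipaddress.ip_network("192.168.8.0/24")

# Downstream NAT routers (constructed from the layout in the thread).
ROUTERS = {
    "resort":     {"wan": "192.168.8.12", "lan": "192.168.16.0/24"},
    "neighbour1": {"wan": "192.168.8.13", "lan": "192.168.17.0/24"},
    "neighbour2": {"wan": "192.168.8.14", "lan": "192.168.18.0/24"},
}

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def validate(upstream_lan, routers):
    """Check the addressing plan; returns a list of human-readable problems."""
    problems, seen = [], []
    for name, r in routers.items():
        wan = ipaddress.ip_address(r["wan"])
        lan = ipaddress.ip_network(r["lan"])
        if wan not in upstream_lan:
            problems.append(f"{name}: WAN {wan} is not on router 1's LAN {upstream_lan}")
        if lan.overlaps(upstream_lan):
            # The "different local network" rule: a downstream router cannot
            # tell its own LAN from its upstream if the two ranges overlap.
            problems.append(f"{name}: LAN {lan} overlaps router 1's LAN {upstream_lan}")
        for other, other_lan in seen:
            if lan.overlaps(other_lan):
                problems.append(f"{name}: LAN {lan} overlaps {other}'s LAN {other_lan}")
        seen.append((name, lan))
    return problems


def reach(src_router, dst, upstream_lan, routers, static_routes=None):
    """Where does an unsolicited packet from a host behind src_router to dst end up?

    static_routes maps a destination network (str) to the downstream router
    that owns it, as E. suggests configuring on ROUTER 1.  Returns one of:
      'same-lan'      delivered locally, never leaves the downstream router
      'upstream-lan'  reaches something on ROUTER 1's LAN (e.g. a sibling's WAN side)
      'nat-dropped'   forwarded to a sibling router, which has no NAT state for
                      it and no port forward, so it drops it
      'no-route'      private destination with no route; never reaches a neighbour
      'internet'      sent out via ROUTER 1's default route
    """
    dst = ipaddress.ip_address(dst)
    if dst in ipaddress.ip_network(routers[src_router]["lan"]):
        return "same-lan"
    # From here on the packet has been NATed to src_router's WAN address
    # and handed to ROUTER 1.
    if dst in upstream_lan:
        return "upstream-lan"
    for net, owner in (static_routes or {}).items():
        if dst in ipaddress.ip_network(net) and owner in routers:
            return "nat-dropped"
    if any(dst in net for net in RFC1918):
        return "no-route"
    return "internet"


if __name__ == "__main__":
    for problem in validate(UPSTREAM_LAN, ROUTERS):
        print("PROBLEM:", problem)
    routes = {"192.168.16.0/24": "resort"}
    for src, dst in [("resort", "192.168.16.50"), ("neighbour1", "192.168.16.50"),
                     ("neighbour1", "192.168.8.12"), ("neighbour1", "203.0.113.10")]:
        print(f"{src} -> {dst}: {reach(src, dst, UPSTREAM_LAN, ROUTERS, routes)}")
```

Two things the model makes visible that the posts leave implicit. First, the isolation comes from each downstream router doing NAT, not from the static routes: with E.'s routes on ROUTER 1 a neighbour's packet is forwarded to the resort router's WAN side and dropped there, and without them it simply has nowhere to go. Second, every downstream router's WAN interface sits on the shared 192.168.8.0/24 segment and is reachable from every other neighbour's LAN, so WAN-side administration must be disabled on each of those routers, and port forwards on any of them open that LAN to the others.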

I don't think the original poster implied any 6hr drive. Of course a dedicated hw firewall is better, but not everyone needs/can afford one. Yes, a single FW in a DMZ would be easier to maintain, but that's another system too.

that's your opinion

your opinion again. It took less than 20 minutes and the MAC->IP is rigorous. To expand within the limits of the 4-port router, I only need to drop one or more dummies and insert the new MAC - - :)

One point here is once you show people HOW TO FISH, they can feed themselves :-)

once again, that's your opinion

Reply to
Jeff B

Unfortunately that's exactly the issue - I don't want a 6-hour drive when someone says "I can't check my hotmail."

I think this is the best solution and is the one I'm going to go with.

Thanks everyone for your help.

Cheers, Geoff Glave Vancouver, Canada

Reply to
gglave

Actually once you show people how to fish, they spend every spare dollar getting appropriate gear, lures and tackle, researching target species' bite cycles (moon phase, barometric pressure, migration timetable etc.) as well as preferred baits/lures/attractants/burleys/FADs etc. and the hatch cycles of those baits in order to replicate them (e.g. worm farm), natural bait collection, lure presentation etc.

The point here is once you show people how to fish, you create an angling addict ;->

E.

Reply to
E.

A FortiGate 60 will handle this easily, it has 4 interfaces. Plus you can do antivirus and intrusion detection on it. If desired you can also set up segments with category filtering, for example to prevent people from downloading p*rn in the Internet Cafe.


Canadian list on them with all subscriptions for 1 year is $1149 cdn.

-Russ.

Reply to
Somebody.

I think you can accomplish all that with a Check Point Safe@Office with a Power Pack. Plug the LAN computers into the LAN (you'll probably need a hub/switch as the Safe@ has 4 LAN ports). Plug another hub/switch into the Safe@ dedicated DMZ port. Activate HotSpot on the DMZ. Define a user/password for each of the neighbours and set it to an unlimited time period. The best part - the Safe@ has a remote management feature over https, so no 6 hours driving unless someone physically unplugs it. Needless to mention - network antivirus, stateful inspection firewall, traffic shaping (QoS). The works. You can download the datasheet and check out prices here:


Reply to
TechGrrl

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.