Firewall or router for 2 separate workgroups?

Can I get some advice on this: In a small office, there is a DSL line with a Linksys router/4-port switch.

Currently one office group (3 PCs) uses this DSL for their PCs.

What hardware or appliance would I use to add a SEPARATE group of 4 PCs to share the DSL connection, but keep the new office workgroup isolated from the original 3 PCs for security?

If I just added an uplink switch to the Linksys router, then ALL PCs can see each other--this is NOT what I want. I want two separate subgroups.

Thanks.

Reply to
John .

If you want to do it cheap, you can use two Linksys routers.

The routers would be set up in series like this:

INTERNET
   ||
Linksys 1 > LAN 1 (these can be seen by Linksys 2)
   ||
Linksys 2 > LAN 2 (these can't be seen by Linksys 1)

So, connect L2 to a LAN port on L1, and you can do all that you want and all of the machines can still access the Internet.

YOU MUST USE DIFFERENT IP RANGES ON BOTH ROUTERS

L1 = 192.168.8.0/24
L2 = 192.168.16.0/24

It also helps if you hard code the L2 WAN IP (public) to something like 192.168.8.2/24 and then enter the DNS properly.
Reply to
Leythos

Thanks for the advice.

Is something like the Linksys BEFSX41 which has Stateful Packet Inspection enough? Or do I need to consider other security appliances such as Sonicwall TZ 150 or Checkpoint Safe @ Office 105, etc?

Reply to
John .

All computers in the small office are Windows XP (SP2 and up to date), using peer to peer. One Windows XP Professional machine acts as a peer-to-peer "server" for documents and databases. All PCs have Norton 2005 Antivirus. The Internet is used for proprietary financial software updates. No funny stuff. We scan for spyware regularly and back up regularly.

My main concern was the other subnet/workgroup (which is a different company/business) seeing or accessing our PCs, since I have no idea if or how they are protected. I don't want some worm or virus from the other group getting into our PCs.

Thanks for any advice.

Reply to
John .

Forgot to mention: there is no email server, no FTP access, no VPN. Just a small office sharing internal files over peer to peer, and accessing the Internet for info and updates and normal email via the ISP.

Reply to
John .

I don't consider the cheap firewalls worth purchasing if you want to run an office or commercial space, the TZ series is not something I would purchase for any customer. I have a strong fondness for WatchGuard and would purchase a X700 for a company/commercial site, but they run about $1900.

Unless you want to do HTTP filtering, attachment removal (on inbound SMTP to the mail server), etc., you can get by fine with a cheap NAT router in most cases. You really need to monitor the Linksys unit logs (use Wall Watcher).

I've got a number of customers that use the BEFVP41 unit for the IPSec tunnels to the home office, none of them have port-forwarding, but none of them have been compromised.

If you do the poor man's DMZ/LAN using double routers, you won't have much in the way of problems - again, the router is not a firewall and has nothing to stop users from running malicious code on web/FTP sites or from running infected email.

If you run your own email server, make sure that you remove any attachment that can't be virus scanned or that could be executed before it gets to the users email box (GFI and Symantec make good products for this).

If you have a web/FTP server, make sure you lock it down - follow all the MS directions (or for the OS you use). I use FileZilla Server for FTP as I don't like the limited configuration options that you get with IIS on Windows.

What we need to know is what are you running inside that could be compromised and what services you allow your users to use - what OS, what virus protection, etc....

Reply to
Leythos

We set up a multi-tenant office space (2 floors, 6 different companies); we got a T1 for the building and 16 public IPs. We set up a single Linksys router for each, giving them each a PUBLIC IP, but no inbound forwarding, and none of them have the admin password to the routers (and they are locked in a closet where only the building owner has a key).

If you want to have both groups completely isolated from each other, you need two IPs, one for each router, like this:

INTERNET CONNECTION
        ||
    HUB/SWITCH
     |       |
     |       \_ Linksys 2 (LAN 2)
     \_ Linksys 1 (LAN 1)

Neither LAN can access the other.

Reply to
Leythos

I'm not sure what the /24 above means.

Does that imply 24 addresses (192.168.8.0 through 192.168.8.23), or something about the subnet mask?

Normally I would have 192.168.8.0 with subnet mask of 255.255.255.0

Thanks.

Reply to
John .

24 means that the first 24 bits (255.255.255.x) relate to the mask - the way a mask is used is in binary; each of the 4 octets represents 8 bits: 11111111.11111111.11111111.11111111 = 255.255.255.255.

A /24 would be 255.255.255.0
A /16 would be 255.255.0.0
A /8 would be 255.0.0.0

Reply to
Leythos

Just to expand on Leythos' explanation a bit, so you can see the connection between the different ways of expressing the mask:

/32 = 11111111.11111111.11111111.11111111 = 255.255.255.255
/24 = 11111111.11111111.11111111.00000000 = 255.255.255.0
/16 = 11111111.11111111.00000000.00000000 = 255.255.0.0
/8  = 11111111.00000000.00000000.00000000 = 255.0.0.0

Using 198.0.0.0 as an example:

198.0.0.0/32 = 198.0.0.0 through 198.0.0.0       = 1 IP
198.0.0.0/24 = 198.0.0.0 through 198.0.0.255     = 256 IPs
198.0.0.0/16 = 198.0.0.0 through 198.0.255.255   = 65536 IPs
198.0.0.0/8  = 198.0.0.0 through 198.255.255.255 = 16777216 IPs
Reply to
dak
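An added example (not code posted by anyone in this thread) that ties the /prefix explanation above to Leythos' "different IP ranges on both routers" requirement. It uses only Python's standard ipaddress module. The addresses follow the thread (LAN 1 = 192.168.8.0/24, LAN 2 = 192.168.16.0/24, L2 WAN = 192.168.8.2); the address of Linksys 1 itself, 192.168.8.1, is an assumption, since the thread never states it.

```python
import ipaddress


def prefix_to_mask(prefix):
    """Prefix length -> dotted-decimal mask, e.g. 24 -> '255.255.255.0'."""
    return str(ipaddress.IPv4Network("0.0.0.0/%d" % prefix).netmask)


def mask_to_prefix(mask):
    """Dotted-decimal mask -> prefix length, e.g. '255.255.0.0' -> 16."""
    return ipaddress.IPv4Network("0.0.0.0/%s" % mask).prefixlen


def address_range(cidr):
    """(first address, last address, number of addresses) covered by a CIDR block."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def usable_host(addr, net):
    """True if addr is inside net and is neither the network nor the broadcast address."""
    return addr in net and addr not in (net.network_address, net.broadcast_address)


def check_double_nat(lan1, lan2, l2_wan_ip, l1_lan_ip):
    """Sanity-check the 'Linksys 2 behind Linksys 1' layout from the thread.

    lan1      -- LAN range of the outer router (L1), e.g. '192.168.8.0/24'
    lan2      -- LAN range of the inner router (L2), e.g. '192.168.16.0/24'
    l2_wan_ip -- the static address hard-coded on L2's WAN port, e.g. '192.168.8.2'
    l1_lan_ip -- L1's own LAN-side address, which is L2's default gateway
                 (assumed '192.168.8.1' in the examples; not stated in the thread)

    Returns a list of problems; an empty list means the layout is consistent.
    """
    problems = []
    n1 = ipaddress.IPv4Network(lan1, strict=False)
    n2 = ipaddress.IPv4Network(lan2, strict=False)
    wan = ipaddress.IPv4Address(l2_wan_ip)
    gw = ipaddress.IPv4Address(l1_lan_ip)

    # The two LANs must be distinct, non-overlapping ranges: otherwise L2 cannot
    # tell "my own LAN" from "the network behind my WAN port" and routing breaks.
    if n1.overlaps(n2):
        problems.append("LAN ranges overlap: %s and %s" % (n1, n2))
    # L2's WAN address must be a usable host address inside LAN 1 ...
    if not usable_host(wan, n1):
        problems.append("L2 WAN address %s is not a usable host in %s" % (wan, n1))
    # ... and so must L1's own address, which L2 uses as its gateway.
    if not usable_host(gw, n1):
        problems.append("L1 LAN address %s is not a usable host in %s" % (gw, n1))
    if wan == gw:
        problems.append("L2 WAN address collides with L1's own address %s" % gw)
    return problems


if __name__ == "__main__":
    for p in (32, 24, 16, 8):
        print("/%-2d = %-15s %s" % (p, prefix_to_mask(p), address_range("198.0.0.0/%d" % p)))
    # The layout recommended in the thread: no problems reported.
    print(check_double_nat("192.168.8.0/24", "192.168.16.0/24", "192.168.8.2", "192.168.8.1"))
    # Both routers left on the same factory default range: overlap and collision.
    print(check_double_nat("192.168.1.0/24", "192.168.1.0/24", "192.168.1.1", "192.168.1.1"))
```

The second check in the usage section is the common mistake: two routers of the same brand both ship with the same default LAN range, so leaving the inner one at its defaults gives overlapping subnets even though every cable is in the right port.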

Just a question, if I were to enter the address of one (or more) of the LAN2 machines in the LMHOSTS file of my LAN1 machine, would that LAN1 machine see the others?

I understand that Zyxel routers have an IP ALIASDIS command to disable IP routing between alias interfaces (so far, I know that the Prestige 650HW has it).

Does anybody know if a similar facility is implemented in cheaper run-of-the-mill routers?

Thanks

Lorenz

Reply to
[L.]

The only way the outer LAN can get to the inner LAN is if you open ports on the inner LAN. The inner LAN (Lan 2) has no unsolicited inbound means of access - so unless your LAN 2 machines contact LAN 1 machines, LAN 1 machines can't talk to LAN 2 machines.

Reply to
Leythos
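An added example (not code from anyone in this thread) that models the rule Leythos states above: the inner router (Linksys 2) translates outbound LAN 2 traffic and only lets a WAN-side packet in if it is the reply to a flow a LAN 2 host opened, or if a port-forward was explicitly configured. Addresses follow the thread's layout (L2 WAN = 192.168.8.2, LAN 2 = 192.168.16.0/24); the two host addresses, the port numbers and the starting WAN-side port 40000 are constructed for the example. It is a toy model of the NAT table, not a real firewall, and it does not model services the router itself exposes on its WAN side (e.g. remote management), which should be switched off on the inner router.

```python
import ipaddress
from collections import namedtuple

# src/dst are IPv4 addresses as strings, ports are ints: a TCP/UDP 4-tuple.
Packet = namedtuple("Packet", "src sport dst dport")


class NatRouter:
    """Toy model of a consumer NAT router's inbound/outbound behaviour.

    Outbound LAN->WAN traffic creates a translation entry keyed by the WAN-side
    source port. Inbound WAN->LAN traffic is delivered only if it is the reply
    to an existing entry or matches a configured port-forward; anything else is
    dropped. Nothing the LAN hosts themselves download is inspected.
    """

    def __init__(self, wan_ip, lan_net, forwards=None):
        self.wan_ip = wan_ip
        self.lan_net = ipaddress.IPv4Network(lan_net)
        self.forwards = dict(forwards or {})  # WAN port -> (LAN ip, LAN port)
        self.table = {}                       # WAN port -> (lan_ip, lan_port, remote_ip, remote_port)
        self.next_port = 40000                # first WAN-side port handed out (assumed)

    def outbound(self, pkt):
        """A LAN host sends a packet out; return the packet as seen on the WAN side."""
        if ipaddress.IPv4Address(pkt.src) not in self.lan_net:
            raise ValueError("%s is not on %s" % (pkt.src, self.lan_net))
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        for wport, entry in self.table.items():
            if entry == flow:                 # existing flow: reuse its mapping
                return Packet(self.wan_ip, wport, pkt.dst, pkt.dport)
        wport, self.next_port = self.next_port, self.next_port + 1
        self.table[wport] = flow
        return Packet(self.wan_ip, wport, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """A packet arrives on the WAN port; return what is delivered to the LAN, or None if dropped."""
        if pkt.dst != self.wan_ip:
            return None
        entry = self.table.get(pkt.dport)
        # A reply must come from the same remote address AND port the LAN host talked to.
        if entry is not None and entry[2:] == (pkt.src, pkt.sport):
            return Packet(pkt.src, pkt.sport, entry[0], entry[1])
        if pkt.dport in self.forwards:        # an explicitly opened hole
            lan_ip, lan_port = self.forwards[pkt.dport]
            return Packet(pkt.src, pkt.sport, lan_ip, lan_port)
        return None                           # unsolicited: dropped


def scenario(forwards=None):
    """Replay the thread's layout: L2 (LAN 2) hangs off LAN 1 with WAN address 192.168.8.2.

    Host addresses are constructed for the example. Returns a dict of outcomes.
    """
    l2 = NatRouter("192.168.8.2", "192.168.16.0/24", forwards)
    lan1_host, lan2_host = "192.168.8.10", "192.168.16.10"

    # 1. A LAN 1 machine (or a worm on it) probes SMB on L2's WAN address: nothing opened it.
    probe = l2.inbound(Packet(lan1_host, 51000, "192.168.8.2", 445))

    # 2. A LAN 2 machine connects to a LAN 1 file share; L2 rewrites the source.
    wan_side = l2.outbound(Packet(lan2_host, 50000, lan1_host, 445))

    # 3. The LAN 1 server's reply matches the entry and reaches the LAN 2 host.
    reply = l2.inbound(Packet(lan1_host, 445, wan_side.src, wan_side.sport))

    # 4. The same LAN 1 host aiming at the mapped port from a different source port is not a reply.
    reuse = l2.inbound(Packet(lan1_host, 139, wan_side.src, wan_side.sport))

    return {"probe": probe, "wan_side": wan_side, "reply": reply, "reuse": reuse}


if __name__ == "__main__":
    for name, pkt in scenario().items():
        print("%-8s %s" % (name, pkt if pkt else "DROPPED"))
    # With a port-forward for 445 the probe in step 1 lands straight on the LAN 2 host.
    print("with forward:", scenario(forwards={445: ("192.168.16.10", 445)})["probe"])
```

Step 3 is the one to notice: the isolation is one-way. Once a LAN 2 machine connects to something on LAN 1, whatever answers on that flow gets through, so the protection described in the thread depends on LAN 2 hosts not initiating connections to untrusted LAN 1 machines, and on nobody configuring a forward like the one in the last line.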

Thank you, that is the clearest explanation I've seen.

Reply to
Urlewt Piilcher

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.