How to firewall a router from network shares?

[Jakeleg]

I have AT&T uVerse.

CAT5 out of the uVerse box into a wired switch.

A bunch of computers plugged into the switch and sharing files. They are all in a Windows workgroup (not Homegroup).

Then, an Airport Extreme is also plugged into the switch. When I connect to the Airport, I can still see all the computers plugged into the switch.

Is there a way to make those devices connected via the Airport not be able to see anything but the public internet? I basically want to use the Airport as a restricted guest network.

 

[chev65]

The Airport Extreme like most modern routers have a guest wireless network which can be enabled in order to isolate the guest from the rest of the network. You should be able to find the setting some place in the firmware under wireless set up.

The following link gives more specific instructions for setting this up.

AirPort base stations: About the Guest network feature

 

[Jakeleg]

Thanks, that worked, but here's what I had to do.

Since my Airport was plugged into a switch, and not directly into the modem, it defaulted to Bridge mode. But, when in Bridge mode, Airports disable the Guest Network.

I switched from Bridge mode to "Share a Public IP." This still did not make the Guest Network option show up, but, now when I connect to my Airport network, I cannot see all my network shares (as I desired). So, it solved the problem in a way.

I also get a "Double NAT" warning from my Airport now.

Any comments on what I've done or recommendations for a better setup?

 

[chev65]

Thanks, that worked, but here's what I had to do.

Since my Airport was plugged into a switch, and not directly into the modem, it defaulted to Bridge mode. But, when in Bridge mode, Airports disable the Guest Network.

I switched from Bridge mode to "Share a Public IP." This still did not make the Guest Network option show up, but, now when I connect to my Airport network, I cannot see all my network shares (as I desired). So, it solved the problem in a way.

I also get a "Double NAT" warning from my Airport now.

Any comments on what I've done or recommendations for a better setup?

I would think that just mentioning using the Guest Network would be enough to solve the issue.

When ever you plug a secondary router into a switch it's usually required to turn off DHCP in order for the added router to pick up the default gateway IP from the first router. You never mentioned if this was done or not?

I believe it defaulted to bridge mode in order to disable it's own DHCP or, in the case of a router/modem combo unit disabling the bridge mode would remove the modem from the equation. This is also the reason for dual NAT error. I'm not sure if this Airport Extreme is a combo or not, I don't keep up with every version of these Airport router/modem's.

The link mentions that bridge mode needs to be turned off for the Guest network to work but other than that I really have no idea what would make the Guest network "show up" on this particular router's firmware settings as there are a million different firmware settings for a million different routers and every one of them is different.

With my routers it's very easy as the Guest network settings are right there but I'm not familiar with the Airport Extreme as it's an apple product and I'm a Windows guy.

Sharing a Public IP is basically saying it's outside the regular network but for more specific instructions I'd look into the Airport's user manual.

 

[Jakeleg]

Thanks, unfortunately Apple's manual doesn't really address these things. I've only been able to figure out what I've described from other searches. Blind person leading his blind self.

Re: DHCP> I still want this "guest network" to be able to host numerous devices. Don't I have to have DHCP on for that?

 

[chev65]

Thanks, unfortunately Apple's manual doesn't really address these things. I've only been able to figure out what I've described from other searches. Blind person leading his blind self.

Re: DHCP> I still want this "guest network" to be able to host numerous devices. Don't I have to have DHCP on for that?

Well normally when we connect a secondary router or access point to a network that already has a router with DHCP then you would need to turn off DHCP on the secondary router so that everything is in the same subnet, using the same gateway etc. This is true in every case that I know of so I don't think it would be different in your case.

I'm not completely sure how this particular router handles Guest wireless accounts but usually DHCP for the entire network is handled by the gateway "first" router which is connected to the modem, while the secondary router becomes an access point on the same subnet as soon as you disable DHCP.

So try disabling DHCP on the secondary router and see if the actual Guest wireless account shows up. You should be able to issue this Guest account a completely different SSID, password etc. as was mentioned in the link I posted earlier. Anyone joining this Guest wireless account won't have access to anything in the regular network.

 

[Jakeleg]

Great explanation... trying now.

Turns out that "Bridge Mode" is the same as turning off DHCP, and, on Airports, when you are on Bridge Mode, the Guest Network option disappears.

So, it's still a mystery how to have the Airport Guest Network show up while also not giving Double NAT warnings.

 

[Jakeleg]

None of this has worked.

Anyone who connects to my Airport can see all the computers connected on the same switch with it.

 

[Jakeleg]

Back to my original question... how can I isolate this network from the workgroup and other computers (not using Airport's guest network feature)?

 

[chev65]

Back to my original question... how can I isolate this network from the workgroup and other computers (not using Airport's guest network feature)?

Since the Airport "what a POS" isn't up to the task you can simply change the Workgroup name on the machines that require an isolated network. Change to something other than the default Workgroup.

http://www.sevenforums.com/tutorials/51711-workgroup-name-view-change.html

Or you can set up a Homegroup between the trusted machines while keeping the other machines in the workgroup. This creates isolation of network machines, the Workgroup machines can still see the Homegroup machines but won't be able to access any files unless they are purposely shared with "Everyone" via the Homegroup sharing settings.

http://www.sevenforums.com/tutorials/43961-homegroup-create.html

 

[Jakeleg]

Unfortunately, computers in different workgroups can still see one another.

 

[Jakeleg]

Unfortunately, even devices in separate workgroups can see one another, so that doesn't help. I did try, though.

(I just saw this on Page 2.)

 

[chev65]

Even if they can see each other no access to the files would be possible between machines in different workgroups. Although they shouldn't be able to even see each other at all if they are in different Workgroups but I'm not about to go down that rabbit hole.

Setting up a Guest wireless network is bog standard and beyond simple on every other router in the known universe other than the one you are using I suppose.

So it seems you are looking for an answer to a question that I have already answered.

 

[Jakeleg]

>So it seems you are looking for an answer to a question that I have already answered.
I am on a computer in one workgroup viewing a computer on another workgroup, so that suggestion doesn't work. Homegroups don't achieve what my original request asked. Someone else suggested the Guest network, but, as I've described, that's not an option.

Thanks for giving it a shot, though.