On Monday 12 September 2005 11:02 am, Dale Beams wrote:

I have a private network that I would like to allow internet access from public computers. Do I simply need to subnet the public side to prevent access to the private network?

I know very little about networking compared to some people on this list but I'll make a guess anyways. If you want to prevent access to the other subnet entirely, you'll need to have a special firewall rule on the computer/device that's a) closest to both subnets and b) has information about how to route to both subnets. Here is a spiffy ASCII picture:

/^ Public Terminals: 192.168.1 Internet |---------| Modem |-|Firewall|-| _ Private Network: 192.168.0

The computer called |Firewall| needs a rule that's something like:

If source is 192.168.0.0/255.255.255.0 and destination is 192.168.1.0/255.255.255.0, reject packet. and also: If source is 192.168.1.0/255.255.255.0 and destination is 192.168.0.0/255.255.255.0, reject packet.

This prevents packets from flowing in both directions.

If you were to make a mistake and have both subnets on the same physical network or if you were to have the rule on a machine other that the first machine to have information about both subnets, the above rules would not work. (Unless you had VLAN's -- but that's a bit too complicated for this email.)

Maybe there's a better way but this is the first solution that comes to mind.