Need help...
Posted: Fri Aug 20, 2004 5:16 pm
by maxpz
I need an explanation!
I'm opening a range in my mikrotik for each user, like:
192.168.1.1/30
192.168.2.1/30
...
192.168.250.1/30...
I use this to unable my users to see each other, for security reasons.
But i still want to run some servers (antivirus server, fileshare etc.).
So, HOW can I configure my mikrotik, so the users will be able to see the range where my servers are (example: 192.168.0.1/28), and still not see each other?
Posted: Sat Aug 21, 2004 6:49 am
by signal
You are a bit confusing here.
You say you are "opening a range", which to me is allowing your users to do something. Yet you say you are doing it to "unable" them to see each other.
Can you explain in terms of what rules are you using and in which chains?
Posted: Sun Aug 22, 2004 2:02 am
by maxpz
Well, let me explain:
Instead of opening a range in the router for all my users like
192.168.1.1/24
I open a range for each user, like:
192.168.1.1/30 (mikrotik) and 192.168.1.2 (user1)
192.168.2.1/30 (mikrotik) and 192.168.2.2 (user2)
192.168.3.1/30 (mikrotik) and 192.168.3.2 (user3)
...
192.168.100.1/30 (mikrotik) and 192.168.100.2 (user100)
If I create only one range and put all my users there, they can see each other.
So, the way I'm using, they can only ping their gateway, which is the IP I add in the router for every user.
So they cannot ping any computer in another range (ex. 192.168.1.2 cannot ping 192.168.100.2),
but I still need to have some servers (file share...etc) and I want all my users to be able to see these servers (ex. all the users can ping 192.168.0.2-5)
I hope this helps...
Posted: Sun Aug 22, 2004 3:10 am
by signal
You just make rules to allow the networks you want to communicate, and then deny the rest. It would be very helpful if you would post what you have as far as rules.
Brian
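The "allow what you want, deny the rest" ruleset from the reply above, written out for the addressing maxpz describes (one /30 per user under 192.168.1.0/24 .. 192.168.250.0/24, servers in 192.168.0.0/28). This is an added example, not configuration posted by anyone in the thread; it assumes current RouterOS `/ip firewall` syntax, and the address-list names are my own. Because every user lives in a different /30, user-to-user packets have to cross the router, so they are caught in the forward chain:

```routeros
# Added example (not from the thread). Assumes RouterOS "/ip firewall"
# syntax and the addressing in maxpz's posts:
#   users   192.168.1.0/30 ... 192.168.250.0/30 (one /30 per user)
#   servers 192.168.0.0/28
# Filter rules are evaluated top to bottom; the first match wins.

/ip firewall address-list
add list=servers address=192.168.0.0/28 comment="file share, AV server"
# 192.168.0.0/16 covers every user /30. It also covers the server /28,
# which is why the "to servers" accept below must come before the drop.
add list=customers address=192.168.0.0/16

/ip firewall filter
# return packets of connections already accepted by the rules below
add chain=forward connection-state=established,related action=accept
# users may open connections to the servers
add chain=forward src-address-list=customers dst-address-list=servers action=accept
# servers may open connections to users (e.g. antivirus push); remove if not wanted
add chain=forward src-address-list=servers dst-address-list=customers action=accept
# anything else between two 192.168.0.0/16 addresses is user to user: drop it
add chain=forward src-address-list=customers dst-address-list=customers action=drop comment="no inter-customer traffic"
# traffic to other destinations (Internet) is not touched by these rules
```

Pings to the per-user gateway address (192.168.x.1) go to the router itself and are handled by the input chain, so they are unaffected. To check the policy, ping 192.168.0.2 and 192.168.100.2 from user1 and watch the packet counters with `/ip firewall filter print stats`: the first ping should increment the "to servers" accept rule, the second the drop rule.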
Posted: Sun Aug 22, 2004 6:16 am
by GJS
I think one very simple way to do this is to add an additional range (more properly called a subnet, I believe) for your servers and then add a static routing table entry for each user subnet to the server subnet.
This would not be very practical if you have a large number of subnets though.
This is an interesting question, though, as I believe that what you are trying to achieve is blocking inter-client traffic when they are all connected to one router interface. My clients are connected via an 802.11b access point which has this facility built-in. Maybe it would be better to use a switch (if your clients are hard wired) which has this facility? Then all clients could be on one subnet.
'Hope this helps.
Guy
Posted: Sun Aug 22, 2004 5:49 pm
by signal
Well if they were all in one subnet, then you could just have the MT reply-only to ARP. The servers imho should be off a different interface than the customers are behind.
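What the reply-only ARP suggestion looks like in RouterOS, as an added example that is not part of the post above. It assumes a single customer subnet 192.168.1.0/24 on a LAN interface called `ether2` (the name and the MAC addresses are made up for illustration). With `arp=reply-only` the router neither sends ARP requests nor learns entries dynamically, so only the hosts listed in the static ARP table get traffic back from it:

```routeros
# Added example (not from the thread). Assumes one customer subnet
# 192.168.1.0/24 behind LAN interface ether2 (assumed name) and
# made-up MAC addresses for the customer machines.

/interface ethernet
# router answers ARP but never learns or asks for neighbour MACs itself;
# neighbours are resolved only from the static /ip arp table below
set [ find name=ether2 ] arp=reply-only

/ip arp
add address=192.168.1.2 mac-address=00:0C:29:00:00:01 interface=ether2 comment="user1"
add address=192.168.1.3 mac-address=00:0C:29:00:00:02 interface=ether2 comment="user2"
# one static entry per customer; a host not listed here cannot get
# packets from the router, even with a correct IP configuration
```

This only governs frames between the router and the clients. Two clients on the same switch or access point still resolve each other's MAC directly and never need the router, so on its own this does not stop inter-client traffic; it does the job together with the client-isolation feature of the switch or AP mentioned in the previous post, and with the servers on a separate router interface as suggested above.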
Posted: Mon Aug 23, 2004 12:20 pm
by maxpz
thanks guys,