# Isolating a PC on my local network



## Mikuro (Jun 19, 2008)

I recently got a Windows PC for free, and I want to hook it up to the Internet, but I'd like to isolate it from the rest of my local network. (For the security of my Macs, I do not want a Windows PC running wild and free behind my firewall!)

I have a cable modem, and I currently share the internet connection with a few Macs on my local network.

What I would like to do is make it so that anything going from the PC to my Macs would be treated just like it came from the internet, and all computers would have internet access. (File sharing between my Macs and the PC is not my top priority.)

It seems like I should be able to rig this up if I use two routers, but I'm not sure exactly how. I have two ideas. (Let's call the router connected to all my Macs the "primary router" and the one connected to the PC the "sandbox router".)

1. I could connect the sandbox router's WAN port to the primary router (so it would go cable modem -> primary router -> sandbox router), and then connect the Windows PC to the sandbox router and put it on a different subnet than my Macs (say 192.168.*1*.x instead of 192.168.*0*.x, with subnet masks of 255.255.255.0). Would that work, or would the primary router still see anything coming out of the sandbox router as local, since the router itself would have a local IP (as far as the primary router is concerned)?

2. I could do the reverse and plug the primary router's WAN port into the sandbox router (so it would go cable modem -> sandbox router -> primary router). That way anything coming into my Macs from the sandbox would NEED to go through the primary router's WAN port, which I assume would mean the firewall would filter it.  I'd rather not have two routers between my Macs and the Internet for ease of configuration, so would it be okay if I put the primary router in the sandbox's demilitarized zone? Since the primary router would use its own firewall, that would be just like my current one-router setup as far as the Macs are concerned, right?

Which (if either) of these is right/better? I'm not sure what makes sense, and this is not something I want to leave to trial and error.

Any insight would be appreciated.


----------



## Mediocer (Jun 19, 2008)

I have some ideas for you, but I have a question first. What are you trying to accomplish? Do you not want your PC to infest your Macs with junk?

We can set up your router, which is crazy, but fun, or apply a firewall to your PC -> simpler and just as effective, since you have a router that is a hardware firewall.

Let me know, I'll have a better answer.

Mediocer


----------



## Mikuro (Jun 20, 2008)

Mediocer said:

> What are you trying to accomplish? Do you not want your PC to infest your Macs with junk?

Yes, and I also don't want it to have access to local-only things like file sharing and SSH. If the PC were to be compromised, I'm worried that it could exploit these things to reach my Macs, essentially bypassing my firewall. I'm not so much worried about it infecting my Macs, since viruses that spread from Windows to Macs don't exist, but I am concerned with it compromising the data on my Macs.

I'd be happy to simply reconfigure my router, which is a Linksys WRT54G v6. I didn't see any options in the configuration system that looked promising, though. I'd also be happy using two routers in whatever configuration as long as it didn't interfere with my Macs' ability to use things like UPnP (I don't really care if the PC can).

Ideally, I'd like to do this without delving into Windows, because I do not trust Windows — or my own ability to properly configure/maintain Windows indefinitely — all that much.

Thanks for the reply.


----------



## Mediocer (Jun 20, 2008)

With Windows machines, they only become infected or compromised because of lack of security and the type of internet sites you go to. This really isn't something you need to worry about unless you are looking for trouble. Having a router is the most important step.

Having two routers hooked together is not the best way; they will not talk to each other and will most likely conflict, unless you have them configured correctly. You can try it out, just plug things in. If your hookup is modem->r1->r2, I would put your PC on r1 and your Mac on r2. This is not recommended; you may be diving into router forums.

The best thing I would do, as I use both sides, is to download a firewall on your PC to prevent unwanted outgoing and incoming network activity.  Also, don't forget the AV.

For antivirus I use AVG (download the free version) on my Vista and Avast on my XP 64-bit. For both I use the firewall Comodo Firewall Pro. All are free and are highly rated.

If you want an all-in-one product, Kaspersky Internet Security is great, but costs around 80 USD. Others may have other ideas or suggestions for software.

Because you received this machine for free, I would either do a fresh install of Windows, if you have the CD, or at least scan the machine.

Set strong passwords on your Mac and disable SMB sharing along with remote login, if you don't use it. If you do, set the correct access so that only certain users can ssh in.


----------



## Mikuro (Jun 20, 2008)

Thanks for the advice on Windows apps. I've already done a clean install of XP, and I do have some antivirus software, but it's a bit overwhelming. SpyBot's already driving me nuts with its constant alerts! I have AVG installed, but haven't really used it yet. I'll definitely check out Comodo Firewall.



Mediocer said:

> Having two routers hooked together is not the best way; they will not talk to each other and will most likely conflict, unless you have them configured correctly. You can try it out, just plug things in. If your hookup is modem->r1->r2, I would put your PC on r1 and your Mac on r2. This is not recommended; you may be diving into router forums.

That's what I'm really worried about, conflicts and other problems with two routers. It doesn't matter to me if the routers don't talk to each other — that's the idea, really — but I'm a little concerned about configuring it to allow seamless Mac usage. I'm really wondering if enabling the DMZ (demilitarized zone) on router 1 (the sandbox) pointing to router 2 (primary, connected to the Macs) would work well. I've never used DMZ before, since it seemed like nothing more than a security hole, so I'm not entirely sure how it works.

Like I said, I'd really like to avoid relying on Windows or Windows software to keep my local network protected. I don't have confidence in software firewalls in general, to be honest. More importantly, I have this computer primarily to mess around with it, so at some point I'm bound to open up a security hole or two accidentally.

That's why I really want to get a hardware firewall between my Macs and the PC.

I already have an old router I can use as a sandbox, so I might just mess around with the configuration, and put one of my Macs in the sandbox to verify that it works before connecting the PC.


----------



## Mikuro (Jun 21, 2008)

I've been hammering away at it for a while now, taking one of my Macs and putting it in the sandbox. At first, everything "just didn't work". Turns out neither of my routers likes having its WAN device hot-swapped. Power cycling all devices after every change made things a lot smoother!

Your recommendation of putting the Macs on the second router was right. Option #1 is completely wrong, because as I feared, if you make the sandbox router a client on the primary router, everything coming from the sandbox is treated as local. That means the sandbox has access to the primary LAN. Auto-discovery does not work, but I CAN manually ssh into the IPs if I know them, and I can also access BOTH router configuration pages from the 'sandboxed' machine. So it's not much of a sandbox... more like an ivory tower!

However, reversing it as in option #2 — making the primary router a client on the sandbox — seems to be working just fine. I CANNOT access the primary machines from the sandboxed machines, but I CAN access the sandboxed machines from the primary machines. I CANNOT access the primary router's configuration from the sandboxed machines. UPnP on the primary machines works when I set the sandbox router's DMZ to the primary router's address.

Honestly, that surprised me. As I said, I'm not entirely clear on how DMZs are supposed to work. On Wikipedia it says that "Hosts in the DMZ should not be able to establish communication directly with any other host in the internal network," but it seems like that is not the case here. Hmm. Is that not a universal trait of DMZs, or is it a sign of a problem?

I'm going to leave my network running like this (without introducing the PC) for a while and see if any problems arise. I'd still love to hear any tips, or any potential problems I may have overlooked.

To summarize, this is the setup that seems to work:

- Cable modem connects to sandbox router's WAN port.
- Sandbox router's client port 1 connects to the primary router's WAN port. Other client ports connect to the PC you want to isolate.
- Primary router uses DHCP to get an IP address (e.g., 192.168.100.100) on the sandbox router. (Note: this IP _should_ be set statically instead of using DHCP, to prevent the IP from changing and exiting the DMZ. I was just too lazy to do it right the first time. I will change it later.)
- Sandbox router's DMZ is set to the primary router's IP (192.168.100.100).
- All Macs connected to the primary router continue using their pre-existing settings, and get the same IPs they got before (e.g., 192.168.0.x).

I have not had time to test this extensively, so YMMV.
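The two layouts compared in this thread, and the DMZ question raised above, can be checked against a small model of how a consumer NAT router forwards an *unsolicited* connection. The Python below is an added example, not code from the thread or from Linksys; it encodes three rules (same-LAN hosts reach each other directly; non-local traffic is NATed out of the WAN port onto whatever LAN that port is plugged into, or lost at the ISP; traffic arriving at a router's WAN address is dropped unless a "DMZ host" is set, in which case it all goes to that one host) and reproduces the results reported in the thread: in option 1 the sandbox router's NATed traffic lands on the primary LAN and looks local, while in option 2 the primary router's own NAT firewall blocks everything from the sandbox. It also shows why the consumer "DMZ host" setting does not match the Wikipedia definition: it is a forwarding rule on the upstream router, not a separate network segment, so it does nothing to stop the DMZ host and its LAN neighbours talking to each other. Subnets follow the thread's values; the individual host addresses and names are constructed for the example.

```python
"""Where does an unsolicited connection end up in each two-router layout?

Constructed model (added example, not from the thread). Rules, as on a
consumer NAT router such as the WRT54G:
  1. hosts on one LAN reach each other and the router's admin page directly;
  2. a packet for a non-local address is NATed out of the WAN port onto the
     upstream LAN, or to the ISP (and lost) when the WAN port is on the modem;
  3. a packet arriving at a router's WAN address is dropped unless a "DMZ host"
     is set, in which case it is forwarded to that single host.
Subnets follow the thread (192.168.0.x, 192.168.1.x, 192.168.100.100); the
host addresses themselves are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass
class Router:
    name: str
    lan: IPv4Network                # subnet served on the LAN ports
    lan_ip: IPv4Address             # LAN-side address (admin page)
    wan_ip: Optional[IPv4Address]   # address on the upstream LAN; None = plugged into the modem
    upstream: Optional["Router"]    # router whose LAN the WAN port is plugged into
    dmz: Optional[IPv4Address] = None  # consumer "DMZ host" setting


@dataclass
class Host:
    name: str
    ip: IPv4Address
    lan: Router                     # router whose LAN port the host is plugged into


def deliver(segment: Router, dst: IPv4Address,
            routers: list[Router], hosts: list[Host]) -> Optional[str]:
    """Name of what receives an unsolicited packet to `dst` travelling on
    `segment`'s LAN, or None if it is dropped."""
    # Rule 1: local host or local admin page -> delivered, no firewall involved.
    for h in hosts:
        if h.lan is segment and h.ip == dst:
            return h.name
    if dst == segment.lan_ip:
        return f"{segment.name} admin page"
    # Rule 3: dst is the WAN address of a router hanging off this LAN.
    for r in routers:
        if r.upstream is segment and r.wan_ip == dst:
            if r.dmz is None:
                return None                         # its NAT firewall drops it
            return deliver(r, r.dmz, routers, hosts)  # forwarded to the DMZ host
    if dst in segment.lan:
        return None                                 # local address, nobody there
    # Rule 2: not local -> NATed out of the WAN port.
    if segment.upstream is None:
        return None                                 # private address sent to the ISP
    return deliver(segment.upstream, dst, routers, hosts)


def from_internet(edge: Router, routers: list[Router], hosts: list[Host]) -> Optional[str]:
    """Unsolicited connection from the Internet hitting the router on the modem."""
    return None if edge.dmz is None else deliver(edge, edge.dmz, routers, hosts)


def reach(src: str, dst: str, routers: list[Router], hosts: list[Host]) -> Optional[str]:
    """Unsolicited connection from host `src` to address `dst`."""
    source = next(h for h in hosts if h.name == src)
    return deliver(source.lan, ip_address(dst), routers, hosts)


def option1():
    """modem -> primary -> sandbox: the sandbox router is a client on the primary LAN."""
    primary = Router("primary", ip_network("192.168.0.0/24"), ip_address("192.168.0.1"), None, None)
    sandbox = Router("sandbox", ip_network("192.168.1.0/24"), ip_address("192.168.1.1"),
                     ip_address("192.168.0.100"), primary)
    return [primary, sandbox], [Host("Mac", ip_address("192.168.0.5"), primary),
                                Host("PC", ip_address("192.168.1.5"), sandbox)]


def option2():
    """modem -> sandbox -> primary, sandbox DMZ pointed at the primary router's WAN address."""
    sandbox = Router("sandbox", ip_network("192.168.100.0/24"), ip_address("192.168.100.1"), None, None)
    primary = Router("primary", ip_network("192.168.0.0/24"), ip_address("192.168.0.1"),
                     ip_address("192.168.100.100"), sandbox)
    sandbox.dmz = primary.wan_ip
    return [sandbox, primary], [Host("Mac", ip_address("192.168.0.5"), primary),
                                Host("PC", ip_address("192.168.100.50"), sandbox)]


if __name__ == "__main__":
    for label, (routers, hosts) in (("option 1", option1()), ("option 2", option2())):
        print(label)
        for src, dst in (("PC", "192.168.0.5"), ("PC", "192.168.0.1"), ("Mac", str(hosts[1].ip))):
            print(f"  {src} -> {dst}: {reach(src, dst, routers, hosts) or 'dropped'}")
        print(f"  Internet -> edge router: {from_internet(routers[0], routers, hosts) or 'dropped'}")
```

Running it prints, for option 1, that the PC reaches both the Mac and the primary router's admin page, and, for option 2, that the PC reaches neither while the Mac still reaches the PC. The last line of each block is the point about the DMZ: with the sandbox router's DMZ aimed at the primary router's WAN address, an unsolicited connection from the Internet is handed straight to the primary router, whose own NAT firewall drops it, which is why the Macs see the same protection they had with one router. The model does not cover connections the inside initiates (normal browsing, UPnP port mappings), which is why UPnP keeps working through the DMZ.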


----------

