Status
Not open for further replies.
1 - 7 of 7 Posts

·
Registered
Joined
·
1 Posts
Discussion Starter · #1 ·
I have two networks in the same office that want to share one multi-function printer. The printer is networked.

The setup is as follows:-

Network 1
----------
Netgear ADSL Router - DHCP Server, Internet Connection etc.
DHCP and Gateway address 192.168.0.1
IP Range 192.168.0.xx
Subnet 255.255.255.0
Approx 5 PCs, 4 of which have dynamic IP addresses assigned by Router, 1 has static IP and is used as pseudo server for file and printer sharing.


Network 2
---------
4 PCs all of which must have static IPs
IP Range: 192.168.0.xx (yes, the same as Network 1!)
No internet connection and don't want it
1 x Network Switch


Ideally, we want to allow just one PC on Network 2 to access the networked printer, but no access to internet.

If I changed the IP address range on network 1 to say, 192.168.1.xx, and obviously connected the router on Network 1 to the Switch on Network 2, would I be able to set up a static route on the PC in network 2 to be able to access the printer?

If so, how would I do that?

Or are there better ways to do it?

And (finally) if I wanted to in the future, would I be able to allow access to the internet to just one of the PCs on Network 2, using the internet connection provided by Network 1?

Thanks!
Tom
 

·
Registered
Joined
·
208 Posts
It depends on your network equipment. You are probably talking about consumer-level, junk equipment, so the answer is a possible “no” though there may be routing capabilities in some consumer equipment accessible via the web GUI.

To route between networks, there are a lot of rules.

You form LANs (Local Area Networks): Each LAN must have its own subnet AKA network number. i.e. 192.168.0.x/255.255.255.0 and another 192.168.0.x/255.255.255.0 is not going to work because they have the same network number, 192.168.0.0

Since your Subnet Mask is 255.255.255.0, that tells us the network portion of an address such as 192.168.0.17 would be 192.168.0 and the host portion is 17. Make sense?

For instance, your example:

192.168.0.x
255.255.255.0 (24 - Bit Subnet Mask)

This network has a Network Number of 192.168.0.0, which cannot be used by the hosts {computers, printers, servers, IP Phones ...} as an address. It is used specifically with Layer-3 network equipment (such as a Cisco Router) combined with a subnet to specify what network(s) to route traffic. In other words, if you wanted to configure a static route, you would specify the network number, subnet mask, and what to do with it - push the traffic through a specific interface on a network device, towards another IP address of another directly-connected device (even if through a line such as T-1), or tell a routing protocol such as OSPF or EIGRP to include that network in its routing updates, so other network equipment becomes aware of your device hosting that specific network.

A bit of info about your Network:

192.168.0/24 (Is the network)
192.168.0.0 (Network Number)
255.255.255.0 (Subnet Mask)
Subnet Mask is 24 Bits (hence /24 means the same thing)

192.168.0.255 (Is the Broadcast Address)
192.168.0.1 Through 192.168.0.254 (Usable IP Addresses for Connected Network Interfaces)

Okay, so now you know what is involved in IP Routing, it is good to know a bit about the OSI Model. Please read about the Media Layers {1, 2, 3} of the OSI model, so you understand how data travels in a network. http://en.wikipedia.org/wiki/OSI_model

Specifically, the Physical Layer is cabling, hubs, and equipment that does nothing but blindly push bits.

Data-Link Layer is Layer-2 and it is used predominantly in network switching. Essentially, it pushes frames (typically Ethernet frames) intelligently on a Local Area Network through the use of Interface to MAC-Address (Physical Address) mappings. Basically, switches learn what computer (or host) has a specific MAC address and store that in a table, so frames destined to that device do not need to get blindly broadcast to other devices (and later dropped), losing bandwidth as in a hub.

Layer-3 is the Network Layer dealing predominantly with routing traffic outside networks. Although IP addresses are used on LANs, too, if they are destined to an outside network, they do not belong to a directly attached network interface on a computer. The computer sends these packets to the default-gateway, which is a router’s interface on a LAN. From there, the router decides what to do with that packet. The mapping is generally to correlate Interfaces to Networks in that different interfaces sit on different networks and a router determines where to route the packets based on IP information & static/dynamic routing tables.

Your Solution:

Create two separate networks or subnets.

192.168.0.x/255.255.255.0 and 192.168.1.x/255.255.255.0 are fine; since 192.168.1 and 192.168.0 are different network portions, they can be routed.

Basically, you need to define the Default Gateway of each network and place a router with a directly-connected interface for each network.

Solution Example:

Network 1
192.168.0.x
255.255.255.0
192.168.0.1 (Gateway)

192.168.0.2 – 192.168.0.254 (Other stuff on the network)

Network 2
192.168.1.x
255.255.255.0
192.168.1.1 (Gateway)

192.168.1.2 – 192.168.1.254 (Other stuff on the network)

A Router with two (or more) Ethernet ports now sits between the two LANs. Provided the networks are directly-connected to the same router, it will work without the need to create routing tables. If these are connected to different routers, you need to setup routing tables via Static or Dynamic routing.

Ethernet Port 0 (on Router to Network 1 Switch): 192.168.0.1/255.255.255.0

Ethernet Port 1 (on Router to Network 2 Switch): 192.168.1.1/255.255.255.0

You know you have routing working when you can test connectivity with the PING command to a node or host on another network.

In other words, if you have a computer say 192.168.0.3/24 and you can PING 192.168.1.4/24, you know the routing was a success. Without routing, you cannot leave the 192.168.0.0/24 network.
 

·
Registered
Joined
·
208 Posts
twindy,

I wish to provide you some less abstract info.

Do change the IP addresses on your second network. From there, if it is possible in your consumer-router, tell it that the network port that connects the switch for your second network is on a different network.

The router almost definitely tells everything on Network 1 what its default-gateway is along with providing an IP address via DHCP, so Network 1 is ready to go.

From there, Network 2 needs to point to a reachable Default Gateway, which must be your router with one caveat. The IP Address of the Default Gateway for Network 2 must have an IP address that belongs to Network 2.

If your consumer Netgear, Linksys, D-Link whatever is smart enough, it may even host an entirely separate DHCP Pool for your second network, but I doubt it.

Regardless, if you can set your router up with interfaces directly connected to Network 1 and Network 2, the device will already be aware of the two networks as they are directly connected, and you should not need to setup static or dynamic routes.

Static and Dynamic routes just tell routers where to send traffic that does not belong directly to an IP scheme of a directly-connected network.




It may also be possible to buy two consumer routers and connect the INTERNET/WAN port of one to a network port on another. That would assign it a DHCP provided IP from the first, and it should automatically route the traffic. I would, however, recommend putting the DHCP on another IP range because overlapping IPs would be a definite problem. From there, you would need to turn off the firewall on the second router unless you want NAT and SPI on your own network(s).

The big thing about consumer equipment is that you cannot usually configure each interface on an individual level. At most, you tend to have dumb switches that at most have a management IP for a Web GUI and can connect your DSL or Cable Modem.



It is probably easiest with 9 computers/servers/printers to just buy a single switch and plug them all into the same LAN.

Good Luck
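
The addressing rules from the two replies above (distinct network numbers per LAN, a default gateway that belongs to its own LAN, and on-link versus routed delivery), as an added example that is not part of the original posts. The plan names and the `BAD_GW` case are constructed for illustration; the addresses come from the thread.

```python
import ipaddress

def describe(cidr):
    """Network number, broadcast and usable host range of a subnet."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())
    return {"network": str(net.network_address),
            "broadcast": str(net.broadcast_address),
            "first": str(hosts[0]), "last": str(hosts[-1])}

def check_plan(lans):
    """lans maps LAN name -> (subnet, gateway or None); returns a list of problems."""
    nets = {n: ipaddress.ip_network(c, strict=False) for n, (c, _) in lans.items()}
    problems = []
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):  # same network number cannot be routed
                problems.append(f"{a} and {b} overlap ({nets[a]} / {nets[b]})")
    for name, (_, gw) in lans.items():
        if gw is None:
            continue
        net, gw_ip = nets[name], ipaddress.ip_address(gw)
        if gw_ip not in net or gw_ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: gateway {gw} is not a usable address in {net}")
    return problems

def next_hop(src_ip, mask, gateway, dst_ip):
    """What a host does with a packet: deliver on-link or hand it to its gateway."""
    iface = ipaddress.ip_interface(f"{src_ip}/{mask}")
    if ipaddress.ip_address(dst_ip) in iface.network:
        return "on-link"
    return f"via {gateway}" if gateway else "unreachable"

# Constructed plans using the thread's addresses.
ORIGINAL = {"Network 1": ("192.168.0.0/24", "192.168.0.1"),
            "Network 2": ("192.168.0.0/24", None)}
FIXED = {"Network 1": ("192.168.0.0/24", "192.168.0.1"),
         "Network 2": ("192.168.1.0/24", "192.168.1.1")}
BAD_GW = {"Network 1": ("192.168.0.0/24", "192.168.0.1"),
          "Network 2": ("192.168.1.0/24", "192.168.0.1")}  # gateway outside its LAN

if __name__ == "__main__":
    for label, plan in (("original", ORIGINAL), ("fixed", FIXED), ("bad gw", BAD_GW)):
        print(label, check_plan(plan) or "ok")
    print(next_hop("192.168.0.3", "255.255.255.0", "192.168.0.1", "192.168.1.4"))
```

A Network 2 PC with no default gateway configured returns `unreachable` for any address outside its own subnet, which is why the renumbered PC needs either a gateway or a specific route before it can reach the printer.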
 

·
Super Moderator
Joined
·
82,234 Posts
I understand that you want to keep the two networks (mostly) separate.

Change the IP address range on one of them.

To allow internet access on one of the "isolated" computers use a second NIC to connect to the network that has internet access. Of course, this would also give that computer access to the other computers on that network; if that is a problem you would need to use appropriate file/folder permissions or a 3rd party firewall.

This would also be one way to give an "isolated" computer access to the printer.

Is your printer connected to the router or directly connected to one of the computers?
 

·
Retired Moderator
Joined
·
106,726 Posts
I wonder if you could use a USB printer switch and two print servers? It's a kludge, but it would solve the problem of isolating the networks.

The right way to do this is with a more intelligent gateway that supports ACLs and would allow you to configure the access rights properly between the networks.
 

·
Registered
Joined
·
208 Posts
Any intelligent network equipment such as a Router will support gateways and even switches will do ACLs if they are intelligent and have a full-featured Command Line Interface (probably not the case for a small 5 to 8 port switch).

If I set something like this up for a corporate network, I could just make an ACL that says one network cannot get Internet traffic. I.e. Deny port 80 TCP for a particular network with an Extended ACL.
 

·
Trusted Advisor
Joined
·
6,958 Posts
I'd like to know if there is a functional reason or requirement to keep the one group of computers on their own subnet. The simplest solution would be to merge both environments and set up a firewall rule to block the statically assigned IP PCs from having internet access. This is provided your router supports this. If it doesn't support this, you can get creative by maybe setting a time constraint which is normally used as a parental control to not allow any of the static PCs from ever having internet access.

If you are going to spend money to add an additional router to support a second subnet, I would spend a little extra and get a SMB router which supports additional secondary IP subnets. An example of a router which does this is the Netgear FVS 338. You can then keep both subnet schemes and have one router handle the traffic between subnets. The FVS 338 has provisions to configure both inbound and outbound firewall rules. This again conforms to keeping the hardware footprint as simple as possible. The only drawback to this setup is that you don't have full layer 2 isolation. To have full layer 2 isolation between subnets while using a single router, you would have to either have a router with at least 3 physical interfaces or a router which supports 802.1Q VLAN tagging which then necessitates a managed switch.
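
The ACL and firewall-rule approach raised in the replies above, modelled as first-match rule evaluation; this is an added example, not part of the original posts and not any vendor's syntax. It compares a rule set that denies only TCP port 80 with one that permits a single PC to the printer and denies everything else from Network 2. The printer address, the permitted PC, the outside host and raw printing on TCP 9100 are assumptions.

```python
import ipaddress

NET2 = "192.168.1.0/24"      # Network 2 after renumbering, as proposed in the thread
ANY = "0.0.0.0/0"
PC = "192.168.1.10"          # assumed: the one PC allowed to print
PRINTER = "192.168.0.50"     # assumed printer address on Network 1
OUTSIDE = "203.0.113.10"     # documentation-range address standing in for the internet

# Rule: (action, protocol, source net, destination net, destination port or None)
PORT80_ONLY = [("deny", "tcp", NET2, ANY, 80),
               ("permit", "ip", NET2, ANY, None)]
PRINTER_ONLY = [("permit", "tcp", PC + "/32", PRINTER + "/32", 9100),
                ("deny", "ip", NET2, ANY, None)]

def evaluate(acl, proto, src, dst, dport):
    """Return the action of the first matching rule; no match means deny."""
    for action, r_proto, r_src, r_dst, r_port in acl:
        if r_proto not in ("ip", proto):
            continue
        if ipaddress.ip_address(src) not in ipaddress.ip_network(r_src):
            continue
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(r_dst):
            continue
        if r_port is not None and r_port != dport:
            continue
        return action
    return "deny"

# Constructed flows leaving Network 2 toward the router.
FLOWS = {"pc->printer": ("tcp", PC, PRINTER, 9100),
         "other->printer": ("tcp", "192.168.1.11", PRINTER, 9100),
         "pc->http": ("tcp", PC, OUTSIDE, 80),
         "pc->https": ("tcp", PC, OUTSIDE, 443),
         "pc->dns": ("udp", PC, OUTSIDE, 53)}

def audit(acl):
    """Evaluate every constructed flow against an ACL."""
    return {name: evaluate(acl, *flow) for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for label, acl in (("deny tcp/80 only", PORT80_ONLY), ("printer only", PRINTER_ONLY)):
        print(label, audit(acl))
```

With the port-80-only rule set, HTTPS and DNS from Network 2 are still permitted; the printer-only rule set passes the single printing flow and denies the rest.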
 