Shared Devices over Vlans

tcross41

Honorable
Jun 4, 2013
We have 6 PCs in our office, 2 of which connect to the home office over VPN. The other 4 never connect to the home office. When either of the 2 makes that VPN connection, their (home office) devices show up under our Windows network. I thought about just putting those 2 PCs on their own network by configuring VLANs on our router. However, all 6 PCs need access to a NAS drive and a network printer. Does anyone know how I can keep the home office devices from showing up in Windows network when either of those 2 PCs makes the VPN connection, while still allowing all of our computers access to the shared NAS and printer?
 

tcross41

Honorable
Jun 4, 2013


Thanks for replying. Can I connect devices over different subnets (VLANs) using their IP address while not being able to browse to each other through Windows Explorer? So, for example, the non-VPN PCs along with the NAS and printer would be on VLAN1 (192.168.1.1) and the 2 VPN PCs would be on VLAN2 (191.168.2.1). Under that scenario, would the VLAN2 computers be able to access the NAS by \\192.168.1.50\shared folder name, and the printer by configuring the port to 192.168.1.60, while also keeping all of the many users on the other side of the home office VPN from seeing all of our shared devices when they click on their Windows network?
 


As long as you have a 255.255.0.0 subnet for your network you should be able to access the NAS and the printers, since they are still in the range. Here at my office we have multiple subnets with a 255.0.0.0 address, and we are able to access the servers and NAS which are on one subnet; printers are on one subnet, and the computers are set on another. It all just depends if that's how the network is set up. I believe since they are essentially on the same network you will be able to see the printers unless you choose which users have the rights under group policy etc. to see the printers. But I believe that if you disable that service I mentioned on the computers, they will not automatically be able to see all the devices on the network and will need to browse to a certain IP address etc., but that can be easily obtained using an IP scanner if they know what subnet it's on etc.... too much hassle for an average user to set out on to search for a printer, but it isn't that hard to do.
 

choucove

Distinguished
May 13, 2011
Unfortunately, this method is only the "cheap fix" by basically hiding the network connections, but they are still accessible. This might be good enough for what you are needing, but if you are in any way required to follow HIPAA compliance, or have any kind of sensitive data (customer credit card, personal, or financial information, or employee records) then you have to do something different, as this simply isn't actually fixing the problem. It's like putting a newspaper over the dog's mess.

If you need to set up multiple networks and VLANs, then you need to properly segment things out and use access controls or a firewall access rule to allow or deny traffic between network VLANs. I'd also recommend looking into what it would take to set up a site-to-site VPN tunnel instead of having both of the two computers connect through VPN simultaneously to your home office. Not only is this often less secure, but it uses up more network resources and can be harder to administrate. Even a simple Sonicwall TZ 105 is capable of running up to four separate internal networks or VLANs, and multiple remote-to-site or site-to-site tunnels. Additionally, you can specifically set VPN traffic to allow access to only specific VLANs if you want.

Here is how I would recommend doing it.

Set up your computers that do NOT connect to the home office in VLAN101:
Default Gateway: 192.168.1.1
Subnet Mask: 255.255.255.192
Network Range: 192.168.1.2 - 62

Next, set the computers that DO need access to the home office through VPN to VLAN102:
Default Gateway: 192.168.1.65
Subnet Mask: 255.255.255.192
Network Range: 192.168.1.66 - 126

Then set your printers and servers to a third, shared VLAN103:
Default Gateway: 192.168.1.129
Subnet Mask: 255.255.255.192
Network Range: 192.168.1.130 - 190

In your router or firewall, you will block all network traffic originating from VLAN101 to VLAN102, and block all traffic originating from VLAN102 to VLAN101. However, allow all traffic from VLAN101 and VLAN102 to go to VLAN103 and vice versa. This will allow your separate VLANs to securely communicate to ONLY the right shared devices without actually communicating to one another. Then, if you set up your VPN rules properly you can restrict all VLAN traffic to only the VLAN102 network.
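The plan above can be checked before it is typed into a firewall. The following is an added example, not code from this thread or from any SonicWall product: it derives each VLAN's network from the gateway and mask given in the post, confirms the host ranges and that the three /26 blocks do not overlap, and then models the stated inter-VLAN policy (101 and 102 denied to each other, both allowed to and from 103) as a function a practitioner can run against candidate source/destination pairs. The VLAN names, the `ALLOWED_PAIRS` table and the default-deny for addresses outside the plan (for example the 10.x range the home office VPN hands out) are assumptions made for this illustration.

```python
import ipaddress

# VLAN plan constructed from the numbers in the post above.
VLAN_PLAN = {
    "VLAN101": {"gateway": "192.168.1.1",   "mask": "255.255.255.192"},  # non-VPN PCs
    "VLAN102": {"gateway": "192.168.1.65",  "mask": "255.255.255.192"},  # VPN PCs
    "VLAN103": {"gateway": "192.168.1.129", "mask": "255.255.255.192"},  # NAS / printers
}

# Inter-VLAN policy from the post: 101 <-> 102 denied, 101/102 <-> 103 allowed.
# (Assumed table for this example; a real firewall expresses the same thing as rules.)
ALLOWED_PAIRS = {
    ("VLAN101", "VLAN103"), ("VLAN103", "VLAN101"),
    ("VLAN102", "VLAN103"), ("VLAN103", "VLAN102"),
}


def vlan_networks(plan=VLAN_PLAN):
    """Derive each VLAN's IPv4 network from its gateway address and subnet mask."""
    nets = {}
    for name, cfg in plan.items():
        iface = ipaddress.IPv4Interface(f"{cfg['gateway']}/{cfg['mask']}")
        nets[name] = iface.network
    return nets


def host_range(name, plan=VLAN_PLAN):
    """First and last usable host address, excluding the gateway and broadcast."""
    net = vlan_networks(plan)[name]
    gw = ipaddress.IPv4Address(plan[name]["gateway"])
    hosts = [h for h in net.hosts() if h != gw]
    return str(hosts[0]), str(hosts[-1])


def check_no_overlap(plan=VLAN_PLAN):
    """True if no two VLAN networks overlap (a prerequisite for routing between them)."""
    nets = list(vlan_networks(plan).items())
    for i, (_, net_a) in enumerate(nets):
        for _, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                return False
    return True


def vlan_of(ip, plan=VLAN_PLAN):
    """Name of the VLAN containing ip, or None if it is outside the plan."""
    addr = ipaddress.IPv4Address(ip)
    for name, net in vlan_networks(plan).items():
        if addr in net:
            return name
    return None


def policy_decision(src_ip, dst_ip, plan=VLAN_PLAN):
    """Return 'allow' or 'deny' for a flow, judged only by source and destination VLAN.

    Traffic inside one VLAN never reaches the router, so it is reported as allowed.
    Addresses outside the plan (e.g. the home office's 10.x range) are denied by default.
    """
    src, dst = vlan_of(src_ip, plan), vlan_of(dst_ip, plan)
    if src is None or dst is None:
        return "deny"
    if src == dst:
        return "allow"
    return "allow" if (src, dst) in ALLOWED_PAIRS else "deny"


if __name__ == "__main__":
    for name in VLAN_PLAN:
        print(name, vlan_networks()[name], host_range(name))
    print("no overlap:", check_no_overlap())
    for s, d in [("192.168.1.70", "192.168.1.150"), ("192.168.1.70", "192.168.1.10")]:
        print(s, "->", d, policy_decision(s, d))
```

Note that this check models the router's view only: packets that travel inside a VPN tunnel terminating on one of the VLAN102 PCs are not visible to the router as separate flows, which is why the thread points at the PC itself (and the NAS's own access filters) for the home-office side of the problem.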
 


Ah, I see you use SonicWalls as well; they are very handy, especially how you explained it. I didn't even think of recommending a SonicWall at the time.
 

tcross41

Honorable
Jun 4, 2013


This is a good suggestion. Thank you. I should have clarified about the home office VPN. Both of those PCs are sent to us with pre-loaded software (including the VPN client), so I have no control over how that VPN connection is made. The solution you suggest will keep our other PCs separated, but the NAS would still be available through VLAN103. I guess there is no way around that. I plan to do the following:

1. Implement your suggestion.

2. Disable UPnP on the NAS. This will keep it from showing up just by clicking on network.

3. Set IP access filters on NAS.

That should be good enough, unless there is something else you would suggest. For example, I know the home office VPN assigns an IP in the 10.?.?.? range for those connections. Would there be a way to set a firewall policy to restrict that range from communicating over the LAN? Or does that tunnel bypass any router policies?
 

choucove

Distinguished
May 13, 2011
Since the computers are making the actual VPN connection, it shouldn't really have anything to do with your router settings. Only the computer itself should be the end of the VPN tunnel, so you shouldn't be able to control network access anywhere except for the computer itself. Still, if you set up the two groups of computers in separate VLANs, and set firewall access rules specifically to deny traffic between those two VLANs, then your other group of computers should not be able to see anything in that other VLAN including the VPN connection information. Use the third VLAN for shared devices such as servers and printers. Then you can allow each VLAN to have access to this shared VLAN network but they will still not be able to access each other.
 
Solution