Creating two networks

[Graham M]

Yep thats no problem, if you wanted to view them from outside using my method you would have to forward the port required from the first router to the cafe router and then from the cafe router to the camera(s)

[popper]

Quote:

Originally Posted by DaiNasty

How would you handle DHCP on a twinned setup like that?

pritty simple , you just need to remember not to use the same Ip ranges on both the second and 3rd routers (or 4th/5th etc) or the master net<===>router/gateway gets confused as it trys to sort out the incomeing and outgoing packets from both.

but in this case its even easyer, as he wants only fixed IPs for the office router (so that DHCPd can be turned off)and so only needs to make sure the single cafe router DHCPd doesnt use the same office IP range or it might give out an already fixed IP thats in use by an office PC.

the office LAN side might use 192.168.0.* and so the cafe might use 192.168.1.* or 10.0.0.* for its LAN side DHCPd range , it doesnt matter as long as your master router can route all the traffic to were it needs to go.

so a good plan of your sections is a very good thing to write down so you dont forget and assign duplicate Ip ranges that might one day come back and bite your master router/gateway.

---------- Post added at 13:11 ---------- Previous post was at 12:48 ----------

Quote:

Originally Posted by Graham M

Yep thats no problem, if you wanted to view them from outside using my method you would have to forward the port required from the first router to the cafe router and then from the cafe router to the camera(s)

or OC depending on how these cafe cams work (we are assuming IP lan connected video cams at the moment) then you could also probably use that Mtunnel+VLC and stream them on different 224.0.0.1:7777 :7778 etc to any VLC client on the office side.

but iv not found any good IP streaming video app that takes several MultiCast IP video feeds as input and turns them into a single multi stream Picture in Picture video outgoing stream.

although VLC can probably do it, but you need to be a CLI/shell wize to work that VLC shell magic, so if you work it out, tell us the full working line command .

[Uncle Peter]

For good measure I wouldn't fancy going down the route of giving either the office or cafe clients free reign over the connection or relying on the crude firewall implentations in these domestic routers so going forward it might be worth looking at squid/iptables or ISA (depending on which camp you're in) behind the master/wan router. It'll fit in nicely with your 3 router setup.

[popper]

also another thing to consider installing in the master/router1 section is a bandwidth control app (yes thats STM but YOUR in control of how it gets used, when and for what, and your the one paying for your service so thats fine) so that the cafe users dont inadvertently take all the limited upload/download bandwidth away from the office LAN use, or the office from the cafe if you prefer....

you could use one of the 3rd party firmwares for the wireless router and use the throttling app that way if you prefer, but on the linux firewall PC is probably better and easyer to control/log etc.

you could even probably make a slax booted USB2 key and put these firewall/STM apps etc on that if you dont want a HD/cd installed and have a junk PC that usb/network boots.

[Azmandius]

So much information and help i get from you fellows that it takes me some time to digest it .
So, i decided to clarify one more time (for my self actually ) what devices i have and how do i have connected them, and is it right or not.

In the attached image you can see the final current network architecture which shows that actually office computers together with cafe cash computer and video camera device are in the network n#1, and only wireless internet connection for cafe users makes the network n#2.
That is how i want it.
In this case which suggestion is best, Graham's or Zeph's?

Up to the Wireless Router everything is working already fine, with static IPs (as should be).
All i need to do now is to make wireless internet possible for cafe via dynamic IPs and stop cafe visitors from being able to see my local network IPs/machines (unless they physically connect to the hub in the cafe via regular wire).

Thank you and sorry for being a dummy.

[Graham M]

No not a good idea, because with a bit of ingenuity you could easily access the office PCs from the Cafe network oh and Graham IS Zeph

[Azmandius]

Quote:

Originally Posted by Graham M

No not a good idea, because with a bit of ingenuity you could easily access the office PCs from the Cafe network

via wireless only?

Quote:

Originally Posted by Graham M

oh and Graham IS Zeph

Oops...

[Graham M]

Quote:

Originally Posted by Azmandius

via wireless only?

Yep it's still the same network.

[Azmandius]

I think now i got it.
As long as wireless device is touching LAN area directly in any way, hacking office PCs is very probable, right?

[popper]

Quote:

Originally Posted by Graham M

No not a good idea, because with a bit of ingenuity you could easily access the office PCs from the Cafe network oh and Graham IS Zeph

Nope, not any more he's not, not since he offered to become a MOD , he's only Zeph when he's playing online games.

assuming your going to put a linux firewall and throttling app on there some time, your short one router and one old PC good enough to install /CD/network/or USB boot the linux and apps IF your going for the 3 router way.

these pictures are a good thing to clarify stuff ,perhaps we need a sticky with generic pictures we can cut and paste into paint and pop in this and other slightly more advanced networking threads were its needed to make it clearer Mr MOD

[Uncle Peter]

Quote:

Originally Posted by Azmandius

I think now i got it.
As long as wireless device is touching LAN area directly in any way, hacking office PCs is very probable, right?

It's possible but probable? depends who comes into your cafe

I didn't realise that it was a public cafe. I originally thought it was a chillout place for employees.

[popper]

Quote:

Originally Posted by Azmandius

I think now i got it.
As long as wireless device is touching LAN area directly in any way, hacking office PCs is very probable, right?

yep, thats right, to be clear, if its touching any other LAN section other than its own (wireless) section, it can be hacked as in see the data for that other LAN section by anyone willing to go to the trouble of running wireshark etc.

the WAN-to-LAN routing NAT stops that cold, unless you open up the ports and forward them on purpose to other sections on them open ports.

as in, port forwarding your master router to pass gaming ports to your cafe for instance but it cant get past the router2 WAN-to-LAN NAT so your fine.

make it go on the WAN section and have that linux firewall/throttler on the master router1

net<===> master-router1/gateway<===> firewall/throttler/other apps<===> router2/3/4/5 sections were you can put your wireless and other bits etc.

[Azmandius]

Quote:

Originally Posted by Uncle Peter

I originally thought it was a chillout place for employees.

Sorry, forgot to mention its a public esoteric shop with a public chillout cafe.

---------- Post added at 18:32 ---------- Previous post was at 16:56 ----------

As a conclusion i should understand that the best secure way for me is:

I still want to make sure i will be able to push cash PC data and video camera stream through that cafe router towards the office PC for administration. If so how will i do that?

[Graham M]

Connect the Cash PC to the Office router and forward the ports for the video camera?

[Uncle Peter]

Quote:

Originally Posted by Azmandius

I still want to make sure i will be able to push cash PC data and video camera stream through that cafe router towards the office PC for administration. If so how will i do that?

The easiest way to do it is just run a cat5 patch from your office lan to a switch or hub in your cafe area and plug the cash pc and camera host into that. Saves messing about with port forwarding rules although the physical connection could theoretically be compromised.