VOGONS


hey network gurus, question for you


First post, by candle_86


OK, so my main machine runs dual gigabit NICs (it's an MSI Gaming 970) plus a wireless N wifi card for internet. Now I share my wifi with my network port 1, which then goes into a gigabit switch and is then connected to other computers.

Computer and OS are listed below

Kirk - windows 8.1 Pro (main Machine that shares the internet with other computers)
Spock - Windows XP Nforce3 Ultra Gigabit
McCoy - Windows 2000 875p Gigabit
Scotty - Windows ME KT333 10/100
Chekov - Windows 98 KT133A 10/100

Now what I want to do is disable these machines' ability to be browsed from the home network, but I want them to have internet access and access to my FTP server etc. So how would I filter it so my computer doesn't forward internal network requests to these machines?

Network setup is as follows:

Main home network = 192.168.0.xxx

Personal network between machines

Kirk hosts network at 192.168.137.1
Spock Static 192.168.137.2
McCoy Static 192.168.137.3
Scotty Static 192.168.137.4
Chekov Dynamic (for some reason when I assign a static IP it can no longer browse the network; that's another thing to figure out later)

But how would I segment these machines but still allow them internet access?

Reply 1 of 24, by QBiN

candle_86 wrote:

Now what I want to do is disable these machines' ability to be browsed from the home network, but I want them to have internet access and access to my FTP server etc. So how would I filter it so my computer doesn't forward internal network requests to these machines?
...
But how would i segment these machines but still allow them internet access?

So are you trying to prevent other wired or wifi computers from browsing your PCs?

So, first, I would say, if you're trying to prevent access from other wired hosts, you'll have to turn off file sharing on all the PCs individually. This is because any other computer plugged into your switch is on the same subnet and LAN as your PCs... meaning they are peers. There would be no central place to block that access other than the PCs themselves.

If you're trying to prevent internet users or other wifi users from browsing your PCs, I don't think you have to worry. Windows' Internet Connection Sharing includes a stateful NAT firewall that should prevent other computers outside of your LAN from making unsolicited connections to your LAN PCs.

Reply 2 of 24, by candle_86


I'm trying to prevent other users not on my switch from browsing. I've got another IT guy that is renting a room in this house I am in, and I've caught him inside my computer twice now; the landlord doesn't care and I'm just generally annoyed. My Windows connection sharing firewall is not preventing him from being able to see my other computers.

Reply 3 of 24, by alexanrs


I'd try getting some miniITX Atom and use pfSense as a dedicated router... Or get a WiFi router, install Open-WRT (make sure you get a well supported router) and use it as a WiFi client. This should isolate your personal network well.

Reply 4 of 24, by candle_86

alexanrs wrote:

I'd try getting some miniITX Atom and use pfSense as a dedicated router... Or get a WiFi router, install Open-WRT (make sure you get a well supported router) and use it as a WiFi client. This should isolate your personal network well.

All right, I'll try that, thank you.

Reply 5 of 24, by obobskivich

candle_86 wrote:

I'm trying to prevent other users not on my switch from browsing. I've got another IT guy that is renting a room in this house I am in, and I've caught him inside my computer twice now; the landlord doesn't care and I'm just generally annoyed. My Windows connection sharing firewall is not preventing him from being able to see my other computers.

I'm not a lawyer, but this may actually be criminal depending on your jurisdiction and what he's actually doing. Might be something to look into; if "IT guy" won't respond to the threat of legal action (assuming there actually is some avenue here), maybe "land lord" will (there may also be some aspect of renter's rights in your jurisdiction that can compel "land lord" to care). Just a thought more than anything else.

In terms of isolating your equipment, a router of some sort is the best bet. Set it up to treat the LAN as if it were the open web (with appropriate firewalls and whatnot), and it should isolate fairly well. Also remember to globally kill outbound 139 and 445 at the router (to (at least help) work around SMB Redirect attacks, which all versions of Windows are vulnerable to - if you kill it on local machines it can cause problems for internal SMB shares).

If you're tied to receiving the Internet thru WiFi then a thick client could make sense, otherwise some sort of embedded/net device would probably be fine (what I mean here is, you could go into Best Buy and just get "a router"). There's plenty of custom firmware options for embedded devices, like OpenWRT, HyperWRT, Tomato, etc. There's also plenty of router/gateway distros for thick clients, like pfSense, SmoothWall, IPFire, OPNsense, etc. If you go the thick client route, an Atom is a good choice for power efficiency, but if you have some older machine it will probably work fine too - you won't need significant processing power for such a small network.

Some other things to consider: WiFi is inherently unsafe, so if you can switch to a wired connection that would be advantageous. Even if you have your own router, the WiFi connection can be cracked, whereas if you're all wired, that wiring has to be violated in some way (e.g. "IT guy" breaks into your apartment/condo/whatever-it-is to attach to the wiring, and at that point it IS a criminal offense, and you also probably have bigger problems than him snooping your PCs 😵). Wired also tends to perform better. 😊

Finally, instead of sharing an ISP with "IT guy" can you simply procure your own connection? I'd still hook it up thru a router of some sort, but it'd be otherwise separate from this other person.

Reply 6 of 24, by candle_86

obobskivich wrote:
candle_86 wrote:

I'm trying to prevent other users not on my switch from browsing. I've got another IT guy that is renting a room in this house I am in, and I've caught him inside my computer twice now; the landlord doesn't care and I'm just generally annoyed. My Windows connection sharing firewall is not preventing him from being able to see my other computers.

I'm not a lawyer, but this may actually be criminal depending on your jurisdiction and what he's actually doing. Might be something to look into; if "IT guy" won't respond to the threat of legal action (assuming there actually is some avenue here), maybe "land lord" will (there may also be some aspect of renter's rights in your jurisdiction that can compel "land lord" to care). Just a thought more than anything else.

In terms of isolating your equipment, a router of some sort is the best bet. Set it up to treat the LAN as if it were the open web (with appropriate firewalls and whatnot), and it should isolate fairly well. Also remember to globally kill outbound 139 and 445 at the router (to (at least help) work around SMB Redirect attacks, which all versions of Windows are vulnerable to - if you kill it on local machines it can cause problems for internal SMB shares).

If you're tied to receiving the Internet thru WiFi then a thick client could make sense, otherwise some sort of embedded/net device would probably be fine (what I mean here is, you could go into Best Buy and just get "a router"). There's plenty of custom firmware options for embedded devices, like OpenWRT, HyperWRT, Tomato, etc. There's also plenty of router/gateway distros for thick clients, like pfSense, SmoothWall, IPFire, OPNsense, etc. If you go the thick client route, an Atom is a good choice for power efficiency, but if you have some older machine it will probably work fine too - you won't need significant processing power for such a small network.

Some other things to consider: WiFi is inherently unsafe, so if you can switch to a wired connection that would be advantageous. Even if you have your own router, the WiFi connection can be cracked, whereas if you're all wired, that wiring has to be violated in some way (e.g. "IT guy" breaks into your apartment/condo/whatever-it-is to attach to the wiring, and at that point it IS a criminal offense, and you also probably have bigger problems than him snooping your PCs 😵). Wired also tends to perform better. 😊

Finally, instead of sharing an ISP with "IT guy" can you simply procure your own connection? I'd still hook it up thru a router of some sort, but it'd be otherwise separate from this other person.

Current situation is this: I rent a room in someone's house to save money, as I'm single and simply prefer roommates since my last apartment got broken into in broad daylight, and a 65in TV, my desktop, my Xbox, my PS3, my Genesis, N64 and microwave walked out the door, on a Saturday at 11am. None of the neighbors noticed, they claim. So I simply do not wish to live by myself, for security reasons. My landlord pays for the internet connection, and thus it is wifi; I can pay for a mobile hotspot, but it's expensive and has limited bandwidth. As for a wired connection, that wouldn't solve the problem of access to my other computers. My main Windows 8 box hasn't been touched by him; he likes playing around inside my Windows ME and 2000 boxes. He hasn't harmed them, but he has moved things around, and even replaced my wallpaper. I'd block his connection but he uses DHCP, so I'd have to block all addresses besides 192.168.137.1-5 as well as 192.168.0.1, which is the router, and when I tried that it didn't work so well.

Reply 7 of 24, by QBiN

candle_86 wrote:

I'm trying to prevent other users not on my switch from browsing. I've got another IT guy that is renting a room in this house I am in, and I've caught him inside my computer twice now; the landlord doesn't care and I'm just generally annoyed. My Windows connection sharing firewall is not preventing him from being able to see my other computers.

Sounds like something could be misconfigured. That being said, the suggestion of loading pfSense is a good one. When you say you've caught him inside your computer twice now, can you elaborate more on what you observed to determine he was in fact "in your computer"? It would be fairly difficult to casually catch someone browsing a shared folder. If he's using RDP or VNC and you see him controlling your desktop, that would be dramatically more serious.

Reply 8 of 24, by obobskivich

candle_86 wrote:

Current situation is this: I rent a room in someone's house to save money, as I'm single and simply prefer roommates since my last apartment got broken into in broad daylight, and a 65in TV, my desktop, my Xbox, my PS3, my Genesis, N64 and microwave walked out the door, on a Saturday at 11am. None of the neighbors noticed, they claim. So I simply do not wish to live by myself, for security reasons. My landlord pays for the internet connection, and thus it is wifi; I can pay for a mobile hotspot, but it's expensive and has limited bandwidth. As for a wired connection, that wouldn't solve the problem of access to my other computers. My main Windows 8 box hasn't been touched by him; he likes playing around inside my Windows ME and 2000 boxes. He hasn't harmed them, but he has moved things around, and even replaced my wallpaper. I'd block his connection but he uses DHCP, so I'd have to block all addresses besides 192.168.137.1-5 as well as 192.168.0.1, which is the router, and when I tried that it didn't work so well.

With a separate connection you'd want a router, which would eliminate the connectivity problems for other machines (it would take the 'net in, and kick out a LAN; just like landlord's router is doing right now). It would also be separated from this guy. I wouldn't do a mobile hotspot though. If you went with a stand-alone router, like alexanrs suggested, it'd do effectively the same thing, but connect to the landlord's network as another "hop" before going out to the Internet. Currently that's what you're trying to have the Win8 box (Kirk) do with ICS, and it may simply be a matter of better configuring the firewall rules there to get what you want.

Question on your current configuration, however:

You have the WiFi connection hooked up to the landlord's network, and then you're using what to generate the output for your personal network? ICS? Or did you bridge the connections?

It should be set up via ICS, and ideally you selected "Public" for the landlord's network, and "Private" for your internal ring of machines. In principle this should secure your "internal network" of machines (e.g. Spock, McCoy, etc.) via the ICS Firewall on your gateway machine (Kirk). I'd also kill UPnP (or restrict it, if you need it for some functionality on the landlord's network).

Blocking him (and anyone else on the landlord's LAN) via the firewall shouldn't be too hard either. Firstly, there's no reason to block 192.168.137.x addresses because that's the "internal ring" (e.g. Spock to Kirk - he isn't connected as a peer to Spock, he's connected as a peer to Kirk, so blocking Spock's peers is irrelevant), but you could block (from Kirk) everything except the gateway and DHCP server (they may have separate addresses - run tracert and ipconfig and figure out exactly where things are going). So for example say the gateway is 192.168.0.1, and the DHCP server is at 192.168.1.1, block everything else from 192.168.0.2 -> 192.168.0.255, and 192.168.1.2 -> 192.168.1.255, all ports (0-65535), inbound/outbound, all the time. It should absolutely kill connectivity to anything on the landlord's network beyond the gateway. You would want to set this as a rule for Public Networks, and then configure the WiFi adapter as being on a Public Network.

I would also create another outbound rule that blocks ports 139 and 445 while you're in there, to protect against SMB Redirect attacks (http://www.bit-tech.net/news/bits/2015/04/14/ … direct-to-smb/1 for more); if you lock those internally (e.g. you create a firewall rule on Spock) it will cause connectivity problems with local services (e.g. if McCoy is acting as a local file-server, Spock will have connectivity issues there; blocking it at the network gateway (e.g. Kirk) will allow internal features to work but still provide security from external threats).

Finally, remember if you take Kirk somewhere else and plug it into another network that you have this rule, because it will probably mess with connectivity in other environments. For example if you drag it over to a friend's house for a LAN party and want to hook up to their home network, you would need to disable this rule (or select that connection as a Private Network). 😊

As a side note: I enjoy using the Star Trek character names for this discussion. 😀
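The rule set obobskivich describes above, written out as Windows Firewall rules on the ICS gateway (Kirk, Windows 8.1). This is an added example, not code from the thread; it assumes the Wi-Fi adapter's alias is "Wi-Fi", the landlord's gateway is 192.168.0.1 and, following the post's example, a separate DHCP server at 192.168.1.1. Those names and addresses are constructed for illustration and should be replaced after checking ipconfig and tracert.

```powershell
# Added example: firewall rules on the ICS gateway (Kirk) for the landlord-facing Wi-Fi adapter.
# Assumptions (constructed): adapter alias "Wi-Fi", gateway 192.168.0.1, DHCP server 192.168.1.1.
# Run from an elevated PowerShell on Windows 8.1 (NetSecurity module).

$Wifi = "Wi-Fi"

# Everything on the landlord's LAN except the gateway (.0.1) and DHCP server (.1.1).
# The internal ring 192.168.137.x is on the other adapter and is deliberately not listed.
$LandlordHosts = @("192.168.0.2-192.168.0.255", "192.168.1.2-192.168.1.255")

# 1. Make sure the landlord-facing adapter is treated as a Public network; the rules below
#    are scoped to the Public profile so they go quiet if Kirk joins a Private LAN elsewhere.
Set-NetConnectionProfile -InterfaceAlias $Wifi -NetworkCategory Public

# 2. Drop all traffic, all ports, both directions, to/from other hosts on the landlord's LAN.
New-NetFirewallRule -DisplayName "Block landlord LAN (inbound)" `
    -Direction Inbound -Profile Public -InterfaceAlias $Wifi `
    -RemoteAddress $LandlordHosts -Action Block

New-NetFirewallRule -DisplayName "Block landlord LAN (outbound)" `
    -Direction Outbound -Profile Public -InterfaceAlias $Wifi `
    -RemoteAddress $LandlordHosts -Action Block

# 3. Block outbound SMB/NetBIOS session ports only on the Public profile, so shares between
#    the internal machines (Private profile, 192.168.137.x) keep working while nothing on
#    Kirk can be redirected to an SMB server on the landlord's side.
New-NetFirewallRule -DisplayName "Block outbound SMB to Public networks" `
    -Direction Outbound -Profile Public -Protocol TCP -RemotePort 139,445 -Action Block

# 4. Review what was created and which profile the adapter actually landed in.
Get-NetFirewallRule -DisplayName "Block *" |
    Get-NetFirewallAddressFilter |
    Select-Object @{n="Rule";e={$_.InstanceID}}, RemoteAddress
Get-NetConnectionProfile -InterfaceAlias $Wifi | Select-Object Name, NetworkCategory
```

These rules only take effect while Windows Firewall is the active firewall on Kirk; a third-party suite that replaces it will ignore them.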

Reply 9 of 24, by candle_86


Yes, using ICS. I have the wifi network configured as public, but UPnP turned on, as the router constantly drops Kirk if I disable it. I will try those firewall rules out though; that's a good idea. As for the DHCP server, I run static on my landlord's connection to his wifi router; it simplifies my life.

And yeah, I like the names. I have a laptop but it's not on my internal network; its name is Sulu, because it acts a little funny 🤣.

Last edited by candle_86 on 2015-04-22, 04:12. Edited 1 time in total.

Reply 10 of 24, by obobskivich

candle_86 wrote:

Yes, using ICS. I have the wifi network configured as public, but UPnP turned on, as the router constantly drops Kirk if I disable it. I will try those firewall rules out though; that's a good idea.

The "internal ring" should not be configured as Public, if that wasn't clear (I realized after posting that part of my advice was hedged into a question...). 😊

candle_86 wrote:

And yeah, I like the names. I have a laptop but it's not on my internal network; its name is Sulu, because it acts a little funny 🤣.

(reaction GIF)

Reply 11 of 24, by candle_86


I'm using Norton; it has worked well for me. How does this rule look?

(attachment: like this.jpg)

As for internal security, I just need them to talk to the internet and Kirk. Kirk hosts the FTP I use to get files to 9x OSes that don't let me specify a username/password for normal //kirk/ browsing.

Reply 12 of 24, by obobskivich


I don't actually know if Norton can function as a replacement for the ICS Firewall; that may be part of your problem. Does it allow you to specify rules for different networks/adapters?

Reply 13 of 24, by candle_86

obobskivich wrote:

I don't actually know if Norton can function as a replacement for the ICS Firewall; that may be part of your problem. Does it allow you to specify rules for different networks/adapters?

It does not.

Reply 14 of 24, by obobskivich

candle_86 wrote:
obobskivich wrote:

I don't actually know if Norton can function as a replacement for the ICS Firewall; that may be part of your problem. Does it allow you to specify rules for different networks/adapters?

It does not.

That may be part of the issue you're having, especially with establishing rules that create conflicts for other machines. Try disabling Norton and using the Windows ICS Firewall instead. 😊

Reply 15 of 24, by candle_86

obobskivich wrote:
candle_86 wrote:
obobskivich wrote:

I don't actually know if Norton can function as a replacement for the ICS Firewall; that may be part of your problem. Does it allow you to specify rules for different networks/adapters?

It does not.

That may be part of the issue you're having, especially with establishing rules that create conflicts for other machines. Try disabling Norton and using the Windows ICS Firewall instead. 😊

Can't without uninstalling Norton first; it won't let me enable the Windows firewall, grrr.

Reply 16 of 24, by konc


If I understand this correctly, your router and wireless NIC IP range is in 192.168.0. You are then bridging it on the "main" machine with the 192.168.137 network, the range of your wired NIC. As long as you and the other guy connect using the same wifi, both machines will be visible on the network and you would have to rely on software to cut access.

Easiest solution I can think of: get an access point that has the capability to create VLANs. Receive the connection on the 192.168.0 (common wifi range) and assign all its ports to a VLAN on a different range. Use MAC filtering on the access point (to cut off other connections to it) and you're done.

Reply 18 of 24, by QBiN


As a mentor long ago told me, "Never send in a server to do a router's job." A lot has changed since then, but the sentiment is still true. A dedicated router platform, even if it's built on PC hardware (like a pfSense box) would serve you better and be far more flexible and secure than Windows ICS+Firewall.

If I were you, I'd move the wifi NIC (unless it's built-in) to an older box that could serve as a pfSense/router box. Then leave your main machine as wired only and allow the router platform to do all the routing+security.

I believe pfSense even has a bootable LiveCD (or LiveUSB) image that could get you going.

Reply 19 of 24, by Matth79


Friends don't let friends use ICS!

The simple answer: use a router, and put your private stuff inside the router. If there is already a router, then put your private network on the inside of ANOTHER router, using that for your personal wifi. Alternatively, some routers can split networks, so there can be a "guest" wifi and your main one; the "guest" networks do not have access to router settings, and are only routed to the outside.