How To Lock One Computer Out of LAN?

Discussion in 'Windows 10 Help and Support' started by abrogard, Oct 8, 2016.

  1. abrogard

    abrogard Active Member

    I want to lock one computer out of our home LAN - yet let it still access the wifi so's it can get the internet.

    How can I do that?

    The purpose is to avoid any contamination it might pick up being spread across the LAN.
     
  2. Neemobeer

    Neemobeer Windows Forum Team
    Staff Member

    You would need a second access point or switch and a firewall.

    There are other tricks you can use to do it, but they can be "fixed" and result in the device accessing your other system.
     
    #2 Neemobeer, Oct 8, 2016
    Last edited: Oct 8, 2016
  3. abrogard

    abrogard Active Member

    A second access point means in fact a different line?

    I currently have a Telstra broadband router which is one wifi access point, isn't it? The main one. The 'one line'.

    And I have my old wireless router in switch mode feeding into that Telstra thing. Uses the same line of course. Telstra goes down there's no internet access for my old one either.

    But are you saying I could perhaps do something with that setup?

    And 'firewall'? You mean at the computer in question? All the computers in our LAN have firewalls and Avira. I doubt we need protection against determined attacks - we're just an anonymous home LAN - no more potentially valuable to hackers than any other.
     
  4. Neemobeer

    Neemobeer Windows Forum Team
    Staff Member

    No, you only need one network connection. It would be laid out like this. Both LAN segments would be allowed out the firewall. Guest LAN would only be allowed out to the Internet and blocked to Main LAN.
    [Diagram image: LAN]
     
  5. ussnorway

    ussnorway Windows Forum Team
    Staff Member Premium Supporter

  6. BIGBEARJEDI

    BIGBEARJEDI Honorable Member
    Premium Supporter

    Well, the problem here is that the GUEST account in W10 is no more. Microsoft did away with that. But, there are other ways to accomplish what neemo is essentially telling you. You can go into Network and Sharing Center via Control Panel, go to Advanced sharing settings and turn off Network Discovery in the Private (current) Profile. You should also turn off both File and Printer Sharing too. And lastly, if you have Homegroups set up on one of your other Windows computers on your LAN, under Homegroup connections, you can "use user accounts and passwords to connect to other computers".
    Under Guest or Public section you should Turn off network discovery (even though there is no Guest account), and Turn off file and printer sharing too.
    And lastly, under All Networks, turn off Public Folder sharing, make sure Media Streaming is Disabled, and make sure that Password protected sharing is turned on.

    Turning off these various options via the Homegroup settings should take care of restricting most of the other devices on your LAN to the computer that you want limited access on the LAN to (Internet access only, no LAN access). However, if you still need to share drives/folders/printers between other computers on your LAN, you're in for some work. Homegroups makes all of this really easy, but you have to install it on one or more of your other computers (not the one with the limited access). Ideally, you should be running Homegroups on at least a W7 or a W8.1 machine, to which you can join your W10 machines.

    If you don't use Homegroups, you'll have to set up drive/folder/printer sharing on each and every computer, like we did back in WinXP. It's very time consuming, but it can be done as back in the day we had no other way to do this unless you had money to buy multiple routers and switches as neemo suggested. If you plug a wifi router into the modem in neemo's diagram, and then connect the one restricted computer to that router, it would then have a protected path through your LAN on a separate subnet from the rest of your computers and your home LAN. This takes some advanced networking skills, so unless you wish to pay a network Tech to come out and set this up for you, you would be best advised to stick with the Homegroups setup I outlined above where you can control access to individual computers to/from individual devices on your LAN with simple radio on/off switches you can click with your mouse.

    I've set up the exact scenario with WinXP, Vista, and W7 machines in several Customer home environments, and it takes days or weeks versus the minutes it would take to use the Homegroups method. But, that's of course up to you. Some people are more willing and able to take on a challenge like this if they have some computer skills.

    In case you wish to go the old school route and disable your Homegroups to control your LAN networking, and put in a router or a switch to separate out your restricted user, there is a plethora of "how-to" articles and books about how to do this. You can look at the excellent Networking for Dummies series; some of the articles are online so that will help you get started. Personally, I'd recommend getting the book as it's a $20 investment. I usually charge $500 or more to do it this way.

    Oh, and finally, and this is very important, make sure that the limited access user/computer is set up with a LIMITED or STANDARD USER account, and not an ADMIN or Owner account on that computer. Otherwise, it's possible for them to defeat your LAN restrictions. It's very unlikely that someone with that level of skills can hack your LAN across a subnet, but it is possible. Limiting their Account on that computer restricts them from changing your LAN settings and makes it extremely difficult to do. However, a determined Hacker can still do it, and while teaching Computer Forensics at a local college, we actually teach how that can be done in order to defend against it.

    Best of luck,
    <<<BIGBEARJEDI>>>
     
  7. ussnorway

    ussnorway Windows Forum Team
    Staff Member Premium Supporter

    the guest account I'm talking about is in the gateway and not Windows or Linux... the wifi manager looks at the MAC address of the system when giving out the DHCP address, yes the default setting will be to put admin and guest accounts on the same LAN but that's not fixed in stone... if the one computer is on its own LAN (itself and the gateway only) then it has access to the internet + perhaps a stick share but can not see the other LAN

    VMware and Hyper-V systems also allow you to cut up a network and ime that works well with simple home scenarios
     
  8. abrogard

    abrogard Active Member

    Well thanks for all that. I will try to understand it all.

    I do not understand Neemobeer's diagram. I don't understand where the firewall is set up. On the diagram it looks to be an entity of its own. Common to both LANs. So what device has set it up? The modem?

    Now BIGBEARJEDI's very detailed discussion. That leaves me a tad confused, too. I think you're talking about setting up all these Homegroup things on the computer I want to isolate? In that case it is currently not a win10 machine but win7 ult. We also have XP and 10 on the LAN.

    We don't need to share files if it comes to that, comes to a hassle. We can do without. More and more I use sneakernet because USB stick seems the best thing nowadays and we use email a lot - send files to each other that way is handy. They're filed and saved and locatable, too.

    I currently have a wifi router plugged into the Telstra modem/router. I was saying that. But it is in 'switch mode'. I kinda think it was BIGBEARJEDI in some other forum - Whirlpool? - who showed me how to do that.

    Would that be an easier and quicker way? To put the boys on that router? Nope. Reading again your post I think you're saying it would be quite difficult but get 'networking for dummies' and I might be able to do it - but it takes even an expert like you days even weeks to do!

    Hmmm. For the moment I'll go to his machine and do the Homegroup thing or the equivalent for win7.
     
  9. ussnorway

    ussnorway Windows Forum Team
    Staff Member Premium Supporter

    why?
    I'll let him explain it but this diagram is what I would do
    [Diagram image: network]
     
  10. Neemobeer

    Neemobeer Windows Forum Team
    Staff Member

    Yes, the firewall would be a separate box, either a dedicated firewall appliance or a computer with 3 network cards. You would set up access control rules on the firewall, basically if the device is connected to the guest router, when it comes to the firewall, the firewall would look at the traffic and if it's heading to the internet it would be allowed, but if it is trying to go to the main LAN it will be blocked. I will admit this setup is overkill for the majority of home users and does require some knowledge of networking and firewalls. Many wireless routers do support a guest network as USS suggested which should be more than adequate for a home network.
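
The access rules described in the post above, modelled as a first-match rule list (an added example, not code from the thread; the subnets, rule format and function names are assumptions). It also shows that listing the guest-to-main block after a broad "allow out" rule leaves the two segments connected.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for illustration; the thread gives no subnets.
MAIN_LAN = ipaddress.ip_network("192.168.1.0/24")
GUEST_LAN = ipaddress.ip_network("192.168.50.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")  # "the Internet" rule also matches MAIN_LAN


@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def decide(rules, src_ip, dst_ip):
    """Verdict for a new connection: first matching rule wins, default deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return rule.action
    return "block"


def guest_is_isolated(rules):
    """True only if no guest address can open a connection to any main-LAN address."""
    return all(
        decide(rules, g, m) == "block"
        for g in GUEST_LAN.hosts()
        for m in MAIN_LAN.hosts()
    )


# The policy from the post: both segments out, guest blocked towards main LAN.
POLICY = [
    Rule("block", GUEST_LAN, MAIN_LAN),
    Rule("allow", GUEST_LAN, ANY),
    Rule("allow", MAIN_LAN, ANY),
]

# Same rules with the block listed too late: the broad allow matches first.
MISORDERED = [POLICY[1], POLICY[0], POLICY[2]]

if __name__ == "__main__":
    print("policy isolates guest:    ", guest_is_isolated(POLICY))
    print("misordered isolates guest:", guest_is_isolated(MISORDERED))
```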
     
