How to add computer to LAN with access to one workstation?
February 6, 2007 10:34 AM

Best way to add a computer to LAN that is only connected to one workstation?

We have a network of XP machines, and I'd like to add an existing win98 box (in the warehouse) and have it only communicate with one workstation on the LAN (win2000). Would it be best to add an extra network card to that one workstation, or can I slip a router in there instead (I have an extra router)? The reason is we don't want the guys in the back using that win98 box to connect to anything, but we want to dump files onto it from the office.
posted by imaswinger to Computers & Internet (5 answers total)
 
An easy way without any special wiring or new hardware would be to purposely 'misconfigure' the tcp-ip settings of the 98 box. Either have your dhcp server provide specific settings to this one machine or manually configure it. Don't set dns (use a hosts file), configure the subnet mask so that it's only able to see the other pc, and/or don't specify a gateway or specify the other pc as a gateway.

I suppose 'the guys in the back' could figure out the right settings to get around this, but generally if they think it's just set up not to work they won't put the effort into messing with it (not to mention needing a clue about how to configure tcpip).
posted by dirtylittlemonkey at 10:52 AM on February 6, 2007
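
The effect of the mask-and-no-gateway settings suggested in the answer above, as an added example that is not part of the original post. All addresses are constructed; the model uses the standard IP host rule that a destination is contacted directly only when it falls inside the host's own subnet and otherwise needs a default gateway.

```python
import ipaddress

# Constructed sample LAN: router, an XP machine, the Win98 box, the Win2k box.
LAN_HOSTS = ["192.168.1.1", "192.168.1.10", "192.168.1.201", "192.168.1.202"]

def next_hop(host_if, gateway, dest):
    """How a host configured as `host_if` (address/prefix) with an optional
    default `gateway` would try to deliver a packet to `dest`."""
    iface = ipaddress.ip_interface(host_if)
    if ipaddress.ip_address(dest) in iface.network:
        return "direct"            # on-link: ARP for the destination itself
    if gateway is not None:
        return "via " + gateway    # off-link: hand the packet to the gateway
    return "unreachable"           # off-link, no gateway: nothing is sent

def reachable_peers(host_if, gateway, lan_hosts):
    """LAN hosts this configuration lets the machine initiate traffic to."""
    me = str(ipaddress.ip_interface(host_if).ip)
    return [h for h in lan_hosts
            if h != me and next_hop(host_if, gateway, h) != "unreachable"]

# /30 mask, no gateway: 192.168.1.200/30 holds only .201 and .202 as hosts.
restricted = reachable_peers("192.168.1.201/30", None, LAN_HOSTS)

# Same machine after its local settings are put back to the LAN's /24 and
# the router is entered as gateway: the restriction is gone.
reverted = reachable_peers("192.168.1.201/24", "192.168.1.1", LAN_HOSTS)

if __name__ == "__main__":
    print("restricted:", restricted)
    print("reverted:  ", reverted)
```

The limit exists only in the Win98 box's own settings; nothing on the wire enforces it, which is the weakness the later answers address.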


Uninstall the microsoft file and printer sharing. Install an FTP server (or ssh for windows or under cygwin). Dump your files using FTP or SFTP. Pick a strong password.


Is this just going to be used as a server? Then you don't even need a display. Put in VNC and remove the monitor, mouse, and keyboard. The 'boys' ain't getting far without a monitor.

Now if you need all the microsoft stuff, yeah it would be dead simple to multihome your server, put it on a different subnet, and configure your router/firewall to not route packets from, say, 192.168.x.x. to 10.x.x.x. The former being your network and the latter being your little special network for the two machines. Multihoming 2000 machines, from what I remember, can be tricky so expect to do some troubleshooting.

Depending on the equipment you have you might be able to pull off a VLAN too but this starts to become a bit more complex.
posted by damn dirty ape at 12:18 PM on February 6, 2007


Response by poster: The monitor is needed because the computer is used as a floppy emulator for loading files on to a CNC machine. They want a 'one-way' connection where they can send files to it, but nothing else.
I thought of the 'misconfiguring' idea, but being a 98 box I don't like the idea of it being connected directly to the LAN.
Can I put the two computers behind the extra router I have and have it only route one of the IPs to the regular LAN (maybe simply put the win2000 in the DMZ)? I don't think that'd be a problem. thanx again.
posted by imaswinger at 12:40 PM on February 6, 2007


Best answer: If your Win98 box ends up on the same switched Ethernet network as the rest of your LAN, it's going to be very easy for anybody with the slightest smidgin of networking knowledge to mess with its network settings and give it the ability to connect to whatever, whenever. So it does need its own little LAN.

Putting a router between the main LAN and the Win98 machine will do what you want, provided the router is configured to drop packets from the Win98 side unless those are responses to connections initiated from the main LAN side. This would give you the ability to talk to the Win98 machine from anywhere on your main LAN, or you could restrict by source address to make communication possible only from your Win2k box.

You don't want your Win2k box on the same side of the router as the Win98 box, because that means the Win98 box can simply pretend to be the Win2k box and get to anything the Win2k box can get to.

Walling the Win98 box off behind a router will stop it being able to announce its NetBIOS name to the Win2k box, so you won't be able to browse it under Entire Network; when you want to open one of its shares, you'll have to do it explicitly by IP address, like \\192.168.223.1\SharedDocs. If you want to do \\CNCbox\SharedDocs instead, you'd need to add an LMHOSTS entry for it on the Win2k box.

Putting a second network card in the Win2k machine and running a point-to-point link from there to the Win98 machine would allow those two machines to talk freely to each other and browse each other's network shares without any special setup. You wouldn't use TCP/IP at all on that link - NetBIOS running straight on top of Ethernet will support all the file sharing stuff you need, and it isn't routable. Even if some clever-dick installs TCP/IP on the Win98 box, it won't be able to get a connection through to the rest of the LAN if you avoid installing TCP/IP on the Win2k network connection forming the other end of the link. Even if you did do that, the Win98 box still wouldn't be able to get out unless you also turned on Internet Connection Sharing (basically, routing) in the Win2k box as well. It should be plenty secure enough, and easier to administer than a router-based solution.

You would of course be able to see any of the Win2k box's own shared folders or printers from the Win98 box, but ISTM that this is more likely to be useful than problematic. If the Win2k box is properly set up, the Win98 box would need a valid username and password to get to that stuff anyway.
posted by flabdablet at 3:46 PM on February 6, 2007
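
The router behaviour described in the answer above (drop anything from the Win98 side that is not a reply to a connection opened from the main LAN, optionally restricted by source address), as an added example that is not part of the original post. The class and the main-LAN addresses are constructed for illustration, and the model tracks address/port pairs only, ignoring TCP flags and timeouts.

```python
from dataclasses import dataclass

WIN2K, OTHER_XP = "192.168.1.20", "192.168.1.30"  # constructed main-LAN addresses
WIN98 = "192.168.223.1"                            # address used in the answer above

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    arrived_on: str  # router port the packet came in on: "lan" or "warehouse"

class StatefulFilter:
    def __init__(self, allowed_lan_sources=None):
        # None: any main-LAN host may initiate; a set restricts by source address.
        self.allowed = allowed_lan_sources
        self.flows = set()  # (lan_ip, lan_port, warehouse_ip, warehouse_port)

    def decide(self, p):
        if p.arrived_on == "lan":
            if self.allowed is not None and p.src not in self.allowed:
                return "drop"
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return "forward"
        # Warehouse side: pass only replies that mirror a tracked flow. The
        # decision keys on the arrival port, not on the claimed source address.
        if (p.dst, p.dport, p.src, p.sport) in self.flows:
            return "forward"
        return "drop"

def demo():
    fw = StatefulFilter(allowed_lan_sources={WIN2K})
    traffic = [  # constructed sample packets; TCP 139 = NetBIOS session service
        Packet(WIN2K, 1025, WIN98, 139, "lan"),           # office opens the share
        Packet(WIN98, 139, WIN2K, 1025, "warehouse"),     # reply to that connection
        Packet(WIN98, 1030, OTHER_XP, 139, "warehouse"),  # Win98 initiates: no state
        Packet(OTHER_XP, 1026, WIN98, 139, "lan"),        # LAN host not on allow list
        Packet(WIN2K, 1031, OTHER_XP, 139, "warehouse"),  # forged source, warehouse port
    ]
    return [fw.decide(p) for p in traffic]

if __name__ == "__main__":
    print(demo())
```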


Response by poster: excellent, thanx.
posted by imaswinger at 9:47 AM on February 7, 2007

