Problem solve Get help with specific problems with your technologies, process and projects.

Restricting access between two LANs

We have two LAN's on two different subnets. The ISP has a Cisco router, which currently comes into another router, which handles LAN-A. LAN-B is on a pier-to-pier network with only a hub connecting it. LAN-A's router (Netopia R9100) cannot act as a bridge. The objective is for me to have LAN-B gain Internet access (Cisco router) and ensure that there's no 'connections' between LAN-A and LAN-B.

Is there any other separate device or gateway that'll let me route LAN-B out to the Internet using a different subnet than LAN-A?
After reading a couple of times your question, it is still not 100% clear to me the exact layout of your network, so I'll proceed with a suggestion which should cover you, or at least help you find a way which you can resolve your problem.

You have two networks (LAN A & B) which are connected between them and both require Internet access, but without any of the two LAN's 'seeing' each other.

In your case, LAN A is directly connected to the Internet while LAN B is connected via a hub to LAN A and you require to restrict access between the two LANs, allowing only Internet traffic.

To accomplish this, without compromising any possible security policies, you will require, as you have correctly noted, some type of a Gateway between the two LANs. This Gateway could be a Microsoft server or a Linux machine (my choice) using IPTables (packet filtering).

If you have in hand some type of firewall device where you are able to apply access policies, then that will also do the job.

The rules you need to apply will be fairly straight forward:


The key here is the way you are going to apply your policies/rules. Most firewall/gateway products will read your rules starting from the beginning and will stop until a match is found.

For example, if we have 25 set of rules, the firewall will start from rule number 1 until a match is found -- if it finds that rule 13 is a match for the type of packet that's traversing the firewall, then it will either deny or allow the packet depending on the rule and stop processing the rest of the rules.

So, coming back to our example, you must make sure the first rule denies access between the two LANs:

  1. deny to
  2. deny to
  3. allow to

Here we are restricting both sides from accessing each other (1,2) and the last command tells the firewall to allow anyone from the network (LAN B) to access any network.

At this point, you might have following question: Why is the third rule applied only for LAN B?

Remember that the firewall is between the two networks and its purposes is to allow LAN B to connect to the Internet, but deny any access between the two networks. This is also the reason we have the third rule.

Since LAN A has it's own gateway/firewall for the Internet, we do not require any additional rules for LAN B's network!

If the above scenario hasn't quite answered your question, look at it as an example and try to see how you can use the "logic" I'm using here, to suite your scenario.

In addition, if you would like more information on different scenarios of firewall setups, you can visit for more information and illustrations.

Good luck!

This was last published in February 2004

Dig Deeper on Network Infrastructure