Oh wow OK so potentially others connected to the UHGUEST network could see the computers in our own CHR Network? I've secured our own wireless network "CHR Network" with a password so only we can access that. I'll look for an option to deselect file and printer sharing. Off the top of my head I can only ever remember seeing it under the "Set up a home or small office network" wizard.

How would I go about finding what the DHCP range is for ICS as I'm not sure? I think I've observed computers being given random IP addresses rather than sequential ones. I'll check when I'm back in tomorrow though. Also, is there a DHCP client list I can view to see what computers are connected? Just in case we get an intruder that somehow finds the hidden wireless network and guesses the password. I'd also be interested in seeing the IPs of all the PCs on our small network.

Oh OK so I see from that KB article that I can use the registry to change or see what the IP range is for ICS then so I'll take a peek at that as well. I'm pretty sure that the UHGUEST network pretty much blankets the whole of the hospital and is used by a LOT of people and clinical use as well. In fact I think it's caused upset with the company that runs the bedside entertainment units but that's a whole different thing altogether which I dare not get involved with.

There is a disclaimer before you start using the Internet as you have to log in through a hospital trust branded web page advising not to use credit card details etc. I'm just leaving the server logged in to that page to save others having to do it and I don't think they'd want everyone knowing the login details anyway.

I'll get back to you all tomorrow once I'm there again as this is quite interesting now really!


Yeah, your ICS sets up a NAT, so unless a box on your now 192.168.0 network initiated a conversation with an IP on 192.168.216, they cannot talk to your boxes.

But your server that is doing the NAT has an IP on the 192.168.216 network, and if he was sharing his files to that network - then yes it would be possible for someone to access them. Doesn't sound like you have any security set up on your shares, but even if you did - not something I would be comfortable with as the only security between your files and any of the 1000s of users on the guest network with many of them in the hospital with nothing to do but play on the network ;)

Just right click and go to properties on your wireless card and you will see how to unbind the file and print sharing from that interface.

I would be the first one to point out a double nat being a bad setup, but in this case it makes sense. Normally it is not something you want - but in this case you DO want it! Because it isolates your network from the guest. Just like in your home setup your NAT router isolates your boxes from the public internet where bad stuff happens ;) Unless you on purpose forward traffic inside, or start the conversation with the box on the internet.

In this case think of 192.168.216 as the internet, you don't want your boxes directly connected to it.

OK so no one is going to try and communicate with a computer on the outside network so that's one problem out of the way. I'm not sharing files on the server to the outside network so that's OK as well right? I'll be sure to look at those properties for the wireless adaptor. Hey I'm just chuffed that it all works myself, big time!

Now I'm really going to throw the boat out here with this next question. I'd like to enable remote desktop connection on one of the computers on our network so that I can access it from home. Can this be done? I found a guide but given that there's the Trust's network and then ours... ARGH!

Anyway this is the guide... http://www.datamation.com/mowi/article.php/3805016/Set-Up-Your-Network-for-Many-Remote-Desktop-Connections.htm

Many thanks!

Clearly you're NOT getting it, I have clearly explained the setup so I am not sure how else to go about it - yes it is a DOUBLE NAT! Because he does not control that Wireless network he is using for internet, and there are OTHER users on it!! I would have to assume a LOT, if they set up a /22 mask.

He has file shares on his SERVER that before were only shared with his boxes connected to his isolated router be it wired or wireless. So now he is leveraging the OPEN guest wireless network for internet access.. Why in the world would he want to use that network as his own via a bridge??

I agree with you double nat is normally not something you want to do.. But in this CASE, it is the best option because there could be hostiles on that 192.168.216.x/22 network. Now if he controlled that 216 network, and the clients that connected to it, and was ok with them having access to his shares, then sure bridge would be an option.

Yes if he so desired he could just bridge and let all his boxes get IPs from the UHGuest router - and now his boxes would be open to all the other possible 1000 other clients on that network.. You would hope that they at least have Wireless Isolation on.. But if they did, then his wireless clients would not be able to talk to his other wireless clients.

This maintains his previous isolated network, while leveraging the GUEST network as path to the internet.

So set up a VPN on the server for access to the file shares or use a firewall or get another box to do the wireless and NIC bridge with ACL switch to block access to file shares ports or get some more bad boys so that wireless for internet wired for file shares or add another NIC in the PCs and another switch for file shares and the other NIC for internet on the other switch with the server doing the bridge with one NIC and wireless and another NIC for the file shares.

But ICS double NAT is cheap so we leave it at that.

"I'm not sharing files on the server to the outside network"

So you undid the bindings on the wireless nic on your server?

"I'd like to enable remote desktop connection on one of the computers"

Not unless you had control of the hospital router at the NAT point to the internet, remote desktop not going to work. You're not going to be able to allow inbound unsolicited traffic in this sort of setup. You will have to use something like TeamViewer or LogMeIn -- they maintain a connection to the internet, and then you can remote in. I know TeamViewer is free for noncommercial use - so don't see an issue with using it since your volunteer setup I thought that is what you said in the video.
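
The NAT behaviour discussed in this thread, as an added Python model that is not part of any poster's reply: it shows why unsolicited traffic from the guest side (including inbound remote desktop) never reaches the inside boxes, while the server's own file sharing stays reachable from the guest network until it is unbound from the wireless adapter. The /24 inside mask, the guest-side host addresses and all class and function names are constructed for illustration.

```python
import ipaddress

INSIDE_NET = ipaddress.ip_network("192.168.0.0/24")   # ICS side; /24 mask is an assumption
GUEST_NET = ipaddress.ip_network("192.168.216.0/22")  # guest side, /22 as mentioned in the thread
SMB_PORT = 445                                        # Windows file sharing over TCP

class IcsServer:
    """Toy model of the ICS box: NAT state table plus its own guest-facing services."""

    def __init__(self, shares_bound_outside):
        self.shares_bound_outside = shares_bound_outside
        self.states = {}          # (remote_ip, remote_port, nat_port) -> (inside_ip, inside_port)
        self.next_nat_port = 50000

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """An inside box starts a conversation; the NAT remembers how to route replies."""
        if ipaddress.ip_address(src_ip) not in INSIDE_NET:
            raise ValueError("outbound traffic must come from the inside network")
        nat_port = self.next_nat_port
        self.next_nat_port += 1
        self.states[(dst_ip, dst_port, nat_port)] = (src_ip, src_port)
        return nat_port

    def inbound(self, src_ip, src_port, dst_port):
        """A packet arrives on the guest-facing interface; return what happens to it."""
        match = self.states.get((src_ip, src_port, dst_port))
        if match:
            return "forwarded to %s:%d" % match
        if dst_port == SMB_PORT and self.shares_bound_outside:
            return "answered by the server's own file sharing"
        return "dropped"

def demo():
    """Run the thread's scenarios with constructed guest addresses."""
    server = IcsServer(shares_bound_outside=True)
    nat_port = server.outbound("192.168.0.10", 1234, "192.168.216.1", 80)
    results = {
        "reply": server.inbound("192.168.216.1", 80, nat_port),
        "other_guest_same_port": server.inbound("192.168.216.50", 80, nat_port),
        "unsolicited_rdp": server.inbound("192.168.216.50", 40000, 3389),
        "smb_bound": server.inbound("192.168.216.50", 40001, SMB_PORT),
    }
    server.shares_bound_outside = False   # sharing unbound from the wireless adapter
    results["smb_unbound"] = server.inbound("192.168.216.50", 40001, SMB_PORT)
    results["guest_hosts"] = GUEST_NET.num_addresses - 2
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```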

