Quote:
Originally Posted by Mike Davies
I'm looking into just adding a specific route to get to one address at the moment.
Routes are not security barriers.
The way you describe your setup, you have two routers: The router from your ISP (the "Internet router") and a PC running a wireless hotspot.
Since the hotspot users on the 10.1.239.0/24 network access the Internet via your internal LAN (192.168.1.0/24), they already have full access to all computers on the LAN. Or to be exact, they have the same access to the LAN as they do to the Internet.
The reason this works at all is that the AP-managing PC is NATing traffic from the WLAN behind its own address in the 192.168.1.0/24 network. Otherwise, the ISP router wouldn't know where to send the reply packets, since it knows nothing about the 10.1.239.0/24 network.
The reverse, however, is not true: Any attempt to reach an address in the 10.1.239.0/24 network from 192.168.1.0/24 will go to the ISP router, which will either discard the packet or attempt to forward it to the upstream router at the ISP, where it will be summarily dropped.
Adding a route to a PC on the 192.168.1.0/24 network may or may not enable it to reach a host on the 10.1.239.0/24 network, depending on how the AP-managing PC is configured. And in any case, if that PC gets its IP via DHCP, there's an excellent chance the route will stop working at some indeterminate point in the future if/when the PC gets assigned a new IP.
The proper way to design a multi-zone network is to connect each network to a separate interface on a firewall. In a pinch, you could route outbound traffic from a secure zone through a less secure zone, assuming that the traffic is encrypted and/or not of a sensitive nature, but doing it the other way around just isn't a good idea.
Is the "hotspot PC" running Linux? If so, it could easily be used as a firewall.
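The forwarding asymmetry described in this reply, as an added example that is not part of the original thread: a toy hop-by-hop simulator for the setup (ISP router, a PC running the hotspot and NATing it behind its LAN address, one LAN PC, one Wi-Fi client). It shows that a hotspot client reaches the LAN PC (with its source rewritten to the hotspot PC's LAN address), that the LAN PC's packet to a hotspot client goes to the ISP router's default route instead, that the "specific route" on the LAN PC only works if the hotspot PC forwards, and that a zone rule on the hotspot PC is what actually keeps hotspot clients off the LAN. Only the two subnets come from the post; all host addresses, host names and the upstream ISP address are constructed.

```python
"""Added example, not code from the original thread: a minimal forwarding
simulator for the two-router setup discussed above.  Host addresses and
names are constructed; only the 192.168.1.0/24 LAN and 10.1.239.0/24 WLAN
come from the post."""
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")
WLAN = ip_network("10.1.239.0/24")


class Node:
    def __init__(self, name, addrs, routes, forwards=False, masquerade=None, policy=None):
        self.name = name
        self.addrs = {ip_address(a) for a in addrs}
        # routes: (destination network, next hop); next hop None = directly connected
        self.routes = [(ip_network(n), ip_address(h) if h else None) for n, h in routes]
        self.forwards = forwards          # does this host forward packets not addressed to it?
        self.masquerade = ip_address(masquerade) if masquerade else None  # source-NAT address
        self.policy = policy              # optional zone filter: policy(src, dst) -> True = allow

    def route(self, dst):
        """Longest-prefix match over the routing table; None when nothing matches."""
        matches = [(net, hop) for net, hop in self.routes if dst in net]
        return max(matches, key=lambda r: r[0].prefixlen, default=None)


def send(nodes, origin, dst, max_hops=8):
    """Walk one packet from `origin` towards `dst`; returns (outcome, trace)."""
    dst = ip_address(dst)
    node = nodes[origin]
    src = next(iter(node.addrs))
    trace = []
    for _ in range(max_hops):
        trace.append(f"{node.name}: {src} -> {dst}")
        if dst in node.addrs:
            return "delivered", trace
        if node.name != origin and not node.forwards:
            return f"dropped by {node.name} (not forwarding)", trace
        if node.policy and not node.policy(src, dst):
            return f"denied by {node.name} firewall policy", trace
        r = node.route(dst)
        if r is None:
            return f"no route on {node.name}", trace
        _net, hop = r
        # NAT: hotspot traffic leaving the WLAN side takes the hotspot PC's LAN address
        if node.masquerade and src in WLAN and dst not in WLAN:
            src = node.masquerade
        next_ip = hop if hop is not None else dst
        node = next((n for n in nodes.values() if next_ip in n.addrs), None)
        if node is None:
            # The next hop is outside the simulated network (the ISP's upstream router);
            # private destinations such as 10.1.239.0/24 are dropped there.
            return f"sent upstream to {next_ip}", trace
    return "ttl exceeded", trace


def no_wlan_to_lan(src, dst):
    """Zone rule a firewall on the hotspot PC would enforce (constructed policy):
    hotspot clients may reach anything except the internal LAN."""
    return not (src in WLAN and dst in LAN)


def build_topology(zone_filter=False, lan_route_to_wlan=False):
    lan_pc_routes = [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")]
    if lan_route_to_wlan:  # the "specific route" from the thread, pointing at the hotspot PC
        lan_pc_routes.insert(0, ("10.1.239.0/24", "192.168.1.20"))
    nodes = [
        Node("wifi_client", ["10.1.239.50"],
             [("10.1.239.0/24", None), ("0.0.0.0/0", "10.1.239.1")]),
        Node("hotspot_pc", ["10.1.239.1", "192.168.1.20"],
             [("10.1.239.0/24", None), ("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")],
             forwards=True, masquerade="192.168.1.20",
             policy=no_wlan_to_lan if zone_filter else None),
        Node("lan_pc", ["192.168.1.10"], lan_pc_routes),
        Node("isp_router", ["192.168.1.1"],
             [("192.168.1.0/24", None), ("0.0.0.0/0", "203.0.113.1")], forwards=True),
    ]
    return {n.name: n for n in nodes}


if __name__ == "__main__":
    for label, topo, origin, dst in [
        ("hotspot client -> LAN PC, no filter", build_topology(), "wifi_client", "192.168.1.10"),
        ("LAN PC -> hotspot client, no route", build_topology(), "lan_pc", "10.1.239.50"),
        ("LAN PC -> hotspot client, with route", build_topology(lan_route_to_wlan=True), "lan_pc", "10.1.239.50"),
        ("hotspot client -> LAN PC, zone filter", build_topology(zone_filter=True), "wifi_client", "192.168.1.10"),
    ]:
        outcome, trace = send(topo, origin, dst)
        print(f"{label}: {outcome}\n  " + "\n  ".join(trace))
```

The routing table never decides who may talk to whom: the LAN PC cannot reach the hotspot subnet only because nothing on its path knows that subnet, while the hotspot clients reach the LAN because the hotspot PC both forwards and NATs for them. The `no_wlan_to_lan` policy is the stand-in for a real firewall rule on the hotspot PC, which is the piece that turns the hotspot into a separate zone.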