MadModder

The Shop => CNC => Topic started by: awemawson on December 03, 2016, 07:09:50 AM

Title: Stopping a PC accessing the Internet ?
Post by: awemawson on December 03, 2016, 07:09:50 AM
I have a PC running Windows 7 driving my plasma cutter table. At the moment it is 'stand alone' ie NOT on my local network as I don't want external interference from the likes of Microsoft poking up dates at it. However I DO want to communicate with it from other PCs on my local network.

As the Plasma PC uses Ethernet to talk to it's various drivers and torch height controller, it is set up currently as 192.168.10.154 so is on a different 'sub net' from the rest of my local network which is 192.168.1.XXX

The plasma PC has only one Ethernet card as do my other PC's.

Is it possible to run two subnets on one ethernet card so that the 192.168.10.XXX CANNOT access the outside world and the 192.168.1.XXX CAN ?

Any help appreciated
Title: Re: Stopping a PC accessing the Internet ?
Post by: Pete. on December 03, 2016, 07:29:48 AM
I'm sure you can't run one (standard) adpater on two separate subnets but you can block access to the internet from it in your router.

You used to be able to only bind a non-routable protocol like netbeui to the adapter which will only communicate on the local network but I don't know if that is an option nowadays. I'm sure it must be somehow, or something similar.
Title: Re: Stopping a PC accessing the Internet ?
Post by: David Jupp on December 03, 2016, 09:43:51 AM
One option would be to add an extra Ethernet port to the PC (internal card or USB/Ethernet adaptor)  each can be on separate sub-net.

As long as http isn't used for comms between units that need to talk, then maybe consider using the PC firewall settings to block this (and any other ports Microsoft might use for updates).

As already mentioned - you may well be able to set the router to isolate certain machines from the internet.
Title: Re: Stopping a PC accessing the Internet ?
Post by: sparky961 on December 03, 2016, 09:55:33 AM
I'm sure I accomplished this using the "hosts" file, but do you think I can find a good example now? Of course not.

I suspect I redirected all domains I could think of (.com, .net, .uk, .biz, etc) to the local loopback interface. This doesn't stop direct IP requests, just causes domain name lookups to fail.

If you're interested in this method there are enough keywords  above to get you started Googling on your own.
Title: Re: Stopping a PC accessing the Internet ?
Post by: woodguy on December 03, 2016, 10:52:59 AM
I do it using wireless for local net connections. Just stuck in a wireless usb adapter and done.
Title: Re: Stopping a PC accessing the Internet ?
Post by: PK on December 04, 2016, 03:30:40 AM
Just set the default gateway to something that isn't a gateway and make sure the routing and remote access service is disabled.

You may or may not want to disable DNS using the same approach, but this could cause some latency as requests time out..
Title: Re: Stopping a PC accessing the Internet ?
Post by: stvy on December 05, 2016, 12:43:29 PM
For the pc you don't want on the internet simply omit the gateway field of the network settings.

The IP address and the subnet mask define the loca network and this if you use the same network settings for all your pc's means they will all talk locally across that network. A gateway is only needed to get off your local network.

You may however find that some of your windows services and programs do not like being unable to connect to internet resources. I have seen windows update amongst others use almost 100% of a CPU core alone when the machine has no access to the internet. Effectively it consumes a whole CPU core whilst it works out to give up and unfrotuantely it tries again soon after. A multi core CPU gets around this.

Steve
Title: Re: Stopping a PC accessing the Internet ?
Post by: Pete. on December 05, 2016, 02:55:21 PM
Could you avoid that by assigning 127.0.0.1 as the gateway or will it be too clever?
Title: Re: Stopping a PC accessing the Internet ?
Post by: awemawson on December 05, 2016, 03:11:26 PM
mysteriously, munging the gateway address still allowed the pc to connect to the interweb - I even deleted it with the same result.

admittedly I didn't do any 'release all' 'renew all' type commands so perhaps the gateway address persists until the lease expire  :scratch:
Title: Re: Stopping a PC accessing the Internet ?
Post by: David Jupp on December 06, 2016, 02:52:51 AM
To force changes to Ethernet adaptor settings to take effect, I usually disable the adaptor then re-enable.  There may be more subtle methods, but this is easy to remember.
Title: Re: Stopping a PC accessing the Internet ?
Post by: NeoTech on December 06, 2016, 02:56:15 AM
Easiest way of having the ethernet controller not bleeding into your routed network is to run it in its own network.

192.168.1. is the common routed network. But the uncommon one that is open for use is 10.10.10.  and if it sits in a completely different network with a 255.255.255.0 netmask and a 10 series broadcast adress it will not bleed into your other network.
Title: Re: Stopping a PC accessing the Internet ?
Post by: hanermo on December 08, 2016, 11:27:09 AM
Stve post # 14 has the answer.

If You donīt have a gateway defined, the PC will not be able to access the internet.
Just leave it blank.

Also, you can be on many subnets at the same time.
Your CNC machine can be on say 10.10.1.0 - network address, and your PCs on another.

If your primary IP address is on the non-internet connected one, even the more clever programs wont be able to use it.

Do this:
/cp/network/properties/add ip address
e.g. 192.168.1.254 as a secondary ip to your plasma PC.
It will then see network shares, and can share files, but wont be able to access the internet.
The solution is perfectly safe.

Some rare mac-based stuff like auto-finding printers/pokeys autoconfig/csmio-ip-s autoconfig did not work, in the past, with 2 ip addresses.
I donīt know if they have fixed these bugs.

Title: Re: Stopping a PC accessing the Internet ?
Post by: awemawson on December 08, 2016, 11:54:00 AM
There isn't a post #14  yet - do you mean post #6 :scratch:

Yes but see post #8 above  :scratch:

BTW my actual gateway / router is 192.168.1.254 so probably not a good idea to add it it to the Plasma PC - but I assume you mean an address in the 192.168.1.XXX rather than that specific one ?

Can't do much testing at the moment as the specific PC is being mechanically embodied in the plasma table at the moment.
Title: Re: Stopping a PC accessing the Internet ?
Post by: stvy on December 08, 2016, 06:43:25 PM
Andrew,

If your PC still got off of its local network and out on to the internet then it must have still had the gateway set. No question. If you take out the gateway and have that applied it cannot get out.

If you are getting your IP via a DHCP server then you are going to constantly get a gateway after every renewal if that is specified within the scope of the DHCP servers configuration. One way around this is to set this PC up with a static. If it is always connected and on there is no risk that the DHCP server will issue that same address out to another DHCP client. A correctly implemented DHCP client and server protocol involves the server first checking if an IP is free before issuing it.

You can be sure if a gateway is configured in windows using the command (run the "cmd" program) and type:

# route PRINT

if you have a gateway in place this will list it.

You can double check the running settings of the network with

# ipconfig /all

and you can see the entries.


If you do have some software that still finds its way on to the internet then this software is not written following the standards. Some software will discover a gateway by trying every valid address on a network until it succeeds and cache it. If you have something doing things like that then uninstall it from a PC that is dedicated to this type of work as you can not guarantee any behaviour with it.


Pete,

127.0.0.1 is a special IP address. It means the localhost. You should not put that as the gateway. Best practice is if you don't want a gateway set don't set one. Having an empty field is perfectly acceptable.






Regards,
Steve
 
Title: Re: Stopping a PC accessing the Internet ?
Post by: Pete. on December 09, 2016, 01:18:26 AM
Pete,

127.0.0.1 is a special IP address. It means the localhost. You should not put that as the gateway. Best practice is if you don't want a gateway set don't set one. Having an empty field is perfectly acceptable.

Regards,
Steve
 

I think you might have to disable upnp or something to stop the gateway being discovered if the field is left blank.
Title: Re: Stopping a PC accessing the Internet ?
Post by: stvy on December 09, 2016, 12:49:57 PM
Pete,

If the software is written according to the standards it will not auto discover. The windows and linux network implementations do not auto discover gateways. The nearest you get is a DHCP server telling a DHCP client.

Regards,
Steve
Title: Re: Stopping a PC accessing the Internet ?
Post by: Bee on December 11, 2016, 05:30:55 PM
Which actual router do you have? are you with Virgin, BT, or some other ISP. Either way the answer is in the child safety or parental control set up. You can put restrictions in the outside access on routers to stop children getting 'out' while still allowing them to get to the local music and picture server. Look at the 'filters' section used for port forwarding which normally has controls based on the PC MAC address.
Title: Re: Stopping a PC accessing the Internet ?
Post by: awemawson on December 11, 2016, 06:03:53 PM
It's a BT Home Hub and it has the parental controls, but the hardware on the (Russian) torch height controller is forcing it to use 192.168.10.xxx whereas my network is the conventional 192.168.1.xxx

As previously mentioned, I can't experiment until this PC gets finally fixed into the Plasma Table, which won't happen for a week or two, BUT I have got myself a USB - WiFi dongle that hopefully will let this PC exist on both subnets, then I can use the parental control trick perhaps.
Title: Re: Stopping a PC accessing the Internet ?
Post by: mfletch on December 12, 2016, 04:05:44 AM
first you can just turn off windows updates second use windows firewall to stop Internet explore excessing the Internet
Title: Re: Stopping a PC accessing the Internet ?
Post by: NeoTech on December 13, 2016, 07:51:29 AM
It's a BT Home Hub and it has the parental controls, but the hardware on the (Russian) torch height controller is forcing it to use 192.168.10.xxx whereas my network is the conventional 192.168.1.xxx

As previously mentioned, I can't experiment until this PC gets finally fixed into the Plasma Table, which won't happen for a week or two, BUT I have got myself a USB - WiFi dongle that hopefully will let this PC exist on both subnets, then I can use the parental control trick perhaps.

Adjust your netmask so it exlude the 10 network then. Not letting the 10 network to slip out.. its what netmasks are for. Telling what parts of the networks is accessible.
Properly configured network and it should not let it self roam your network. usually commercial routers and such is really loosely configured for ease of use but can be restricted.

Most obvious would be to tell the DHCP not to give those networks gateway adresses. Or just not use DHCP in those parts of the network and restrict netmask so it will not broadcast wide in the  C network (A.B.C.D - is the usual definition of a network).
Title: Re: Stopping a PC accessing the Internet ?
Post by: awemawson on December 13, 2016, 08:01:52 AM
Thank you all for the various suggestions - however

I think several of the more recent contributors have perhaps not taken in the actual need - I want to access this machine from my 192.168.1.xxx network yet prevent it accessing the net AND still have 192.168.10.xxx connectivity for the 'Purelogic' ethernet break out board and torch height controller that are the "raison d'etre" of the PC.

...I think, (but have yet to be able to test) - adding USB WiFi link to the 192.168.1.xxx network with suitable constraints 'should' do it  :scratch:
Title: Re: Stopping a PC accessing the Internet ?
Post by: DMIOM on December 13, 2016, 08:19:24 AM
Andrew, just one query - EMC?  I was a little worried when the PC was mounted in the fresh air and I wondered if, as its not in a complete Faraday cage, it might suffer with interference from the plasma discharge?  I'd be concerned about the implications of a USB WiFi dongle or similar (i) for the interference to the link, although I guess less important if its only used for downloading DXFs etc. prior to cutting; (ii) if the USB device/cable will provide a route for interference to get back into the PC, as the PC's +5v rail is used to supply +5v to connected USB devices and the cable might act like a receiving antenna.

Dave
Title: Re: Stopping a PC accessing the Internet ?
Post by: awemawson on December 13, 2016, 08:38:07 AM
Dave,

The Compac USSF has a well shielded case and every thing hanging off it uses screened cable. I think it'll be ok but time will tell ...... :scratch:
Title: Re: Stopping a PC accessing the Internet ?
Post by: PK on December 13, 2016, 04:06:15 PM
Thank you all for the various suggestions - however

I think several of the more recent contributors have perhaps not taken in the actual need - I want to access this machine from my 192.168.1.xxx network yet prevent it accessing the net AND still have 192.168.10.xxx connectivity for the 'Purelogic' ethernet break out board and torch height controller that are the "raison d'etre" of the PC.

...I think, (but have yet to be able to test) - adding USB WiFi link to the 192.168.1.xxx network with suitable constraints 'should' do it  :scratch:

Could you not just set the net mask to 255.255.240.0 ?
That would make 192.168.1.xxx and 192.168.10.xxx the same network.

PK
Title: Re: Stopping a PC accessing the Internet ?
Post by: awemawson on December 13, 2016, 04:34:07 PM
Don't know PK - I'll try that when it's back together - thanks for the suggestion  :thumbup:
Title: Re: Stopping a PC accessing the Internet ?
Post by: awemawson on February 10, 2017, 06:11:53 AM
Well I'm delighted to be able to report that at last I've got a workable solution to this issue. Very many thanks to all that offered suggestions, much appreciated.

I eventually got a working set up using a USB WiFi adaptor. Initially I was trying with an unbranded one - the driver loading software didn't work and when I came to remove the device, the metal bit of the adaptor remained in the USB socket and had to be extracted using fine needle point pliers  :bang:

The break through came when I bought a 'named brand' that worked first time. To be in control of it's IP address and to prevent it discovering a gateway off my network I've had to give it a fixed IP address outside the DHCP range of my router - this lets me leave the gateway address blank. There is however a down side in that this PC cannot join my 'Homegroup', as Windows 7 INSISTS that members must use DHCP and if you kick off the Homegroup Troubleshooter blow me if it doesn't alter it to DHCP  :bang:

As the fixed IP address is outside the range controlled by DHCP on my router I cannot use Parental Control time restrictions on this PC as was suggested as the router is unaware of the machine, however not having a gateway address is I think sufficient safety in this instance.

So my 'CNC Plasma Table PC', which is physically built into the table, is now operating on two networks. 192.168.1.xxx via the WiFi adaptor which is my home network, and 192.168.10.xxx via the inbuilt network controller which is the network that the Russian Pure Logic ethernet break out board and torch height controller use.

I can now transfer files generated in the warmth of the house or my heated workshop, into the (currently) freezing cold welding shop without having to take a Thumb drive (*) :clap:

(* which I was everlastingly leaving plugged in so the PC tried to boot off it !)
Title: Re: Stopping a PC accessing the Internet ?
Post by: awemawson on February 11, 2017, 02:34:53 PM
There is something distinctly odd about the way Win7 handles local networing and naming of devices on the network. As I said above, I can transfer files to shared directories I've 'opened up' on my plasma PC, which shows up by name under the local network using Windows Explorer (NOT Internet Explorer!) However, if I open up a 'command prompt' and ping the Plasma PC by name I get rapid responses, but saying that the replies are from the MAC address of the PC. If I ping it by IP address  it uses the PC name for the address  :scratch: :bang: :scratch:

Doesn't really matter as I can achieve what I originally wanted to do, but rather odd.
Title: Re: Stopping a PC accessing the Internet ?
Post by: awemawson on February 11, 2017, 03:02:21 PM
This gets even more weird  :bugeye:

If I look at Windows Explorer on the  Plasma PC and try and examine Home Groups, it says the machine is NOT a member of the home group, and as stated earlier if I run the Home Group troubleshooter it changes the IP address to a DHCP derived one.

However if I look at Home Groups from another PC on the network, the Plasma PC is there not only under Network BUT ALSO AS A MEMBER OF THE HOME GROUP  :bang: I can open and read directories and files perfectly normally.

(But it looks as though I gave duff gen in the previous post - I was using the wrong PC name and IP address when pinging- you can't get the staff  :ddb: )
Title: Re: Stopping a PC accessing the Internet ?
Post by: seadog on February 13, 2017, 04:19:44 PM
It could be your AV software of firewall causing the issue Andrew. Disconnect your adsl and then disable the AV and try again. If that doesn't work try the firewall. Or try both if no joy.

You never know.
Title: Re: Stopping a PC accessing the Internet ?
Post by: awemawson on February 27, 2017, 05:54:11 AM
I ended up accepting that to get easy communications to the Plasma PC it had to be a member of the Homegroup, and hence getting it's IP address by DCHP.

However this allowed it to show up on the Router 'Parental Control' table, and I've been able to stop it having access to the internet that way. But even that wasn't entirely straight forwards  :bang:

The router allows me to block access with start times and end times in half hour increments. But this meant that there is no way to stop at least one half hour slot of access, however once the time is set up, you THEN have access to another box to tick for permanent blocking  :scratch:
Title: Re: Stopping a PC accessing the Internet ?
Post by: David Jupp on February 27, 2017, 06:48:26 AM
May just be an awful user interface on the router - but doesn't ticking 'permanent' block access all the time, regardless of time settings?
Title: Re: Stopping a PC accessing the Internet ?
Post by: awemawson on February 27, 2017, 06:56:36 AM
Yes Dave, which is exactly what I wanted  :thumbup:

But the programmer neglected to bring the tick box up on the screen until the other time setting boxes had been completed and applied - so as you rightly say, an awful user interface.

It never ceases to amaze me how some programmers don't think about these things. I've been using 'Inkscape' a lot recently, so have got used to one idiosyncrasy it has - you kick the program off by double clicking it's screen icon, then ABSOLUTELY NOTHING happens for what seems ages as it loads itself up BUT PUTS NOTHING ON THE SCREEN to tell you it's loading. The delay is quite long enough for you to think perhaps you failed to click properly so do it again, then you get two instances of it running  :bang: :bang:

How hard is it just to pop a 'loading' message up as a first action  :scratch: