Networking – How to block a particular computer behind a NAT


I run a small hostel and have the following network configuration:

Router1 ( ─┬─ ( Ubuntu Samba+SSH Server
                       ├─ (192.168.1.X) Router 2 ( ─┬─ (192.168.2.X) GuestPC1
                       ├─ (192.168.1.X) AdminPC1                ├─ (192.168.2.X) GuestPC2
                       ├─ (192.168.1.X) AdminPC2                ├─ (192.168.2.X) GuestPC3
                       :                                        :
                       :                                        :
                       └─ etc.                                  └─ etc.

192.168.1.X is the ADMIN network which we'd like to keep private from the GUEST network (192.168.2.X) save for some shared Samba folders on

All computers on both networks get their IP addresses via DHCP, except for the Samba+SSH Server which uses static IP.

I noticed that the GuestPC's are able to access the Ubuntu Samba+SSH Server, despite configuring ufw to allow only

After researching a bit on the Internet, it seems that connections from the GuestPC's are able to masquerade on my ADMIN network because of NAT on Router 2. Thus, given only the above ufw rule, GuestPC's are able to fully access the Samba and SSH services without restriction.

My question is, what is the proper way of preventing the GUEST network (192.168.2.X) computers from accessing the ADMIN network (192.168.1.X)? Is there a better way than setting Router 2 to static IP and blocking its IP using ufw on the Ubuntu server?

Best Answer

  • You can reverse network1 and network2, ie have your Office network behind the second router, and have that, and the guests plug into the first router. That is probably the simplest solution (and viable, assuming you don't have an issue with double-nat, which you are doing any way).

    As your network stands, you can't block access to the server using rules on your (internet connected) router - as the traffic never goes there. You could possibly block it from your secondary router.

    You don't specify where you are using this ufw rule (or what it is), but if you want to prevent guests accessing your SAMBA server you have at least a couple of alternatives [ assuming you don't modify your network as per my first suggestion ]

    1. Get rid of NAT on your second router. In addition to turning off NAT you will need to push a route for from your first router to your second router. This will allow you to identify the second network by its IP range and block it on router 2.


    2. Change the WAN interface on router2 to a static IP address, and block that on the Ubuntu server (and/or router 2).