Block external server over NAT with RRAS
Hi, I have set up a NAT Router between two VLANs in my lab. The NAT works fine for all of the clients, but I would like to block access to the proxy servers on the public side of the network. (I don't want people to be able to access the Internet.) I have tried defining "invalid" static routes, but that doesn't seem to work. I tried using Windows firewall, but it is like the NAT has precedence over the Firewall, and clients go right through. Can anyone tell me what I may need to do to accomplish this?
March 14th, 2009 4:24am
The whole purpose of NAT is to allow machines behind the NAT to share the NAT router's connection. If the NAT router can access the Internet, the machines behind it can also. If you did not want this to happen, why did you use NAT in the first place? Just configure RRAS as a LAN router and set the necessary static routes to have VLAN to VLAN routing.
Bill
March 14th, 2009 5:01am
Hi Bill, I would like to just set a static route but I don't think I am able to. I don't have control over the external routers or the switches, so I am unable to create return routes. It is possible that I am just doing it wrong...
March 14th, 2009 7:54am
Ignoring VLANs for the moment, this is basically the problem. If you have a network which has a network connection and you want to add another network on a different subnet, you have two basic options. The simplest option is NAT. Putting a NAT router between the two segments allows the "new" subnet access to the existing subnet and to the Internet. That setup looks like this.

    Internet
       |
    router 192.168.1.1
       |
    LAN1 192.168.1.x   dg 192.168.1.1
       |
    192.168.1.254      dg 192.168.1.1
    NAT
    192.168.21.1       dg blank
       |
    LAN2 192.168.21.x  dg 192.168.21.1

This lets the machines in the inner subnet connect to machines in the outer subnet and to the Internet. Machines in the outer subnet cannot connect to machines in the inner subnet because they are on the wrong side of the NAT.

To set up LAN routing between the two subnets without giving them Internet access is not easy. Simply setting up a LAN router (as opposed to a NAT router) is no use because traffic will never get to it. If you put a static route on the "public" router, the inner subnet will have Internet access (because the router knows how to route traffic to the inner subnet). The best idea would be to put a static route on each machine in the outer subnet that you need to "see" from the inner subnet.

    Internet
       |
    router 192.168.1.1
       |
    LAN1 192.68.1.x    dg 192.168.1.1
         {static route 192.168.21.0 255.255.255.0 192.168.1.254}
       |
    192.168.1.254      dg 192.168.1.1
    LAN router
    192.168.21.1       dg blank
       |
    LAN2 192.168.21.x  dg 192.168.21.1

The machines in the inner subnet will be able to route to the machines in the outer subnet which have the static route (and vice versa) but the inner subnet will not route to the Internet. You do not need access to any routers or switches (but you do need to be able to add the static route to the target machines in the outer subnet).
Bill
March 15th, 2009 7:17am