Helping people with computers... one answer at a time.

It's common to have computers that are used for sensitive things sharing a network with less trustworthy users. Understanding protection is important.

We're a family where the adults use the Internet for serious reasons but we can't take a chance on having our children screw things up - intentionally or by accident. How should we set up our home network?

Normally, we think of threats as being "out there" on the internet. The problem is that not all of them are. As much as we might know and do to protect ourselves, sometimes the threat is nearby, right in our own home.

In the children's bedroom.

The good news is that you can protect yourself from the kids. You just have to look at your network a tad differently.

First we need to group the computers in your home into two distinct buckets:

  • Computers you trust. These are the computers you control and can safely assume are being used by individuals who understand the basics of keeping a computer safe on the internet.

  • Computers you don't trust. These are the computers that are being used by people who are less computer savvy, don't understand safety, and are likely to do things that they shouldn't, resulting in frequent infections of malware.

"... one side of a router is trusted ... and the other side ... is not"

In a nutshell, each of these groups needs their own network.

I've talked a lot about routers and how they protect you from the internet; the threats "out there". A more simplistic way to think of it is simply this: one side of a router is trusted - the local LAN side where you plug in your computers - and the other side, the WAN or internet side, is not. Normally, we plug that other side into the internet, but it doesn't have to be that way. You can use this concept to protect yourself from that other network in your own home as well.

Now since we're going to assume that there's a group of computers we can actually trust (I'll call it the "parents" side), and a group we cannot (the "kids") the risk we're looking at is one sided. We need to protect the parents from the kids, but not the other way around.

That actually makes life a tiny bit easier.

I'm also going to assume that your ISP is only going to give you one IP address, as is typical.

You'll need two routers. Here's the configuration:

Router Setup for Parents Protecting Themselves from the Kids

"Router A" protects everyone from the internet. The local side of router A, or the local network or LAN, connects to the kids' computers, and gives them internet connectivity, and if appropriate, connectivity to each other.

But from the parents' computer, Router A's LAN is not trust worthy. It may not have direct internet threats on it, but it does have threats - namely the kids. So we treat that as unsafe and use a second router to protect ourselves from that.

"Router B" protects the parents' computers from Router A's LAN. The kids' computers on router A have no way to independently connect to the computers hidden behind router B. That is the protection of a NAT router, and that's what's protecting the parents from the kids.

About the only recommended configuration change to the routers would be to have them assign IP addresses from different ranges. Perhaps one might assign from 192.168.0.X and the other 192.168.1.X.

In this scenario, the kids are not necessarily protected from the parents. In fact, with proper configuration, the parents' computers might well be able to connect to the kids' computers. (This can get complicated and can be fragile, so I'm not going to get into details here.). The important point to realize is that ultimately the protection is one-way in this configuration. Parents are protected from kids, kids are not protected from parents.

For absolute bi-directional safety, protecting both parents and kids from each other, you'll need three routers. You can see that scenario play out in How do I protect users on my network from each other?.

Also note that computers that share a network are not necessarily protected from each other. The parents' computers, for example, are within a trusted network, and are not protected from each other.

Finally, a comment I expect is that this is overkill, and why not just use a good software firewall on the parents' computers?

In my opinion, the protection of a NAT router is absolute. By definition, it prevents network based threats from traveling from the untrusted side to the trusted side, simply by virtue of the fact that no computer on the untrusted side can connect to a computer on the trusted side. (Unless you explicitly configure the router to allow it, of course.) Software firewalls offer no significant additional protection for incoming connections, take up resources, and can themselves be compromised by malware.

A NAT router based solution is inexpensive, and effective.

Article C3505 - September 18, 2008 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

September 23, 2008 5:57 AM

maybe the adults should just have trust and faith and understand, and just just try and lock them out

Ken B
September 23, 2008 7:38 AM

I also find it useful to install remote-access software (such as TightVNC) which allows me to see what's happening on the kids' computers at any time.

September 23, 2008 8:23 AM

Protection against your children is more than just having routers to stop them (or malicious software they accidentally download) from accessing your computer. There are also other legal issues. My ex's oldest liked surfing for porn and he couldn't understand that if he went to the wrong site (e.g. child porn) that he could get me into legal trouble using my computer to surf. Most people don't think of this. Even with what I did to lock down his account, he was still able to surf for porn at times...

September 23, 2008 9:16 AM

The suggestion given if u hav more than one PC.But the better solution for guys like me who have only one PC will be to recommend some parental control softwares.I am bit disappointed with leo's reply

Parental control software, which I've discussed in earlier articles, is intended to solve a different problem. This article specifically addresses the situation where you have multiple computers in the house, someo of which you trust, others which you do not.
- Leo

September 24, 2008 5:12 AM

If you go back to origin of the question it was all about network protection NOT website and surfing protection Hence the LAN & WAN explanations.......WELL Illustrated Leo

Michael Horowitz
September 24, 2008 9:23 AM

I agree with Leo that this is a good thing to do and expanded on it a bit on my blog
A second router protects adults from kids

September 24, 2008 10:07 AM

What do you do if you need to access shared files across the Parent - Children network? All my Installation files for drivers/software are stored on my Windows Share on my computer (Parents) but it needs to access by all other computer for installing. Same goes for my media (music + anime) that is stored on Parent computer windows share.

Is there simple way to allow access to windows share only under router B (Parents router)? My network internal isn't really setup for LAN safety, though I already do have 2 routers. I just have LAN connect to one of switch port (LAN) of 2nd router instead of using WAN port. Would nice to do so if I knew easy solution for file sharing.

Not really. In a sense, either you're protected or your not. Opening up for file sharing is breaks a hole in that protection. There are (somewhat complex) solutions but by the time you put them in place you're actually better off not having the additional router and using software firewalls everywhere instead. It's not as bulletpoof, and thus there is additional risk, but it's also not as complex to share files.

If you feel you need protection from your kids computer(s), I wouldn't set up file sharing, but rather look at other alternatives like moving USB drives around (which has risk, as infections can travel) or burning stuff to DVDs.

- Leo
September 27, 2008 1:05 AM

Might be worth doing an article on the benefits of using Linux for Internet/email/Office doc useage, Leo. IMHO, Ubuntu (and probably other flavors) are ready for prime-time, and by adding ClamAV, you won't pass on infected email attachments to hapless Windows users.

October 11, 2008 9:13 PM

Couldn't you accomplish the same thing by assigning static local IP addresses and using two different subnets?

October 24, 2008 6:20 AM

What if the kids computer get infected with spyware? Wouldn't malware that is Sophisticated enough might be able to use ARP poisoning to route all your traffic (from both routers) through the infected machine and harvest sensitive information. Probably won't compromise stuff like banking which is encrypted, but certainly it could steal stuff like email passwords that are sent in the clear.

Len Schaffner
September 27, 2011 11:08 AM

Use the software that public libraries use. i.e.
DeepFreeze. Kids can do anything on the one and only computer. After the computer is rebooted the computer returns to the original configuration. Nothing is save from the previous session. There are several versions of DeepFreeze by
Choose the one that is best for your needs.

September 27, 2011 5:59 PM

I use this same configuration for my business clients to allow visitors (IE customers or sales reps) access to the Internet, while preventing access to their internal network. Also, some wireless routers now offer a "Guest Wireless" feature that allows access to the Internet, but isolates guests from the "private" network; an option if your kids', or guests', computers have WiFi.

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to to ask your question.