Router isolation

Associate
Joined
23 Jun 2004
Posts
354
Location
stoke-on-trent
I know on most new routers you can specify 'wireless isolation' so anything on wireless can only access the internet and nothing else on the network.


My question is: are there any routers (without going to Cisco or very expensive brands) that you can set up something similar on the LAN ports? I basically want to connect a series of access points into 1 of the router ports, but under no circumstances can people access each other's machines. Web access only.
 
Soldato
Joined
18 Oct 2002
Posts
9,158
Sorry, you didn't mention in your original post you needed to use those APs.

You should be able to set it up where each AP is in a different VLAN and this will be transparent to the AP itself.
 
Associate
Joined
28 Sep 2005
Posts
1,282
Location
London
Subnets and ACLs. Far easier. Set the ACLs so that subnet x can only access the web and no other local IP addresses. Then any shared network resources and users can be on another subnet. Most business level routers will do that. Plug a Cisco 1700 or something into the switch and make it default gateway. It'll then control access to the net however you tell it to.
 
Associate
OP
Joined
23 Jun 2004
Posts
354
Location
stoke-on-trent
Yes, I can do that, but not restrict access to people on the same access point. There are 4 access points with open access (this setup cannot be changed). I can restrict access to other subnets etc., but not to people on the same access point. The access points don't seem to have the 'wireless isolation' option as some new routers have.
 
Associate
Joined
28 Sep 2005
Posts
1,282
Location
London
Erm... you don't have to. Each PC has an IP address. If you deny it access to its own subnet outbound on E0 then it won't get as far as the APs.

Really it doesn't matter if they can "see" each other, it's the ability to access each other you want to restrict, surely...

Your only other alternative really if the APs are the first network hardware they hit is to ditch the APs for Wireless routers.
 
Associate
OP
Joined
23 Jun 2004
Posts
354
Location
stoke-on-trent
So what device would be restricting this access? Wireless devices don't go through the router if working off the same access point. Any rules set on the router are ignored by the AP.
 
Associate
Joined
28 Sep 2005
Posts
1,282
Location
London
So what device would be restricting this access? Wireless devices don't go through the router if working off the same access point. Any rules set on the router are ignored by the AP.
Unless the logical addressing scheme means they must be routed.
But as I said, seeing each other cannot cause any harm, accessing each other can. So provided you secure your net resources properly I don't really see an issue here.
 
Associate
OP
Joined
23 Jun 2004
Posts
354
Location
stoke-on-trent
Who else makes access points that are highly configurable?

I know the Netgear WAG range can set up VLANs etc., but still won't do what I need it to, and at £170 each it becomes expensive :|
 
Associate
Joined
28 Sep 2005
Posts
1,282
Location
London
There isn't an "access point" that will do what you want. To "hide" the rest of the network from a PC you need to use ACLs or some similar method (like VLAN) which requires a separate VLAN per PC or separate subnet per PC. In that case, you need wireless routers, not wireless access points.
 
Associate
Joined
28 Sep 2005
Posts
1,282
Location
London
They can't really do it. To do it would violate the standards that make up the TCP/IP protocol suite. The whole point of TCP/IP is that within a subnet communication is free, outside that needs to be routed. That's a fact of life. You either need a separate VLAN or subnet for each PC, OR acquire some software that hides both your IP and MAC address. Though I have no idea if such software exists or what impact it's likely to have on internet access.

Let's go back to the original problem. Why are you trying to hide everyone from everyone else?
 
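The routing point argued in the posts above, as an added example that is not part of any poster's message: a Python check of an addressing plan that lists which client pairs deliver traffic directly on their own segment and therefore never pass the router's ACLs. The plan names, client names, segment labels and addresses are constructed for illustration.

```python
import ipaddress
from itertools import combinations

def bypass_pairs(clients):
    """Return client pairs whose traffic never reaches the router.

    clients maps a name to (segment, "ip/prefix"), where segment is the
    broadcast domain (VLAN) the client sits in. A host delivers directly
    (ARP, no gateway) to any destination inside its own configured prefix,
    so router ACLs cannot filter that traffic. This models the hosts'
    forwarding decision only; it is not an enforcement mechanism.
    """
    ifaces = {n: (seg, ipaddress.ip_interface(cidr))
              for n, (seg, cidr) in clients.items()}
    pairs = []
    for a, b in combinations(sorted(ifaces), 2):
        (seg_a, if_a), (seg_b, if_b) = ifaces[a], ifaces[b]
        # Flag the pair if either side treats the other as on-link.
        on_link = if_b.ip in if_a.network or if_a.ip in if_b.network
        if seg_a == seg_b and on_link:
            pairs.append((a, b))
    return pairs

# Constructed plan 1: all APs on one segment sharing one /24.
FLAT = {
    "a1": ("lan", "10.0.0.10/24"),
    "a2": ("lan", "10.0.0.11/24"),
    "b1": ("lan", "10.0.0.12/24"),
}
# Constructed plan 2: one VLAN and one /24 per access point.
PER_AP_SUBNET = {
    "a1": ("vlan-ap1", "10.0.1.10/24"),
    "a2": ("vlan-ap1", "10.0.1.11/24"),
    "b1": ("vlan-ap2", "10.0.2.10/24"),
}
# Constructed plan 3: a separate /30 per client, so every peer is off-link.
PER_CLIENT_SUBNET = {
    "a1": ("vlan-ap1", "10.0.1.2/30"),
    "a2": ("vlan-ap1", "10.0.1.6/30"),
    "b1": ("vlan-ap2", "10.0.2.2/30"),
}

if __name__ == "__main__":
    for name, plan in [("flat", FLAT), ("per-AP", PER_AP_SUBNET),
                       ("per-client", PER_CLIENT_SUBNET)]:
        print(name, bypass_pairs(plan))
```

Any pair the function returns is one the router's ACLs cannot police, which is why a subnet per AP still leaves clients on the same access point able to reach each other.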
Associate
OP
Joined
23 Jun 2004
Posts
354
Location
stoke-on-trent
People come into the building for conferences etc.; there are multiple conferences at the same time. Everybody is worried that if they join our network, people from other companies can access their laptops.
 
Associate
Joined
28 Sep 2005
Posts
1,282
Location
London
I'd allocate a subnet to each conference room. Then tell them to connect to network X. If they don't do what you say, how can they expect you to keep their data secure?
Don't break your back bending over backwards for users. Users want the earth, whether you can give it or not.

But to do this you will still probably need to upgrade your access points or replace them with routers.

It's possible you can manage it using some sort of VPN but that's getting a bit complex now.
 