Router isolation

Discussion in 'Networks & Internet Connectivity' started by MikeOCUK, 6 Mar 2006.

  1. MikeOCUK

    Gangster

    Joined: 23 Jun 2004

    Posts: 355

    Location: stoke-on-trent

    I know on most new routers you can specify 'wireless isolation' so anything on wireless can only access the internet and nothing else on the network.


    My question is: are there any routers (without going to Cisco or very expensive brands) that you can set up something similar on the LAN ports? I basically want to connect a series of access points into 1 of the router ports, but under no circumstances can people access each other's machines. Web access only.
     
  2. Basher

    Sgarrista

    Joined: 18 Oct 2002

    Posts: 8,566

    You could do that using VLANs. How much are you looking to spend?
     
  3. MikeOCUK

    Gangster

    Joined: 23 Jun 2004

    Posts: 355

    Location: stoke-on-trent

    Are you sure? Because surely the wireless access points wouldn't allow VLANs (must use the Netgear WG602).

    budget is around £200 tops for the router.
     
  4. Basher

    Sgarrista

    Joined: 18 Oct 2002

    Posts: 8,566

    Sorry, you didn't mention in your original post you needed to use those APs.

    You should be able to set it up where each AP is in a different VLAN and this will be transparent to the AP itself.
     
  5. MikeOCUK

    Gangster

    Joined: 23 Jun 2004

    Posts: 355

    Location: stoke-on-trent

    yes, but surely people connecting to the same AP would still be able to see each other?
     
  6. Basher

    Sgarrista

    Joined: 18 Oct 2002

    Posts: 8,566

    How about implementing a firewall?
     
  7. Skilldibop

    Wise Guy

    Joined: 28 Sep 2005

    Posts: 1,284

    Location: London

    Subnets and ACLs. Far easier. Set the ACLs so that subnet x can only access the web and no other local IP addresses. Then any shared network resources and users can be on another subnet. Most business level routers will do that. Plug a Cisco 1700 or something into the switch and make it default gateway. It'll then control access to the net however you tell it to.
     
  8. MikeOCUK

    Gangster

    Joined: 23 Jun 2004

    Posts: 355

    Location: stoke-on-trent

    Yes, I can do that, but not restrict access to people on the same access point. There are 4 access points with open access (this setup cannot be changed). I can restrict access to other subnets etc, but not to people on the same access point. The access points don't seem to have the 'wireless isolation' option as some new routers have.
     
  9. Skilldibop

    Wise Guy

    Joined: 28 Sep 2005

    Posts: 1,284

    Location: London

    Erm... you don't have to. Each PC has an IP address. If you deny it access to its own subnet outbound on E0 then it won't get as far as the APs.

    Really it doesn't matter if they can "see" each other, it's the ability to access each other you want to restrict surely...

    Your only other alternative really if the APs are the first network hardware they hit is to ditch the APs for Wireless routers.
     
    Last edited: 6 Mar 2006
  10. MikeOCUK

    Gangster

    Joined: 23 Jun 2004

    Posts: 355

    Location: stoke-on-trent

    So what device would be restricting this access? Wireless devices don't go through the router if working off the same access point. Any rules set on the router are ignored by the AP.
     
  11. OllyM

    Soldato

    Joined: 16 Aug 2004

    Posts: 6,218

    Location: New Jersey, USA

    I don't think you're going to be able to do it with that Netgear hardware...
     
  12. Skilldibop

    Wise Guy

    Joined: 28 Sep 2005

    Posts: 1,284

    Location: London

    Unless the logical addressing scheme means they must be routed.
    But as I said, seeing each other cannot cause any harm, accessing each other can. So provided you secure your net resources properly I don't really see an issue here.
     
  13. MikeOCUK

    Gangster

    Joined: 23 Jun 2004

    Posts: 355

    Location: stoke-on-trent

    who else makes access points that are highly configurable?

    I know the Netgear WAG range can set up VLANs etc, but still won't do what I need it to, and at £170 each it becomes expensive :|
     
  14. Skilldibop

    Wise Guy

    Joined: 28 Sep 2005

    Posts: 1,284

    Location: London

    There isn't an "access point" that will do what you want. To "hide" the rest of the network from a PC you need to use ACLs or some similar method (like VLAN) which requires a separate VLAN per PC or separate subnet per PC. In that case, you need wireless routers not wireless access points.
     
  15. MikeOCUK

    Gangster

    Joined: 23 Jun 2004

    Posts: 355

    Location: stoke-on-trent

    Ye, bit stupid they don't do this really.

    The most likely use of wifi isolation would be in a big area, which you would need access points for, not just a single router.
     
  16. Skilldibop

    Wise Guy

    Joined: 28 Sep 2005

    Posts: 1,284

    Location: London

    They can't really do it. To do it would violate the standards that make up the TCP/IP protocol suite. The whole point of TCP/IP is that within a subnet communication is free, outside that needs to be routed. That's a fact of life. You either need a separate VLAN or subnet for each PC, OR acquire some software that hides both your IP and MAC address. Though I have no idea if such software exists or what impact it's likely to have on internet access.

    Let's go back to the original problem. Why are you trying to hide everyone from everyone else?
     
  17. MikeOCUK

    Gangster

    Joined: 23 Jun 2004

    Posts: 355

    Location: stoke-on-trent

    People come into the building for conferences etc, there are multiple conferences at the same time. Everybody is worried that if they join our network people from other companies can access their laptops.
     
  18. Skilldibop

    Wise Guy

    Joined: 28 Sep 2005

    Posts: 1,284

    Location: London

    I'd allocate a subnet to each conference room. Then tell them connect to network X. If they don't do what you say how can they expect you to keep their data secure?
    Don't break your back bending over backwards for users. Users want the earth, whether you can give it or not.

    But to do this you will still probably need to upgrade your access points or replace them with routers.

    It's possible you can manage it using some sort of VPN but that's getting a bit complex now.
     
    Last edited: 6 Mar 2006
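
The disagreement in this thread comes down to which traffic ever reaches the router. The following is an added example, not code from any poster: it models the forwarding decision for three addressing plans raised above (one flat subnet, a subnet per conference room, a subnet per PC). The addresses, the /16 internal range and the "permit internet, deny local" ACL are constructed assumptions.

```python
import ipaddress
from itertools import combinations

# Constructed internal range and guest laptops (assumptions, not from the thread).
LOCAL = ipaddress.ip_network("192.168.0.0/16")
CLIENTS = ["192.168.10.5", "192.168.10.9", "192.168.20.6"]

def subnet_of(ip, prefix):
    """Subnet a client believes it is on, given its address and prefix length."""
    return ipaddress.ip_interface(f"{ip}/{prefix}").network

def path(src, dst, prefix):
    """'bridged': dst is on src's subnet, so the frame goes straight across the
    AP/switch and the router never sees it. 'routed': sent to the gateway."""
    on_link = ipaddress.ip_address(dst) in subnet_of(src, prefix)
    return "bridged" if on_link else "routed"

def router_acl_permits(dst):
    """ACL as described in the thread: internet allowed, no local addresses."""
    return ipaddress.ip_address(dst) not in LOCAL

def reachable(src, dst, prefix):
    """Router ACLs only filter routed packets; bridged traffic bypasses them
    and can only be blocked by isolation on the AP or switch itself."""
    if path(src, dst, prefix) == "bridged":
        return True
    return router_acl_permits(dst)

def exposed_pairs(clients, prefix):
    """Client pairs that can still reach each other despite the router ACL."""
    return [(a, b) for a, b in combinations(clients, 2)
            if reachable(a, b, prefix)]

if __name__ == "__main__":
    for label, prefix in [("flat /16", 16), ("per room /24", 24), ("per PC /30", 30)]:
        print(f"{label:13} exposed: {exposed_pairs(CLIENTS, prefix)}")
```

With a subnet per room, the two laptops in the same room remain exposed to each other because their traffic is bridged by the shared AP; only the per-PC plan, or client isolation on the AP itself, removes that pair.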