wifi / network security

Discussion in 'Networks & Internet Connectivity' started by MikeOCUK, 19 Jan 2006.

  1. MikeOCUK

    Gangster

    Joined: 23 Jun 2004

    Posts: 355

    Location: stoke-on-trent

    Just after other people's opinions before I go ahead with what I've got planned.

    ADSL connection comes in and goes to a router, then off to a switch, then a number of pcs are connected to the switch.

    We need to have wireless internet access, using a number of access points. However, it will be sharing the existing connection. However, there needs to be some security between wifi access and the PCs already in place. Basically they shouldn't be able to access the PCs at all.
    How would you go about doing this?
     
  2. derbyjake

    Gangster

    Joined: 8 Nov 2005

    Posts: 425

    Location: Derbyshire UK

    Well, how I have mine set up is, I'll break it down to simplify it as I have 3 lines

    but

    ROUTER -------- Which I have segmented the 5 network ports, i.e. 3 virtual LANs,

    virtual LAN 1 goes to server,

    virtual LAN 2 goes to wireless access point, thus connected to wireless clients,

    Then on my router I enable restricted network access,

    this means when someone connects wireless to the LAN, they go straight to a page in the browser which needs them to log in with a valid username/password; if they don't, no net access, simple as,

    in this situation they also don't get access to the wired PCs or the other virtual LANs

    although I have an advanced, not home, router, so you probably wouldn't be able to do it on a home router
     
  3. MikeOCUK

    Gangster

    Joined: 23 Jun 2004

    Posts: 355

    Location: stoke-on-trent

    No, I know how to do it like you said, but I'm on about standard home-use Netgear products :-/
     
  4. tolien

    Caporegime

    Joined: 16 May 2003

    Posts: 25,368

    Location: ::1

    Router that performs NAT would do it. Connect WAN port to network port on your machine [Edit: I meant switch], and the wireless machines would be on the wireless LAN segment.
    NAT'll see that file sharing etc gets broken, you could use a firewall to see to anything else. Problem (mostly) solved.
     
    Last edited: 19 Jan 2006
  5. Burbleflop

    PermaBanned

    Joined: 7 May 2003

    Posts: 4,247

    Location: Away from here

    Have a look for an AP that does wireless isolation, I believe that does what you're asking.
     
  6. MikeOCUK

    Gangster

    Joined: 23 Jun 2004

    Posts: 355

    Location: stoke-on-trent

    Not quite sure on that?
    I was thinking of plugging a separate wireless router into the existing router, would this do the trick?

    tolien, I'm not quite understanding you! 'Connect WAN port to network port on your machine'

    There are a few wired machines that need to be separate from the wifi.
     
  7. tolien

    Caporegime

    Joined: 16 May 2003

    Posts: 25,368

    Location: ::1

    That's what I was suggesting.

    I meant switch :p
     
  8. MikeOCUK

    Gangster

    Joined: 23 Jun 2004

    Posts: 355

    Location: stoke-on-trent

    OK, so if I plug a cable router into the existing router, it will hopefully run on a separate subnet, get the newly added router to run DHCP for the wifi clients. This way they should only be able to get internet access, and nothing on the other subnet connected to the original router.
     
  9. Skilldibop

    Wise Guy

    Joined: 28 Sep 2005

    Posts: 1,284

    Location: London

    What router are you using for internet access? If it'll do ACLs then set a rule to prevent the wireless network being routed to the wired one. You should have some sort of IP filtering, I would think. Just stop hosts from network x.x.1.x from accessing network x.x.2.x.
    Alternatively, if you can't do that you can bag a Cisco 2500 router off eBay for bugger all these days. That's what I'd use, the proper job. Hang that off your switch and set it as default gateway for everything.
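
An added worked example, not part of the post above: a small model of the filter rule described there (stop x.x.1.x reaching x.x.2.x, let everything else through), evaluated Cisco-style with first match winning and an implicit deny at the end. The 192.168.1.0/24 and 192.168.2.0/24 subnets, the sample hosts and the function names are constructed for illustration.

```python
import ipaddress

# Constructed addressing (assumption): the thread only gives x.x.1.x and x.x.2.x.
WIFI = ipaddress.ip_network("192.168.1.0/24")
WIRED = ipaddress.ip_network("192.168.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Ordered rules: (action, source network, destination network).
ACL = [
    ("deny", WIFI, WIRED),   # wireless clients may not reach the wired PCs
    ("permit", ANY, ANY),    # everything else (e.g. internet access) is allowed
]

def evaluate(acl, src, dst):
    """Return (action, rule_index) of the first matching rule.

    A packet that matches no rule gets ("deny", None): the implicit deny.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, src_net, dst_net) in enumerate(acl):
        if s in src_net and d in dst_net:
            return action, i
    return "deny", None

def shadowed_rules(acl):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    dead = []
    for i, (_, s_i, d_i) in enumerate(acl):
        if any(s_i.subnet_of(s_j) and d_i.subnet_of(d_j) for _, s_j, d_j in acl[:i]):
            dead.append(i)
    return dead

# Same two rules in the wrong order: the broad permit swallows the deny.
MISORDERED = list(reversed(ACL))

# Constructed sample flows: (description, source, destination).
FLOWS = [
    ("wifi -> wired PC", "192.168.1.50", "192.168.2.10"),
    ("wifi -> internet", "192.168.1.50", "203.0.113.5"),
    ("wired -> wifi   ", "192.168.2.10", "192.168.1.50"),
]

if __name__ == "__main__":
    for name, src, dst in FLOWS:
        print(name, evaluate(ACL, src, dst), "misordered:", evaluate(MISORDERED, src, dst))
    print("dead rules in misordered list:", shadowed_rules(MISORDERED))
```

The model is stateless, so a wired PC can send to a wireless client but the replies match the deny rule; whether that matters depends on whether the wired side ever needs to reach the wireless one.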
     
  10. Skiddley

    Mobster

    Joined: 1 Aug 2003

    Posts: 3,760

    :D 25xx...might need something more meaty than one of those relics, they don't even do FE.
     
  11. Skilldibop

    Wise Guy

    Joined: 28 Sep 2005

    Posts: 1,284

    Location: London

    Why do you need FastEthernet for net access of probably no more than 8Mbit? If the router is gateway it only goes near it if it's headed to another network, else it'll bounce around within the switch.
     
  12. Skiddley

    Mobster

    Joined: 1 Aug 2003

    Posts: 3,760

    Are you the same guy who thought 640K would be loads of memory? :D
     
  13. Skilldibop

    Wise Guy

    Joined: 28 Sep 2005

    Posts: 1,284

    Location: London

    No, I'm a dude with a CCNA who looks after 4 hospitals' IT including 4 Cisco routers.
     
  14. Skiddley

    Mobster

    Joined: 1 Aug 2003

    Posts: 3,760

    CCIP ;)
     
  15. Skilldibop

    Wise Guy

    Joined: 28 Sep 2005

    Posts: 1,284

    Location: London

    Then you should know I'm right :p In fact you should be able to tell me the intricacies of why I am right :)
     
  16. Skiddley

    Mobster

    Joined: 1 Aug 2003

    Posts: 3,760

    He is right, but if the switch is half decent it should support ACLs itself without the need for forwarding the traffic through some dodgy ol' router. Anyway, those with 2X ethernet are rare and setting up 'router on a stick' is just grief that you don't need.

    I'd just go with the VLAN option, much more elegant, and no need for packet inspection to satisfy your ACL logic - I.e., better performance.

    Skidd.
     
  17. MikeOCUK

    Gangster

    Joined: 23 Jun 2004

    Posts: 355

    Location: stoke-on-trent

    Wow guys, we're all going a little off track here.
    Unfortunately I won't know the make or model of the existing equipment until I go to fit the wifi equipment, so I've got to go in with a plan that will work no matter what.
    So do we agree adding a wireless cable router to the existing router will work here?
     
  18. Skiddley

    Mobster

    Joined: 1 Aug 2003

    Posts: 3,760

    bodge *cough*
     
  19. derbyjake

    Gangster

    Joined: 8 Nov 2005

    Posts: 425

    Location: Derbyshire UK

    I've seen it done before; if you want it totally separate then it will work
     
  20. MikeOCUK

    Gangster

    Joined: 23 Jun 2004

    Posts: 355

    Location: stoke-on-trent

    Bodge maybe, but the job requirements changed after I had quoted, and I can't afford to lose the customer.