How to Separate wireless internet from Network

lone wolf

Hello All

I have a client that wants to add wireless internet to their conference room downstairs. The wireless router that is currently in use is a WRT54G v2, on the second floor. The signal is excellent from the router to the conference room. Their concern is that they currently use the wireless in their office for their own laptops. So what is the best path to take to ensure that when someone connects to the wireless they won't be able to access their network, and just have internet only? I looked on the router but could not find a DMZ anywhere; I'm not that familiar with that router. A new router is also an option, but nothing too pricey.

thanks in advance
 
lone wolf said:
Hello All

I have a client that wants to add wireless internet to their conference room downstairs. The wireless router that is currently in use is a WRT54G v2, on the second floor. The signal is excellent from the router to the conference room. Their concern is that they currently use the wireless in their office for their own laptops. So what is the best path to take to ensure that when someone connects to the wireless they won't be able to access their network, and just have internet only? I looked on the router but could not find a DMZ anywhere; I'm not that familiar with that router. A new router is also an option, but nothing too pricey.

thanks in advance

For starters, DMZ will not help you. It is there to place an IP in front of the firewall.
Second, the only way I can see that working is to connect the LAN to the WAN side of the router instead of on the switch, then within the firewall rules block access to the local LAN.
I.e. local LAN on 10.10.10.255.
Set up the router to DHCP on 192.*.*.* and in the firewall rules block access to 10.10.10.*.

It has been a while since I worked on the WRT series routers, but I am pretty sure you can block access to IPs.

Hope that helps.
 
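The firewall approach from the reply above, written out as an added example (not part of any poster's message). It assumes the guest router runs a Linux-based firmware with `iptables`, such as the DD-WRT mentioned later in the thread; the guest subnet `192.168.50.0/24` and the interface name `br0` are constructed values, and `10.10.10.0/24` is the thread's example office LAN.

```shell
#!/bin/sh
# Dry-run generator: prints the iptables commands for a guest router whose
# WAN port is plugged into the office LAN. Nothing is applied by this script.
OFFICE_NET="10.10.10.0/24"    # office LAN (example range from the thread)
GUEST_NET="192.168.50.0/24"   # constructed guest DHCP range
GUEST_IF="br0"                # assumed name of the guest-side bridge/interface

# Accept only a.b.c.d/len so a typo cannot yield a rule that matches nothing.
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
    for octet in $(echo "${1%/*}" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

guest_isolation_rules() {
    office="$1"; guest="$2"; iface="$3"
    valid_cidr "$office" && valid_cidr "$guest" || { echo "bad CIDR" >&2; return 1; }
    # Identical ranges would make the router unable to tell guest from office.
    [ "$office" != "$guest" ] || { echo "subnets must differ" >&2; return 1; }

    # 1. Guests may not be routed to any office LAN address. Inserted at the
    #    top so it is evaluated before the firmware's own ACCEPT rules.
    echo "iptables -I FORWARD 1 -i $iface -s $guest -d $office -j DROP"
    # 2. Drop guest-side packets claiming a source outside the guest range.
    echo "iptables -I FORWARD 2 -i $iface ! -s $guest -j DROP"
    # 3. Guests may not reach the router's own office-side (WAN) address,
    #    which is handled by INPUT rather than FORWARD.
    echo "iptables -I INPUT 1 -i $iface -d $office -j DROP"
}

# Print the rules for review; on the router, pipe the output to sh to apply.
guest_isolation_rules "$OFFICE_NET" "$GUEST_NET" "$GUEST_IF"
```

Internet traffic still passes because its destination is outside the office range, even though it is forwarded through the office gateway. Guest clients need a DNS server that is not on the office LAN (the guest router itself or a public resolver), otherwise rule 1 blocks their lookups.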
You have to ask them what the point of needing wireless in the conference room but having it separate from their LAN really is.

I personally find that somewhat of a strange request without any real benefits.

Simplest solution (although a bit lame) would be for them to pay for business cable and just have that installed in the conf room, buy any second SOHO router and set that up in the conference room. Problem solved, and for $50/month you have wireless internet in there. $600/year is not a whole lot, plus you could leave it unsecured without a whole lot of worries. It would be physically separate from your LAN, and it sounds like since they are without a full-time IT person it might be a good choice for them (I suppose clients come in and want to use it or something???).

Personally I hate the whole idea of it from a security standpoint, but it's not my LAN :)
 
Many newer business grade wireless routers 'n APs, such as some of the newer products from Linksys, support multiple SSIDs and VLAN'ing by SSID.

Or if they have a managed switch on their network..VLAN the port the AP goes to.
 
We have had this request several times. The reasoning (in our case) is to allow outside vendors to access the internet, i.e. a vendor comes in and they want direct access to the internet to demonstrate their application, and/or they just want wireless internet access in general, and we do not want to provide credentials for access on an ad hoc basis. There are a few good reasons / uses for it.

What YeOldeStonecat says is very true and you can certainly do it with Cisco wireless access points. We have this set up in a few areas to offer different authentication schemes with different SSIDs.

You need to find out why. If it is for the above reason, buying an expensive AP that supports multiple SSIDs, vs. just buying a second inexpensive AP (depending on channel limitations) may be a better route.

Do you have any more details?

I wouldn't suggest this, but I did want to pass the info along. DD-WRT 2.4 "untested alpha unstable" (aftermarket firmware for the WRT54G) does support multiple SSIDs.
 
zrac said:
You have to ask them what the point of needing wireless in the conference room but having it separate from their LAN really is.

I personally find that somewhat of a strange request without any real benefits.

Simplest solution (although a bit lame) would be for them to pay for business cable and just have that installed in the conf room, buy any second SOHO router and set that up in the conference room. Problem solved, and for $50/month you have wireless internet in there. $600/year is not a whole lot, plus you could leave it unsecured without a whole lot of worries. It would be physically separate from your LAN, and it sounds like since they are without a full-time IT person it might be a good choice for them (I suppose clients come in and want to use it or something???).

This is for a conference room that will probably be used at most 10-20 times a year, with one, maybe 2, persons connecting, so I can't justify spending the $600 a year for a dedicated line. Yes, it is a simple solution; if the room was being used daily then this would be the best choice. The client owns the building and wants to provide the tenants the convenience of using the internet if needed. A wireless solution is the best way to go, since most persons using the room would have a laptop.


YeOldeStonecat said:
Many newer business grade wireless routers 'n APs, such as some of the newer products from Linksys, support multiple SSIDs and VLAN'ing by SSID.

Or if they have a managed switch on their network..VLAN the port the AP goes to.

Today while shopping for a new router I found this one, the Linksys WRV200. It seems to fit the bill on what I was looking for. I did a search on the and found that you have some firsthand experience with these. I haven't seen much, some not so good reviews on the Egg, but some other places. Is this one worth it?

I wish they had a managed switch! That would be so easy to set a VLAN on.
 
I am interested to hear feedback from Stonecat on that Linksys AP as well.

I looked closely at the manual, and I could not see a way of segregating the traffic. I suspect this would be important. With a Cisco AP you can create a different VLAN as well as apply access lists, to help keep the traffic segregated. I.e. with this AP, how do you say clients connecting to this SSID can only access the Internet?

EDIT - The other thing I noticed that made me wonder about the quality of the manual is they said:

"SSID. There are several things to keep in mind about the SSID:
1. Disable Broadcast
2. Make it unique
3. Change it often"

#3 makes no sense to me. This really makes the S small in SOHO. Not very manageable from a client perspective.
 