Adding a Separate Network For Wireless

Carlosinfl

My company wants to add a WAP in the conference room for visitors that come on site. The only problem is that we CAN'T have wireless on the LAN, so they proposed having a separate uplink / Internet connection to the WAP that does not touch our wired network. Currently we have a T3 coming into the building, which is our wired LAN. I really don't know where to start or what would be the best way to get or price out a separate LAN for just 5 people connecting via a WAP. Obviously a separate T1 or something is, in my opinion, overkill, so does anyone know of or can recommend a best practice here?
 
Do they not want ANY LAN access at all? Like, the connections don't even route through the LAN?

If they just want to isolate the users, I know dd-wrt has the "wireless isolation" mode. This keeps wireless users from seeing the LAN or each other. They only get access to the WAN port. So you can set the specific wireless router on a special subnet or something along those lines.
 
My company wants to add a WAP in the conference room for visitors that come on site. The only problem is that we CAN'T have wireless on the LAN, so they proposed having a separate uplink / Internet connection to the WAP that does not touch our wired network. Currently we have a T3 coming into the building, which is our wired LAN. I really don't know where to start or what would be the best way to get or price out a separate LAN for just 5 people connecting via a WAP. Obviously a separate T1 or something is, in my opinion, overkill, so does anyone know of or can recommend a best practice here?

Get something like a business DSL or business cable service for them.
 
Do you guys have a hardware firewall? You can always just set up a DMZ on the firewall.

EDIT: A DMZ is basically a connection on a firewall that you can connect a WAP to. It allows an Internet connection, but you can block all connections to the other LAN.
 
I'd tackle that by using port-based VLANs.
Example:
Router into port 1 on the managed switch.
VLAN #1 with ports 2-20 on the managed switch, with port 1 as a member; put your office network's PCs here.
VLAN #2 with ports 21-23 on the managed switch, with port 1 as a member; plug your access points into this, and they cannot get to any resources on your business network.

DMZs on entry-level and mid-range routers are different: all it means is that all 65,000+ ports are wide open, not protected by NAT. It doesn't separate that node from the rest of your network, so it's actually far worse, security-wise.
 
We just use a wireless router for that and put the wireless network in a different subnet/IP range. I can't see paying for another Internet connection, no more than ours is used, but you gotta do what you gotta do, I guess. I guess DSL would be the cheapest route for you, depending on who your carrier is.
 
You don't need a dedicated connection for that. A VLAN or a firewall with solid rule sets will be fine. You only have to put in a route entry that says that network is completely blocked from communicating with the LAN network besides the gateway, and tell the gateway that route can't reroute back to the LAN.
 
We just use a wireless router for that and put the wireless network in a different subnet/IP range. I can't see paying for another Internet connection, no more than ours is used, but you gotta do what you gotta do, I guess. I guess DSL would be the cheapest route for you, depending on who your carrier is.

That can actually get slipped past quite easily: anyone behind that wireless router can actually find and access stuff on your primary network. Not through Network Places, because NetBIOS won't pass, but through Start/Run you can still get to it all. Basic NAT routers allow anything out, just not in, by default. Trojans 'n' worms can do the same.
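As an added example, not part of the thread and not any poster's own configuration: this is what the port-based VLAN split suggested earlier and the "guest network is blocked from the LAN but allowed out the gateway" rule set look like on a Linux box acting as the router/firewall with nftables. It also addresses the point made just above: a plain NAT router placed inside the LAN lets guests initiate connections to office hosts, so here the drop rule sits on the gateway's forward path and covers every RFC 1918 range rather than just the one office subnet. Interface names, VLAN IDs and addresses are assumptions, and the gateway is assumed to be the guests' DHCP and DNS server.

```shell
#!/bin/sh
# Added example, not from the thread: one Linux box as the router/firewall for an
# office VLAN and a guest-wireless VLAN that share a single uplink.
# Interface names, VLAN IDs and addresses are assumptions; change them to fit.

WAN_IF="${WAN_IF:-eth0}"                 # uplink towards the T3 router
TRUNK_IF="${TRUNK_IF:-eth1}"             # 802.1Q trunk to the managed switch
LAN_VLAN="${LAN_VLAN:-10}"               # VLAN #1 in the post above: office PCs
GUEST_VLAN="${GUEST_VLAN:-20}"           # VLAN #2: conference-room access points
LAN_GW="${LAN_GW:-192.168.10.1/24}"      # gateway address on the office VLAN
GUEST_GW="${GUEST_GW:-192.168.20.1/24}"  # gateway address on the guest VLAN

# Commands that create one tagged sub-interface per VLAN on the trunk port.
vlan_setup_commands() {
    cat <<EOF
ip link add link $TRUNK_IF name $TRUNK_IF.$LAN_VLAN type vlan id $LAN_VLAN
ip link add link $TRUNK_IF name $TRUNK_IF.$GUEST_VLAN type vlan id $GUEST_VLAN
ip addr add $LAN_GW dev $TRUNK_IF.$LAN_VLAN
ip addr add $GUEST_GW dev $TRUNK_IF.$GUEST_VLAN
ip link set $TRUNK_IF.$LAN_VLAN up
ip link set $TRUNK_IF.$GUEST_VLAN up
sysctl -w net.ipv4.ip_forward=1
EOF
}

# nftables ruleset: the guest VLAN reaches the Internet only; the office VLAN
# is untouched. Default policy on every filter chain is drop.
guest_ruleset() {
    cat <<EOF
table inet guest_fw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies for connections that were allowed in the first place.
        ct state established,related accept

        # Office VLAN may go anywhere, including out to the Internet.
        iifname "$TRUNK_IF.$LAN_VLAN" accept

        # Guest VLAN: drop every private range, not just the office subnet,
        # so a renumbered or second office network is still unreachable.
        iifname "$TRUNK_IF.$GUEST_VLAN" ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } drop

        # Whatever is left from the guest VLAN is Internet-bound: let it out.
        iifname "$TRUNK_IF.$GUEST_VLAN" oifname "$WAN_IF" accept
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # Guests may only talk to the gateway itself, and only for DHCP and DNS
        # (assumes a DHCP/DNS server such as dnsmasq runs on this box).
        iifname "$TRUNK_IF.$GUEST_VLAN" udp dport { 67, 53 } accept
        iifname "$TRUNK_IF.$GUEST_VLAN" tcp dport 53 accept
        # The office side may manage this box.
        iifname "$TRUNK_IF.$LAN_VLAN" accept
    }
}
table ip guest_nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "$WAN_IF" masquerade
    }
}
EOF
}

# Apply both pieces; needs root plus the iproute2 and nftables tools.
apply_guest_config() {
    vlan_setup_commands | sh -e
    guest_ruleset | nft -f -
}

# With no argument the script only prints what it would do; "apply" applies it.
case "${1:-print}" in
    apply) apply_guest_config ;;
    *)     vlan_setup_commands; echo; guest_ruleset ;;
esac
```

Loading the ruleset a second time with `nft -f` appends to the existing `guest_fw` and `guest_nat` tables rather than replacing them, so delete those two tables before re-applying a changed version. The managed switch still has to carry both VLANs tagged on the port facing the trunk interface and untagged on the office and access-point ports, as in the port-based VLAN post.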
 
That is why I like to stock up on mini-ITX motherboards for these types of occasions. A small embedded PC works great. Some of them have two ports and one PCI slot. You can also use the USB port for Wi-Fi. Since you mentioned a T3, I'm going to assume your company is mid-size. You probably have VLANs already implemented. I would go with the VLAN suggestion others have pointed out.
 
At home I run an IPCop box that has a separate subnet for wireless users using wlan-ap. Using this, by default it will not allow any traffic from the Blue (wireless) subnet to access the Green (wired) subnet. However, they both use the same Internet connection.

Not sure if this helps but maybe it'll give you an idea.
 
That can actually get slipped past quite easily: anyone behind that wireless router can actually find and access stuff on your primary network. Not through Network Places, because NetBIOS won't pass, but through Start/Run you can still get to it all. Basic NAT routers allow anything out, just not in, by default. Trojans 'n' worms can do the same.

True, I'm well aware of that, but the only people that use it are trusted, and with WPA2 encryption enabled nobody gets on without me knowing, since I'm the only one with the key.
 
I just set up a WatchGuard firewall appliance. It has a "trusted" network and an "optional" network. Policies are put in place so that both networks can get out, but they don't talk to each other. Sounds like something you are looking for. I picked a used one up for 75 bucks recently.
 
Depending on how CAN'T your CAN'T is, I'd say go with business DSL; it's pretty cheap and the whole thing should be relatively painless to set up. Otherwise, the DMZ idea would functionally be off your network, but I could see people complaining.
 
Another VLAN FTW vote. If you don't have any managed network gear, well... start there, lol.

Buying a separate Internet connection is an awful way to go about addressing this issue (that's putting it nicely). Although thank you to those of you who are suggesting it, as it makes the rest of us look extra competent at our jobs. :p
 