Seperate home networks

T

tunaman

2[H]4U
Joined
Apr 10, 2002
Messages
2,150
I have a small business at my house and have 5 computers set up on a small network. I want to use wireless access with my laptop just for browsing if I am sitting my ass on the couch. However, this wireless network CANNOT see my other network as I have a lot of printer shares and open file shares on the network that store a lot of condidential material. How can I set this wireless network up to access the internet, without being able to access the other network. My current setup is as follows, but for the wireless network, it cannot access the internet as of now.

Internet -> Linksys router -> Network -> Linksys WR54TG wireless router

The wired network can access the internet no problem, but the wireless network cannot. I need to fix that. I have tried both straight thru and crossover cables to no avail.

Any ideas?
 
I'm confused. You don't want the laptop to see the rest of the network for what reason? Are you afraid that some can steal your signal and use it to see the rest of the network, thereby gaining access to the confidential information? Or are people going to be using your laptop besides yourself, and those are the ones you want blocked?

If its the signal that you want protected then you need to enable WEP on the wireless router. You also should have that router connected through an uplink port to the other router...not running through the rest of the network.

I suppose you could run the laptop on a different workgroup than the rest of the network, but that can be gotten around easily. One problem that you are dealing with is that those home routers are very basic and offer zero security options of the type you need.

If security is a big problem then you need to password protect those open shares on your network.
 
The first thing that comes to mind is to use a managed switch to set up some VLANs. It's been a while since I've worked with that stuff so I don't know if this is quite possible. Anyway, what I'm thinking is to set up two VLANs - one with all your wired stuff and the other with your wireless bridge, and the port that goes to your internet connection would be a member of both VLANs. Like I said, there's a good chance that's not possible. I'm pretty sure you could do this with a few NICs and ipchains, though. Actually, that might be the easiest way. Essentially you could have the wireless network and the wired network on different subnets, and just don't provide a route between the two. Though ipchains probably has something better that provides equivalent functionality. I'm pretty tired, though, so this post might not be completely valid. :) Yeah, now that I think about it, a box running ipchains is probably the easiest solution.
 
Just replace your primary router with one that will disable LAN traffic. My speedstream router will allow/disallow either internet or LAN activity or both on the client. I'd guess many budget router/AP's have this functionality.
 
I'd just remove the First Router, and if the wireless router has a lan ports just use them for the wired. Will save you alot of hassle and time
 
I want to have a wired network AND a wireless network in my house. I only have 1 cable modem connection so I need both the wireless router and the wired router to go through that 1 connection. The wired network CANNOT be accessible by the wireless connection. I need open shares on the wired network because I have a server with all of my data on it and all of the client computers need to access that information across the network. Because these files contain confidential information on my clients, the wireless connection needs to be seperate. It does NOT need access to printers nor to the server, but it DOES need access to the internet. How can I setup these 2 routers so that they can both access the internet, but they still remain seperate network segments that cannot talk to each other?

I thought about the idea of the Vlan, but that still does not fix my problem. I have only 1 IP address from my ISP with no others available. If I put a managed hub before each router they would both have access to the cable modem and both would be trying to pull an IP address from the cable modem which of course will not work.

There has to be a way to do this, even with cheapo routers.

The problem I am having right now is that if I daisy chain the routers, the 2nd router which doesn't have WAN access, automatically takes over as DHCP server for the network. Because it doesn't have WAN access it kills internet for both networks. If I turn DHCP off on the 2nd daisy chained router, the 1st router with WAN access works great, but the computers accessing the wireless router and even computers plugged into this router cannot get an IP address so no internet access. Any ideas on what might be going on here.


And for the person that mentioned WEP, considering that it can be hacked in under a minute using easily downloaded software, I would expose myself to liability if I used that for security.
 
Where in the world are you getting WEP can be cracked in under a minute? Not true. Not a steel door but plenty for most LAN's. Yours might not be most but that's why they came up with WPA. More robust and harder to crack, as long as you use a long password, 20 characters or more.

Some SOHO routers will have RIP, which would allow you to do what you want, though you'd still need to configure ACL's or whatever mechanism is available to stop traffic other than internet.

Why are no more IP's available. Doesn't sound like any provider I've ever come across. That would certainly be the easiest to manage.
 
Well, I was exxagerating on the 1 minute, but I have seen it done rather quickly on a very active AP. If I use an ACL that only allows specific MAC addresses onto the wireless network, is there any security issues with that? Can random unwanted people still get onto the network and view files? Can a MAC address be spoofed?
 
I'd be inclined to just buy a another router and plug in the other two behind that.

With so few PCs I'd just switch off DHCP and statically assign IPaddys (which makes it a little harder for would be wireless hackers).

On wireless security, the wrt54g (and most others) can be significantly hardened compared to earlier wireless stuff.

These things make it safer:

Change the default admin password (everyone knows what it is).
Disable SSID broadcast and it will no longer actively broadcast it's presence.
Disable DHCP so it won't hand out addresses to strangers and change the IP Range it uses from the default (everyone know what it is).
Restrict wireless access by MAC address.
Turn off the ability for wireless clients to change the router config (may require firmware upgrade).
Use WPA, it's much, much tougher than WEP (128bit encryption vs. 40bit, dynamic keys).
 
MartinX said:
Change the default admin password (everyone knows what it is).
Disable SSID broadcast and it will no longer actively broadcast it's presence.
Disable DHCP so it won't hand out addresses to strangers and change the IP Range it uses from the default (everyone know what it is).
Restrict wireless access by MAC address.
Turn off the ability for wireless clients to change the router config (may require firmware upgrade).
Use WPA, it's much, much tougher than WEP (128bit encryption vs. 40bit, dynamic keys).
Click to expand...

All of these tips, with the exception of the last one, are pointless and only make it more frustrating for the end user to use their network. Anyone who is attempting to hack a WEP or WPA key will know how to fix any of the above mentioned things.

To address the OP, an IPCop box with three NIC cards would be the best fix for you in this situation. Three NICs, segregated traffic, robustness and security of Linux...you just can't go wrong.

Seriously, this is the best solution for you. It is even more free if you have an old machine lying around.
 
another vote for ipcop

im using it and love it

my blue has wep, then on ipcop it has mac address control access lists, and it seperates the networks as youd like

another bonus, is i can put dmz pinholes so only 1 ip on the blue can for example access remote desktop on my lan segment, or ftp, or file shares....its really sweet and very secure

its worth a look into if youre up for it
 
couldn't u just change the ip address of the wifi router, so its likea 192.168.2.x network and have the other as 192.168.1.x, just have teh dns handled by the other?

any idea if that idea would work?
 
Does your Wireless router support Wireless Isolation? If so that may be a option consider...
 
i say

Internet > wireless router > wired router > network

then your wireless router can get to the internet, without going through the wired network, cause the second router would protect that network... plug the second (wired) routers WAN port into the wireless router and you should be good to go
 
I agree with Flecom, but to give a bit more detail:

Internet > Wireless Router (192.168.1.0) > Wired router (192.168.2.0) > SoHo Network.

So the Wired Router's WAN port will be assigned an IP like 192.168.1.2, and the LAN DHCP would then be 192.168.2.100 - 192.168.2.150.

The Wireless router would get its WAN IP from the ISP, and the LAN IP would be 192.168.1.1. DHCP on the wireless would be set to 192.168.1.100 - 192.168.1.150.

This setup should work, then the SoHo network should be able to get out, but not be seen by the wireless clients or your home computers because they would be plugged into the first router.

Otherwise the IPCop box with 3 NICs would work just as well.

Someone also mentioned VLANS, those would require a mangaged switch and would also work.

Internet > Router > managed switch > Wireless or Soho Switch.
The port that the wireless is on has its own VLAN, the port that the SoHo network is on would have its own VLAN, so they would not see each other. You wouldn't need a second IP from your ISP, the IPs could be internal IP addresses. Let the router do all the work.
 
Check out DD-WRT - it supports VLANs on the hardware you already have... well depending on what version of the WRT54G you have.

With DD-WRT you can put wireless on one Vlan and the ethernet switch on another (i think you can even break up Vlans for each of the 4 switch ports) If you need two seprate wireless lans - you can do that with the beta version V24 - I have WPA on the same vlan as my switch, but a Free/open vlan that can only see the internet.

My protected network gets 192.168.X.X IPs and the unprotected network gets 10.X.X.X IP's... I can't ping across the two + they both have internet access.

This wasn't all set up via the GUI... my bro who is a linux hobbist and networking guy (job) did some stuff via command line/telnet to make it all work

I think the seprate vlans for wired and wireless can all be done on the config page without any additonal command line needed.
 
ktwebb said:
Where in the world are you getting WEP can be cracked in under a minute? Not true. Not a steel door but plenty for most LAN's. Yours might not be most but that's why they came up with WPA. More robust and harder to crack, as long as you use a long password, 20 characters or more.
Click to expand...

WEP can absolutely be cracked in under a minute in that you no longer need only IV's to crack the WEP key; however I don't think the discussion is allowed here.
 
Another option is to get a switch that can do vlan. Then you can create 2 separate networks on the same connection.
 
Would'nt the easiest option for the OP to just put the laptop on a DMZ and enable WPA? Pretty straightforward and all new routers can support both.
 
a2vr6 said:
Would'nt the easiest option for the OP to just put the laptop on a DMZ and enable WPA? Pretty straightforward and all new routers can support both.
Click to expand...

no becuase the laptop is still on the same LAN which is what he dosent want
 
i would think the easiest thing to do would be to have your inbound port to the wired network have some sort of rule that blocks any traffic from the wireless networks' IP range (which you can define)... should be short, simple, and effective.
 
You must log in or register to reply here.
Back
Top