

Wireless Access to Customers

Posted on 2006-05-31
Medium Priority
Last Modified: 2010-03-19
We have internet access through our LAN, so we want to give customers access to the internet using our connection via wireless connectivity. However, we don't want them to be able to see, ping or do anything except get out on the internet. What is the easiest way to achieve this? We are using a US Robotics AP.

Question by: geohix

Accepted Solution

rindi earned 500 total points
ID: 16800549
Use a separate network segment for the access point which is outside your normal LAN.

Assisted Solution

Mad_Jasper earned 500 total points
ID: 16800578
VLANs and access-lists are one way.

With my former employer, the public had wireless access that was on a separate VLAN. We used a Cisco 3560 POE switch dedicated for the public use. We used VLAN trunking to an interface on our router that blocked access via access-list from that subnet to our internal network.

Internal Network Switch -------------- Router ----------- ISP
                                           |
Public Access Switch ----------------------|

The access-lists as well as the lack of routes directing traffic from the network to the network prevented access to our internal network.

We were on a limited budget and I am certain that there are a dozen better ways to do this. But, this was effective and relatively inexpensive.
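
Added example, not part of the original answer or the poster's configuration: a small Python model of the access-list approach described above, evaluating rules first-match with an implicit deny the way router access-lists do, so the rule order can be checked against the flows that must and must not pass. The subnets, the rule set and the sample flows are constructed assumptions.

```python
"""First-match check of a guest-VLAN inbound access-list (constructed example)."""
from ipaddress import ip_address, ip_network

GUEST = ip_network("192.168.50.0/24")   # assumed guest wireless subnet
ANY = ip_network("0.0.0.0/0")

# Ordered like an access-list applied inbound on the guest interface:
# (action, protocol, source, destination, destination port or None)
GUEST_IN = [
    ("permit", "udp", ANY, ip_network("255.255.255.255/32"), 67),  # DHCP broadcast
    ("permit", "udp", GUEST, ip_network("192.168.50.1/32"), 53),   # DNS on gateway (assumed)
    ("deny", "ip", ANY, ip_network("10.0.0.0/8"), None),           # private ranges,
    ("deny", "ip", ANY, ip_network("172.16.0.0/12"), None),        # including the
    ("deny", "ip", ANY, ip_network("192.168.0.0/16"), None),       # internal network
    ("permit", "ip", GUEST, ANY, None),                            # everything else: Internet
]

def evaluate(acl, proto, src, dst, dport=None):
    """Return the action of the first matching entry; unmatched traffic is denied."""
    src, dst = ip_address(src), ip_address(dst)
    for action, rule_proto, rule_src, rule_dst, rule_port in acl:
        if rule_proto not in ("ip", proto):
            continue
        if src not in rule_src or dst not in rule_dst:
            continue
        if rule_port is not None and rule_port != dport:
            continue
        return action
    return "deny"  # implicit deny at the end of the list

def audit(acl, flows):
    """Return the flows whose result differs from the expected action."""
    return [f for f in flows if evaluate(acl, *f[:4]) != f[4]]

# Constructed flows: (proto, src, dst, dport, expected action)
FLOWS = [
    ("udp", "0.0.0.0", "255.255.255.255", 67, "permit"),      # guest obtains a lease
    ("udp", "192.168.50.23", "192.168.50.1", 53, "permit"),   # name resolution
    ("tcp", "192.168.50.23", "10.10.1.5", 445, "deny"),       # internal file server
    ("icmp", "192.168.50.23", "10.10.1.5", None, "deny"),     # ping to internal host
    ("tcp", "192.168.50.23", "192.168.50.1", 22, "deny"),     # router management
    ("tcp", "192.168.50.23", "203.0.113.10", 443, "permit"),  # Internet (TEST-NET-3)
    ("tcp", "10.10.1.5", "203.0.113.10", 443, "deny"),        # spoofed internal source
]

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow[:4], "->", evaluate(GUEST_IN, *flow[:4]))
    print("unexpected results:", audit(GUEST_IN, FLOWS))
```

Moving the final permit above the deny entries makes the internal flows pass, which is the ordering mistake this check is meant to catch.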

Expert Comment

ID: 16800597
BTW. We used the Cisco 3560 POE switch because we did not have electrical outlets near our APs. The same results can be achieved with a much less expensive switch, i.e., an HP or NetGear.

Assisted Solution

pseudocyber earned 500 total points
ID: 16800865
Easiest - parallel non-connected network mentioned by rindi - we do this with DSL lines.

Medium security & complexity - Mad Jasper's solution. However, it could be broken with a VLAN flooding attack internally.

Most complex, best security - 802.1x authentication with GRE tunneling to your Internet edge.

Assisted Solution

JJT2750 earned 500 total points
ID: 16801673
Have you got a DMZ port off of your router? If you do, plug the AP into the DMZ port and forward all traffic from the AP to the Internet; don't allow it to come back inside.

If you have more than 1 AP, configure the AP plugged into the router as the base AP and configure your other APs for a wireless backhaul to the base AP; this keeps the traffic off of your LAN.
