Solved

Provide public hotspot keeping private network secure

Posted on 2006-06-23
265 Views
Last Modified: 2013-12-14
Hello Experts,

A small office wants to provide internet for visitors without exposing their computers.  They have DSL internet service.  Will this work?

Use the DMZ port to put a wireless router on the internet.  Both routers use NAT.


           Internet
                 |
           DSL Modem / Router
              |DMZ               |
       Wireless             Office
       Router              Network
              |
          Public
         Hotspot

I think it should be okay to put a second router in the DMZ of the first router.  Here is the big question ... Will this keep the  public hotspot visitors out of the office network?

Thanks,

Ed
0
Question by:testbenchdude
6 Comments
 
LVL 14

Expert Comment

by:ECNSSMT
ID: 16973378
if both networks are behind NATed routers, the only thing that either network will see would possibly be traffic with only the IP address of the other NATed router's WAN interface.  So if you were able to stick a sniffer somewhere between the two NATed routers egressing to the internet, you would think that there are two really chatty IP addresses only; you will not be able to even guess as to what is behind the IP address.

Regards  
0
 

Author Comment

by:testbenchdude
ID: 16973584
Hi ECNSSMT,

I've been reading that the DMZ feature of consumer routers is only intended for routing to a single PC and does not necessarily provide isolation from other systems.  I am now thinking about a three router solution.  Also, NAT is not an option for the office because I'm told we'll need to provide VPN access.  So I'm kicking this up a notch.

               Internet
                    |
          DSL Modem / Router  
           (192.168.0.x)
            |                        |
     Wireless                   Wireless
     Router                      Router
     (192.168.16.x)          (192.168.32.x)
      DHCP                      DHCP
          |                          |
     Public                       Office
    Hotspot                     Network

This makes 3 subnets at 192.168.0.x, 192.168.16.x, 192.168.32.x

I believe this would allow for the future addition of many more subnets at:
192.168.48.x
192.168.64.x
192.168.80.x
      ....
192.168.240.x

If I did my math correctly this gives me 16 subnets with 4096 devices per subnet.  I can't imagine ever needing that many addresses.

I'm thinking a subnet mask of 255.255.240.0 would be proper for all subnets???

The wireless router for the hotspot will be NAT.  This keeps the office people out of the public network.  But the office will not be using NAT.  I'm assuming that because of the different subnets that it will not be possible for a computer on the hotspot to be able to connect to a computer in the office.  Correct?

I'll post more info about VPN routing when I have it.
0
 
LVL 14

Accepted Solution

by:
ECNSSMT earned 250 total points
ID: 16975984
253 devices per this subnet, with 192.168.16.0 being reserved for the network, 192.168.16.255 being reserved for broadcast and an IP address 192.168.16.X being reserved for the inside NATed address used as the default gateway.

Also, there is a big difference between the SOHO/consumer routers and the Enterprise models.  On the SOHO side, you have the theoretical limit of a class C subnet (255 IP addresses, with 252 IP addresses usable for devices).  Depending on the amount of traffic you have, you may quickly run out of usable bandwidth before you get to that 253 device limit.  So per the SOHO router with the added assistance of a switch, I can definitely say that it can easily handle 10 office users casually accessing the internet; at some point when you get to 30 users you may begin to see latency.  You may want to start to look into higher end devices like a L3 Switch from Netgear that can provide the segregation on one box.  It's going to be $$$ though.

If you use a subnet mask of /20 (255.255.240.0)
starting at 192.168.0.0, 192.168.16.0,192.168.32.0... you can get your 4095 ip addresses (or 4092 usable; with e.g. 192.168.0.0 being the network, 192.168.15.255 being the broadcast for this subnet and an ip address as the default gateway).  But this implies that you get a router that can do better than a /24 SM (255.255.255.0).

Using 3 SOHO routers will be a bit of a pain, but it's do-able.  And with the SOHO router you only have the capability of allocating a subnet with a max number of 255 IPs per subnet.  In almost all small businesses this is ample space, even though the outgoing traffic will reach the max capacity way before you hit 253 devices.

>The wireless router for the hotspot will be NAT.  This keeps the office people out of the public network.  But the office will not be using NAT.  
All the SOHO routers will be using NAT to translate between the "inside" private address and the "outside" public address.  NAT was one of the methodologies used to resolve the IPv4 address shortage that was looming back in 1994; now sharing 1 public IP address between many devices with private IP addresses is a commonplace practice.

>I'm assuming that because of the different subnets that it will not be possible for a computer on the hotspot to be able to connect to a computer in the office.  Correct?

The subnets in general are just a means to segregate your layer 2 frame traffic; if it needs to go outside your subnet, Layer 3 headers are provided per frame traffic and the packet is then routed towards its correct destination; but just think of it as segregating the traffic.  

If the user on the NATed wireless hotspot knows the IP address of the not-NATed office PC and there was a means enabled for logging into that PC, it could be done.  However, conversely, the non-NATed office PC will not be able to specifically see or readily access a user on the wireless hotspot because that user is behind a NATed router.  Again, a NATed device takes an IP address & port assignment on one side and associates it with an IP address on the other side; there is no way for any device to look at a router's NAT table to determine what is what.  So, not correct.  But the slight consolation is that users are usually interested in getting to the internet to do their thing and hacking is left to the hackers....

The VPN part will be interesting to say the least, and a well-planned infrastructure, especially in this case, will be needed.

Regards
0
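Added worked example, not code from either participant in this thread: the subnet arithmetic behind the asker's 192.168.x.0 plan and ECNSSMT's /20 discussion (network, broadcast, usable hosts, the sixteen /20 blocks inside 192.168.0.0/16), plus a small first-match forwarding policy that illustrates the accepted answer's point that being in a different subnet is a routing fact, not a barrier: a router between the hotspot and office subnets forwards by default unless a rule tells it not to. Only Python's standard-library `ipaddress` module is used. The host addresses, the TEST-NET address 203.0.113.9 and the `ISOLATION_POLICY` and `FORWARD_EVERYTHING` tables are constructed for illustration and do not describe any particular router's configuration syntax.

```python
"""Subnet and forwarding checks for the thread's three-router plan.

Added example, not code from the original posts. Standard library only.
The prefixes are the ones named in the thread; host addresses and the
policy tables are constructed for illustration.
"""
import ipaddress

MASK_20 = "255.255.240.0"  # the mask the asker proposed for every subnet


def mask_to_prefix(mask: str) -> int:
    """Dotted mask to prefix length, e.g. 255.255.240.0 -> 20."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen


def subnet_summary(cidr: str) -> dict:
    """Network, broadcast and host counts for one subnet.

    'usable_hosts' excludes the network and broadcast addresses; the default
    gateway also comes out of that pool, hence 'devices_after_gateway'.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    usable = net.num_addresses - 2
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "prefix": net.prefixlen,
        "addresses": net.num_addresses,
        "usable_hosts": usable,
        "devices_after_gateway": usable - 1,
    }


def split_into_subnets(supernet: str, new_prefix: int) -> list:
    """Carve a supernet into equal subnets, e.g. 192.168.0.0/16 into /20s."""
    net = ipaddress.ip_network(supernet)
    return [str(sub) for sub in net.subnets(new_prefix=new_prefix)]


def same_subnet(host_a: str, host_b: str, mask: str) -> bool:
    """True when both hosts fall in one subnet under the given mask.

    Only then does a host talk to its neighbour directly; otherwise the
    packet goes to the default gateway and the routers decide whether to
    forward it. A different subnet by itself does not block anything.
    """
    net_a = ipaddress.ip_network(f"{host_a}/{mask}", strict=False)
    return ipaddress.ip_address(host_b) in net_a


# Constructed first-match policy for a router sitting between the hotspot and
# office subnets. Without the two deny rows, a hotspot client that knows an
# office PC's address can reach it, which is the accepted answer's point.
ISOLATION_POLICY = [
    ("192.168.16.0/20", "192.168.32.0/20", "deny"),   # hotspot -> office
    ("192.168.32.0/20", "192.168.16.0/20", "deny"),   # office -> hotspot
    ("0.0.0.0/0", "0.0.0.0/0", "allow"),              # anything else, e.g. internet
]

# What an unfiltered consumer router does: forward everything it has a route for.
FORWARD_EVERYTHING = [("0.0.0.0/0", "0.0.0.0/0", "allow")]


def forwarding_decision(src: str, dst: str, policy=ISOLATION_POLICY) -> str:
    """Return the action of the first policy row matching src and dst.

    Falls back to 'deny' when no row matches (default-deny posture).
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, action in policy:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "deny"


if __name__ == "__main__":
    print(subnet_summary("192.168.16.0/24"))
    print(subnet_summary("192.168.16.0/20"))
    print(split_into_subnets("192.168.0.0/16", mask_to_prefix(MASK_20)))
    # Constructed hosts: a hotspot client, an office PC, an internet web server.
    hotspot_client, office_pc, web_server = "192.168.16.10", "192.168.32.5", "203.0.113.9"
    print(same_subnet(hotspot_client, office_pc, MASK_20))
    print(forwarding_decision(hotspot_client, office_pc, FORWARD_EVERYTHING))
    print(forwarding_decision(hotspot_client, office_pc))
    print(forwarding_decision(office_pc, web_server))
```

Running the block shows the /24 figures (254 usable, 253 after the gateway) and the /20 figures (192.168.16.0 to 192.168.31.255, 4096 addresses, 4094 usable) side by side, and that the hotspot-to-office packet is forwarded under `FORWARD_EVERYTHING` but dropped under `ISOLATION_POLICY` while both subnets keep their internet access. With three separate SOHO boxes the only place such a rule could live is the DSL router in the middle, which is why the asker's later decision to use two independent circuits removes the problem rather than filtering it.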

 

Author Comment

by:testbenchdude
ID: 17012543
Hi ECNSSMT,

After further reflection on the public hotspot I've decided it causes too many headaches to keep a public wi-fi and a secure office network on the same DSL modem.

I've recommended my client to subscribe for a second DSL service.  In our area a basic 256K DSL package costs about $25 per month.  This second DSL circuit will be set up as a dedicated service to provide the public hot spot.  (The office next door may be willing to split the cost so we may only be looking at around $12.50 per month)

Now with the hotspot headache out of the way I can look into the VPN issue for the office network.  This office has 4 employees.  Two of these employees want the ability to map shares on the office file server (Linux) as a drive on their home PC.  This is necessary to be able to use a certain accounting software program that allows multiple accountants to share the same up-to-date client information.  

All of the desktop computers are running Windows XP Home and there is a single Linux based NAS device being used for file sharing.

For VPN I've started reading up on some popular SOHO VPN routers (Linksys BEFVP41, SnapGear Lite+, ZyWall 10).  So far the SnapGear looks attractive.  

Besides the two simultaneous home users it would be good to plan for a roaming system to connect from any client's office using IPSec software.  I've read that Microsoft's ipseccmd utility can be difficult and annoying to use so I've got much learning to do here as well.

Ed
0
 

Author Comment

by:testbenchdude
ID: 17012620
I have closed this question.  "Provide public hotspot keeping private network secure"

For this situation my recommended solution is two DSL circuits.  One DSL circuit for a secure office network.  The other DSL circuit for a public hotspot.

Drawbacks
... monthly cost
... duplicate hardware

Advantages
... very simple implementation
... public visitors do not degrade office bandwidth
... no hacker risk from public hotspot

Once I learn more about the VPN issues I will post a new question.

Ed
0
 
LVL 14

Expert Comment

by:ECNSSMT
ID: 17031249
Thanks for the points.

Just a heads up though: with the SOHO router based VPNs, it will utilize the internet connection and anyone expecting to use the internet during its operation may be sadly disappointed.  For SOHO class stuff, you may be looking at a server based solution, or RDP.  But if you don't mind seeing for yourself you can get a second-hand Netgear from http://www.justdeals.com/Items/FVS114NAR?. <$50

Regards,
0
