Solved

Isolating LAN from Wireless

Posted on 2006-07-12
Last Modified: 2013-11-09
I have a lan which uses

172.16.1.XXX
255.255.255.0

On that lan - there is a Linksys wireless router, in fact,  that router serves as the main router for my network.

That wireless requires a MAC ID in order to use it, only one person, the Boss,  uses it.

Now, I want a Wireless Access Point upstairs for guests to use, and do not want them to be able to see the
172.16.1.xxx LAN.

My plan is to put a Linksys Access Point upstairs...It has an IP of 192.168.1.254
can I leave that IP address and use 255.255.0.0 for the subnet and allow people to connect wireless without seeing my other network?

All my other LAN pcs have fixed IP addresses.

Question by:jimmysupport
31 Comments
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 17096082
You can run multiple segments on the same link medium, be it wireless, wired, etc.  If I am reading this correctly you can do it for certain things, but I don't think the equipment you are mentioning will completely isolate the other network and still be able to use it.



---------             ------------
linksys1----------- linksys 2|--------Guest users
--------              ------------

OK, linksys1 is where the CEO connects and linksys 2 is guest users. You can put them on separate ranges and use the WAN port to NAT all requests from the users, but a smart person could get to the network.

OK so if I am missing something here let me know.

Thanks
Scott
0
 

Author Comment

by:jimmysupport
ID: 17096114
How smart? How would the person get to 172.16.1.XXX?

0
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 17096126
not very... now if you put the CEO behind linksys #2 and used the guests on linksys #1 and connected the CEO router AP to the wan port of his and a standard port... just knowing the address would be enough or pinging the broadcast address would do it.

Thanks
Scott
0
 
LVL 2

Expert Comment

by:just-one-it
ID: 17096251
Are you connecting the new access point to the same router as the LAN you want to protect?  How will you assign IP addresses to the wireless users?  What you should do is use a wireless router, not just an access point, and connect the router to your broadband router (such as a DSL modem or T1 router) with a separate public IP.  That way the wireless guests will be on a separate network.  This will require you to have 2 public IPs.
0
 

Author Comment

by:jimmysupport
ID: 17096260
You have lost me...
Linksys 1 is a router, has a WAN port and 4 other standard ports.
It has a wireless also...only access is by MAC filter.
It acts as my gateway for the LAN.

The AP has only one port.

How could I connect the CEO's AP to a WAN port and a standard port...?
What WAN port - I only have one WAN port and it connects to the DSL modem. It is on the Linksys Router.

What address will be broadcast?


0
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 17096268
OK, then you do not have what you need to do it. You would need 2 WAN ports to do what I recommend: one WAN port connected to the DSL and the second WAN port connected to one of the 4 standard ports. That way you're protected behind the firewall built on the router.

Thanks
Scott
0
 

Author Comment

by:jimmysupport
ID: 17096286
just-one-it:

Yes, I am connecting to the same router as the lan I want to isolate.
I am figuring, since I only have one public IP available...that I will be sure all of the LAN pcs have a static IP below or above the range of the DHCP.

I thought the wireless people would be on 192.168.1.XXX or whatever number I assigned the AP with sub net 255.255.0.0 and that would keep them out of other shared resources.

The AP does not seem to have the option to have DHCP, it can be an AP or  wireless repeater...

0
 
LVL 2

Expert Comment

by:just-one-it
ID: 17096294
You will not be able to isolate the two networks with the access point then.  You will have to have a router for that.  
0
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 17096299
the AP is basically a wireless hub and is dumb and can not filter or block things.... so whatever connects to the AP will not be able to be protected so you need another router or something.

Thanks
Scott
0
 

Author Comment

by:jimmysupport
ID: 17096302
I have a router. I tried using it over and over...but couldn't get it to do the job....went and bought a fancy N type,
tried again.

I could get it to work - but as soon as I enabled WEP (or any security) could no longer access the Internet.

How would I use the router?
0
 
LVL 2

Expert Comment

by:just-one-it
ID: 17096312
You would connect the WAN port of the router to your other Linksys router.  You can either set the WAN IP to be dynamic, which is the default on most SOHO routers, or you could configure a static IP in the 172.16.1 range.  The default settings for the router should hand out a DHCP address to wireless clients in the 192.168 range on most routers.  That's all you should have to do, beyond enabling some type of encryption for the wireless.  I would recommend using WPA or WPA2, as WEP is fairly insecure.
0
 
LVL 12

Assisted Solution

by:Scotty_cisco
Scotty_cisco earned 200 total points
ID: 17096318



                             -----------------------                    --------------------
====internet dsl----wan port ROUTER 1--lan port ---- wanport router 2-----lan port---------
                            ------------------------                    ---------------------

OK, so you NAT the first router outside to the 192.168.1.x guest network, then you assign the WAN port from router 2 an IP address out of that 192.168.1 network and NAT the 172.16.x.x network to the 192.168.1.x address.

thanks
Scott
0
 

Author Comment

by:jimmysupport
ID: 17096323
The AP is connecting to a router...therefore isn't that router affording protection for the guests?

I understand then, why it can't stop people from seeing the LAN...no matter what its IP is - they will be using the same network as the inside folks.

Static IPs won't make any difference either...I think I understand what you are saying.

0
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 17096333
no because you could not have 2 IP address ranges on linksys routers you could on a cisco or maybe some other more expensive type device but the AP will only pass traffic it will not filter it.

Thanks
Scott
0
 

Author Comment

by:jimmysupport
ID: 17096352
Scotty_cisco - Does your last note mean I cannot have 172.16.1.XXX 255.255.255.0 on the first Linksys Router
and 10.10.10.XXX with 255.255.0.0 on the Second Linksys N Router?
0
 
LVL 2

Expert Comment

by:just-one-it
ID: 17096359
If you have two routers, you can have two ranges.  But, if you have one router and one access point, then you only have one network.
0
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 17096366
the problem is that without a NAT or a router to talk from a 10.10.10.xx to a 172.16.1.xx network because basic IP networking they are in different cities as it were with no bridge connecting the roads between the 2 cities.

Make sense?

Thanks
Scott
0
 

Author Comment

by:jimmysupport
ID: 17096374
OK - I will forget the Access Point - if I can figure how to make the two routers work.

So I have two routers...both Linksys
I will use those two ranges
I will connect the WAN port of the Second Router to a Lan port on a switch ( or does it need to be actually in the first router)?
0
 
LVL 2

Expert Comment

by:just-one-it
ID: 17096383
As long as the switch is connected to the router, that is fine.
0
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 17096385
no check out the upper figure ...

Router 1 LAN port to router 2 WAN port, where router 1 is connected to your internet connection by its WAN port.

0
 

Author Comment

by:jimmysupport
ID: 17096399
Internet Connects to Wan Port on Router 1
Router 1 connects to lan port on switch
Ethernet Cable from Lan Switch Connects to WAN port on Router 2
Plus another Cable connects to a LAN port on router2 to a LAN Port on a Switch

Do I have that right?
0
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 17096407
That would work.... yes

Thanks
Scott
0
 
LVL 2

Expert Comment

by:just-one-it
ID: 17096408
No, you shouldn't need to connect anything to the LAN port of router2 as it is for wireless access, right?
0
 

Author Comment

by:jimmysupport
ID: 17096441
Ok - which is right - cable to LAN port or no?

Tomorrow, I will be doing this on an island, 13 miles off the coast, I have to be sure one way or the other will work.
May I turn back to the Access Point for a moment (it is my backup if I can't get the routers to work).

Does it need to be plugged into the router directly, or can it be on a switch upstairs?

Can I simply set it to get its IP from DHCP on router 1 or do I have to give it a static IP?

Do I have to take Wireless  MAC filtering off of the Router 1?
0
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 17096452
think we're confused here .... there is no AP any more there is 2 networks if there are going to be lan hosts behind the second router then yes the lan port on router 2 MUST be connected to the switch for the non wireless hosts.

Thanks
Scott

you can allow the second router to get a dhcp address and router and the mac filtering will need to be off if your guests will be connecting to that one.

0
 

Author Comment

by:jimmysupport
ID: 17096476
Using two routers - two networks, but there will be ONLY WIRELESS off router 2

So, I only need the lan port connected - if I need a wired connection to that network...right?

Router 2 is a Wireless Router I am going to try and use it to provide wireless to the upstairs area.
That is all  it needs to do.

But, if I allow it to get its address from DHCP downstairs, how will I allow it to give out 10.10.10.xxx 255.255.0.0
because its IP would come from the 172.16.1.xxx network?

I thought I would tell it that its Gateway was 172.16.1.1 and its DNS was 172.16.1.1
0
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 17096495
the DHCP server on the first floor router will provide this information dynamically to the upstairs router... or you need to statically set it if you want to do it that way.

Thanks
Scott
0
 

Author Comment

by:jimmysupport
ID: 17096550
Let me review - I think I have it:

Two Networks:
Do the physical connections as mentioned above (eliminate the cable from standard lan port to switch from Router 2)

Allow the downstairs Router 1 to be the Gateway and DNS for router 2.
assign the wan port from router 2 an IP address out of the 172.16.1.1 network

nat the first router (172.16.x.x network) to the 10.10.10.x  guest network

allow Router 2 to dhcp addresses to the guests...who will be able to log on with a WEP passkey. (WEP is good enough).

0
 
LVL 2

Accepted Solution

by:just-one-it
just-one-it earned 300 total points
ID: 17097261
I don't think you will need to do any kind of NAT for this to work.  Think of it this way: the 2nd router is acting as if it were the only device in the network.  It thinks router1 is its internet provider.  So, it will assign IPs to hosts connected to it and forward the traffic from those hosts to the internet, which is really router1, which then in turn forwards the traffic out to the rest of the world.

It will look something like this:

                     [Internet Router]
                            |
                            |
                {Router1}-------{Router2}
                    |                   |
                  |                   |
              [Switch]            [Wireless]
                  |                   |            
                  |                   |
      (172.16 network)      (10.0.0.0 network)

0
 
LVL 2

Expert Comment

by:just-one-it
ID: 17097275
Sorry, that diagram didn't come out so well.  I meant for it to show router2 connected to router1.  It should only be connected to router1 via its WAN port.  If you plan to connect wired hosts to router2, then make sure they are connected to it directly or on a switch which is not connected to the 172.16 network.  That way you keep the networks separate.
0
 

Author Comment

by:jimmysupport
ID: 17102084
I went to the Island and did what Scotty and just-one-it said to do, using two routers and it worked great.
Thanks so much for the quick help...saved my 61 year old neck!
This is the best $50 I ever spent!
0
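
Added example (not posted by anyone in this thread): a small Python model of the two designs discussed above, the bridged access point and Router 2 cabled behind Router 1, reporting which flows each one permits. It assumes stock consumer NAT behaviour on Router 2; the host addresses, `ROUTER2_WAN` and the `deny_to` egress filter are hypothetical.

```python
import ipaddress

# Addresses from the thread; host numbers and ROUTER2_WAN are constructed.
LAN = ipaddress.ip_network("172.16.1.0/24")     # office LAN on Router 1
GUEST = ipaddress.ip_network("10.10.0.0/16")    # guest WLAN on Router 2
ROUTER2_WAN = ipaddress.ip_address("172.16.1.250")


def on_link(src_iface, dst):
    """Bridged AP design: everyone shares one segment, so a host talks
    directly to any address inside its own configured subnet."""
    iface = ipaddress.ip_interface(src_iface)
    return ipaddress.ip_address(dst) in iface.network


def router2_verdict(src, dst, deny_to=()):
    """Two-router design, assuming stock NAT behaviour on Router 2:
    outbound from the guest side is forwarded and source-NATed,
    unsolicited inbound from the WAN side is dropped.
    deny_to is a hypothetical egress filter on Router 2."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in GUEST and dst in GUEST:
        return "local"                      # never crosses Router 2
    if src in GUEST:
        if any(dst in ipaddress.ip_network(n) for n in deny_to):
            return "drop"
        return f"forward as {ROUTER2_WAN}"  # LAN hosts see Router 2's WAN IP
    if dst in GUEST:
        return "drop"                       # no port-forward from the WAN side
    return "not via router2"


def audit(deny_to=()):
    """Verdict for each flow the thread cares about."""
    flows = {
        "guest -> internet": ("10.10.10.20", "198.51.100.7"),
        "guest -> office PC": ("10.10.10.20", "172.16.1.10"),
        "office PC -> guest": ("172.16.1.10", "10.10.10.20"),
    }
    return {name: router2_verdict(s, d, deny_to) for name, (s, d) in flows.items()}


if __name__ == "__main__":
    # AP-only plan: the 255.255.0.0 mask keeps a default guest off the LAN range...
    print(on_link("192.168.1.50/16", "172.16.1.10"))
    # ...but only through client settings; the AP itself filters nothing.
    print(on_link("172.16.1.77/24", "172.16.1.10"))
    print(audit())                      # stock Router 2
    print(audit(deny_to=[str(LAN)]))    # with the hypothetical egress filter
```

With the stock settings the guest to office PC flow is forwarded and only the reverse direction is dropped, which matches the earlier warning in the thread that NAT on separate ranges does not by itself keep guests out of 172.16.1.x.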
