  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 511

Isolating LAN from Wireless

I have a lan which uses

172.16.1.XXX
255.255.255.0

On that lan - there is a Linksys wireless router, in fact,  that router serves as the main router for my network.

That wireless requires a MAC ID in order to use it, only one person, the Boss,  uses it.

Now, I want a Wireless Access Point upstairs for guests to use, and do not want them to be able to see the
172.16.1.xxx LAN.

My plan is to put a Linksys Access Point upstairs...It has an IP of 192.168.1.254
can I leave that IP address and use 255.255.0.0 for the subnet and allow people to connect wireless without seeing my other network?

All my other LAN pcs have fixed IP addresses.

0
jimmysupport
Asked:
2 Solutions
 
Scotty_ciscoCommented:
You can run multiple segments on the same link medium be it wireless, wired etc.  If I am reading this correctly you can do it for certain things but I don't think with the equipment you are mentioning will completely isolate the other network and still be able to use it.



---------             ------------
linksys1----------- linksys 2|--------Guest users
--------              ------------

ok linksys1 is where the CEO connects and linksys 2 is guest users you can put them on separate ranges and use the wan port to NAT all requests from the users but a smart person could get to the network.

OK so if I am missing something here let me know.

Thanks
Scott
0
 
jimmysupportAuthor Commented:
How smart? How would the person get to 172.16.1.XXX?

0
 
Scotty_ciscoCommented:
not very... now if you put the CEO behind linksys #2 and used the guests on linksys #1 and connected the CEO router AP to the wan port of his and a standard port... just knowing the address would be enough or pinging the broadcast address would do it.

Thanks
Scott
0

 
just-one-itCommented:
Are you connecting the new access point to the same router as the lan you want to protect?  How will you assign IP addresses to the wireless users?  What you should do is use a wireless router, not just an access point, and connect the router to your broadband router (such as a dsl modem or t1 router) with a separate public ip.  That way the wireless guests will be on a separate network.  This will require you to have 2 public ip's.
0
 
jimmysupportAuthor Commented:
You have lost me...
Linksys 1 is a router, has a WAN port and 4 other standard ports.
It has a wireless also...only access is by MAC filter.
It acts as my gateway for the LAN.

The AP has only one port.

How could I connect the CEO's AP to a WAN port and a standard port...?
What WAN port - I only have one WAN port and it connects to the DSL modem. It is on the Linksys Router.

What address will be broadcast?


0
 
Scotty_ciscoCommented:
ok then you do not have what you need to do it you would need 2 wan ports to do what I recommend one wan port connected to the DSL and the second wan port connected to one of the 4 standard ports that way you're protected behind the firewall built on the router.

Thanks
Scott
0
 
jimmysupportAuthor Commented:
just-one-it:

Yes, I am connecting to the same router as the lan I want to isolate.
I am figuring, since I only have one public IP available...that I will be sure all of the LAN pcs have a static IP below or above the range of the DHCP.

I thought the wireless people would be on 192.168.1.XXX or whatever number I assigned the AP with sub net 255.255.0.0 and that would keep them out of other shared resources.

The AP does not seem to have the option to have DHCP, it can be an AP or  wireless repeater...

0
 
just-one-itCommented:
You will not be able to isolate the two networks with the access point then.  You will have to have a router for that.  
0
 
Scotty_ciscoCommented:
the AP is basically a wireless hub and is dumb and can not filter or block things.... so whatever connects to the AP will not be able to be protected so you need another router or something.

Thanks
Scott
0
 
jimmysupportAuthor Commented:
I have a router. I tried using it over and over...but couldn't get it to do the job....went and bought a fancy N type,
tried again.

I could get it to work - but as soon as I enabled WEP (or any security) could no longer access the Internet.

How would I use the router?
0
 
just-one-itCommented:
You would connect the wan port of the router to your other linksys router.  You can either set the wan ip to be dynamic, which is the default on most soho routers, or you could configure a static ip in the 172.16.1 range.  The default settings for the router should hand out a dhcp address to wireless clients in the 192.168 range on most routers.  That's all you should have to do, beyond enabling some type of encryption for the wireless.  I would recommend using WPA or WPA2 as WEP is fairly insecure.
0
 
Scotty_ciscoCommented:



                             -----------------------                    --------------------
====internet dsl---wan port ROUTER 1--lan port ---- wanport router 2-----lan port---------
                            ------------------------                    ---------------------

ok so you nat the first router outside to the 192.168.1.x guest network then you assign the wan port from router 2 a IP address out of that 192.168.1 network and nat the 172.16.x.x network to the 192.168.1.x address

thanks
Scott
0
 
jimmysupportAuthor Commented:
The AP is connecting to a router...therefore isn't that router affording protection for the guests?

I understand then, why it can't stop people from seeing the LAN...no matter what its IP is - they will be using the same network as the inside folks.

Static IPs won't make any difference either...I think I understand what you are saying.

0
 
Scotty_ciscoCommented:
no because you could not have 2 IP address ranges on linksys routers you could on a cisco or maybe some other more expensive type device but the AP will only pass traffic it will not filter it.

Thanks
Scott
0
 
jimmysupportAuthor Commented:
Scotty_cisco - Does your last note mean I cannot have 172.16.1.XXX 255.255.255.0 on the first Linksys Router
and 10.10.10.XXX with 255.255.0.0 on the Second Linksys N Router?
0
 
just-one-itCommented:
If you have two routers, you can have two ranges.  But, if you have one router and one access point, then you only have one network.
0
 
Scotty_ciscoCommented:
the problem is that without a NAT or a router to talk from a 10.10.10.xx to a 172.16.1.xx network because basic IP networking they are in different cities as it were with no bridge connecting the roads between the 2 cities.

Make sense?

Thanks
Scott
0
 
jimmysupportAuthor Commented:
OK - I will forget the Access Point - if I can figure how to make the two routers work.

So I have two routers...both Linksys
I will use those two ranges
I will connect the WAN port of the Second Router to a Lan port on a switch ( or does it need to be actually in the first router)?
0
 
just-one-itCommented:
As long as the switch is connected to the router, that is fine.
0
 
Scotty_ciscoCommented:
no check out the upper figure ...

router 1 lan port to router 2 wan port where router 1 is connected to your internet connection by its wan port

0
 
jimmysupportAuthor Commented:
Internet Connects to Wan Port on Router 1
Router 1 connects to lan port on switch
Ethernet Cable from Lan Switch Connects to WAN port on Router 2
Plus another Cable connects to a LAN port on router2 to a LAN Port on a Switch

Do I have that right?
0
 
Scotty_ciscoCommented:
That would work.... yes

Thanks
Scott
0
 
just-one-itCommented:
No, you shouldn't need to connect anything to the LAN port of router2 as it is for wireless access, right?
0
 
jimmysupportAuthor Commented:
Ok - which is right - cable to LAN port or no?

Tomorrow, I will be doing this on an island, 13 miles off the coast, I have to be sure one way or the other will work.
May I turn back to the Access Point for a moment (it is my backup if I can't get the routers to work).

Does it need to be plugged into the router directly, or can it be on a switch upstairs?

Can I simply set it to get its IP from DHCP on router 1 or do I have to give it a static IP?

Do I have to take Wireless  MAC filtering off of the Router 1?
0
 
Scotty_ciscoCommented:
think we're confused here .... there is no AP any more there is 2 networks if there are going to be lan hosts behind the second router then yes the lan port on router 2 MUST be connected to the switch for the non wireless hosts.

Thanks
Scott

you can allow the second router to get a dhcp address and router and the mac filtering will need to be off if your guests will be connecting to that one.

0
 
jimmysupportAuthor Commented:
Using two routers - two networks, but there will be ONLY WIRELESS off router 2

So, I only need the lan port connected - if I need a wired connection to that network...right?

Router 2 is a Wireless Router I am going to try and use it to provide wireless to the upstairs area.
That is all  it needs to do.

But, if I allow it to get its address from DHCP downstairs, how will I allow it to give out 10.10.10.xxx 255.255.0.0
because its IP would come from the 172.16.1.xxx network?

I thought I would tell it that its Gateway was 172.16.1.1 and its DNS was 172.16.1.1
0
 
Scotty_ciscoCommented:
the DHCP server on the first floor router will provide this information dynamically to the upstairs router... or you need to statically set it if you want to do it that way.

Thanks
Scott
0
 
jimmysupportAuthor Commented:
Let me review - I think I have it:

Two Networks:
Do the physical connections as mentioned above (eliminate the cable from standard lan port to switch from Router 2)

Allow the downstairs Router 1 to be the Gateway and DNS for router 2.
assign the wan port from router 2 an IP address out of the 172.16.1.1 network

nat the first router (172.16.x.x network) to the 10.10.10.x  guest network

allow Router 2 to dhcp addresses to the guests...who will be able to log on with a WEP passkey. (WEP is good enough).

0
 
just-one-itCommented:
I don't think you will need to do any kind of nat for this to work.  Think of it this way: the 2nd router is acting as if it were the only device in the network.  It thinks router1 is its internet provider.  So, it will assign ip's to hosts connected to it and forward the traffic from those hosts to the internet, which is really router1 which then in turn forwards the traffic out the rest of the world.

It will look something like this:

                     [Internet Router]
                            |
                            |
                {Router1}-------{Router2}
                    |                   |
                  |                   |
              [Switch]            [Wireless]
                  |                   |            
                  |                   |
      (172.16 network)      (10.0.0.0 network)

0
 
just-one-itCommented:
Sorry, that diagram didn't come out so well.  I meant for it to show router2 connected to router1.  It should only be connected to router1 via its WAN port.  If you plan to connect wired hosts to router2, then make sure they are connected to it directly or on a switch which is not connected to the 172.16 network.  That way you keep the networks separate.
0
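
The cascaded two-router layout described in the posts above, as an added example (not code from any poster): a small Python model that traces where a new connection goes, using the thread's 172.16.1.0/24 and 10.10.0.0/16 ranges. It assumes stock NAT-router behaviour (LAN-to-WAN forwarded, unsolicited WAN-to-LAN dropped); `block_wan_subnet` stands for a hypothetical firewall rule on router 2 and is not a setting named in the thread.

```python
import ipaddress as ip

# Ranges from the thread: office LAN behind router 1, guest WLAN behind router 2.
NETS = {"office": ip.ip_network("172.16.1.0/24"),
        "guest": ip.ip_network("10.10.0.0/16")}
# router -> (LAN-side segment, WAN-side segment)
ROUTERS = {"router1": ("office", "internet"),
           "router2": ("guest", "office")}


def trace(src_segment, dst, block_wan_subnet=()):
    """Hops taken by a NEW connection from a host on src_segment to dst.

    Assumed stock NAT-router behaviour: anything from the LAN side is
    forwarded out the WAN port; nothing unsolicited comes back in.
    block_wan_subnet: routers carrying a (hypothetical) rule that drops
    LAN-side traffic addressed to their own WAN-side subnet.
    """
    dst = ip.ip_address(dst)
    seg, hops = src_segment, []
    while seg != "internet":
        if dst in NETS[seg]:                      # on-link: no router involved
            return hops + ["delivered on " + seg]
        router = next(r for r, (lan, _) in ROUTERS.items() if lan == seg)
        wan = ROUTERS[router][1]
        if router in block_wan_subnet and wan in NETS and dst in NETS[wan]:
            return hops + ["dropped by " + router]
        hops.append(router + " NAT")
        seg = wan
    if dst.is_private:                            # private space is not routed upstream
        return hops + ["dropped upstream"]
    return hops + ["delivered on internet"]


def reachable(src_segment, dst, **kw):
    return trace(src_segment, dst, **kw)[-1].startswith("delivered")


if __name__ == "__main__":
    cases = [("guest", "8.8.8.8"),       # guest Internet access: double NAT
             ("office", "10.10.10.5"),   # office PC -> guest: no route back in
             ("guest", "172.16.1.50"),   # guest -> office PC: router 2 forwards it
             ("office", "172.16.1.50")]  # client bridged by a plain AP: same segment
    for seg, dst in cases:
        print(f"{seg:>6} -> {dst:<12}", trace(seg, dst))
    print("with rule:", trace("guest", "172.16.1.50", block_wan_subnet={"router2"}))
```

The model shows the asymmetry in this layout: hosts behind router 2 are shielded from the office segment, while office hosts stay addressable from behind router 2 unless router 2 filters its WAN-side subnet.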
 
jimmysupportAuthor Commented:
I went to the Island and did what Scotty and just-one-it said to do, using two routers and it worked great.
Thanks so much for the quick help...saved my 61 year old neck!
This is the best $50 I ever spent!
0
