Solved

Isolating LAN from Wireless

Posted on 2006-07-12
Last Modified: 2013-11-09
I have a lan which uses

172.16.1.XXX
255.255.255.0

On that lan - there is a Linksys wireless router, in fact, that router serves as the main router for my network.

That wireless requires a MAC ID in order to use it, only one person, the Boss, uses it.

Now, I want a Wireless Access Point upstairs for guests to use, and do not want them to be able to see the 172.16.1.xxx LAN.

My plan is to put a Linksys Access Point upstairs...It has an IP of 192.168.1.254
can I leave that IP address and use 255.255.0.0 for the subnet and allow people to connect wireless without seeing my other network?

All my other LAN pcs have fixed IP addresses.

Question by:jimmysupport
31 Comments
 
LVL 12

Expert Comment

by:Scotty_cisco
You can run multiple segments on the same link medium, be it wireless, wired, etc. If I am reading this correctly, you can do it for certain things, but I don't think the equipment you are mentioning will completely isolate the other network and still be able to use it.



---------             ------------
linksys1----------- linksys 2|--------Guest users
--------              ------------

OK, linksys1 is where the CEO connects and linksys 2 is guest users. You can put them on separate ranges and use the WAN port to NAT all requests from the users, but a smart person could get to the network.

OK so if I am missing something here let me know.

Thanks
Scott
0
 

Author Comment

by:jimmysupport
How smart? How would the person get to 172.16.1.XXX?

0
 
LVL 12

Expert Comment

by:Scotty_cisco
Not very... Now if you put the CEO behind linksys #2 and used the guests on linksys #1 and connected the CEO router AP to the WAN port of his and a standard port... just knowing the address would be enough, or pinging the broadcast address would do it.

Thanks
Scott
0
 
LVL 2

Expert Comment

by:just-one-it
Are you connecting the new access point to the same router as the LAN you want to protect? How will you assign IP addresses to the wireless users? What you should do is use a wireless router, not just an access point, and connect the router to your broadband router (such as a DSL modem or T1 router) with a separate public IP. That way the wireless guests will be on a separate network. This will require you to have 2 public IPs.
0
 

Author Comment

by:jimmysupport
You have lost me...
Linksys 1 is a router, has a WAN port and 4 other standard ports.
It has a wireless also...only access is by MAC filter.
It acts as my gateway for the LAN.

The AP has only one port.

How could I connect the CEO's AP to a WAN port and a standard port...?
What WAN port - I only have one WAN port and it connects to the DSL modem. It is on the Linksys Router.

What address will be broadcast?


0
 
LVL 12

Expert Comment

by:Scotty_cisco
OK, then you do not have what you need to do it. You would need 2 WAN ports to do what I recommend: one WAN port connected to the DSL and the second WAN port connected to one of the 4 standard ports. That way you're protected behind the firewall built on the router.

Thanks
Scott
0
 

Author Comment

by:jimmysupport
just-one-it:

Yes, I am connecting to the same router as the lan I want to isolate.
I am figuring, since I only have one public IP available...that I will be sure all of the LAN pcs have a static IP below or above the range of the DHCP.

I thought the wireless people would be on 192.168.1.XXX or whatever number I assigned the AP with sub net 255.255.0.0 and that would keep them out of other shared resources.

The AP does not seem to have the option to have DHCP, it can be an AP or wireless repeater...

0
 
LVL 2

Expert Comment

by:just-one-it
You will not be able to isolate the two networks with the access point then.  You will have to have a router for that.  
0
 
LVL 12

Expert Comment

by:Scotty_cisco
The AP is basically a wireless hub and is dumb and cannot filter or block things... so whatever connects to the AP will not be able to be protected, so you need another router or something.

Thanks
Scott
0
 

Author Comment

by:jimmysupport
I have a router. I tried using it over and over...but couldn't get it to do the job....went and bought a fancy N type,
tried again.

I could get it to work - but as soon as I enabled WEP (or any security) could no longer access the Internet.

How would I use the router?
0
 
LVL 2

Expert Comment

by:just-one-it
You would connect the WAN port of the router to your other Linksys router. You can either set the WAN IP to be dynamic, which is the default on most SOHO routers, or you could configure a static IP in the 172.16.1 range. The default settings for the router should hand out a DHCP address to wireless clients in the 192.168 range on most routers. That's all you should have to do, beyond enabling some type of encryption for the wireless. I would recommend using WPA or WPA2 as WEP is fairly insecure.
0
 
LVL 12

Assisted Solution

by:Scotty_cisco
Scotty_cisco earned 200 total points

                             -----------------------                    --------------------
====internet dsl---wan port ROUTER 1--lan port ---- wanport router 2-----lan port---------
                            ------------------------                    ---------------------

OK, so you NAT the first router outside to the 192.168.1.x guest network, then you assign the WAN port from router 2 an IP address out of that 192.168.1 network and NAT the 172.16.x.x network to the 192.168.1.x address.

Thanks
Scott
0
 

Author Comment

by:jimmysupport
The AP is connecting to a router...therefore isn't that router affording protection for the guests?

I understand then, why it can't stop people from seeing the LAN...no matter what its IP is - they will be using the same network as the inside folks.

Static IPs won't make any difference either...I think I understand what you are saying.

0
 
LVL 12

Expert Comment

by:Scotty_cisco
No, because you could not have 2 IP address ranges on Linksys routers. You could on a Cisco or maybe some other more expensive type of device, but the AP will only pass traffic; it will not filter it.

Thanks
Scott
0
 

Author Comment

by:jimmysupport
Scotty_cisco - Does your last note mean I cannot have 172.16.1.XXX 255.255.255.0 on the first Linksys Router and 10.10.10.XXX with 255.255.0.0 on the Second Linksys N Router?
0
 
LVL 2

Expert Comment

by:just-one-it
If you have two routers, you can have two ranges.  But, if you have one router and one access point, then you only have one network.
0
 
LVL 12

Expert Comment

by:Scotty_cisco
The problem is that without a NAT or a router to talk from a 10.10.10.xx to a 172.16.1.xx network, because of basic IP networking, they are in different cities, as it were, with no bridge connecting the roads between the 2 cities.

Make sense?

Thanks
Scott
0
 

Author Comment

by:jimmysupport
OK - I will forget the Access Point - if I can figure how to make the two routers work.

So I have two routers...both Linksys
I will use those two ranges
I will connect the WAN port of the Second Router to a LAN port on a switch (or does it need to be actually in the first router)?
0
 
LVL 2

Expert Comment

by:just-one-it
As long as the switch is connected to the router, that is fine.
0
 
LVL 12

Expert Comment

by:Scotty_cisco
No, check out the upper figure...

Router 1 LAN port to router 2 WAN port, where router 1 is connected to your internet connection by its WAN port.

0
 

Author Comment

by:jimmysupport
Internet Connects to Wan Port on Router 1
Router 1 connects to lan port on switch
Ethernet Cable from Lan Switch Connects to WAN port on Router 2
Plus another Cable connects to a LAN port on router2 to a LAN Port on a Switch

Do I have that right?
0
 
LVL 12

Expert Comment

by:Scotty_cisco
That would work.... yes

Thanks
Scott
0
 
LVL 2

Expert Comment

by:just-one-it
No, you shouldn't need to connect anything to the LAN port of router2 as it is for wireless access, right?
0
 

Author Comment

by:jimmysupport
Ok - which is right - cable to LAN port or no?

Tomorrow, I will be doing this on an island, 13 miles off the coast, I have to be sure one way or the other will work.
May I turn back to the Access Point for a moment (it is my backup if I can't get the routers to work).

Does it need to be plugged into the router directly, or can it be on a switch upstairs?

Can I simply set it to get its IP from DHCP on router 1 or do I have to give it a static IP?

Do I have to take Wireless MAC filtering off of the Router 1?
0
 
LVL 12

Expert Comment

by:Scotty_cisco
Think we're confused here... There is no AP any more; there are 2 networks. If there are going to be LAN hosts behind the second router, then yes, the LAN port on router 2 MUST be connected to the switch for the non-wireless hosts.

Thanks
Scott

You can allow the second router to get a DHCP address and router, and the MAC filtering will need to be off if your guests will be connecting to that one.

0
 

Author Comment

by:jimmysupport
Using two routers - two networks, but there will be ONLY WIRELESS off router 2

So, I only need the lan port connected - if I need a wired connection to that network...right?

Router 2 is a Wireless Router I am going to try and use it to provide wireless to the upstairs area.
That is all it needs to do.

But, if I allow it to get its address from DHCP downstairs, how will I allow it to give out 10.10.10.xxx 255.255.0.0 because its IP would come from the 172.16.1.xxx network?

I thought I would tell it that its Gateway was 172.16.1.1 and its DNS was 172.16.1.1
0
 
LVL 12

Expert Comment

by:Scotty_cisco
The DHCP server on the first floor router will provide this information dynamically to the upstairs router... or you need to statically set it if you want to do it that way.

Thanks
Scott
0
 

Author Comment

by:jimmysupport
Let me review - I think I have it:

Two Networks:
Do the physical connections as mentioned above (eliminate the cable from standard lan port to switch from Router 2)

Allow the downstairs Router 1 to be the Gateway and DNS for router 2.
Assign the WAN port from router 2 an IP address out of the 172.16.1.1 network

NAT the first router (172.16.x.x network) to the 10.10.10.x guest network

Allow Router 2 to DHCP addresses to the guests...who will be able to log on with a WEP passkey. (WEP is good enough).

0
 
LVL 2

Accepted Solution

by:just-one-it
just-one-it earned 300 total points
I don't think you will need to do any kind of NAT for this to work. Think of it this way: the 2nd router is acting as if it were the only device in the network. It thinks router1 is its internet provider. So, it will assign IPs to hosts connected to it and forward the traffic from those hosts to the internet, which is really router1, which then in turn forwards the traffic out to the rest of the world.

It will look something like this:

                     [Internet Router]
                            |
                            |
                {Router1}-------{Router2}
                    |                   |
                  |                   |
              [Switch]            [Wireless]
                  |                   |            
                  |                   |
      (172.16 network)      (10.0.0.0 network)

0
 
LVL 2

Expert Comment

by:just-one-it
Sorry, that diagram didn't come out so well. I meant for it to show router2 connected to router1. It should only be connected to router1 via its WAN port. If you plan to connect wired hosts to router2, then make sure they are connected to it directly or on a switch which is not connected to the 172.16 network. That way you keep the networks separate.
0
 

Author Comment

by:jimmysupport
I went to the Island and did what Scotty and just-one-it said to do, using two routers and it worked great.
Thanks so much for the quick help...saved my 61 year old neck!
This is the best $50 I ever spent!
0
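
Added example, not part of the original thread: a small Python model of the two-router layout discussed above, for checking which destinations a guest behind Router 2 can reach. The host addresses and the `router2_deny` filter are assumptions; because Router 2's WAN port sits on the 172.16.1.x LAN, guest traffic to that range is forwarded unless Router 2 filters it, while Router 2's NAT shields the guests from LAN-initiated connections.

```python
import ipaddress

# Addressing from the thread; individual host addresses are constructed samples.
LAN = ipaddress.ip_network("172.16.1.0/24")    # Router 1 LAN (255.255.255.0)
GUEST = ipaddress.ip_network("10.10.0.0/16")   # Router 2 LAN (10.10.10.x, 255.255.0.0)


def on_link(interface, dst):
    """True if a host configured as `interface` treats dst as directly reachable."""
    return ipaddress.ip_address(dst) in ipaddress.ip_interface(interface).network


def guest_path(dst, router2_deny=()):
    """Hops a packet from a guest behind Router 2 takes to dst; [] if dropped.

    router2_deny is a hypothetical outbound filter on Router 2 (assumption:
    the thread never says whether these Linksys models offer one).
    """
    dst = ipaddress.ip_address(dst)
    if dst in GUEST:
        return ["guest WLAN"]                  # never leaves Router 2's LAN side
    if any(dst in ipaddress.ip_network(n) for n in router2_deny):
        return []                              # dropped before the WAN port
    if dst in LAN:
        # Router 2's WAN port is on Router 1's LAN, so 172.16.1.x is on-link for it.
        return ["Router 2 (NAT)", "Router 1 LAN segment"]
    return ["Router 2 (NAT)", "Router 1 (NAT)", "Internet"]


def audit(targets, router2_deny=()):
    """Return the LAN addresses a guest can still reach (ideally an empty list)."""
    return [t for t in targets
            if ipaddress.ip_address(t) in LAN and guest_path(t, router2_deny)]


if __name__ == "__main__":
    # Single-AP plan from the question: the mask only changes what the client's
    # own stack considers local; it filters nothing on the shared segment.
    print(on_link("192.168.1.254/255.255.0.0", "172.16.1.20"))
    sample = ["172.16.1.1", "172.16.1.20", "203.0.113.10"]   # constructed
    print(audit(sample))
    print(audit(sample, router2_deny=["172.16.1.0/24"]))
```
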
