Solved

Isolating LAN from Wireless

Posted on 2006-07-12
Last Modified: 2013-11-09
I have a LAN which uses

172.16.1.XXX
255.255.255.0

On that LAN there is a Linksys wireless router; in fact, that router serves as the main router for my network.

That wireless requires a MAC ID in order to use it; only one person, the Boss, uses it.

Now, I want a Wireless Access Point upstairs for guests to use, and do not want them to be able to see the
172.16.1.xxx LAN.

My plan is to put a Linksys Access Point upstairs... It has an IP of 192.168.1.254.
Can I leave that IP address and use 255.255.0.0 for the subnet and allow people to connect wirelessly without seeing my other network?

All my other LAN pcs have fixed IP addresses.

0
Question by:jimmysupport
31 Comments
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 17096082
You can run multiple segments on the same link medium, be it wireless, wired, etc. If I am reading this correctly, you can do it for certain things, but I don't think the equipment you are mentioning will completely isolate the other network and still be able to use it.



---------             ------------
linksys1----------- linksys 2|--------Guest users
--------              ------------

OK, linksys1 is where the CEO connects and linksys 2 is guest users. You can put them on separate ranges and use the WAN port to NAT all requests from the users, but a smart person could get to the network.

OK so if I am missing something here let me know.

Thanks
Scott
0
 

Author Comment

by:jimmysupport
ID: 17096114
How smart? How would the person get to 172.16.1.XXX?

0
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 17096126
Not very... Now if you put the CEO behind linksys #2 and used the guests on linksys #1 and connected the CEO router AP to the WAN port of his and a standard port... just knowing the address would be enough, or pinging the broadcast address would do it.

Thanks
Scott
0

 
LVL 2

Expert Comment

by:just-one-it
ID: 17096251
Are you connecting the new access point to the same router as the LAN you want to protect? How will you assign IP addresses to the wireless users? What you should do is use a wireless router, not just an access point, and connect the router to your broadband router (such as a DSL modem or T1 router) with a separate public IP. That way the wireless guests will be on a separate network. This will require you to have 2 public IPs.
0
 

Author Comment

by:jimmysupport
ID: 17096260
You have lost me...
Linksys 1 is a router, has a WAN port and 4 other standard ports.
It has a wireless also...only access is by MAC filter.
It acts as my gateway for the LAN.

The AP has only one port.

How could I connect the CEO's AP to a WAN port and a standard port...?
What WAN port - I only have one WAN port and it connects to the DSL modem. It is on the Linksys Router.

What address will be broadcast?


0
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 17096268
OK, then you do not have what you need to do it. You would need 2 WAN ports to do what I recommend: one WAN port connected to the DSL and the second WAN port connected to one of the 4 standard ports. That way you're protected behind the firewall built on the router.

Thanks
Scott
0
 

Author Comment

by:jimmysupport
ID: 17096286
just-one-it:

Yes, I am connecting to the same router as the lan I want to isolate.
I am figuring, since I only have one public IP available...that I will be sure all of the LAN pcs have a static IP below or above the range of the DHCP.

I thought the wireless people would be on 192.168.1.XXX or whatever number I assigned the AP, with subnet 255.255.0.0, and that would keep them out of other shared resources.

The AP does not seem to have the option to have DHCP; it can be an AP or wireless repeater...

0
 
LVL 2

Expert Comment

by:just-one-it
ID: 17096294
You will not be able to isolate the two networks with the access point then. You will have to have a router for that.
0
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 17096299
The AP is basically a wireless hub and is dumb and cannot filter or block things... so whatever connects to the AP will not be able to be protected, so you need another router or something.

Thanks
Scott
0
 

Author Comment

by:jimmysupport
ID: 17096302
I have a router. I tried using it over and over...but couldn't get it to do the job....went and bought a fancy N type,
tried again.

I could get it to work - but as soon as I enabled WEP (or any security) could no longer access the Internet.

How would I use the router?
0
 
LVL 2

Expert Comment

by:just-one-it
ID: 17096312
You would connect the WAN port of the router to your other Linksys router. You can either set the WAN IP to be dynamic, which is the default on most SOHO routers, or you could configure a static IP in the 172.16.1 range. The default settings for the router should hand out a DHCP address to wireless clients in the 192.168 range on most routers. That's all you should have to do, beyond enabling some type of encryption for the wireless. I would recommend using WPA or WPA2, as WEP is fairly insecure.
0
 
LVL 12

Assisted Solution

by:Scotty_cisco
Scotty_cisco earned 200 total points
ID: 17096318



                             -----------------------                    --------------------
====internet dsl---wan port ROUTER 1--lan port ---- wanport router 2-----lan port---------
                            ------------------------                    ---------------------

OK, so you NAT the first router outside to the 192.168.1.x guest network, then you assign the WAN port from router 2 an IP address out of that 192.168.1 network and NAT the 172.16.x.x network to the 192.168.1.x address.

thanks
Scott
0
 

Author Comment

by:jimmysupport
ID: 17096323
The AP is connecting to a router...therefore isn't that router affording protection for the guests?

I understand then, why it can't stop people from seeing the LAN...no matter what its IP is - they will be using the same network as the inside folks.

Static IPs won't make any difference either...I think I understand what you are saying.

0
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 17096333
No, because you could not have 2 IP address ranges on Linksys routers. You could on a Cisco or maybe some other more expensive type of device, but the AP will only pass traffic; it will not filter it.

Thanks
Scott
0
 

Author Comment

by:jimmysupport
ID: 17096352
Scotty_cisco - Does your last note mean I cannot have 172.16.1.XXX 255.255.255.0 on the first Linksys Router
and 10.10.10.XXX with 255.255.0.0 on the second Linksys N Router?
0
 
LVL 2

Expert Comment

by:just-one-it
ID: 17096359
If you have two routers, you can have two ranges.  But, if you have one router and one access point, then you only have one network.
0
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 17096366
The problem is that without a NAT or a router to talk from a 10.10.10.xx to a 172.16.1.xx network, because of basic IP networking, they are in different cities, as it were, with no bridge connecting the roads between the 2 cities.

Make sense?

Thanks
Scott
0
 

Author Comment

by:jimmysupport
ID: 17096374
OK - I will forget the Access Point - if I can figure how to make the two routers work.

So I have two routers...both Linksys
I will use those two ranges
I will connect the WAN port of the Second Router to a Lan port on a switch ( or does it need to be actually in the first router)?
0
 
LVL 2

Expert Comment

by:just-one-it
ID: 17096383
As long as the switch is connected to the router, that is fine.
0
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 17096385
No, check out the upper figure...

Router 1 LAN port to router 2 WAN port, where router 1 is connected to your internet connection by its WAN port.

0
 

Author Comment

by:jimmysupport
ID: 17096399
Internet Connects to Wan Port on Router 1
Router 1 connects to lan port on switch
Ethernet Cable from Lan Switch Connects to WAN port on Router 2
Plus another Cable connects to a LAN port on router2 to a LAN Port on a Switch

Do I have that right?
0
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 17096407
That would work.... yes

Thanks
Scott
0
 
LVL 2

Expert Comment

by:just-one-it
ID: 17096408
No, you shouldn't need to connect anything to the LAN port of router2, as it is for wireless access, right?
0
 

Author Comment

by:jimmysupport
ID: 17096441
Ok - which is right - cable to LAN port or no?

Tomorrow, I will be doing this on an island, 13 miles off the coast, I have to be sure one way or the other will work.
May I turn back to the Access Point for a moment (it is my backup if I can't get the routers to work).

Does it need to be plugged into the router directly, or can it be on a switch upstairs?

Can I simply set it to get its IP from DHCP on router 1 or do I have to give it a static IP?

Do I have to take Wireless MAC filtering off of Router 1?
0
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 17096452
I think we're confused here... There is no AP any more; there are 2 networks. If there are going to be LAN hosts behind the second router, then yes, the LAN port on router 2 MUST be connected to the switch for the non-wireless hosts.

Thanks
Scott

You can allow the second router to get a DHCP address and router, and the MAC filtering will need to be off if your guests will be connecting to that one.

0
 

Author Comment

by:jimmysupport
ID: 17096476
Using two routers - two networks, but there will be ONLY WIRELESS off router 2

So, I only need the lan port connected - if I need a wired connection to that network...right?

Router 2 is a Wireless Router; I am going to try and use it to provide wireless to the upstairs area.
That is all it needs to do.

But, if I allow it to get its address from DHCP downstairs, how will I allow it to give out 10.10.10.xxx 255.255.0.0
because its IP would come from the 172.16.1.xxx network?

I thought I would tell it that its Gateway was 172.16.1.1 and its DNS was 172.16.1.1
0
 
LVL 12

Expert Comment

by:Scotty_cisco
ID: 17096495
The DHCP server on the first floor router will provide this information dynamically to the upstairs router... or you need to statically set it if you want to do it that way.

Thanks
Scott
0
 

Author Comment

by:jimmysupport
ID: 17096550
Let me review - I think I have it:

Two Networks:
Do the physical connections as mentioned above (eliminate the cable from standard lan port to switch from Router 2)

Allow the downstairs Router 1 to be the Gateway and DNS for router 2.
assign the wan port from router 2 an IP address out of the 172.16.1.1 network

nat the first router (172.16.x.x network) to the 10.10.10.x  guest network

allow Router 2 to dhcp addresses to the guests...who will be able to log on with a WEP passkey. (WEP is good enough).

0
 
LVL 2

Accepted Solution

by:just-one-it
just-one-it earned 300 total points
ID: 17097261
I don't think you will need to do any kind of NAT for this to work. Think of it this way: the 2nd router is acting as if it were the only device in the network. It thinks router1 is its internet provider. So, it will assign IPs to hosts connected to it and forward the traffic from those hosts to the internet, which is really router1, which then in turn forwards the traffic out to the rest of the world.

It will look something like this:

                     [Internet Router]
                            |
                            |
                {Router1}-------{Router2}
                    |                   |
                  |                   |
              [Switch]            [Wireless]
                  |                   |            
                  |                   |
      (172.16 network)      (10.0.0.0 network)

0
 
LVL 2

Expert Comment

by:just-one-it
ID: 17097275
Sorry, that diagram didn't come out so well. I meant for it to show router2 connected to router1. It should only be connected to router1 via its WAN port. If you plan to connect wired hosts to router2, then make sure they are connected to it directly or on a switch which is not connected to the 172.16 network. That way you keep the networks separate.
0
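
Added example, not part of the thread and not written by any participant: a small Python audit of the two designs discussed above (access point only, and a second router whose WAN port sits on the office LAN), reporting where guests and the 172.16.1.x LAN are still connected. The router 2 WAN address and the `blocked` deny rule are assumptions made for illustration; whether a given router can express such a rule depends on its firmware.

```python
import ipaddress

def audit(design):
    """Return isolation findings for a guest-network design (empty list = none found)."""
    findings = []
    office = ipaddress.ip_network(design["office_net"])
    # strict=False accepts a host address plus mask, e.g. 10.10.10.0/255.255.0.0
    guest = ipaddress.ip_network(design["guest_net"], strict=False)
    if guest.overlaps(office):
        findings.append("overlap")
    wan = design.get("guest_router_wan")
    if wan is None:
        # Access point only: it bridges, so guests share the office broadcast
        # domain and a different IP range or mask is not a boundary.
        findings.append("shared-segment")
        return findings
    wan_net = ipaddress.ip_interface(wan).network
    if wan_net.overlaps(guest):
        findings.append("wan-lan-overlap")
    blocked = [ipaddress.ip_network(b) for b in design.get("blocked", [])]
    if wan_net.overlaps(office) and not any(office.subnet_of(b) for b in blocked):
        # The office LAN is directly connected on the guest router's WAN side,
        # so guest traffic addressed to it is forwarded like any other traffic.
        findings.append("office-reachable-from-guest")
    return findings

# Constructed designs using the ranges discussed in the thread.
AP_ONLY = {"office_net": "172.16.1.0/24",
           "guest_net": "192.168.1.254/255.255.0.0"}
TWO_ROUTERS = {"office_net": "172.16.1.0/24",
               "guest_net": "10.10.10.0/255.255.0.0",
               "guest_router_wan": "172.16.1.50/24"}  # assumed WAN address
# Assumed deny rule on router 2 for traffic from guests to the office range.
TWO_ROUTERS_FILTERED = dict(TWO_ROUTERS, blocked=["172.16.1.0/24"])

if __name__ == "__main__":
    for name, d in [("AP only", AP_ONLY), ("two routers", TWO_ROUTERS),
                    ("two routers + filter", TWO_ROUTERS_FILTERED)]:
        print(f"{name}: {audit(d) or 'no findings'}")
```

A deny rule covering 172.16.1.0/24 also covers router 1 at 172.16.1.1, so guests then need a DNS server outside that range or an explicit exception for DNS to the gateway.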
 

Author Comment

by:jimmysupport
ID: 17102084
I went to the Island and did what Scotty and just-one-it said to do, using two routers and it worked great.
Thanks so much for the quick help...saved my 61 year old neck!
This is the best $50 I ever spent!
0
