Solved

How do I create two wireless networks with differing access rules using a pair of DLINK DWL 3200AP units

Posted on 2009-02-20
Last Modified: 2013-11-16
Hi Experts,
I wonder if someone out there can help with probably a basic question.
I have looked on the site for the hardware issues I have but to no avail

Here's the situation........

I have a bar with three floors, two lower ones for the customers and one at the top for the staff.
Cabling in the building is limited and it's difficult to add more as it's an old and very solid building.

I have one broadband line terminating on the top floor with a DLINK dsl2640B router attached to it. This is wireless capable but I don't necessarily need it to be active, as I have bought (from advice on the internet), two DLINK DWL-3200AP access points, which I was thinking might be able to be the devices that all occupants could attach to as the access point blurb on the net claims they can support multiple wireless SSIDs

I have a couple of cat5 cables I managed to get in that run down from the top floor to the mid floor and the ground floor

I wanted to have two wireless networks so that the customers can get access to one of them and surf the net but not see the staff computers or access the server. I want the staff to have access to all the staff computers and the server and printer and the internet. I do not mind if they can see the customers, but would prefer them not to be able to so that if the customers have unprotected machines with viruses, they won't spread them to my staff devices. Both networks must have passwords so that only customers and staff can gain access and not my neighbours or people in the street. It is my intention to change the passwords now and again to limit the number of freeloaders who hear what the password is.

I have attached one of the DWL 3200APs on the mid floor and one on the lower floor and they are connected by the cables I mentioned earlier. The cables from them terminate on the top floor and attach to a Netgear PoE unmanaged switch which in turn is linked to the back of the DLINK dsl2640B router.

I have read the instructions in the DLINK guides and also used the AP manager2 software that comes with the AP's but it refuses to connect properly and I can only change IP address and very minor things. I keep getting SNMP errors

I can get to use win explorer to directly browse the APs and change their settings and this seems reasonably easy to use, just difficult to figure out how to get what I desire. I can also telnet and use the CLI but there is a limit on what you can do this way

At the moment I have managed to get two networks running (sort of).
One is via the wireless part of the router and has a password and can see everything plus the internet. The other is via one of the AP's and this has a password, but can also see everything on the network and the internet. As I mentioned, I am happy to turn off wireless on the router and use the APs for both networks. I would ideally like the APs to share the broadcast of both networks (and be sort of virtually bonded together) so anyone anywhere can see both networks and get to what they should. Surprisingly, the APs are pushing out a really strong signal and can be accessed from all parts of the building which is why I feel that the router can be wirelessly disabled. However, if it's easier to keep it active, feel free to suggest.

My lan schema is set up as follows
Netmask is 255.255.255.0
Gateway is 192.168.10.1

router is 192.168.10.1
AP on mid floor is 192.168.10.2
AP on lower floor is 192.168.10.3
Printer on top floor is 192.168.10.10
Video surveillance DVR is 192.168.10.9
Server (soon to be installed) will be 192.168.10.5
Till points on the various floors are from 192.168.10.100 to 105

Access to the manuals and various info on this can be found at

For the router
http://www.dlink.co.uk/cs/Satellite?c=Product_C&childpagename=DLinkEurope-GB%2FDLProductCarousel&cid=1197319445979&p=1197318962342&packedargs=ParentPageID%3D1197318962321%26TopLevelPageProduct%3DConsumer%26locale%3D1195806691854%26packedargs%3DProductParentID%253D1195808621247&pagename=DLinkEurope-GB%2FDLWrapper

For the access points
http://www.dlink.co.uk/cs/Satellite?c=Product_C&childpagename=DLinkEurope-GB%2FDLProductCarousel&cid=1197319503907&p=1197356142823&packedargs=LeftBusinessSubMenu%3DSmallMedium%26ParentPageID%3D1197335068935%26TopLevelPageProduct%3DBusiness%26locale%3D1195806691854%26packedargs%3DProductParentID%253D1195808622294&pagename=DLinkEurope-GB%2FDLWrapper

For the dlink FTP site with other extra docs

ftp://ftp.dlink.co.uk/wireless/dwl-3200ap/
The AP manager software on the DLINK site seems to be older than the cd in the box and the one in the box seems CRAP as it always times out with SNMP issues. The older one does sort of work.

ftp://ftp.dlink.co.uk/dsl_routers_modems/dsl-2640b/


Thanks for looking and any help greatly appreciated
Question by:Grover247
LVL 3

Expert Comment

by:jesseja
ID: 23692878
Honestly, the easiest way to provide your customers wi-fi would be to have a separate internet connection just for that purpose. This way your business network is totally isolated from the "public" wifi side.  

You only have one router, so, you can only have one subnet, which is currently 192.168.10......
anything you connect to that network will follow this subnet as assigned by the DHCP server in your router. Thus allowing those users to see your network.

You could statically assign IP addresses with a different subnet to your business network machines (for example 192.168.20. ...) and this would make the "2" networks invisible to each other, but if the subnet isn't the same as the gateway subnet you will lose internet access.

You had mentioned about a server, if this server is going to act as a domain controller, and you placed your business network onto that domain, you could secure your files to only be available to domain users,  Thus protecting against unauthorized access.   Any Computer not connected to the domain could see it if they went into my network places, but without proper credentials, could not access it. But internet access would be available to them.

I personally would still prefer to have random internet users on their own, isolated, internet connection. It's the most secure option.



 
 

Author Comment

by:Grover247
ID: 23698901
Thanks for the comment. The building I have is old and it has the max number of lines into it. I agree your idea makes good sense but it may not be possible to do that

The telco have said that it may not be possible to install any more lines due to overload at the local exchange in my area. If they run new lines from elsewhere it may cost in excess of £500 plus then the normal line install.
The access points claim to have the ability to support multiple SSID's at the same time and support vlans but I fear this would need a layer 2 switch which is also outside my budget.

Any other ideas?

The access points claim to be able to do this, as they have three different personas they can take on if needed

Access Point -Create a wireless lan

WDS with AP-wirelessly connect multi networks whilst still functioning as a wireless AP

WDS-wirelessly connect multi networks

I have also seen in the documentation the option to allow or deny ethernet to lan access
"Enabling this feature allows Ethernet devices to communicate with wireless clients. If this is disabled, all data from the Ethernet to associated wireless devices is blocked. Wireless devices can still send data to the Ethernet".

Maybe I could ensure this is set for the customer WLAN so they could not get to the work machines etc on the fixed wire lan. Friends or visitors who truly require full access for special reasons could either connect via network cable or access the wlan directly on the router which would have full visibility

What does anyone think??
 

Accepted Solution

by:
Grover247 earned 0 total points
ID: 23759252
I got this pile of info from DLINK the other day and I asked a pile of other silly questions, so hopefully this will help someone else

D-Link Support request (1478835)
From:       support@service.dlink.biz
Sent:      24 February 2009 16:38:22
To:
Dear Customer,

Your Request:

--------------------------------------------------------------------------------
02/24/2009 02:48:02 PM
--------------------------------------------------------------------------------
RE: D-Link Support request

That sounds okay. Did you mean get a cable modem router or a normal DSL modem router? OR, did you mean to just get a plain router (if there is such a thing)??
If I can get what you suggest (in your next response) and attach the second router to the first router, then how would I configure the second router to route the traffic back through the first. I am quite confident in setting up routers to direct connections, but not when they are connected to each other. How would I set up the gateway and the user name and password etc for the connection on the second router, or would I not do this and just set its ip address and set up DHCP in the required scope. If I consider this has been done, then presumably router 1 will act as a bridge for the two networks, so how do I turn whichever of them to allow bridging and recognise the other network?
One more thing. I do need to put port forwarding on my family network as I have a DVR with cameras on it to monitor my property (if you live where I live you would see this is sensible). Do you then think it would be sensible to look at your network diagram and to swap the routers around and have the home router first, or is this going to compromise the home network?
Also, if I do enable the wireless to fixed traffic as I originally suggested, do I only need to do it if I have one network? I presume that if I get two networks, then I won't need to set that as it will be a different subnet completely.

Sorry for sounding dumb!
I am happy to call and speak to somebody directly if it makes the process a bit faster

> From: support@service.dlink.biz
> To:
> Subject: D-Link Support request
> Date: Tue, 24 Feb 2009 10:55:05 +0100

> Dear Customer,

> Your Request:

> --------------------------------------------------------------------------------
> 02/23/2009 12:06:46 PM
> --------------------------------------------------------------------------------
> RE: D-Link Support request  

> Thanks for the reply.
> I did not realise the VLAN feature was only available on a L2 managed switch. That is way out of my price range, so I need to get this to work as best I can with what I have.
> I have also seen in the documentation for the 3200APs the option to allow or deny ethernet to lan access "Enabling this feature allows Ethernet devices to communicate with wireless clients. If this is disabled, all data from the Ethernet to associated wireless devices is blocked. Wireless devices can still send data to the Ethernet". Can you confirm how this works please as I think it works as described below. Maybe I could ensure this is set to enabled for the friends/visitors WLAN so they could not get to the work machines etc on the fixed wire lan. Family could either connect via network cable (for security) or access the router's wlan (if I leave it switched on with a separate name to the 3200AP WLAN) directly on the router which would have full visibility of machines and internet

> If this will work, as I have two 3200 access points, what is the best way to set them up so they are set up so they both broadcast the same SSID (a "friends" WLAN with secure password authentication), they have the "deny ethernet to lan access" switched on so whichever access point my friends will use, they will not be able to see the wired devices, but still have access to the internet.
> I still want to be able to use the wireless part of my router to have a separate "family" wlan with access to everything but I do realise these machines will also be visible to "friends" on the same network that came in via the friends WLAN. I can live with this.

> If all else fails, I will endeavour to add another broadband line and split them into two totally different networks
> If this is the case, how would I set up the two APs to just be an extension of the existing WLAN I will create on the router. We shall call it "WIRELESS FRIENDS" and the addressing will be something like 192.168.2.x, where the router will be the gateway and the address will be 192.168.2.1 and the AP's could have 192.168.2.2 and 192.168.2.3 respectively
> Please help. I have spent hundreds of pounds so far and not really got what I needed.



> > From: support@service.dlink.biz
> > To:
> > Subject: D-Link Support request
> > Date: Fri, 20 Feb 2009 15:29:15 +0100
> >
> > Dear Customer,
> >
> > Your Request:
> >
> > I have a basic dlink wireless broadband router and I want to attach 2 of the DWL-3200AP access points to it as I have a large building. The reason for this is that I would like to have my family to login to one wireless network with a password and they must have full access to the network of computers and the server and access to the internet, just like a normal house. I want to attach the two DWL-3200AP units and set them so that visitors and friends can have wireless access to the internet, but cannot see any of the computers and server.
> > I am happy to disable the standalone wireless on the router and just use the access points, but I am now very confused with the setup of the access points. I have been using a browser directly to the AP's but I can't seem to get them talking together and I am not sure how to set it up so that there are two networks through the access points. Do they need to have separate lan addresses or can they be on the same lan?
> >
> > My router and all the pc's and server are on the 192.168.10.x range with a mask of 255.255.255.0 and at the moment the access points are in the range 192.168.1.X and mask of 255.255.255.0
> >
> > Can I put them all on the same segment of the lan but somehow separate them using the access points so they remain exclusive to each other???
> >
> > Please help me quickly if possible as I need this done today if possible
> >
> >
> > Please help
> >
> > has been answered as follows:
> >
> > Dear
> >
> > Thanks for contacting D-Link Support.
> > It is possible to have multiple networks over one segment.
> > It is called Virtual LAN, but with your current hardware configuration is not possible.
> > D-Link routers don't support VLAN tagging which is necessary in this scenario.
> > To take full advantage of VLANs you would need to have Layer 3 switch which is capable of Routing between vlans and use of Access Control Lists, but unfortunately we don't have any in our offer for Home environments, only Business with high number of ports and obviously higher cost.
> >
> >
> > Regards
> >
> >
> > We hope that this answers your question and that your request is now resolved.
> > This information is also available through our Support Portal at http://service.dlink.biz
> >
> >
> > Regards - your D-Link Support Team
> >
> > P.S. If you have further questions regarding this request,
> > please reply to this eMail without modifying the subject text.




> has been answered as follows:

> Dear

> Feature described by you will not give you 100% security as you would have with VLANs, because your router is default gateway in the network. Enabling option for blocking traffic from ethernet to wireless works well until, any of your privilege PC (home users) will send some packets to your visitor machine, then router learns its mac address and ap cannot block communication between these users.
> Just on top of my head cheapest solution would be connect cable router behind your existing one and keep your home network on the second router. You can try to borrow router from a friend or buy cheap one for few pounds on ebay.
> Network config below
> Phone line --- router 1 (friends network)------ router 2 (home network)
> This way you will divide your network on two subnets and users connected to 1st router will not be able to access anything behind 2nd. Only issue will be if you want to forward any ports for your home users you will need to do it on both routers.
> You can use DWL-3200AP as additional APs for both networks, just plug one into each router and use same SSID and security as router but different channel.

> Regards
> D-Link Support



> We hope that this answers your question and that your request is now resolved.
> This information is also available through our Support Portal at http://service.dlink.biz


> Regards - your D-Link Support Team

> P.S. If you have further questions regarding this request,
> please reply to this eMail without modifying the subject text.






has been answered as follows:

Dear

Phone line ---- DSL Router (visitor network) [LAN PORT] ---- [WAN PORT] Cable router (home network)

The second router has to be cable router like our DIR or DI series, by default these routers are setup to DHCP client on the WAN interface so what you need to do is connect its WAN port with your DSL router's LAN port using normal ethernet cable and you have access to the internet with no further configuration.

I've mentioned port forwarding in case you use FTP server or something similar which needs to have direct access from the Internet to your local machine, otherwise port forwarding is not necessary.
Best solution is if you have DMZ option on the DSL router is to put 2nd router's IP into DMZ and you don't need to setup anything additional apart normal forwarding like with scenario with one router (as you are familiar with).

Swapping networks around like you suggested will compromise your security between these two networks.
Clients connected to 2nd router (CABLE one - Home users) can access anything eg. Internet, clients from friends/visitors but
Clients connected directly to 1st router (DSL one - Visitors) can access internet and themselves ONLY.

If you wish to speak to us you can call us direct
on 0871 873 0909 option 1 or 2 and quote your case number

Regards


We hope that this answers your question and that your request is now resolved.
This information is also available through our Support Portal at http://service.dlink.biz


Regards - your D-Link Support Team

P.S. If you have further questions regarding this request,
please reply to this eMail without modifying the subject text.
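
Added example, not part of the original thread or D-Link's reply: a small Python model of the two-router layout described above, showing who can open a new connection to what once the DVR port is forwarded. The visitor subnet 192.168.2.0/24, the router addresses, the public address and the port numbers are constructed, and the model assumes each router drops unsolicited WAN-side traffic unless a forward or DMZ entry matches.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, tcp port)

@dataclass
class NatRouter:
    wan_ip: str                                   # address on the upstream side
    lan: ipaddress.IPv4Network                    # subnet served downstream
    forwards: Dict[int, Endpoint] = field(default_factory=dict)  # WAN port -> LAN host
    dmz_host: Optional[str] = None                # catch-all target, if configured

    def inbound(self, port: int) -> Optional[Endpoint]:
        """Where a NEW connection arriving on the WAN side ends up, or None."""
        if port in self.forwards:
            return self.forwards[port]
        if self.dmz_host:
            return (self.dmz_host, port)
        return None  # assumption: unsolicited WAN-side traffic is dropped

def validate(dsl: NatRouter, inner: NatRouter) -> List[str]:
    """Addressing mistakes that break the cascade before any rule matters."""
    problems = []
    if dsl.lan.overlaps(inner.lan):
        problems.append("visitor and home subnets overlap")
    if ipaddress.ip_address(inner.wan_ip) not in dsl.lan:
        problems.append("inner router WAN address is not on the visitor LAN")
    return problems

def deliver(zone: str, dst_ip: str, port: int,
            dsl: NatRouter, inner: NatRouter) -> Optional[Endpoint]:
    """Final endpoint of a new connection started in `zone`, or None if dropped."""
    dst = ipaddress.ip_address(dst_ip)
    if zone == "home":                 # behind both routers: outbound always works
        return (dst_ip, port)
    if zone == "visitor":              # on the DSL router's LAN
        if dst_ip == inner.wan_ip:     # the inner router's outside face
            return inner.inbound(port)
        if dst in inner.lan:           # home addresses are hidden behind NAT
            return None
        return (dst_ip, port)          # other visitors and the internet
    if zone == "internet":
        if dst_ip != dsl.wan_ip:
            return None
        hop = dsl.inbound(port)
        if hop and hop[0] == inner.wan_ip:
            return inner.inbound(hop[1])   # second forward needed here
        return hop
    raise ValueError(f"unknown zone: {zone}")

def exposure(dsl: NatRouter, inner: NatRouter) -> Dict[Endpoint, Dict[str, bool]]:
    """For every home host published on the inner router, who can reach it."""
    public = set(dsl.forwards) | (set(inner.forwards) if dsl.dmz_host else set())
    report = {}
    for wan_port, target in inner.forwards.items():
        report[target] = {
            "visitor": deliver("visitor", inner.wan_ip, wan_port, dsl, inner) == target,
            "internet": any(deliver("internet", dsl.wan_ip, p, dsl, inner) == target
                            for p in public),
        }
    return report

PUBLIC_IP = "203.0.113.10"      # constructed (documentation range)
DVR = ("192.168.10.9", 80)      # DVR address from the thread; port 80 is assumed

def sample_layout(use_dmz: bool = False) -> Tuple[NatRouter, NatRouter]:
    """Constructed layout: DSL router serves visitors, inner router serves home."""
    inner = NatRouter("192.168.2.254", ipaddress.ip_network("192.168.10.0/24"),
                      {8080: DVR})
    dsl = NatRouter(PUBLIC_IP, ipaddress.ip_network("192.168.2.0/24"))
    if use_dmz:
        dsl.dmz_host = inner.wan_ip                 # DMZ option from the reply
    else:
        dsl.forwards[8080] = (inner.wan_ip, 8080)   # forward on both routers
    return dsl, inner

if __name__ == "__main__":
    dsl, inner = sample_layout()
    print("problems:", validate(dsl, inner))
    print("visitor -> DVR address:", deliver("visitor", DVR[0], 80, dsl, inner))
    print("exposure:", exposure(dsl, inner))
```

The exposure report shows the side effect of the design: any port published on the inner router is reachable from the visitor network through the inner router's WAN address, even though the home addresses themselves stay hidden.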