Solved

Public Wifi on a private LAN

Posted on 2012-03-23
9
789 Views
Last Modified: 2013-12-27
I'm sure this is simple, but so far I have not had success.  I have a WRT54G loaded with DD-WRT and a Netgear FVX538 router.  The Netgear (192.168.1.1) is connected to my internet and is a DHCP server.  I want to be able to provide wireless internet through the Linksys without the possibility of probing to the 1.1 network where my personal computers are.

What I have done: set up DD-WRT as 2.1 with a static IP on the WAN (1.17) and connected the Internet port to a LAN port on the Netgear.  It works; it is acting as a DHCP server on the 2.1 network and I can access the internet; however, I can also type in a 1.xx address and open a web page on one of those computers.  I can't have that.  The Linksys (clients will always be wireless) needs all traffic to go to-from the internet only.  I don't even want a ping to a 1.xx address to respond.

What am I missing here?
0
Comment
Question by:RareSeeds
  • 3
  • 2
  • 2
  • +1
9 Comments
 
LVL 25

Expert Comment

by:Fred Marshall
Comment Utility
You have them backwards.  The one closest to the ISP connection should be the public one.  I have attached a paper that describes.
Multiple-Subnets.pdf
0
 
LVL 44

Accepted Solution

by:
Darr247 earned 167 total points
Comment Utility
Put 192.168.1.17 in the Netgear's DMZ.

According to the FVX538's manual, that router has advanced features for the DMZ, including being able to assign port 8 as the DMZ port, so you should study the manual carefully when configuring the DMZ.
0
 
LVL 37

Assisted Solution

by:meverest
meverest earned 167 total points
Comment Utility
Hi,

you need a firewall filter rule on the DD-WRT that blocks traffic between 192.168.1.0/24 and 192.168.2.0/24:

iptables -I FORWARD 1 -p tcp -s 192.168.1.0/24 -d 192.168.2.0/24 -j DROP

if you have NAT on for the 192.168.2.0 subnet, you may also need to add a rule to block traffic also from the dd-wrt router itself:

iptables -I FORWARD 1 -p tcp -s 192.168.1.0/24 -d 192.168.1.17 -j DR

cheers!
0
 

Author Comment

by:RareSeeds
Comment Utility
Thanks for the suggestions.  Let me answer each one of you in order...

@fmarshall: The Netgear FVX538 has two WAN ports; I have two internet connections set up as a balanced load.  As a result, I must to use the Netgear as the primary router.  But there's more as described in the next answer:

@Darr247: The routers are in separate buildings connected by fiber.  It is not possible to connect the Linksys exclusively to a particular LAN port on the Netgear.  The Linksys building also needs private LAN access in addition to hosting the public wifi.  Also, both internet connections go to the Netgear building.

@meverest: You can't block all traffic to 192.168.1.1 since it is the primary router supplying internet to the rest of the network as described above.  I am a complete novice at the iptables commands, so if there's a modification you can make to allow 1.1 while blocking 1.2-1.254, please post it.  Or this may not be a good idea; I don't know.
0
Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

 
LVL 44

Expert Comment

by:Darr247
Comment Utility
In DD-WRT, on the Administration tab, Commands sub tab, paste in the iptables commands meverset gave you, and click Run Commands after pasting in each one.

After you've pasted both in and ran them, test that the DD-WRT firewall is blocking 192.168.2.0 from talking to 192.168.1.0 - if it is, then click Save Firewall.

Those setting will be saved until you do a hard reset (holding the reset button in, plugging in the power, then continuing to hold the reset button in for 30 seconds, should clear the NVRAM where the iptables settings are stored... those settings should not be cleared by holding in the reset button for 30 seconds withOUT removing the power).

Here's a link to the wiki - http://www.dd-wrt.com/wiki/index.php/Iptables_command
0
 
LVL 25

Assisted Solution

by:Fred Marshall
Fred Marshall earned 166 total points
Comment Utility
OK.  I didn't mean to imply that you couldn't use the Netgear as the ISP interface.  That's fine.
What I did mean to say is that you would not want to connect the private computers at the Netgear LAN.  It's hard to isolate them that way.  Either it won't work or the settings will be somewhat obscure as in hard to figure out and/or hard to remember and maintain.  Keep it simple.

So, I would do this as shown in the diagrams:

Add another router (it doesn't have to be more than a commodity router unless you have a whole lot of computers).  It's WAN side will be 192.168.1.xxx.  Then connect all the private computers to its LAN side.
If you don't want to change IP addresses on the working subnet then do this:
Make the new router LAN side be 192.168.1.0 using 192.168.1.1 so that it will be come the subnet gateway .. which it will be anyway.
Change the netgear LAN subnet to 192.168.99.0 using 192.168.99.1
Now you will have a private LAN with wireless if you want it.

Now add a wireless router as a switch on the netgear LAN.  Turn off DHCP.  It will now act as an access point and get addresses from the Netgear.

This is a very simple setup that's fairly easy to understand and maintain.
Wireless-Router-as-a-Simple-Swi.pdf
0
 
LVL 37

Expert Comment

by:meverest
Comment Utility
>> You can't block all traffic to 192.168.1.1 since it is the primary router supplying internet to the rest of the network as described above.

yes you can! :-)

The reason that this will work is because when traffic is forwarded to 192.168.1.1 for internet access, the destination IP address is NOT 192.168.1.0/24 (it is the internet address) and therefore the firewall will pass those packets. :)

You won't be able to ping the actual gateway itself, and when you try a traceroute, it will time out on that hop, but it will work perfectly OK - go ahead and try it ;-)

Cheers!
0
 

Author Comment

by:RareSeeds
Comment Utility
Thanks for these suggestions and pointers.  I have implemented a combination of the accepted answers and it is working well.
0
 

Author Closing Comment

by:RareSeeds
Comment Utility
- Connecting the public Wifi to the DMZ is by far the best solution.
- The iptables command blocked the traffic between the private and public networks successfully; it is not the best, but it works.
- Redesigning and rewiring the network as fmarshall is also a perfect solution; it just requires more hardware.
0

Featured Post

Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

Join & Write a Comment

In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now