Solved

Public Wifi on a private LAN

Posted on 2012-03-23
9
792 Views
Last Modified: 2013-12-27
I'm sure this is simple, but so far I have not had success.  I have a WRT54G loaded with DD-WRT and a Netgear FVX538 router.  The Netgear (192.168.1.1) is connected to my internet and is a DHCP server.  I want to be able to provide wireless internet through the Linksys without the possibility of probing to the 1.1 network where my personal computers are.

What I have done: set up DD-WRT as 2.1 with a static IP on the WAN (1.17) and connected the Internet port to a LAN port on the Netgear.  It works; it is acting as a DHCP server on the 2.1 network and I can access the internet; however, I can also type in a 1.xx address and open a web page on one of those computers.  I can't have that.  The Linksys (clients will always be wireless) needs all traffic to go to-from the internet only.  I don't even want a ping to a 1.xx address to respond.

What am I missing here?
0
Comment
Question by:RareSeeds
  • 3
  • 2
  • 2
  • +1
9 Comments
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 37760118
You have them backwards.  The one closest to the ISP connection should be the public one.  I have attached a paper that describes.
Multiple-Subnets.pdf
0
 
LVL 44

Accepted Solution

by:
Darr247 earned 167 total points
ID: 37760915
Put 192.168.1.17 in the Netgear's DMZ.

According to the FVX538's manual, that router has advanced features for the DMZ, including being able to assign port 8 as the DMZ port, so you should study the manual carefully when configuring the DMZ.
0
 
LVL 37

Assisted Solution

by:meverest
meverest earned 167 total points
ID: 37762175
Hi,

you need a firewall filter rule on the DD-WRT that blocks traffic between 192.168.1.0/24 and 192.168.2.0/24:

iptables -I FORWARD 1 -p tcp -s 192.168.1.0/24 -d 192.168.2.0/24 -j DROP

if you have NAT on for the 192.168.2.0 subnet, you may also need to add a rule to block traffic also from the dd-wrt router itself:

iptables -I FORWARD 1 -p tcp -s 192.168.1.0/24 -d 192.168.1.17 -j DR

cheers!
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:RareSeeds
ID: 37766152
Thanks for the suggestions.  Let me answer each one of you in order...

@fmarshall: The Netgear FVX538 has two WAN ports; I have two internet connections set up as a balanced load.  As a result, I must to use the Netgear as the primary router.  But there's more as described in the next answer:

@Darr247: The routers are in separate buildings connected by fiber.  It is not possible to connect the Linksys exclusively to a particular LAN port on the Netgear.  The Linksys building also needs private LAN access in addition to hosting the public wifi.  Also, both internet connections go to the Netgear building.

@meverest: You can't block all traffic to 192.168.1.1 since it is the primary router supplying internet to the rest of the network as described above.  I am a complete novice at the iptables commands, so if there's a modification you can make to allow 1.1 while blocking 1.2-1.254, please post it.  Or this may not be a good idea; I don't know.
0
 
LVL 44

Expert Comment

by:Darr247
ID: 37767530
In DD-WRT, on the Administration tab, Commands sub tab, paste in the iptables commands meverset gave you, and click Run Commands after pasting in each one.

After you've pasted both in and ran them, test that the DD-WRT firewall is blocking 192.168.2.0 from talking to 192.168.1.0 - if it is, then click Save Firewall.

Those setting will be saved until you do a hard reset (holding the reset button in, plugging in the power, then continuing to hold the reset button in for 30 seconds, should clear the NVRAM where the iptables settings are stored... those settings should not be cleared by holding in the reset button for 30 seconds withOUT removing the power).

Here's a link to the wiki - http://www.dd-wrt.com/wiki/index.php/Iptables_command
0
 
LVL 26

Assisted Solution

by:Fred Marshall
Fred Marshall earned 166 total points
ID: 37767835
OK.  I didn't mean to imply that you couldn't use the Netgear as the ISP interface.  That's fine.
What I did mean to say is that you would not want to connect the private computers at the Netgear LAN.  It's hard to isolate them that way.  Either it won't work or the settings will be somewhat obscure as in hard to figure out and/or hard to remember and maintain.  Keep it simple.

So, I would do this as shown in the diagrams:

Add another router (it doesn't have to be more than a commodity router unless you have a whole lot of computers).  It's WAN side will be 192.168.1.xxx.  Then connect all the private computers to its LAN side.
If you don't want to change IP addresses on the working subnet then do this:
Make the new router LAN side be 192.168.1.0 using 192.168.1.1 so that it will be come the subnet gateway .. which it will be anyway.
Change the netgear LAN subnet to 192.168.99.0 using 192.168.99.1
Now you will have a private LAN with wireless if you want it.

Now add a wireless router as a switch on the netgear LAN.  Turn off DHCP.  It will now act as an access point and get addresses from the Netgear.

This is a very simple setup that's fairly easy to understand and maintain.
Wireless-Router-as-a-Simple-Swi.pdf
0
 
LVL 37

Expert Comment

by:meverest
ID: 37768589
>> You can't block all traffic to 192.168.1.1 since it is the primary router supplying internet to the rest of the network as described above.

yes you can! :-)

The reason that this will work is because when traffic is forwarded to 192.168.1.1 for internet access, the destination IP address is NOT 192.168.1.0/24 (it is the internet address) and therefore the firewall will pass those packets. :)

You won't be able to ping the actual gateway itself, and when you try a traceroute, it will time out on that hop, but it will work perfectly OK - go ahead and try it ;-)

Cheers!
0
 

Author Comment

by:RareSeeds
ID: 37772127
Thanks for these suggestions and pointers.  I have implemented a combination of the accepted answers and it is working well.
0
 

Author Closing Comment

by:RareSeeds
ID: 37772157
- Connecting the public Wifi to the DMZ is by far the best solution.
- The iptables command blocked the traffic between the private and public networks successfully; it is not the best, but it works.
- Redesigning and rewiring the network as fmarshall is also a perfect solution; it just requires more hardware.
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Working settings for French ISP Orange "Prêt à Surfer" SIM cards for data connections only. Can't be found anywhere else !
In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question