Solved

Public Wifi on a private LAN

Posted on 2012-03-23
Last Modified: 2013-12-27
I'm sure this is simple, but so far I have not had success.  I have a WRT54G loaded with DD-WRT and a Netgear FVX538 router.  The Netgear (192.168.1.1) is connected to my internet and is a DHCP server.  I want to be able to provide wireless internet through the Linksys without the possibility of probing to the 1.1 network where my personal computers are.

What I have done: set up DD-WRT as 2.1 with a static IP on the WAN (1.17) and connected the Internet port to a LAN port on the Netgear.  It works; it is acting as a DHCP server on the 2.1 network and I can access the internet; however, I can also type in a 1.xx address and open a web page on one of those computers.  I can't have that.  The Linksys (clients will always be wireless) needs all traffic to go to and from the internet only.  I don't even want a ping to a 1.xx address to respond.

What am I missing here?
Question by:RareSeeds
9 Comments
 

Expert Comment

by:Fred Marshall
ID: 37760118
You have them backwards.  The one closest to the ISP connection should be the public one.  I have attached a paper that describes.
Multiple-Subnets.pdf
 

Accepted Solution

by:Darr247 (earned 167 total points)
ID: 37760915
Put 192.168.1.17 in the Netgear's DMZ.

According to the FVX538's manual, that router has advanced features for the DMZ, including being able to assign port 8 as the DMZ port, so you should study the manual carefully when configuring the DMZ.
 

Assisted Solution

by:meverest
meverest earned 167 total points
ID: 37762175
Hi,

you need a firewall filter rule on the DD-WRT that blocks traffic between 192.168.1.0/24 and 192.168.2.0/24:

iptables -I FORWARD 1 -p tcp -s 192.168.1.0/24 -d 192.168.2.0/24 -j DROP

if you have NAT on for the 192.168.2.0 subnet, you may also need to add a rule to block traffic also from the dd-wrt router itself:

iptables -I FORWARD 1 -p tcp -s 192.168.1.0/24 -d 192.168.1.17 -j DROP

cheers!
 

Author Comment

by:RareSeeds
ID: 37766152
Thanks for the suggestions.  Let me answer each one of you in order...

@fmarshall: The Netgear FVX538 has two WAN ports; I have two internet connections set up as a balanced load.  As a result, I must use the Netgear as the primary router.  But there's more, as described in the next answer:

@Darr247: The routers are in separate buildings connected by fiber.  It is not possible to connect the Linksys exclusively to a particular LAN port on the Netgear.  The Linksys building also needs private LAN access in addition to hosting the public wifi.  Also, both internet connections go to the Netgear building.

@meverest: You can't block all traffic to 192.168.1.1 since it is the primary router supplying internet to the rest of the network as described above.  I am a complete novice at the iptables commands, so if there's a modification you can make to allow 1.1 while blocking 1.2-1.254, please post it.  Or this may not be a good idea; I don't know.
 

Expert Comment

by:Darr247
ID: 37767530
In DD-WRT, on the Administration tab, Commands sub tab, paste in the iptables commands meverest gave you, and click Run Commands after pasting in each one.

After you've pasted both in and run them, test that the DD-WRT firewall is blocking 192.168.2.0 from talking to 192.168.1.0 - if it is, then click Save Firewall.

Those settings will be saved until you do a hard reset (holding the reset button in, plugging in the power, then continuing to hold the reset button in for 30 seconds, should clear the NVRAM where the iptables settings are stored... those settings should not be cleared by holding in the reset button for 30 seconds withOUT removing the power).

Here's a link to the wiki - http://www.dd-wrt.com/wiki/index.php/Iptables_command
 

Assisted Solution

by:Fred Marshall
Fred Marshall earned 166 total points
ID: 37767835
OK.  I didn't mean to imply that you couldn't use the Netgear as the ISP interface.  That's fine.
What I did mean to say is that you would not want to connect the private computers at the Netgear LAN.  It's hard to isolate them that way.  Either it won't work or the settings will be somewhat obscure as in hard to figure out and/or hard to remember and maintain.  Keep it simple.

So, I would do this as shown in the diagrams:

Add another router (it doesn't have to be more than a commodity router unless you have a whole lot of computers).  Its WAN side will be 192.168.1.xxx.  Then connect all the private computers to its LAN side.
If you don't want to change IP addresses on the working subnet then do this:
Make the new router LAN side be 192.168.1.0 using 192.168.1.1 so that it will become the subnet gateway, which it will be anyway.
Change the Netgear LAN subnet to 192.168.99.0 using 192.168.99.1
Now you will have a private LAN with wireless if you want it.

Now add a wireless router as a switch on the Netgear LAN.  Turn off DHCP.  It will now act as an access point and get addresses from the Netgear.

This is a very simple setup that's fairly easy to understand and maintain.
Wireless-Router-as-a-Simple-Swi.pdf
 

Expert Comment

by:meverest
ID: 37768589
>> You can't block all traffic to 192.168.1.1 since it is the primary router supplying internet to the rest of the network as described above.

yes you can! :-)

The reason that this will work is because when traffic is forwarded to 192.168.1.1 for internet access, the destination IP address is NOT 192.168.1.0/24 (it is the internet address) and therefore the firewall will pass those packets. :)

You won't be able to ping the actual gateway itself, and when you try a traceroute, it will time out on that hop, but it will work perfectly OK - go ahead and try it ;-)

Cheers!
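The isolation meverest describes in the two comments above, as an added example that is not part of the original thread and not DD-WRT's own code: a FORWARD rule set written in the guest-to-private direction and without a -p filter, so ICMP ping is dropped along with TCP and UDP, plus a dry-run switch and a post-apply check. It assumes the subnets from the question (DD-WRT LAN 192.168.2.0/24, WAN on 192.168.1.0/24) and a standard iptables with -L -n.

```shell
#!/bin/sh
# Added example (not meverest's or DD-WRT's code): FORWARD-chain isolation for a
# guest Wi-Fi router whose LAN is 192.168.2.0/24 and whose WAN port sits on the
# private 192.168.1.0/24 (the subnets from the question). Paste into the DD-WRT
# Commands tab, or run with IPT=echo to preview the rules without applying them.

GUEST_NET="192.168.2.0/24"    # DD-WRT LAN side: wireless clients
PRIVATE_NET="192.168.1.0/24"  # upstream LAN the guests must never reach
IPT="${IPT:-iptables}"        # IPT=echo gives a dry run on any machine

# Emit the rules, one per line, in insertion order. Internet-bound packets carry
# a public destination even though they are routed via 192.168.1.1, so they do
# not match; replies from the internet carry a public source, so no stateful
# exception is needed. No -p filter: TCP, UDP and ICMP (ping) are all dropped.
isolation_rules() {
    # guest -> private hosts, including the upstream router's own address
    echo "-I FORWARD 1 -s $GUEST_NET -d $PRIVATE_NET -j DROP"
    # private -> guest, in case a DMZ entry or port forward ever exposes the guest side
    echo "-I FORWARD 1 -s $PRIVATE_NET -d $GUEST_NET -j DROP"
}

# Apply every rule through $IPT. Caveat: guests must use the DD-WRT's own
# resolver (dnsmasq on 192.168.2.1); handing them 192.168.1.1 as their DNS
# server directly would be blocked by the first rule.
apply_isolation() {
    isolation_rules | while read -r rule; do
        # word-splitting of $rule into separate arguments is intentional
        "$IPT" $rule
    done
}

# Check after applying (and after Save Firewall plus a reboot): both DROP rules
# must be visible in the live FORWARD chain, in either order.
verify_isolation() {
    "$IPT" -L FORWARD -n | grep -qE "DROP +all +-- +$GUEST_NET +$PRIVATE_NET" &&
    "$IPT" -L FORWARD -n | grep -qE "DROP +all +-- +$PRIVATE_NET +$GUEST_NET"
}
```

Run apply_isolation once on the router, then verify_isolation; a ping from a wireless client to any 192.168.1.x address should time out while browsing still works.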
 

Author Comment

by:RareSeeds
ID: 37772127
Thanks for these suggestions and pointers.  I have implemented a combination of the accepted answers and it is working well.
 

Author Closing Comment

by:RareSeeds
ID: 37772157
- Connecting the public Wifi to the DMZ is by far the best solution.
- The iptables command blocked the traffic between the private and public networks successfully; it is not the best, but it works.
- Redesigning and rewiring the network as fmarshall suggested is also a perfect solution; it just requires more hardware.
