Public internet access using a private network

I have been asked to set up a wireless access point to provide internet access for visitors at a local school, the computers in the school all have static ip addresses and their internet settings use a proxy server, can you tell me how to configure a wireless ap for this purpose so the visitors can only access the internet and cannot access the school network's files and printers? I would like this to work as simply as possible so the vistors only need to enter a wpa key to join the network and surf the net, Thank you
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

smckeown777Connect With a Mentor Commented:
Personally I'd get a wireless router to do this job, as an access point is always going to be on the same subnet as your LAN(bar you have vlan capable switches etc)

With a wireless router you connect its WAN interface to your existing LAN, setup the WAN IP to a spare IP on your subnet, and its default GW to your existing router...

Then activate the DHCP on the LAN side, and setup the wireless with whatever security you need

Now wireless clients will connect to this router, and can only use internet(since they can't see anything on the WAN side)

Hope this helps...
Well without knowing the schools network structure it's hard to say. You could use VLANs... but that would imply that switches can do these kind of things. And you are allowed to change the network structure. I don't know how familiar you are with Linux. But the setup with very low impact on the network structure would be a Linux box to which a WLAN AP is connected. The linux box would be connected to the schools internal netowork also. On the Linux box i would set up a firewall redirecting the port 80 to the schools proxy server (port). All other traffic would not be allowed (from the Linux box and to the Linux box).

i know this is not very easy to setup but in my opinion the only way to set this up without ímpacting the schools network. I also assumed that you must use the schools internal network and you cannot just use a direct cable to connect the WLAN AP to the router which may have a DMZ port.
When you have a direct cable from the firewall to the AP, just configure a DMZ on the firewall, setup DHCP and DNS for this Zone and you are almost ready to go. Then setup the AP with WPA and a preshared key, connect it to theDMZ Port and you are ready to go.

This is the fastest and easiest setup.
SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

it4Author Commented:
Thanks jelcin for your suggestion, unfortunately I am not familiar enough with Linux to do this, can it be done with a Windows system instead? or maybe there is an access point available that I can set up with the proxy server details so that the computers connected to it do not need to know what the proxy settings are and can get their ip address by dhcp?
it4Author Commented:
Thanks iconnectu, unfortunately this is not possible as I don't have access to the firewall or a DMZ socket, the network is managed off site and all that the school has access to is a cabinet containing two switches which are connected to network sockets throughout the school, the cable providing internet access runs to the school from a remote location and just plugs into one of the switches.
Right, so working on a router sounds like a better option, since an AP is really just another switch and you don't have real access to your config on the infrastructure...

With a wireless router you hold all the keys(well in terms of the guests who need to use/access it)

Working with Jelcin's comment -  On the Linux box i would set up a firewall redirecting the port 80 to the schools proxy server (port). All other traffic would not be allowed (from the Linux box and to the Linux box).

Maybe that setup with work on the router(depending on the model) - i.e. setup the router to work with a proxy server on the WAN side for internet access(again not familiar with an exact model that will do this, but hopefully someone else can add to the solution)
Craig BeckConnect With a Mentor Commented:
You've got a couple of problems here.

1] You need an AP/Wireless Router which supports ACLs or Firewall (to block access to your LAN services).
2] Directing Guests to the proxy might be a bit harder than you think.

I would therefore suggest using an AP/Router which supports DD-WRT, and the TinyProxy package.  This will let you configure appropriate ACLs for clients so they can't get to LAN resources, while still being able to use the proxy server on your LAN with zero proxy configuration (the AP will forward all traffic to the proxy transparently).
iconnectuConnect With a Mentor Commented:
Maybe it is easier to ask the guys who manage the switch, to setup a separate VLAN and Port on the Switch and route it to the internet, instead of searching a long and complex way around. If the policy allow a guest access over the school network/proxy (?) they can setup the infrastructure and send you the informations. Then you have only to configure the ap.

When Guest Access is not allowed, you have to organize a separate Internet connection anyway.
it4Author Commented:
smckeown777 please could you recommend a suitable router for the job? possibly a netgear as they are usually quite easy to configure unless you know a better one that is easy to set up. Thanks
@it4 - unfortunately I don't know of a router model that supports proxying on the WAN side of the router, which is why this may not work as I originally said(I missed the part where you mentioned proxy access only to the internet)

Most routers use either DHCP/Static IP/PPPoE or PPPoA connections to connect the WAN port to the internet, so my solution would work fine if you didn't need a proxy at all, but it complicates things in this case...

But working with the comments from @iconnectu and @craigbeck may be your only option now

Craigbeck's solution involves getting a router to run DD-WRT(here's the site with the list of supported models - - but this involves installing DD-WRT on the router before you begin(not an expert on it at all) so not sure how much work is involved with that, craig might have more input on that
Once running DD-WRT you can use the TinyProxy software to work the proxy connection

@iconnectu's option sounds like the least work in my opinion, get the IT people who look after the network to create the new VLAN, then you connect your router(Netgear models are cool) to setup like I mentioned, WAN port connected to the port on the switch running the new VLAN, setup DHCP on the router and away you go
The only difference is they(the IT people) need to make sure that any traffic on that VLAN doesn't require a proxy and you are up and running

Hope one of these will help, sorry I can't be of more help than that...
As for models of Netgear the WNDR400 seems to be highly rated -
it4Author Commented:
Does anyone know if I can set up a windows pc with two nic's, one connected the the network and the other to a wireless router and share the internet connection using windows internet connection sharing so that the pc takes care of the proxy and the wireless router takes care of dhcp using a different ip range to the existing school network so that the local network resources are not accessible to the public
All Courses

From novice to tech pro — start learning today.