it4


Public internet access using a private network

I have been asked to set up a wireless access point to provide internet access for visitors at a local school. The computers in the school all have static IP addresses and their internet settings use a proxy server. Can you tell me how to configure a wireless AP for this purpose so the visitors can only access the internet and cannot access the school network's files and printers? I would like this to work as simply as possible so the visitors only need to enter a WPA key to join the network and surf the net. Thank you.
Josef Pospisil
Well, without knowing the school's network structure it's hard to say. You could use VLANs... but that would imply that the switches can do this kind of thing, and that you are allowed to change the network structure. I don't know how familiar you are with Linux, but the setup with very low impact on the network structure would be a Linux box to which a WLAN AP is connected. The Linux box would also be connected to the school's internal network. On the Linux box I would set up a firewall redirecting port 80 to the school's proxy server (port). All other traffic would not be allowed (from the Linux box and to the Linux box).

I know this is not very easy to set up, but in my opinion it is the only way to set this up without impacting the school's network. I also assumed that you must use the school's internal network and you cannot just use a direct cable to connect the WLAN AP to the router, which may have a DMZ port.
When you have a direct cable from the firewall to the AP, just configure a DMZ on the firewall, set up DHCP and DNS for this zone and you are almost ready to go. Then set up the AP with WPA and a preshared key, connect it to the DMZ port and you are ready to go.

This is the fastest and easiest setup.
it4

ASKER

Thanks jelcin for your suggestion. Unfortunately I am not familiar enough with Linux to do this; can it be done with a Windows system instead? Or maybe there is an access point available that I can set up with the proxy server details, so that the computers connected to it do not need to know what the proxy settings are and can get their IP address by DHCP?
it4

ASKER

Thanks iconnectu, unfortunately this is not possible as I don't have access to the firewall or a DMZ socket, the network is managed off site and all that the school has access to is a cabinet containing two switches which are connected to network sockets throughout the school, the cable providing internet access runs to the school from a remote location and just plugs into one of the switches.
Right, so working on a router sounds like a better option, since an AP is really just another switch and you don't have real access to your config on the infrastructure...

With a wireless router you hold all the keys (well, in terms of the guests who need to use/access it).

Working with Jelcin's comment - "On the Linux box i would set up a firewall redirecting the port 80 to the schools proxy server (port). All other traffic would not be allowed (from the Linux box and to the Linux box)."

Maybe that setup will work on the router (depending on the model) - i.e. set up the router to work with a proxy server on the WAN side for internet access (again, I'm not familiar with an exact model that will do this, but hopefully someone else can add to the solution).
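The firewall jelcin describes, sketched as an nftables ruleset generator (an added example, not code from any poster in this thread). The interface names, guest range, proxy and DNS addresses are constructed placeholders, and it assumes the box serves DHCP on the guest side and that the school proxy accepts intercepted (transparent) port-80 requests.

```shell
#!/bin/sh
# Added example: print an nftables ruleset for the guest-Wi-Fi gateway box.
# Interface names and every address used here are constructed placeholders.

is_ipv4() { echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }

# usage: gen_guest_ruleset GUEST_IF LAN_IF GUEST_NET PROXY_IP PROXY_PORT DNS_IP
gen_guest_ruleset() {
  guest_if=$1 lan_if=$2 guest_net=$3 proxy_ip=$4 proxy_port=$5 dns_ip=$6
  for i in "$guest_if" "$lan_if"; do
    echo "$i" | grep -Eq '^[A-Za-z0-9_.-]{1,15}$' || return 1
  done
  [ "$guest_if" != "$lan_if" ] || return 1   # two separate NICs are required
  is_ipv4 "$proxy_ip" && is_ipv4 "$dns_ip" || return 1
  echo "$guest_net" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || return 1
  case $proxy_port in ''|*[!0-9]*) return 1 ;; esac
  [ "$proxy_port" -ge 1 ] && [ "$proxy_port" -le 65535 ] || return 1
  cat <<EOF
table ip guestwifi {
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept;
    # guest web traffic is rewritten to the school proxy
    iifname "$guest_if" tcp dport 80 dnat to $proxy_ip:$proxy_port
  }
  chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
    # hide the guest range behind the box's school-side address
    oifname "$lan_if" ip saddr $guest_net masquerade
  }
  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state established,related accept
    iifname "$guest_if" oifname "$lan_if" ip daddr $proxy_ip tcp dport $proxy_port accept
    iifname "$guest_if" oifname "$lan_if" ip daddr $dns_ip udp dport 53 accept
    iifname "$guest_if" oifname "$lan_if" ip daddr $dns_ip tcp dport 53 accept
  }
  chain input {
    type filter hook input priority filter; policy accept;
    iifname "$guest_if" udp dport 67 accept   # DHCP served by this box
    iifname "$guest_if" drop                  # nothing else reaches the box
  }
}
EOF
}

# Constructed values: wlan0 = AP side, eth0 = school side.
gen_guest_ruleset wlan0 eth0 192.168.50.0/24 10.0.0.5 3128 10.0.0.2
```

Load the output with `nft -f` as root. Because only port 80 is redirected and the forward policy is drop, HTTPS and direct connections to the school's file and print servers are both blocked for guests.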
it4

ASKER

smckeown777, please could you recommend a suitable router for the job? Possibly a Netgear, as they are usually quite easy to configure, unless you know a better one that is easy to set up. Thanks
@it4 - unfortunately I don't know of a router model that supports proxying on the WAN side of the router, which is why this may not work as I originally said (I missed the part where you mentioned proxy access only to the internet).

Most routers use either DHCP/Static IP/PPPoE or PPPoA connections to connect the WAN port to the internet, so my solution would work fine if you didn't need a proxy at all, but it complicates things in this case...

But working with the comments from @iconnectu and @craigbeck may be your only option now.

Craigbeck's solution involves getting a router to run DD-WRT (here's the site with the list of supported models - http://www.dd-wrt.com/wiki/index.php/Supported_Devices) - but this involves installing DD-WRT on the router before you begin (I'm not an expert on it at all), so I'm not sure how much work is involved with that; craig might have more input on that.
Once running DD-WRT you can use the TinyProxy software to work the proxy connection.

@iconnectu's option sounds like the least work in my opinion: get the IT people who look after the network to create the new VLAN, then you connect your router (Netgear models are cool) to set up like I mentioned, WAN port connected to the port on the switch running the new VLAN, set up DHCP on the router and away you go.
The only difference is they (the IT people) need to make sure that any traffic on that VLAN doesn't require a proxy and you are up and running.

Hope one of these will help, sorry I can't be of more help than that...
As for models of Netgear, the WNDR4000 seems to be highly rated - http://www.expertreviews.co.uk/wireless-routers/1292005/netgear-wndr4000-n750-wireless-dual-band-gigabit-router/specifications
it4

ASKER

Does anyone know if I can set up a Windows PC with two NICs, one connected to the network and the other to a wireless router, and share the internet connection using Windows Internet Connection Sharing, so that the PC takes care of the proxy and the wireless router takes care of DHCP using a different IP range to the existing school network, so that the local network resources are not accessible to the public?