fcek

How to secure your LAN if giving wireless access to random people?

If a coffee shop wants to give access to wireless but wants to protect itself from hackers on its own work PCs (x2), how is this done?

Are there reasonably priced routers for the job? Something like a guest access? Not permitting access to any other client?
lruiz52

Depending on your network hardware, you can set up VLANs, ACLs, or just physically separate your LAN from the wireless network by directly connecting the wifi router to your firewall on an available port.
pergr

Go for the FortiWifi-20C and use the guest access feature. It is about $300.

Effectively, it uses a different SSID for guests.
Note that this will replace whatever router you have now. PCs can connect to the Ethernet ports, or via any switch you may have now.
ASKER CERTIFIED SOLUTION
Rob Williams

This solution is only available to members.
By the way, the Apple Airport Extreme can also do the guest WiFi, but it does not have the UTM features.
fcek (ASKER)

Hi,

I like this option 3.....

" Alternatively you can do it as outlined in the following article with a pair of basic home routers.  Options #3 is the simplest:
http://blog.lan-tech.ca/2011/05/23/create-an-isolated-network-using-one-isp-connection-and-modem/ 
"

But please see pic attached ....

On the second router (has its WAN port fed from router 1)
I select "DHCP" from the list and it works fine.
 
But should I be choosing a different option?
[Attached image: choice-.jpg]
DHCP will work but I recommend static.
Note that with this solution your own users will have NAT twice, or double NAT, and depending on what routers you have (and their ALG) the double NAT may break some applications - meaning, typically some two-way-applications, like instant messaging, etc.

If that happens, I recommend to get the Apple Airport Extreme, unless you also want UTM features in which case the FortiWiFi.
fcek (ASKER)

NAT twice, or double NAT - doesn't sound good :-(
A router is a NAT device, Network Address Translation. When you have two routers in series you have double NAT. Safe, secure, and works fine for internet access, but as pergr pointed out, some services, primarily incoming services that you might use to access your site from the internet, require special configuration or will not work.

Do you host your own mail server or web server? Do you access your office by VPN? Those are the types of services that can be affected. There is no security risk; as a matter of fact, double NAT can be more secure.
fcek (ASKER)

Do you host your own mail server or web server?  - No  
Do you access your office by VPN?  - No

I was thinking it would affect Skype and MS Messenger etc. and people would be annoyed.

It's a simple setup. 1 PC. 1 more max going in.
The rest are randomers. Any VPN will be outbound by coffee shop punters contacting their offices.
Firstly, it won't affect the guest network, as it is not in a dual NAT position. It is the business that is behind 2 routers. I have not seen it affect any outgoing services other than some VPN connections, but pergr may be right with Messenger and/or Skype; I use either very seldom. Other than some VPNs, it usually only affects services that require manually configuring incoming port forwarding, such as hosted mail servers and such.
fcek (ASKER)

RobWill - Just to make sure I understand this.

Router 1 and 2. The start of the daisy chain is the business = Router 1. The end of the daisy chain is the randomers / customers = Router 2. Is this how you see it?

Thanks.
Not sure I follow your description.

Assuming you are using option #3
Internet=>modem=>wireless router (guests connect)=>business router=>business users connect

The reason this is protected is the guest users are on the internet side of the business router, thus have no more access to the business than your neighbors do.

Fairly familiar with the configuration, I wrote the article :-)
fcek (ASKER)

Hi RobWill.

I was thinking it the other way around!
I've looked at your diagram again and see what you are thinking.

I'm using 2 routers.

Theirs - The first has a built-in modem and is installed there.
Mine - I was thinking of daisy chaining on and using for randomers only.

My router has better range but no modem. From theirs I see two other cat5 cables that are going somewhere .... for what I will have to see. On site tomorrow to see what's what.

This may turn out a lot more complicated than I thought.
Wish I could just add an access point that would do wireless and block any hackers.
Anyway will see what happens
If you configure:
Internet=>modem=>business router=>wireless router (guests connect)

Guests have full access to your network and you cannot access them. Definite no-no.

Think of a router as a one way valve as far as the security goes.

If you have a combined modem router you need to either put it in bridge mode (makes it a simple modem) and add two routers, or grant guests access to the combined modem/router unit and add another router for the business.

Or... as another suggested, buy a router with guest support, but that requires also putting the modem in bridge mode.
If you do get something like the Apple Extreme, or the FortiWifi, that has a guest feature, it is good if you put the modem in bridge mode, but not strictly necessary.
The combined router/modem is a router or a NAT device.  Adding anything else, without enabling bridge mode, creates double NAT.  That is not a security risk but can conceivably block some client access to their services such as connecting to their offices by VPN.  

More importantly, if you are connected to the modem/router and you connect another router to it for guests, you are not protected from the guests; their connection flows through yours.

This is probably not the place to ask this, and not questioning your doing so at all, but does it pay to offer wireless in a coffee shop?  I have always wondered that as I see 2/3 of the chairs occupied by folk buying 1 coffee and sitting there all morning on their laptop.  I suppose in this age it is almost a requirement to offer wireless.  Just thought it would be interesting to hear your point of view.
fcek (ASKER)

Will report back soon.
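
The "one-way valve" rule discussed in this thread, as an added example that is not part of the original posts: a small Python model that compares the option #3 chain (guest router nearest the modem) with the reversed chain and reports who can open connections to whom and how many NAT layers each side sits behind. It generalizes to any number of routers in series; it assumes plain NAT routers with no port forwarding, ACLs or client isolation, and all router and host names are constructed.

```python
# Added illustration: a toy reachability model, not a network scanner.
# Assumptions: every router does plain NAT, no port forwarding, no
# client-isolation or ACL features. Router and host names are constructed.

def depth_of(chain, host):
    """Index of the router whose LAN holds `host` (0 = nearest the modem)."""
    for depth, (_router, lan_hosts) in enumerate(chain):
        if host in lan_hosts:
            return depth
    raise ValueError(f"{host!r} is not on any LAN in this chain")

def can_initiate(chain, src, dst):
    """The 'one-way valve': src reaches its own LAN and every LAN upstream
    of it, but cannot open connections into a LAN behind a further router."""
    return depth_of(chain, dst) <= depth_of(chain, src)

def nat_layers(chain, host):
    """Number of NAT routers between the host and the Internet."""
    return depth_of(chain, host) + 1

def audit(chain, guest="guest_laptop", business="business_pc"):
    """Summarise exposure and NAT depth for one router chain."""
    return {
        "guest_can_reach_business": can_initiate(chain, guest, business),
        "business_can_reach_guest": can_initiate(chain, business, guest),
        "business_nat_layers": nat_layers(chain, business),
        "guest_nat_layers": nat_layers(chain, guest),
    }

# Chains are listed from the modem inward: (router, hosts on its LAN).
# Internet => modem => wireless router (guests) => business router
OPTION_3 = [("guest_wifi_router", {"guest_laptop"}),
            ("business_router", {"business_pc"})]
# Internet => modem => business router => wireless router (guests)
REVERSED = [("business_router", {"business_pc"}),
            ("guest_wifi_router", {"guest_laptop"})]

if __name__ == "__main__":
    for name, chain in (("option #3", OPTION_3), ("reversed", REVERSED)):
        print(name, audit(chain))
```
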