Solved

How to segment all wireless traffic

Posted on 2014-10-09
12
181 Views
Last Modified: 2014-11-03
We have a wireless access point that is in our network and is dishing out 192.0.0.0 addresses to any wireless device attached to it. The only issue is that one can access our 10.0.0.0 domain network.
We want all traffic that rides on the wireless to only be for internet access only.

What do we have to do? Do we have to do NATing of some sort to make sure that nothing on the 10.0.0.0 scheme is accessible?
0
Comment
Question by:Robert Mohr
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 4
12 Comments
 
LVL 24

Expert Comment

by:DMTechGrooup
ID: 40371909
All depends how you have it connected.  If you have a smart switch you could use VLans.  If it is connected to a firewall as the default gateway and the firewall is high end enough you could deny a route from one subnet to the other.  Or you could use a switch and split the internet before it goes into firewall and have two separate networks.

Would need more information on how you have the entire thing connected.  Equipment, etc.
0
 

Author Comment

by:Robert Mohr
ID: 40373117
My wireless device connects to Port 2 on the switch.
Could I create a VLAN on Port 2 only and then in the wireless device point to that VLAN?

If this is the right way to do it, then I could need to know how to create this VLAN within the switch.
0
 

Author Comment

by:Robert Mohr
ID: 40373166
Any thoughts on how to create a VLAN on a SMC6750L2 TigerSwitch using the web interface on a single port during production hours?  I think if I can accomplish this then the wireless access point will be simple.
0
Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

 
LVL 24

Expert Comment

by:DMTechGrooup
ID: 40373493
What type of firewall are you using? make/model
0
 

Author Comment

by:Robert Mohr
ID: 40373793
Why do you need the firewall?
Shouldn't the switch and wireless be the only things that need to be configured?
0
 
LVL 24

Expert Comment

by:DMTechGrooup
ID: 40373881
Something has to do your routing
0
 

Author Comment

by:Robert Mohr
ID: 40373953
Cisco 2900
0
 
LVL 24

Expert Comment

by:DMTechGrooup
ID: 40373969
I havent worked with your switches for this.  If it were me I would use the router and create an access list to deny subnet b access to subnet a type thing.
0
 

Author Comment

by:Robert Mohr
ID: 40374003
OK. Thank-you.
0
 
LVL 28

Expert Comment

by:Dr. Klahn
ID: 40374102
Build a DMZ.  Put the WAP in the DMZ.  Then put a second firewall in the DMZ, and run the 10.0 network behind the second firewall.  The WAP then cannot get through the second firewall into the 10.0 network.

If the installation in question is not large, the second firewall can be a consumer-grade product without wireless capability.  Or a wireless firewall with the WiFi turned off.

Schematically:  Internet modem connects to firewall 1.  Firewall 1 serves WAP and firewall 2.  Firewall 2 serves the 10.0 network.  The WAP is on the inside of firewall 1 and can get to the internet, but on the outside of firewall 2 and so cannot get to the 10.0 network.

Cost, around $30 if you use a consumer-grade firewall.
0
 

Accepted Solution

by:
Robert Mohr earned 0 total points
ID: 40410740
We ended up creating a completely different subnet altogether on one available interface and as long as the WAN had that gateway associated it didn't matter what IP the devices had on the wifi LAN side. It works great and all traffic is segregated.
0
 

Author Closing Comment

by:Robert Mohr
ID: 40419023
We went a different route
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Suggested Courses

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question