Creating a wifi access to internet with no access to files on the network

Hello,

I was asked to set up wifi access for the clients who come in for meetings with people from our company. But we don't want to give them access to the files on the network, only to the internet. I know it's possible because there is so much wifi access everywhere, and we shouldn't have access to the files of these networks (McDonald's, airport wifi, ...).
They shouldn't be able to access the files on the computers in our domain, but our NAS don't have Windows security, it's Linux in them, so we have to give public access.
So I'd like some links on how to configure things like that. Do I have to buy some specific hardware? I'm pretty sure I could find that on Google, but I have no idea how to ask the question.

cpmcomputers, Managing Director

Commented:
The basic principle is easy.

Simply install an access point
with a completely different IP range from your current network.

Turn DHCP on.
Set it to issue a guest SSID and secure it with a password.

The precise requirement will depend on the topology of your network:
broadband, firewall, what provides DHCP.

And also the physical area you wish to provide cover for (a single room or the whole building, in which case you may need more than one device).

Author

Commented:
Thanks for the answer.

Ok, I'm trying to do that. How will the access point know where to look for internet if I set it up like that? I mean the access point won't be in the network with internet access.

Let's say my IP range is 10.0.5.x. I then create a new range 10.0.6.x and use it for the access point. Let's say my gateway is 10.0.5.7. Can I configure my access point to have the IP 10.0.6.1 and have a gateway and DNS of 10.0.5.7?
It seems that it doesn't accept this configuration.

Hi,

If you buy a professional AP like http://www.zyxel.com/products_services/nwa5120_series.shtml?t=p

they have integrated L2 isolation. You just simply turn it on and set up the MAC addresses of the devices where users can connect; all others will be blocked. On this device you can have up to 8-16 SSID networks with special configuration of security, filters and more. I am using one network for the public without a password but with a specified VLAN for a slow connection to the internet and L2 isolation; one VIP guest network with a password and L2 isolation but a faster net and access to partner's storage; and 3 virtual networks for employers with RADIUS protection, so every employer has their own password and I can easily see him in the logs.

cpmcomputers, Managing Director

Commented:
No, that will not work.
Can you describe the topology?
What provides the broadband?
How is DHCP allocated?
What router/switches/firewall do you have?
Are any VLAN capable?

Author

Commented:
Ok,

We have a DrayTek router (Vigor 2925), an SBS2003 server (this is the DHCP server), and 2 basic switches.
We use a Cisco WAP200 as the access point for the wifi. We only need one as this is a wifi access point for the clients when they come for meetings.
It is possible for us to buy hardware for this, but I would like to use the least pricey means available.

cpmcomputers, Managing Director

Commented:
Ok, that makes sense.

Are you saying the Cisco WAP is presently providing wifi inside the network (if so, will it still be required to do so)?
i.e. you want some users to have full network access and some to have guest-only access?

Or will it be for guest access only?
Managing Director
Commented:
Seems your Cisco WAP200 is VLAN capable, as is the Vigor 2925.

If the Vigor is in close proximity to where your guests are,
you can simply set up a wifi VLAN on that device, as this has that capability.
Would need to consult the manual, sorry, I tend to use SonicWall.

If you do need to use the WAP, then

see this link, which illustrates what you would need to set up:

https://supportforums.cisco.com/discussion/11224976/rv-120w-vlan

What you would need to do is set up a guest VLAN on each device;
the Vigor would then handle the routing through to the internet.

Turning off the ability for inter-LAN traffic would protect your internal network.

Hope this helps
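
An offline sanity check of the design discussed in this thread (an added example, not part of any post here and not DrayTek or Cisco configuration syntax): it shows why an access point at 10.0.6.1 cannot use 10.0.5.7 as its gateway, and audits a first-match guest-VLAN rule table for paths back into the office LAN. The /24 masks, the rule model and every host address other than 10.0.5.7 are assumptions.

```python
import ipaddress

def gateway_on_link(host_ip, prefix_len, gateway_ip):
    """A host can only use a default gateway that lies inside its own subnet."""
    network = ipaddress.ip_interface(f"{host_ip}/{prefix_len}").network
    return ipaddress.ip_address(gateway_ip) in network

def net(cidr):
    return ipaddress.ip_network(cidr)

# Hypothetical first-match rules for traffic arriving from the guest VLAN,
# written as (action, destination). Model only, not router syntax.
GUEST_RULES = [
    ("allow", net("10.0.6.1/32")),     # guest-side gateway (assumed address)
    ("deny",  net("10.0.0.0/8")),      # private ranges, including the 10.0.5.x LAN
    ("deny",  net("172.16.0.0/12")),
    ("deny",  net("192.168.0.0/16")),
    ("allow", net("0.0.0.0/0")),       # whatever is left is internet
]

# Same rules with the catch-all moved first: the deny lines never match.
MISORDERED_RULES = [GUEST_RULES[-1]] + GUEST_RULES[:-1]

def decide(rules, dst_ip):
    """Return the action of the first rule whose network contains dst_ip."""
    dst = ipaddress.ip_address(dst_ip)
    for action, network in rules:
        if dst in network:
            return action
    return "deny"  # implicit default deny

def reachable_from_guest(rules, protected_hosts):
    """List the protected hosts a guest could still reach; empty means isolated."""
    return [h for h in protected_hosts if decide(rules, h) == "allow"]

# 10.0.5.7 is the gateway from the thread; the other two are constructed
# stand-ins for the SBS server and the NAS.
PROTECTED = ["10.0.5.7", "10.0.5.10", "10.0.5.20"]

if __name__ == "__main__":
    print("AP 10.0.6.1/24 via 10.0.5.7 usable:", gateway_on_link("10.0.6.1", 24, "10.0.5.7"))
    print("guest leaks (good rules):", reachable_from_guest(GUEST_RULES, PROTECTED))
    print("guest leaks (misordered):", reachable_from_guest(MISORDERED_RULES, PROTECTED))
```

The misordered table is the failure to look for when reviewing a real guest policy: a broad allow placed above the deny rules silently reopens the LAN.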

Author

Commented:
Well thanks for that.
It seems the configuration I have at the moment will be sufficient. I only have to understand how to configure these VLANs.
I'll search for a tutorial because I have no idea how to do that.
But you answered my question, and now I know what to google, and I have an idea of what to do.

Thanks for your help.

cpmcomputers, Managing Director

Commented:
Sorry it is a little vague.
If it was SonicWall I could give chapter and verse.

If you do need more specifics,
raise another post here and I will pick it up.

(Good luck with Sage, btw)