Create a private wireless network inside of a private wired network

I have a 50mb Metro-Ethernet connection at my office. I am using a Cisco 2951 Router (configured and maintained by my ISP) and a Sonicwall Firewall (maintained by me).

The internal network is on a 10.0.0 subnet.
It is an active directory network (Windows Server 2008) and I do NOT use any dhcp servers. Every device on my network has a manually-assigned 10.0.0 IP Address.

Inside this private network, I want to add a wireless access point so that certain devices in manufacturing can connect (wirelessly) and then have access to the resources on the 10.0.0 network.

Remember, I do not have a DHCP Server.

I purchased an ASUS RT-AC87U Wireless Router

My first thought was to simply turn the Wireless Router into an Access Point - plug an Ethernet cable into the back of the ASUS, set it to Access Point mode and call it a day. However, because I do not have a DHCP Server on my local network, and devices that connect to a wireless network typically don't have (or their users usually don't know how to assign) a static IP, I want to have a DHCP Server that is only used for devices that connect wirelessly.

And there's one more catch ... because my 10.0.0.x network is pretty much "full", I'd like the wireless router's dhcp server to hand out IPs on a different subnet ... but ... I want that subnet to seamlessly communicate with my 10.0.0.x network.

This is probably basic routing - using 2  /24 networks to get 2 times the number of usable IPs - but it's over my head. How do I get the wireless router to hand out IPs to wireless devices, have those IPs be on a subnet that is NOT 10.0.0.x yet allow all of those devices to have access to the 10.0.0.x "wired" network?

If I put the wireless router in 'Access Point' mode, it disables all of the router-like features (such as dhcp).
If I put it into router mode, it wants to connect to the internet via the WAN port. I don't need/want it to use the WAN port since it's simply an "extension" of my 10.0.0.x internal network, which itself already has a gateway to the Internet.

Hope I'm explaining this correctly...
LVL 10
ecarboneAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

ecarboneAuthor Commented:
Maybe part of the solution is to change my entire network's subnet mask from 255.255.255.0 to 255.255.254.0  ??? ... but ... I still want a dhcp server that will ONLY serve devices that connect to the wireless network. Another goal I am trying to accomplish is ensuring that if someone plugs an Ethernet cable into any port in the building, they do not get an IP via the dhcp server. But now that I think about it ... wouldn't an Ethernet device still find the DHCP server running on the wireless router? It's a DHCP Server and it's on the private network. Is there a way to ensure that ONLY wireless connections can use DHCP? And is 255.255.254.0 the proper way to add more usable IPs to my 10.0.0.x network?
0
Fred MarshallPrincipalCommented:
You don't need a DHCP server necessarily.  Perhaps that will help solve your issues.

Here's an example:

I have equipment with their management IP addresses manually entered.  The devices are connected to a network of course.  Originally, the network subnet matched what I have in the equipment devices.  Someone changed the network subnet so that now, if one uses DHCP, they cannot access the equipment.  Here's the solution:

Enter static IP address on my laptop.
Log into the existing wireless (that would provide an IP address with a DHCP server on the current subnet - which is NOT what I need).
Logging into the wireless doesn't affect the IP address on the laptop because it's static.
Once the laptop is connected to the LAN, it can operate on its own selected subnet (which matches the equipment addresses).  I can manage the equipment this way.

Similarly, you could perhaps give static IP addresses to your wirelessly-connected equipment and not worry about DHCP at all.  It's a choice of maintenance effort vs. the size of the network, number of static clients, etc.  It's worth a try.

Now, if your subnet isn't big enough, then I would likely make it bigger as you've suggested.

But, if you insist, then I have found that wireless access points with DHCP will NOT serve DHCP to wired clients.  You would want to confirm this with your particular equipment.  When you think about it, it makes sense for the very things you're concerned about.  You still have to worry about IP address conflicts when setting up ranges.
0
JohnBusiness Consultant (Owner)Commented:
I think a hybrid approach might work.

1. Connect a LAN port on the Wi-Fi router to a LAN port on the network.
2. Give the Wi-Fi router a static IP address on the network.
3. Now ENABLE DHCP on the Wi-Fi router.

Your wired machines do not change but wireless devices will get DHCP.

DHCP is vastly (VASTLY) simpler to manage than static IP addresses and I cannot fathom a single reason why you would set up a whole network Static. It is make-work project and you might consider simplifying your life.
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

nappy_dThere are a 1000 ways to skin the technology cat.Commented:
Since you have a Sonicwall, configure X0 with a vLAN to be a separate network.
Configure your Cisco 2951 with two vLANs See this URL on how to add a vLAN on the 2951 CLICK HERE

Create a vLAN and you can configure inter vLAN routing via the sonicwall. By doing this, rogue devices that connect to your network won't be placed into your vLANs.

Connect a SonicPoint, UniFi or any other AP that supports vLAN tagging(aka 802.1q) to a free port on your Cisco switch.

Configure the AP's SSID to tag traffic to you vLAN

Configure a DHCP daemon on the Sonicwall to listen ONLY on X0:[vLAN#] for IP requests. You can now configure this LAN interface with a separate IP range.

Here is a screenshot of what it can be with a vLAN on X0:
vLAN config on Sonicwall X0
Here is an example how to specify via your Sonicwall how to configure DHCP:
Sonicwall config DHCP
You are now set.

Lastly, to really leverage the SonicPoint, UniFi or other, configure two vlans on the AP now you can have a corp and guest wireless with separated traffic. All you need to do is a to add another vLAN on the switch, Sonicwall and AP with an SSID to match the vLAN.

Example
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Fred MarshallPrincipalCommented:
Re: DHCP
I can't say that managing static addresses is all that much more difficult than using DHCP.  Since I have the experience at modest-sized sites, I can comment for peer-to-peer networks:

Some advocate using DHCP but with IP address reservations for explicit MAC addresses (i.e. devices).  Now, why might they do that?  It's to have the benefit of static addresses with the flexibility of DHCP.

We find that once deployed, computers with static addresses aren't much trouble to manage at all.  Rarely do we find that assistance is needed to reset the NIC settings.

Sometimes name service doesn't do what one expects or as soon as one expects.  This leads to using UNC notation such as \\[ipaddress] in place of \\[computername].  There are cases where ONLY the IP address works.  I'd not want to have to manage doing this in a DHCP environment.

When adding network printers, I trust using their IP addresses.  The steps for adding a printer using the IP address are well-known and supported by communities.  It also works for cross LAN printing when names don't.

If there are LAN-LAN interconnects with name service only local to each LAN or subnet then IP addresses are necessary.  This happens with MPLS links and VPN links if they are set up to limit name service to the local LAN.

The only difference between a name and an IP address is in your brain.  You can remember one almost as well as another for frequently-used addresses.

Of course, My Network Places or just Network in Windows shows the names and not the IP addresses.  So if you rely on this way to reach things then whether you use DHCP or not won't matter.  You will still see the names for the local subnet.

I'm sure there are situations where using DHCP is preferable.  This is just about a segment where it's not such a big deal.
0
nappy_dThere are a 1000 ways to skin the technology cat.Commented:
Netbios is not an efficient way to manage computers for name resolution. With the variety of computer/OS types, DNS is the only true way. The larger your network is DHCP is usually the easiest way to manage end point devices.

Using different subnets on the same vLAN, share a broadcast domain there is little isolation compared to using VLANs. It is then easy to ARP and MAC spoof hosts in either subnet when not separated by vLANs.

If you're just doing this in a lab scenario it's probably fine. If you really need isolation, you should use VLANs in your production environment to help enhance your network security.
0
nappy_dThere are a 1000 ways to skin the technology cat.Commented:
Hi ecarbone, just a bump to see if the info provided was helpful. Please let us know how it's going.
0
ecarboneAuthor Commented:
Hi nappy_d,

Your proposed solution seems like the way to go, and a big thanks for taking the time to include diagrams and links. However, in my organization (1) the ports on my Sonicwall are all being used (it's an older PRO 2040 with only 3 Ethernet ports, and (2) the Cisco 2900 series device is managed by my ISP and they won't do any 'custom' programming to it. Not to mention that the entire chassis is empty except for the three default ports 0/0, 0/1 and 0/2, which are already being used in some fashion. (They installed it and manage it for me).

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
John,
The steps you described are exactly how I have it set up now. The wireless AP is a DHCP server. The problem is, I am out of 10.0.0.x IP addresses, so I am trying to figure out the next step. Here are two solutions I came up with:

1. Let the DHCP server on the wireless AP hand out IPs on a new subnet. For example, 10.0.1.x instead of 10.0.0.x ... but ... when those devices get IPs, I still need them to be able to communicate with my 10.0.0.x network. This is probably basic routing but how do I "program" this on a wireless router?

2. A second solution would be to expand my 10.0.0 network so that it could handle more than 254 IP addresses. But I am not sure what needs to change on my entire 10.0.0 network to make this happen and not bring the entire network to a crashing halt. Is it simply a matter of changing the subnet mask on all devices from 255.255.255.0 to 255.255.???.0? What do businesses do when they need more than 254 IPs on their internal/private network but 65,000 IPs is overkill?

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Fred,
I agree with you - manual IPs on a "small" network are not difficult to manage, and I like the sense of security knowing that file server #4 is 10.0.0.20 and will never change. Maybe it's a false sense of security but I'm comfortable with it and it has never caused me any additional work. And I know I can set IP reservations in my DHCP configuration but I guess I took it a step farther and went with static all across the board.

Regarding your first comment, I am not sure I follow.

I basically want two wireless networks - one that is password protected and allows connected devices to communicate with my (full) 10.0.0 network ... and ... another wireless network that is also password protected but is for guest use. Anyone that connects their laptop, phone, tablet, whatever to this second network gets internet access only. No access to my private network. I know that the Router offers 2 networks - one for me and one guest... it's the fact that my network is full... I guess that's where I am stuck.

Thanks everyone for your help so far.
0
nappy_dThere are a 1000 ways to skin the technology cat.Commented:
I basically want two wireless networks - one that is password protected and allows connected devices to communicate with my (full) 10.0.0 network ... and ... another wireless network that is also password protected but is for guest use.
My diagram above gives you exactly what you have asked for :)

All you have to do is configure the vLAN routing.  Allow traffic from the corp wireless to the corp LAN and allow guest WiFi traffic to ONLY route to the internet.

Don't worry too much about the ISP switch.  This is outside of your internal network and of course control :)

I understand that all the ports are being used on the Sonicwall however, your internal ethernet devices, are the connected to a switch such as a 16 or 24 port switch? You can connect your AP to this switch but the switch MUST support vLANs
0
Fred MarshallPrincipalCommented:
Some comments on the RT-AC87U:

Referring to page 59 of the User Manual for the RT-AC87U, it appears that the General tab on the left is the control for the LAN wireless.  This would be for your added machines.  I can't tell from the brief description how these things change if the device is in Access Point mode.

There is also a tab on the left for Guest Network.  And, it appears that there can be multiple guest networks.

Taking a bit of a leap, it appears that you can set the IP address of the Guest Network as well as control its DHCP server.  But that's not covered in the manual.  I'd surely look there to see if they aren't all independent
0
Fred MarshallPrincipalCommented:
General comments:

First, I strongly recommend that you split your problem set and deal with one at a time.

Because you need more IP addresses, I would change from /24 to /23 subnet mask as you suggested.
Doing this shouldn't be very disruptive if at all.
First, change the subnet mask on the internet gateway (the Sonicwall?)
Next, change the subnet mask on servers.
Since you aren't using DHCP, this isn't an issue or you might next change the DHCP subnet mask.
Then change the computers, critical ones first.
Then change the network printers.
The reason this works well is because the IP addresses aren't being changed, only the subnet mask.
So, when packets leave an unchanged machine that are destined for another machine on the network, they will be launched with the target as the next hop just as before.
And, when packets leave a changed machine, the same thing happens.
It's rare for this to cause any disruption.
But, of course, the broadcast address changes with the subnet mask change from 10.0.0.255 to 10.0.1.255.  So you would want to get all the changes done expeditiously so that more subtle issues don't appear.
Anyway, after this change is made, you will have more IP addresses available.
It will change from
10.0.0.0 - 10.0.0.255
to
10.0.0.0 -  10.0.1.255 adding the addresses 10.0.0.255, 10.0.1.0 on up to 10.0.1.254 for devices

I think I was misled by nappy_d's diagram.  I think that can't be how it is.  Rather, I can only imagine that it goes this way:

ISP <> Cisco 2951 Router (ISP managed) <> Sonicwall Firewall <> LAN

Is that right?

At first I didn't understand that you wanted two wireless networks.  I see that now.
Depending on your needs and preferences, one way would be to use the RT-AC87U as an internet gateway for the whole thing.  
If I were doing this in your situation, I'd make the RT-AC87U LAN address match the current internet gateway address and have it replace the current gateway.
Then, if I were leaving the current gateway in place upstream, I'd make it's LAN address and subnet something different and match the RT-AC87U WAN's address to that subnet.  Then the RT-87U would be able to provide everything you want it appears - *in Router mode*.
So, (assuming I have your network architecture right) you would change the Sonicwall subnet to something like 172.29.1.0/24 and the Sonicwall management IP address to 172.29.1.1.  Any different private IP range will do.  Then set the WAN IP on the RT-AC87U to 172.29.1.2 and the LAN address to 10.0.0.1? (whatever had been on the Sonicwall).
***BUT all this assumes you want to keep the RT-AC87U and not buy anything else.

Probably a simpler approach would be to buy another RT-87U and plug them both into the LAN:
One as an access point for your internal machines.
One as a guest wireless router.
Then I would want to make sure that none of the guest router traffic could access the local LAN devices.  The Sonicwall can probably deal with that if it's not otherwise easy to do.  (Note: the guest traffic would *appear* on the local subnet in order to reach the Sonicwall).
0
nappy_dThere are a 1000 ways to skin the technology cat.Commented:
The Sonicwall is a much more powerful UTM device than the ASUS and I would not change this. Also my diagram is the solution I would implement.  for a small home-office the ASUS is great but not for production business environment.(again, IMO)..

The ASUS RT-AC87U does not appear to support listening to DHCP requests only on the wireless interfaces.  This will result in IP addresses being distributed to devices on the Ethernet network.

You need to get this configured via your Sonicwall and your internal LAN switch. CLICK HERE

You should acquire 1 or 2 of these devices. CLICK HERE
0
Fred MarshallPrincipalCommented:
I wouldn't remove the Sonicwall either...
I agree with nappy_d re: appropriate environments.  It's the small businesses that fall in a gray area.

It's hard to know how the DHCP requests propagate.  I posted a question in this regard recently.  Using a D-Link access point, it's clear that the DHCP server does not serve the wired network.  I came to believe that this is common. On the other hand, if there is no DHCP server running on an access point then I believe the DHCP requests will propagate to the wired network's DHCP server.  What happens if there's also a wireless guest network?  I can only imagine that DHCP requests on the guest network, lacking its own DHCP server, will NOT propagate to the wired network.

But this all gets into the question of what mode the device is in and how it behaves in that mode.
I couldn't find good info about the RT-AC87U in that regard.  i.e. guest networks and DHCP in Router vs. Access Point modes.
0
nappy_dThere are a 1000 ways to skin the technology cat.Commented:
I have briefed through the manual for your ASUS device HERE  It does not support listening for DHCP requests only on the wireless interface.

Definitely consider some of the options I included here and here

Also see my screenshot from above to get DHCP only on the vLAN and wireless interface.
http://filedb.experts-exchange.com/incoming/2015/10_w44/988623/Screen-Shot-2015-10-30-at-9.51.40-PM.png
0
Fred MarshallPrincipalCommented:
The manual for the ASUS shows an image of a control window that has the device in *Wireless router* mode.
That doesn't tell us much about Access Point mode - which I believe was the topic of discussion.
Access points general only serve their wireless clients with DHCP - but it's still worth checking.
0
nappy_dThere are a 1000 ways to skin the technology cat.Commented:
The RT-AC87U does not support the ability to listen on specific interfaces for DHCP requests.  IT also does not support vLANs.  If you want to get advanced solutions for your network such as this, the RT-AC87U is not the unit for your organization.  

I highly recommend you upgrade to devices such as the types referenced earlier to achieve your needs.  Your Sonicwall already supports this and it is your best recommendation forward.

Don't simply put two separate access points on your network, each with their own DHCP server etc. That is just making more work than you need.

configure vLANS on your Cisco switch and Sonicwall as described above
purchase access points that support vLANs to segment and secure access properly
when you purchase your access points, depending on the area covered, you may need to acquire multiple access points to properly cover your site and to allow wireless roaming between devices. Thereare tons of comfigurations on this based on vendor.  Take a look at this article for an overview CLICK HERE
0
ecarboneAuthor Commented:
This was a great discussion. Thanks to each of you for your help. Here's where I am at so far.

Fred:

Changing the /24 to /23 is the solution I was looking for (regarding the additional IP Addresses).
You are correct regarding nappy_d's diagram - it should be:  ISP <> Cisco 2951 Router (ISP managed) <> Sonicwall Firewall <> LAN (but I now know what he was illustrating - more on that below)
To avoid having to add another point of failure in the chain from LAN to Internet, I didn't want to install another switch or use the ASUS as my Gateway.
If there is no DHCP server running on the access point, the DHCP requests will in fact propagate to the wired network's DHCP server. But on my wired network, I do not have (nor want) a DHCP server.
So, I thought of enabling DHCP on the ASUS so that it could only serve the wireless connections. But... as pointed out earlier, it looks like the DHCP server will happily work across the entire wired network and that's what I want to avoid

nappy_d:

I realize what your network diagram was showing. Although you labeled the switch as the one provided by my ISP, I know (think) you meant it could be ANY switch as long as it supports VLAN which my internal (LAN) switches do. However ...
In your other image - the screenshot of the Sonicwall interface - I see how you have DHCP enabled only for the VLAN. Very clever. However, my Sonicwall interface looks nothing like that. Unfortunately my firewall is 10 years old and is running SonicOS 4.2.1. The device is past its EOL and it's not possible to update the OS (so hopefully a new Sonicwall is in my budget next quarter) . (Actually, the new TZ series seems more powerful than my old PRO series, plus it comes with enough ports where I can just dedicate one to my wireless and that would probably solve all my problems)
I was trying to get this desired configuration using only the equipment I have now. The TRENDnet PoE AP/WDS device you mentioned looks great. I'm curious to know if there is a model that runs on the 2.4 and 5 GHz spectrum.

Here's where I am at now:

[Firewall] <> [DMZ Switch] <> [ASUS RT-AC87U #1] <> [ASUS RT-AC87U #2]

ASUS device #2 is at the end of the chain. It's configured as an Access Point. I ran a cable from its WAN port to a LAN port on ASUS device #1
ASUS device #1 is configured as a Router. Its WAN port is connected to the DMZ switch. DHCP is enabled but ... since it is on my DMZ network ... I don't have to worry about any devices in the building getting an IP Address (since all of the network jacks throughout my building are on the LAN network not the DMZ network and the only way to plug something into my DMZ switch is to be standing inside my server room).
Finally, the DMZ switch connects to the "DMZ" interface on the Sonicwall

OK so what does this get me? A guest network, that's all.  :-(
Because any device that connects to my wireless network is now part of the DMZ. No LAN access.

So where I am at right now, is only half of the solution.

If my old, dated Sonicwall will let me:
- Create a VLAN
- Enable DHCP
- Activate it *only* for that VLAN
(as nappy_d illustrated)

... then I'll move my ASUS devices from the DMZ to the LAN/VLAN, enable the Guest Network feature on the device and I think at that point I'll have everything I am looking for.

Having the wireless network in my DMZ seemed like a good temporary solution but now I'm seeing the additional disadvantages:

- An account manager will come to the office, connect to Wi-Fi, try to connect to the VPN and ... nothing. Why? Because he's in the DMZ and from there, you can't see the VPN endpoint. (Because it's the DMZ ;-)

- Another user connects his phone to Wi-Fi and ... now he can't send/receive email. Why? Because he's in the DMZ and from there, you can't connect to the mail server.

I've pigeonholed all of the Wi-Fi users into a DMZ that basically can't do anything except browse the web. So as I mentioned above, my next task is to poke around my old Sonicwall's management screens and see if I can move the ASUS wireless devices to the LAN without compromising security.
0
nappy_dThere are a 1000 ways to skin the technology cat.Commented:
What is the model of the model of your Sonicwall? that you have?
0
ecarboneAuthor Commented:
SonicWall PRO 2040 Enhanced
Firmware Version: SonicOS Enhanced 4.2.1.0-20e
ROM Version: SonicROM 3.1.0.2

There's a page for configuring DHCP but I don't see any place to do VLAN tagging.
Thanks for your help.
0
nappy_dThere are a 1000 ways to skin the technology cat.Commented:
Take a look at this URLCLICK HERE

p.163 It details what you need to do to configure sub interfaces(VLANs etc)
p.173 and deploying vLANs
p.228 DHCP configurations and interfaces

Let me know if you have any questions
0
nappy_dThere are a 1000 ways to skin the technology cat.Commented:
Just checking in to see if you've had some time to review the pages from the sonicwall admin guide.
0
ecarboneAuthor Commented:
nappy_d - I read through all of the relevant sections of the SonicWall Admin Guide and I was all set to tackle this project over the weekend, but ... then I realized the ASUS wireless devices I have do not support VLANs. (You had even mentioned this earlier on, but I missed it until re-reading every thread from top to bottom).

So, although I'm pleased to know my old trusty SonicWall can handle this configuration, the ASUS routers cannot and so therefore, they are the deal-breaker here. It's not in my budget to acquire two more APs (and I cannot return the two ASUS routers I already purchased). My fault for not planning this before buying them.

So at this point I suppose my options are to wait until I can upgrade my SonicWall to a newer model (one that has more interface ports), or wait until I have the budget to buy two new APs, or suck it up and just drop the wireless network inside of my LAN.

I did not want to do this for two security reasons:
(1) If someone connects to the wireless network, now they have visibility and access to all of the devices on the LAN. This is fine for authorized users but what about guests and vendors that visit my office and want to get online? I don't want them to have access to my LAN.
(2) The second reason is because by enabling DHCP on the ASUS and then plugging it into my LAN essentially adds a DHCP server to my entire LAN - another thing I did not want to do.

I suppose there's one more option (?):
The WAN port (X1) of my SonicWall physically connects to the managed router that is installed by my ISP. Let's say the WAN port's default gateway is 1.2.3.250.
Put a small switch in between the SonicWall and the Managed ISP Router.
Reconnect the chain with Ethernet cables, so now the link between the SonicWall and the Managed ISP Router is re-established.
Now, into another port on that small switch, plug in my wireless router.
The ASUS wireless router would then be reconfigured so that it's gateway is also 1.2.3.250

This gives me a wireless network that is outside of my LAN. Any devices that connect to this will need to connect to the VPN if they need access to the LAN resources. Same as if they were connecting to the VPN from home.

Again, another partial solution. But it seems I can't get everything I want without either (a) buying a new firewall (one with more ports) or (b) buying new APs (that support VLANs)

example with Wi-Fi outside of the firewall
0
nappy_dThere are a 1000 ways to skin the technology cat.Commented:
Based on your diagram above, do you have two physical switches connected to the Sonicwall; one for your LAN and the other for your DMZ?
0
ecarboneAuthor Commented:
Sorry for the delay in getting back to you. Next year if the budget allows, I will look into upgrading my firewall. Thanks everyone for your help.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Wireless Networking

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.