Create WiFi access point to access WAN and not local LAN.

Hi Experts,

In the office there is a domain network with the usual LAN access to employees etc.

People often visit the office with laptops and need to connect to external resources, which is a concern because domain resources are then visible to the visitor.

We would like to change that but can't figure out how to do it.

We're happy to purchase a WiFi access point and let it do the work for us, but so far we do not see any access points capable of that. We were hoping for something like an access point with a NAT so that we could use different IP addresses on the AP (eg.

I hope that makes sense?

Thanks, Chris.
Chris Coleman Asked:

John, Business Consultant (Owner), Commented:
You can get either a Wi-Fi Router or Wi-Fi Access point and give it a different IP address on your network. Go into the GUI setup for LAN and give it a static IP on your network. Then set up DHCP for a completely different subnet and DHCP enabled.

The physical connection is WAN (Wi-Fi router) to LAN (Network).

This works for the majority of situations but is not meant to keep out hackers (which you do not likely have).

You can get more complicated and expensive with VLANs but try the above to get started.
The fundamental part of accomplishing this is that the router to which the access point and LAN connect must support some sort of isolation.  For example, some wireless routers have a "guest network" capability.  This will isolate those on the guest network from the rest of the network.  The key is that your existing LAN must be connected to the LAN side of that router.  If you connect such a router as a secondary one to your existing router and leave your LAN users on the existing router, you'll not accomplish what you want.

If your existing router supports VLANs, then you can accomplish it there.  If it doesn't have VLAN capability or "guest network" (or some other name) capability on its own WiFi, you'll be looking at three solutions:

1)   You can replace your router with one that has the capability (VLAN or guest network).  If it has guest network capability, set it up for the users you don't want to have access to local resources.

2)  Add a new wireless router with the "guest network" capability and connect all existing non-guest devices to the new router (through switches, if needed).  Nothing will be connected to the LAN side of the main router other than the new router.

If the existing router is a modem/router, it would be much better to put it in Bridged Mode when you connect the new router to it.  That will avoid having two routers between computers and the internet.  Having two routers (with no bridging) inline is not unworkable, just more difficult.

3)  Add a new router with its WAN side connected to the LAN side of your existing router.  Move all devices on your existing LAN to the LAN side of this router.  You can change the LAN IP address on your existing router to, for example, to allow you to put your original router's existing LAN IP address on the new router.  This will keep your existing LAN in the same subnet that it presently is on.  This would allow your existing LAN users to access users on the main router (which should just be the public WiFi users), but not the other way around.

This last solution has the issue of two active routers in series.  Workable, but not optimal.  It's likely what John was describing.

If you provide the make and model of your existing router we can give more detailed answers.
Craig BeckCommented:
What APs and switch/router gear do you have?

Chris Coleman, Author, Commented:

It gets more complicated, but for you guys 'a walk in the park'...

Anyway the added complication is that the wireless access point has to be at the other end of the building (from the router), and in between is a Netgear 16-port basic (non-intelligent) switch, ...

The broadband router is a BT Business Smart Hub (well it's not so smart but that's what they say), it has no VLAN? support, it does have port mapping capability and can support multiple DNS hosts (literally as many as you want).

I also purchased a Netgear V7000 router which according to the sales pitch supports isolated guest networks, but after purchase I discovered that it will not do that when running in AP mode, so I guess I'll be sending that back.

Anyway any further help is greatly appreciated.

This all started when a guy in the office gave an arp -a command ..

If there is only one cable from the unmanaged switch to the main router, I think you'll have to use VLANs.  You'll need a main router that does VLANs to accomplish this.

The good news is that your "Smart" Hub can be put into Bridge Mode:

Once that is done, you can add a router that supports VLANs.  If you put the distant Access Point on a different VLAN, you can restrict it to internet traffic.

You would want to ensure that the unmanaged switch will pass the VLAN tags.  That appears to be possible on some and not on others, at least dependent on the MTU that it allows.  You may have to replace that switch.

Your Smart Hub also supports a guest network with its WiFi.  You could use repeaters to get that to the distant location, but how well that works is very dependent on what is in between.
Sandeep Gupta, Consultant, Commented:
You just need to create an access list blocking all LAN networks and call the ACL in the user role.
Sandeep Gupta, Consultant, Commented:
You can do this on either a Cisco or Aruba AP.
If the AP is connected to the LAN side of the router, will it be able to distinguish between packets that eventually end up outside the LAN as opposed to those that route through the LAN side of the router?
Chris Coleman, Author, Commented:

Just looking on the Aruba site and it does appear that they include something like a NAT for wireless and/or access lists for IP, which if I understand completely will do the job.

Possibly even blocking downstream ARP requests.

CompProbSolv has a pertinent question, again if my understanding of the documentation is correct this is exactly what it does?

Sandeep Gupta, Consultant, Commented:
I have implemented a similar kind of setup in Aruba, thus can say it will work.
I'm not disagreeing with whether or not it can work, just not understanding how it works.

Does the AP look inside the packet to see what the eventual destination IP is and discard anything that is addressed to the subnet on the WAN side of the AP (which is the LAN side of the main router)?
Sandeep Gupta, Consultant, Commented:
If you are using iAP, yes, the AP will do all this work. As per WLAN operation, when a user is put into a role, he will access the network based upon the ACLs present in the role.

It would be something like:

netdestination Internal_Networks

ip access-list session Block_Internal_Networks
  user   alias Internal_Networks any  deny

user-role Test1
 access-list session global-sacl
 access-list session apprf-Test1-sacl
 access-list session Guest-Access
 access-list session cplogout
 access-list session Guest-Access-Logon
 access-list session Block_Internal_Networks
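
An added example, not part of the original thread and not Aruba code: a small Python model of the destination-based filtering discussed above, useful for checking a role's ACL order before deploying it. It assumes first-match evaluation with an implicit deny; the address ranges, the contents of Guest-Access, the Allow-Internal-DNS exception and the probe list are all constructed for illustration.

```python
import ipaddress

# Constructed ranges: the thread never states the office's addressing.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]

# Each rule: (destination networks, destination port or None for any, action)
BLOCK_INTERNAL = ("Block_Internal_Networks", [(INTERNAL, None, "deny")])
# Hypothetical contents; the thread does not show what Guest-Access holds.
GUEST_ACCESS = ("Guest-Access", [(ANY, None, "permit")])
# Hypothetical exception for a DNS resolver that lives on the office LAN.
ALLOW_DNS = ("Allow-Internal-DNS",
             [([ipaddress.ip_network("192.168.1.1/32")], 53, "permit")])

def evaluate(role, dst, port):
    """Return (action, acl_name) for the first rule that matches, in role order."""
    ip = ipaddress.ip_address(dst)
    for acl_name, rules in role:
        for nets, rule_port, action in rules:
            if any(ip in n for n in nets) and rule_port in (None, port):
                return action, acl_name
    return "deny", "implicit-deny"

def reachable(role, probes):
    """Probes (dst, port) that a client in this role would be allowed to send."""
    return [p for p in probes if evaluate(role, *p)[0] == "permit"]

# Constructed probes: three office hosts, the LAN resolver, one outside host
# (203.0.113.0/24 is a documentation range standing in for the internet).
PROBES = [("192.168.1.10", 445), ("10.20.30.40", 3389), ("172.16.5.5", 22),
          ("192.168.1.1", 53), ("203.0.113.7", 443)]

ROLE_AS_LISTED = [GUEST_ACCESS, BLOCK_INTERNAL]           # deny ACL last
ROLE_DENY_FIRST = [ALLOW_DNS, BLOCK_INTERNAL, GUEST_ACCESS]

if __name__ == "__main__":
    for name, role in (("as listed", ROLE_AS_LISTED),
                       ("deny first", ROLE_DENY_FIRST)):
        print(name, "->", reachable(role, PROBES))
```

Under these assumptions, a permit-any rule placed ahead of the deny list leaves every probe reachable, while putting the deny list first leaves only the resolver exception and the outside host.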

Chris Coleman, Author, Commented:
Although CompProbSolv provided a lot of useful information and certainly gave me clear insight on what can and cannot be achieved in the proposed setup, Sandeep provided a definitive solution which is relatively simple to apply in most Ethernet/LAN scenarios.