Thread: Separate network?

  1. #1

    Thread Starter
    Fanatic Member
    Join Date
    Jan 2007
    Location
    Middletown, CT
    Posts
    948

    Separate network?

    Hello there,
    I'm hoping that someone can help me with this network issue. I'm trying to find a way to separate a wireless access point from the rest of my network, only allowing internet traffic through - nothing else.

    I've got a few HP Procurve switches, and a run through my building about 100 ft long. The run connects to an unmanaged switch, and there's a WAP and a wireless router connected to the switch. The WAP is secured, the router is unsecured. I use the secured one for folks that come into the building and have the passphrase - it allows a connection to our server, our printers, etc. I use the unsecured one for guests. It SHOULD restrict access to all servers and such, but doesn't. Access is permitted to our servers and our printers without a problem - they just can't be located by browsing.

    I purchased a managed switch in the hope that I could configure a specific port to do what I'm trying to get it to do, but I'm a little confused.

    I've tried VLANs, but VLANs are much more restrictive than I thought - blocking all traffic, as if there were literally two separate LANs. I noticed an option for using a RADIUS server, but I suspect that traffic would be the same once authentication was completed.

    I know that I could get away with this with another run and a VLAN configured in the main router, but I don't want to have to drop tiles, run wire, get the snake, put a plug in, etc.

    Is there any way to only block network browsing protocols, only allowing internet access?

    As I was typing this, I just thought to restrict all traffic not on port 80...will need to look into that though.
    EDIT: I couldn't find any options to do this, but this wouldn't work anyway, as I'd want to allow other traffic, just not to the rest of my network. Maybe I could set up a special subnet mask for the router to only be able to access the gateway? I don't know anything about how to create one though...

    Does anyone have any other ideas?
    Last edited by drag0n_45; Jan 18th, 2010 at 04:18 PM.

  2. #2
    PowerPoster Jenner
    Join Date
    Jan 2008
    Location
    Mentor, OH
    Posts
    3,712

    Re: Separate network?

    Two options:

    A) Hook the wireless access point up to the DMZ port on your router if it has one (most do). Downside is there's no firewall between the access point and the internet.

    B) Buy a second router. Have the first router connected to your internet on its WAN. Hook the access point and the second router's WAN to the first router's LAN. Connect the rest of your network to the second router's LAN. Run both routers in NAT mode.

  3. #3

    Thread Starter
    Fanatic Member
    Join Date
    Jan 2007
    Location
    Middletown, CT
    Posts
    948

    Re: Separate network?

    That's what I thought - didn't know if there was any kind of outbound firewall rule or anything like that. Might have to think out of the box on this one...

  4. #4
    Pro Grammar chris128
    Join Date
    Jun 2007
    Location
    England
    Posts
    7,604

    Re: Separate network?

    Couldn't you put the wireless AP on a different subnet and have that dishing out DHCP for the wireless clients (on that same subnet obviously), then have the default gateway for those clients set to your firewall, and assuming it's a half decent firewall you will be able to block specific ports from this subnet getting to the other 'main' subnet, which is what you want, isn't it? So you would allow port 80 (HTTP), 443 (HTTPS), 21 (FTP) and whatever else you want from this guest subnet outbound to the internet, but not to your other subnet.
    Alternatively, do what one of our clients does and just get a cheap internet line specifically for the guests to use, then your wireless AP is hooked up to the router that brings that internet line into the building and it's totally separate to the rest of your network.


  5. #5

    Thread Starter
    Fanatic Member
    Join Date
    Jan 2007
    Location
    Middletown, CT
    Posts
    948

    Re: Separate network?

    Come to think of it, the subnetting idea sounds like it could work. All I need to do is change DHCP to assign a different subnet to it (subnet 2) and allow internet access to subnet 1. Now to learn about the wonders of subnetting.
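
Added example (not part of any post in this thread): the guest-subnet-plus-firewall approach from posts #4 and #5, modelled as a first-match rule list so the isolation can be checked before it is configured on a real firewall. The addresses, the rule set, the DNS exception and all names here are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed addressing for illustration only; substitute your own ranges.
MAIN = ipaddress.ip_network("192.168.1.0/24")      # servers, printers
GUEST = ipaddress.ip_network("192.168.2.0/24")     # guest wireless clients
GUEST_GW = ipaddress.ip_network("192.168.2.1/32")  # firewall's guest-side address
ANY = ipaddress.ip_network("0.0.0.0/0")

class Rule(NamedTuple):
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str]   # None matches any protocol
    ports: frozenset       # empty set matches any port

# First match wins. The deny to MAIN must precede the broad "internet" allow,
# because 0.0.0.0/0 also contains the main subnet.
RULES = [
    Rule("allow", GUEST, GUEST_GW, "udp", frozenset({53})),  # DNS (assumed need)
    Rule("deny", GUEST, MAIN, None, frozenset()),
    Rule("allow", GUEST, ANY, "tcp", frozenset({21, 80, 443})),
    Rule("deny", GUEST, ANY, None, frozenset()),
]
# Same rules with the allow placed first: the mistake the audit should catch.
MISORDERED = [RULES[0], RULES[2], RULES[1], RULES[3]]

def decide(src, dst, proto, port, rules=RULES):
    """Return the action of the first rule matching this flow (default deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in r.src and d in r.dst and r.proto in (None, proto)
                and (not r.ports or port in r.ports)):
            return r.action
    return "deny"

PROBE_PORTS = (21, 80, 139, 443, 445, 3389, 9100)  # FTP, web, SMB, RDP, printing

def leaks(rules):
    """TCP ports on a main-subnet host that a guest client can still reach."""
    guest, target = str(GUEST[50]), str(MAIN[10])
    return [p for p in PROBE_PORTS
            if decide(guest, target, "tcp", p, rules) == "allow"]

if __name__ == "__main__":
    print("correct order leaks:", leaks(RULES))
    print("misordered leaks:  ", leaks(MISORDERED))
```

A separate subnet by itself only changes addressing; the deny rule on the device that routes between the two subnets is what enforces the separation.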
