-
Jan 18th, 2010, 04:12 PM
#1
Thread Starter
Fanatic Member
Separate network?
Hello there,
I'm hoping that someone can help me with this network issue. I'm trying to find a way to separate a wireless access point from the rest of my network, only allowing internet traffic through - nothing else.
I've got a few HP Procurve switches, and a run through my building about 100 ft long. The run connects to an unmanaged switch, and there's a WAP and a wireless router connected to the switch. The WAP is secured, the router is unsecured. I use the secured one for folks that come into the building and have the passphrase - it allows a connection to our server, our printers, etc. I use the unsecured one for guests. It SHOULD restrict access to all servers and such, but doesn't. Access is permitted to our servers and our printers without a problem - they just can't be located by browsing.
I purchased a managed switch in the hope that I could configure a specific port to do what I'm trying to get it to do, but I'm a little confused.
I've tried VLANs, but VLANs are much more restrictive than I thought - blocking all traffic, as if there were literally two separate LANs. I noticed an option for using a RADIUS server, but I suspect that traffic would be the same once authentication was completed.
I know that I could get away with this with another run and a VLAN configured in the main router, but I don't want to have to drop tiles, run wire, get the snake, put a plug in, etc.
Is there any way to only block network browsing protocols, only allowing internet access?
As I was typing this, I just thought to restrict all traffic not on port 80...will need to look into that though.
EDIT: I couldn't find any options to do this, but this wouldn't work anyway, as I'd want to allow other traffic, just not to the rest of my network. Maybe I could set up a special subnet mask for the router to only be able to access the gateway? I don't know anything about how to create one though...
Does anyone have any other ideas?
Last edited by drag0n_45; Jan 18th, 2010 at 04:18 PM.
-
Jan 19th, 2010, 10:34 AM
#2
Re: Separate network?
Two options:
A) Hook the wireless access point up to the DMZ port on your router if it has one (most do). Downside is there's no firewall between the access point and the internet.
B) Buy a second router. Have the first router connected to your internet on its WAN. Hook the access point and the second router's WAN to the first router's LAN. Connect the rest of your network to the second router's LAN. Run both routers in NAT mode.
-
Jan 19th, 2010, 11:11 AM
#3
Thread Starter
Fanatic Member
Re: Separate network?
That's what I thought - didn't know if there was any kind of outbound firewall rule or anything like that. Might have to think out of the box on this one...
-
Jan 20th, 2010, 04:30 PM
#4
Re: Separate network?
Couldn't you put the wireless AP on a different subnet and have that dishing out DHCP for the wireless clients (on that same subnet, obviously), then have the default gateway for those clients set to your firewall? Assuming it's a half-decent firewall, you will be able to block specific ports from this subnet getting to the other 'main' subnet, which is what you want, isn't it? So you would allow port 80 (HTTP), 443 (HTTPS), 21 (FTP) and whatever else you want from this guest subnet outbound to the internet, but not to your other subnet.
Alternatively, do what one of our clients does and just get a cheap internet line specifically for the guests to use; then your wireless AP is hooked up to the router that brings that internet line into the building and it's totally separate from the rest of your network.
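The guest-subnet rule set described in post #4, modelled as an added example that is not part of the original thread: a first-match rule evaluator showing why the block toward the main subnet has to sit above the "allow 80/443/21 outbound" rule. The subnet addresses, the extra ports probed (139, 445, 9100) and all function names are constructed for illustration.

```python
import ipaddress

# Constructed addressing; the thread does not give any real values.
MAIN = ipaddress.ip_network("192.168.1.0/24")    # servers and printers
GUEST = ipaddress.ip_network("192.168.50.0/24")  # guest wireless subnet
ANY = ipaddress.ip_network("0.0.0.0/0")
WEB = frozenset({21, 80, 443})                   # ports named in post #4

# Rule: (action, source net, destination net, TCP ports or None = all ports)
BLOCK_MAIN = ("deny", GUEST, MAIN, None)
ALLOW_WEB = ("allow", GUEST, ANY, WEB)
DEFAULT_DENY = ("deny", ANY, ANY, None)

GOOD_ORDER = [BLOCK_MAIN, ALLOW_WEB, DEFAULT_DENY]
BAD_ORDER = [ALLOW_WEB, BLOCK_MAIN, DEFAULT_DENY]  # "any" also covers MAIN


def decide(rules, src, dst, port):
    """Action of the first rule matching a new TCP connection (first match wins)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, ports in rules:
        if src in src_net and dst in dst_net and (ports is None or port in ports):
            return action
    return "deny"  # nothing matched: fail closed


def guest_leaks(rules, ports=(21, 80, 139, 443, 445, 9100)):
    """Ports on which a guest host can still open a connection to a main-subnet host."""
    guest_host = str(GUEST.network_address + 10)
    main_host = str(MAIN.network_address + 10)
    return [p for p in ports if decide(rules, guest_host, main_host, p) == "allow"]


if __name__ == "__main__":
    print("good order leaks:", guest_leaks(GOOD_ORDER))
    print("bad order leaks: ", guest_leaks(BAD_ORDER))
    # 203.0.113.10 is a documentation address standing in for an internet host.
    print("guest -> internet 443:", decide(GOOD_ORDER, "192.168.50.10", "203.0.113.10", 443))
```

With the allow rule first, guests can still reach web and FTP services on internal servers and printer admin pages, even though file sharing is blocked.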
-
Jan 20th, 2010, 04:55 PM
#5
Thread Starter
Fanatic Member
Re: Separate network?
Come to think of it, the subnetting idea sounds like it could work. All I need to do is change DHCP to assign a different subnet to it (subnet 2) and allow internet access to subnet 1. Now to learn about the wonders of subnetting.