Setting up 2 networks with 1 gateway

11 years 1 month ago #38217 by Richardbee
Hi

I would like to setup a wireless access point for guests. We have only 1 gateway to the internet.
I would like the network to be safe from guest hacking into the network.

What I tried:
Network - Router A (Linksys WRTG) (192.168.168.200) acting as gateway (as internal wireless access point)
Router B (Linksys WRTG) (192.168.1.1), DHCP enabled (to be used as guest access point), WAN port connected to Router A (different network, so should be safe?)

A guest was able to connect to Router B and access the internet (setup correct). Security? I was able to connect to our network :(

What I need is guest to be able to access the internet and not able to access our network.

Help and advice on how to set up a secure access point is appreciated.

Thank you in advance
Richard
11 years 1 month ago #38218 by Nevins
Hello Richardbee,

Have you considered using VLANs and port security? What is the usage of the network? Who are the guests, and what level of access do you want them to have on your network?

-Nevins

Useful Threads
================================
www.firewall.cx/forum/2-basic-concepts/3...e-resource-page.html
11 years 1 month ago #38219 by Richardbee
Hi Nevins

Thanks for taking time to help. Sorry, but I don't know anything about VLANs and port security. Will be reading up on those. Well, sometimes guests/participants want to access the internet, and to do that they will need to log on to our network.

I would like to have a complete 'no access' to the network and just be able to surf the internet wirelessly.

Thanks
Richard
11 years 1 month ago #38220 by Nevins
Yep, no problem. I understand. Anyway, I see you are online right now; check your PMs, I'll help you out.

11 years 1 month ago #38221 by Richardbee
Hi Nevins

Read up on it, don't really understand it.. :(

Anyway, am I able to do what I intend to do with a WRT54G router? I have another router (to use as guest access) with DD-WRT firmware.

If yes, can you point me to the right direction?

Thanks in advance.
richard
11 years 1 month ago #38222 by Nevins
Alright, let's work from bottom to top on this one. The simplest thing to understand is port security. To understand port security, let's first talk about what it is we want to secure:

[img]http://imgur.com/EVAg9Vt[/img]


In port security the goal is to only allow specific MAC addresses to pass data through the interface.


For example, if you took the above switch and wanted to only allow the unique address physically burned into your network card (the MAC address), so that nobody else could use the switch port, you could. Additionally, if you attached a hub or other network device to that interface, devices attached to that hub would only work if they had an allowed MAC address.


Port security has a number of features that revolve around triggering an access violation on one or more interfaces. Access violations can be set to trigger one of 3 different modes:

  MODE                 STATE ON TRIGGER
  Shutdown (default)   blocks all traffic; the port goes err-disabled
  Protect              drops frames from non-allowed MAC addresses
  Restrict             drops frames from non-allowed MAC addresses and logs the violations

Now that you know what port security does, you can see how to configure it here, as well as check out the different access violation types:

www.cisco.com/en/US/docs/switches/datace...ide/sec_portsec.html


VLANS (VIRTUAL LANS)

http://imageshack.us/f/580/broadcastdomainvlan.png/


The point of a virtual local area network is to logically subdivide an existing local area network using existing hardware. It's basically like saying the devices attached to each VLAN-assigned interface are their own physical local area network group. So if you look at the above image, all the devices are physically sharing Router0, Switch0 and the trunk link between them, but logically the company user group and the accounting department are different local area networks.

Without VLANs, to get the same results you would have to buy devices and links for each network. Typically speaking, most Cisco routers allow virtual LANs.

The key to VLANs is to understand that interfaces are either a member of a VLAN or a shared trunk between networking devices and gateways. A nice feature of VLANs is that you can apply policy at your gateway router through Access Control Lists or DNS to force everyone in one VLAN to participate in those policies. Those policies are typically applied to the sub-interface for that VLAN on the trunk link.


Another possibility I forgot to mention is RADIUS authentication (stops outsiders from accessing your network): you basically set up an authentication server, give it some codes, give your clients access to the codes, and they can log into your network and use it. Anyone without the code can't get on.

packetlife.net/blog/2008/aug/6/simple-wired-8021x-lab/

I would like to have a complete 'no access' to the network and just be able to surf the internet wirelessly.


Because you would like them to have "complete 'no access' to the network", I would say VLANs are what you need. You need the same hardware, but you need them to not be connected to your existing network.

Here is the Cisco whitepaper for configuring VLANs:

www.cisco.com/en/US/docs/switches/lan/ca...on/guide/swvlan.html


Let me know where you stand on this we'll work from there.

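The reason Richard's double-router layout leaked is that Router B only NATs the guest subnet; it still forwards anything a guest sends to 192.168.168.0/24 straight onto Router A's LAN, because from Router B's point of view that is just "upstream". VLANs and port security (Nevins's answer) are the right tool on a managed switch, but the DD-WRT box Richard already has can enforce the same "not connected to your existing network" rule at layer 3 with its own firewall. The following is an added example written for this thread; it is not code from either poster or from the DD-WRT project. It assumes the DD-WRT defaults (guest wired and wireless clients bridged on br0, iptables available) and that the internal network behind Router A is 192.168.168.0/24 as described above; the IPT, GUEST_IF and PRIVATE_NETS names are the example's own.

```shell
#!/bin/sh
# Added example: DD-WRT firewall script for Router B (the guest access point).
# Goal: guests reach the internet but nothing on Router A's LAN, and nothing on
# Router B itself except DHCP and DNS.
# Assumptions (not from the thread): guest LAN+WLAN bridge is br0 (DD-WRT
# default); the internal network behind Router A is 192.168.168.0/24.
# Set IPT=dry_run to print the rules instead of applying them.

IPT="${IPT:-iptables}"
GUEST_IF="${GUEST_IF:-br0}"
# Drop every RFC1918 range rather than only 192.168.168.0/24, so a second
# private subnet behind Router A is covered too.  Internet-bound packets carry
# a public destination address and are not matched by these rules.
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

dry_run() { printf 'iptables %s\n' "$*"; }

guest_isolation_rules() {
    # 1. Guests may talk to Router B itself only for DHCP (udp/67) and DNS
    #    (udp+tcp/53).  The final DROP hides the web UI, ssh and telnet from
    #    the guest side, so a guest cannot reconfigure the guest router.
    "$IPT" -I INPUT 1 -i "$GUEST_IF" -p udp --dport 67 -j ACCEPT
    "$IPT" -I INPUT 2 -i "$GUEST_IF" -p udp --dport 53 -j ACCEPT
    "$IPT" -I INPUT 3 -i "$GUEST_IF" -p tcp --dport 53 -j ACCEPT
    "$IPT" -I INPUT 4 -i "$GUEST_IF" -j DROP
    # 2. Nothing arriving from the guest side is forwarded into private
    #    address space.  Router A (192.168.168.200) sits inside 192.168.0.0/16,
    #    so its admin pages are unreachable from guests as well.  Router B's own
    #    upstream DNS queries leave through OUTPUT, not FORWARD, so forwarding
    #    guest DNS to Router A still works.
    for net in $PRIVATE_NETS; do
        "$IPT" -I FORWARD 1 -i "$GUEST_IF" -d "$net" -j DROP
    done
}

# Apply for real only when running as root with iptables present (i.e. on the
# router); otherwise do nothing, so the script can be read or dry-run safely.
if [ "$IPT" != dry_run ] && [ "$(id -u)" = 0 ] && command -v "$IPT" >/dev/null 2>&1; then
    guest_isolation_rules
fi
```

On DD-WRT, paste the script into Administration > Commands and use "Save Firewall" so it is re-applied at boot and whenever the WAN comes up; rules added from a shell by hand are lost at reboot. Running `IPT=dry_run sh guest-fw.sh` on any machine prints the seven rules that would be installed. Two caveats: guest-to-guest traffic on br0 is bridged at layer 2 and never passes through the FORWARD chain, so enable "AP Isolation" on the Wireless > Advanced page if guests should not see each other; and verify the result from a guest client, not from the router, by checking that the internet works while 192.168.168.200 and any internal host time out.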