Hey guys! I'm a little new to setting up networks (taking networking classes right now) and I have a chance to get a little real-world experience. I'd like to get a little advice before I dive into it, though. I've tried googling this but didn't really find exactly what I was looking for. Here's the deal...
My girlfriend is the manager of a small bar/restaurant and they recently had some problems with their wireless network. After calling their ISP, it turns out someone had gotten into their router and screwed with the settings, basically disabling their network. They had the network open so their customers could connect to it and use their internet connection (stupid, yes.) The thing is, they didn't have a separate SSIDs for public and private access, it was just all the same network (business computers, credit card machines, juke box and customers all on the same network.) I offered to help them make things a little more secure. They got everything back up and running but their ISP told them their router doesn't support multiple SSIDs or VLAN so they were told that in order to make a "guest" access point, they's have buy another wireless router and physically connect it to the existing one.
I plan on securing their existing network by changing the the admin username and password for their router configuration, hiding and changing the the SSID so it isn't broadcast for everyone to see, and setting up a secure WPA key. I figure all that should be sufficient for securing their private network but if anyone here has any other suggestions for making it more secure, please feel free to comment on that.
I want to set up the public network so that it's open to everyone without having to enter a password, but secure enough that no one can screw anything up, do anything unscrupulous over the connection or hog the bandwidth, stuff like that. So here are my concerns for this:
What ports should I block?
Is there a way to block wireless users from accessing the router configuration and only allowing wired connections to do so?
Is there a way to put a limit on connection speed so that so that if someone decides to download a 200MB app to their phone it doesn't slow everyone else down?
Would I enable NAT on the public router?
Any other suggestions?
Basically I want to balance what their customers expect from a WiFi hot spot with keeping things as secure as possible.
Then buy a cheap router and set it up as a wireless access point - details are in a Sticky Post in this sub-Forum. So long as the connection is one step away from the clients, it's that much more secure. The router remains secured by the highest WPA they can manage, hiding the SSID is academic because you're giving it to the customers any but the difference with the access piont is, you can call it by the Restaurant's name - totally different from the router's SSID.
1. Enable Option: Only allow wired LAN computer to log on WiFi Router, using even registered NIC's MAC.
2. The DHCP IP range may start with 100 IPs.
3. This WiFi router's WAN port may then connect to a "More Powerful / Decent" base router's 1 of 4-port.
The base router handles your restaurant's LAN / Internet network (IP: 10.0.0.1 to 254).
With Netbios over TCP being disabled. ==> Customers could not access Shares from your base LAN/ offices etc..