Router/Firewall Security Question

Total

Distinguished
Aug 30, 2001
I am interested in allowing all wireless connections complete access to the Internet (using a separate Access Point), but I still want all hard-wired PCs to be protected by the router's firewall (and also protected from the wireless users). What's the best way to do this?

If I put the Access Point in the DMZ, would all the wireless users be able to go around the router's firewall and access the rest of the LAN? I only ask this because I don't want to block ANY ports for the wireless connections.

If the access point is behind the router's firewall with the rest of the LAN, will all the wireless connections basically "go around" the security and have easy access to the rest of the hard-wired LAN PCs?


Thanks in advance for any advice.

riser

Illustrious
If your cable/DSL connection comes into your router and your wireless AP connects into the router, it will be behind the firewall. The only security issue you'll have is the WEP on the AP/computers.

Basically you want your high speed connection to come into your router and then your AP to branch off the router. All the signals will come into the AP, then hit the router for internet access, which is protected by the router's firewall.

Quoting Total: "If the access point is behind the router's firewall with the rest of the LAN, will all the wireless connections basically "go around" the security and have easy access to the rest of the hard-wired LAN PCs?"

They won't go around any security. The only time the router's firewall comes into play is when you're sending a request outside the firewall, i.e. to the Internet. If you're accessing one of your computers, the router's firewall has nothing to do with it.

Riser

folken

Distinguished
Sep 15, 2002
Putting the AP in a DMZ "should" separate it from the local LAN. I'm not sure how well a little home router handles a DMZ; I haven't tried it on one yet. You would have to assign the wireless clients static IP addresses though, as there will be no DHCP server.
The best way to do it, though, would be VLANing it onto a completely different subnet. You would need something better than a home router to do that though :) A Linux machine would do it nicely for cheap.


Total

Distinguished
Aug 30, 2001
Thanks for the replies so far.

Hmmm... I would most definitely need DHCP. Let me explain more about what this was going to be used for. I have a friend who wants to install wireless in his pub. He wants anyone who brings in a laptop to freely go online: no keys, no setup, just DHCP and you're on. On the other hand, he has two computers in the office that share files, so security is a concern. Bundle all this together and add him not wanting to spend much of anything.

I was thinking that if he uses 2 home routers, each with a completely different network range, and puts the office PCs behind the second router, then they "should" be safe. Here is what I was thinking:


Modem
|
|
Router1-------(DMZ)-------WirelessAccessPoint
228 Network
|
|
Router2
192 Network
||
||
OfficePC's


My biggest question is how to connect the second router and the access point to the first router.

I would think that the wireless people would need most if not all ports open, because you simply don't know what applications they will use. On the other hand, you don't want to port forward all ports, because then the office PCs won't be able to do anything.

I guess simply plugging the second router into any of the normal ports (1-4, 1-8, etc.) and then connecting the access point to the DMZ, allowing it to just pass through, might be the best bet.

jihiggs

Splendid
Oct 11, 2001
I would get a second IP address from your ISP, hook a cheap hub to the Ethernet side of the broadband modem, and plug the WAN sides of two routers into the hub. They can both get their own IP addresses and would both be completely separate networks. A NAT behind another NAT network is an ugly way of doing something like that.


TheCh0s3n1

Distinguished
Feb 9, 2005
Hmm...

Why a hub instead of a router? I know you mentioned that using a NAT behind another NAT is kind of ugly, but wouldn't the hub kill the Internet connection?

Sorry, I'm still pretty new to networking. I come here to learn more and to share what I know...

riser

Illustrious
Hubs really aren't used anymore. They should just take them out of production; SOHO ones cost just as much as a switch.
But you are right, putting the hub in place would probably kill that network, since hubs broadcast while switches use MAC addresses to send information.

And why are we posting on 1-month-old posts? :)

mackintire

Distinguished
Dec 8, 2005
Ideally you would use a router that supports Private VLANs.

That would allow you to put the access point behind the router and not have anything blocked outgoing to the WAN. However, there would be no traffic between the LAN and the VLAN. So the access point users can use the Internet and any resource in the DMZ, but not access other users on the LAN. The LAN users could not access any wirelessly connected users either.
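The isolation folken (a cheap Linux box doing the routing) and mackintire (private VLANs: wireless gets the whole Internet, but no path in either direction between the wireless segment and the office LAN) describe comes down to a stateful forward policy with a default drop. The following is an added example, not code from any poster in this thread: a small Python model of that policy that also renders the equivalent nftables forward chain. The address ranges (192.168.1.0/24 for the office, 192.168.228.0/24 for guests, loosely matching Total's "192" and "228" labels), the interface names lan0/wifi0/wan0 and the test addresses are all assumptions constructed for the example.

```python
"""Zone-based forwarding filter for the pub set-up: open Wi-Fi guests get
unrestricted outbound Internet, while the office LAN stays unreachable from them.
Added example; addresses, zone names and interface names are assumptions."""
from ipaddress import ip_address, ip_network

# Constructed address plan (assumption): office PCs on 192.168.1.0/24,
# guests on 192.168.228.0/24, everything else treated as the Internet (WAN).
ZONES = {
    "lan": ip_network("192.168.1.0/24"),
    "wifi": ip_network("192.168.228.0/24"),
}
# Interface each zone hangs off (assumed names, as a Linux router would see them).
IFACES = {"lan": "lan0", "wifi": "wifi0", "wan": "wan0"}

# Source/destination zone pairs allowed to open NEW connections through the
# router. There is no (wifi, lan) and no (lan, wifi) entry: that is the isolation.
POLICY = frozenset({("lan", "wan"), ("wifi", "wan")})


def zone_of(addr: str) -> str:
    """Map an IP address to its zone; anything outside the two local ranges is WAN."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "wan"


class StatefulFilter:
    """Minimal model of a stateful FORWARD chain: default drop, reply traffic of an
    already accepted flow is let back through, new flows are checked against POLICY."""

    def __init__(self) -> None:
        self.flows: set[tuple] = set()

    def forward(self, src: str, sport: int, dst: str, dport: int, proto: str = "tcp") -> str:
        key = (proto, src, sport, dst, dport)
        reply = (proto, dst, dport, src, sport)
        if key in self.flows or reply in self.flows:
            return "accept"          # established: belongs to a flow we already let through
        if (zone_of(src), zone_of(dst)) in POLICY:
            self.flows.add(key)      # new flow permitted by policy; remember it for replies
            return "accept"
        return "drop"                # new flow between zones that must not talk


def render_nftables() -> str:
    """Render POLICY as the equivalent nftables forward chain (assumed interface names)."""
    lines = [
        "table inet guest_isolation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for src, dst in sorted(POLICY):
        lines.append(f'    iifname "{IFACES[src]}" oifname "{IFACES[dst]}" accept')
    lines += ["  }", "}"]
    return "\n".join(lines)


def demo() -> dict:
    """Run the flows the thread worries about through the model and collect the verdicts."""
    fw = StatefulFilter()
    guest, office = "192.168.228.50", "192.168.1.10"       # constructed hosts
    web, outside = "203.0.113.10", "198.51.100.7"          # constructed Internet hosts
    return {
        "guest_to_internet": fw.forward(guest, 40000, web, 443),
        "internet_reply_to_guest": fw.forward(web, 443, guest, 40000),
        "guest_to_office_fileshare": fw.forward(guest, 40001, office, 445),
        "office_to_internet": fw.forward(office, 50000, web, 80),
        "office_to_guest": fw.forward(office, 50001, guest, 22),
        "unsolicited_internet_to_office": fw.forward(outside, 1234, office, 445),
    }


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:32} {verdict}")
    print(render_nftables())
```

The point of the model is that "all ports open for the wireless users" and "office PCs unreachable from the wireless users" are not in conflict: the guest zone may open any outbound connection to the WAN, replies come back through the established-state rule, and the absence of a wifi-to-lan entry means a guest's attempt to reach the office file share is dropped as a new flow. DHCP for the guests is traffic to the router itself (an input chain concern), not forwarded traffic, so it is unaffected by this forward policy.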