Need help setting up a wireless network for my library

[capofirstfret]

I work at a small public library and we're trying to setup wireless internet for our patrons. I've been studying VLANs, trunking, etc and going through the Mike Meyers book trying to study and learn enough to prepare for the Network+ cert, but for all that knowledge, my hands on experience is at a minimum so I'm seeking help before I screw this up. I feel dumb having to ask these questions, but I'd rather make sure I do it right and learn something along the way than have to take out stock in excedrin.

We are using a Cisco 1841router, a Linksys SRW224G4 switch, and we just purchased on recommendation the Cisco WRVS4400N Wireless N VPN Router.

Could someone give me the best configuration to provide wireless to our patrons in a way that avoids their possibly accessing anything else on our network? I've been told separating into separate VLANs is my best option, and while I know I can work through it to make it work, I want to make sure I've got the physical connection down so that I can focus on the software/routing side of things. Any advice and help would be most appreciated.

 

[Emerald]

the easiest way with the devices you listed connect the wireless router's WAN port to one of the four LAN ports of the main router.

configure the LAN port as a DMZ and enable network separation on the wireless router (prevents wireless devices from seeing eachother).

make sure the wireless router uses a different IP scheme then your main network or the VLAN if you create one.

by using the WAN port on the wireless router you create a separation between the networks and on top of that placing the wireless router into the DMZ will give it additional security. Setting up a VLAN for the LAN port in the main router will add another layer of security.

 

[capofirstfret]

Thanks for the reply! I'll be implementing this tomorrow so I'll let you know how it goes. Been studying for a while but like I said, this will be my first hands on networking project besides very simple home network file sharing.

 

[eibgrad]

Wait a second, there's serious problems w/ this proposed configuration (or else I’m misunderstanding the proposal).

I'm assuming the Cisco 1841 router is the library's primary router, the switch is patched to the primary router LAN to LAN, and that the proposal is to patch the Cisco WRVS4400N Wireless N VPN Router to the switch in support of the patrons.

[cisco 1841](lan)<-- wire -->(lan)[switch](lan)<-- wire -->(wan)[cisco wrvs4400n]

If not, correct me. If so, then it’s a big mistake.

Simply patching the WAN of the wireless router to the primary router (or switch) does NOTHING to protect the network of the primary router. All clients of the wireless router now have access to the upstream network of the primary router! If anything, the patrons are protected from the library’s network thanks to the wireless router’s firewall.

I suppose if the switch is configured w/ VLANs, it’s possible to prevent this. But it’s still tricky since you’d need to have three VLANs; one for the library, one for the patrons, and a third to route both independently to the Internet. So it can be done, but a bit tricky to implement, esp. if you’re new to VLANs and routing commands.

What would work better (and frankly be easier to implement) is to make the wireless router the primary (public) router, then place the library’s router behind it.

[cisco wrvs4400n](lan)<-- wire -->(wan)[cisco 1841] ](lan)<-- wire -->(lan)[switch]

Now the *library* is protected from patrons by the WAN’s firewall, yet the library can still see the patrons who are upstream.

And I would also enable AP Isolation on the wireless router to prevent patrons from accessing each other (does nothing to prevent wireless users from seeing/accessing any wired resources on that same router though).

The DMZ of either router is irrelevant since that only allows remote access through the firewall for remote users. And I just don’t see where anything involving remote access comes into play in this scenario. At least not based on the limited information provided so far.

As always when using multiple routers, each needs to use different networks (e.g., 192.168.1.x and 10.0.0.x).

But even using two routers is not without some risk. Because the WAN of the library’s router and patrons share the same network, there remains the possibility (if only remotely) of an ARP poisoning attack. IOW, someone could monitor ARP traffic of the patron network, determine the MAC address of the library router’s WAN, then spoof their own MAC address w/ that of the WAN, and create a MITM (Man In The Middle) attack. So everything that travels to and from the WAN of the library’s router also passes to and from the attacker! The attacker just sits there, monitoring traffic looking for things of interest, with no one the wiser. A very clever and almost impossible attack to detect while it’s happening.

Granted, we talking about what’s possible here, not necessarily what’s likely, but it illustrates how easily you can make a mistake and really mess up if you don’t know what to look for!

The best solution (at least if you’re only using hardware, not VLANs) is using three (3) routers in a Y configuration.

[patron router](lan)<-- wire -->(wan)[primary router](wan)<-- wire -->(lan)[library router]

Now ARP poisoning is not possible because the patrons and the library never share the same network, EVER. And now you could use the DMZ of the primary router and direct it to the library router’s WAN IP to permit remote access for library staff. Meanwhile, patrons have no remote access at all (which probably makes sense).