Guest Wifi & Network Security - PLEASE HELP!!

jdatkin

Nov 25, 2012
Hi all, I'm really hoping I can get some help with this.

I want to create a free wifi hotspot for customers in our waiting room/reception, but I don't want them to have access to the main network, i.e. the business computers and files; I just want them to have access to the internet.

The setup so far:
We have a nice new BT Infinity connection for internet, using the BT Business Hub3 router.
The router is connected to a gigabit ethernet switch which then feeds:
Accounts PC - Running XP
Reception PC - Running Windows 7
Service PC - Running Windows 7
Network Printer
Apple Airport Express in reception (latest version) (intended for customer wifi)

I have initially set up the Apple Airport Express for customers, but found that it allows people access to the files of the Accounts PC.
The Accounts PC has file sharing enabled so that accounts can be accessed by the reception PC, so disabling file sharing is not an option.

The Apple Airport Express will not allow me to create a guest network unless I turn on its DHCP/NAT function, but this conflicts with the primary BT Business Hub3 and we lose internet?

The BT Business Hub3 does not allow additional wifi networks to be created either, so that's not an option?

I am thinking along the lines of having the 3 computers on a network which can't be accessed by other devices / laptops which may be using the wifi when visiting.

I looked at using the HomeGroup function, but of course the problem is that the Accounts PC, which is currently accessible, is on Windows XP and doesn't support HomeGroup?

So, it leaves me with some questions:
If I upgrade the Accounts PC to Windows 7 and use the HomeGroup function between the PCs, will that prevent people who are using the wifi from gaining access?

If there are any additional ways around which are nice and simple, I would be very grateful.

Any suggestions are welcome!!

Many thanks
 

jdatkin

Nov 25, 2012


Hi Allennnn,
many thanks for your message.

I'm sure it might hold promise if I understood it a bit more!! LOL

Could you explain it in more detail for me? Think simple!!!

Many thanks

Jonathon
 

allennnn

Nov 25, 2012
If you have 2 devices with DHCP sending out the same addresses, they both get confused and fail, but under the LAN or DHCP settings you can change on 1 device the start and end range of the local IP (start>192.168.0.1, end>192.168.0.200) to different addresses and they get along fine without conflicting (start>192.168.1.1 and end>192.168.1.200). Remember to save, and after the reboot the IP to log on to the router will be different.
 

allennnn

Nov 25, 2012
To alter the LAN settings of the BT Home Hub 3

Go to http://bthomehub.home
Click on Settings.
Log in with your username and password.
Click on Advanced Settings
Click on Continue to advanced settings
Click on Home Network
Click on IP Addresses
Click on the Enabled No option under DHCP Server
Select the range required or Configure manually
Make the required changes to the DHCP settings
Under Hub IP Gateway Address you can amend the IP address/subnet mask that you want the BT Home Hub to use
Once you have successfully added an IP address/subnet mask to the hub and you have also made the required changes to the DHCP scope click the Apply button

http://btybb.custhelp.com/app/answers/detail/a_id/9011/~/how-do-i-change-the-dhcp-settings-of-the-bt-home-hub%3F
 

jdatkin

Nov 25, 2012
Hi Allennnn,
Many thanks for the advice.

I decided I would try to alter the IP range on the Apple Airport Express instead of the BT Business Hub3, hopefully so that if anything went wrong it would only affect the guest network and leave the main business network unaffected.

I could only make it work by turning on NAT & DHCP.
The IP range wouldn't let me alter it how you described at first.
It made me assign it a static IP from the BT Hub first, and then the range that the Airport Express would let me specify was limited.

It rebooted but then said it had no DNS servers, so I just copied in the DNS server details from the BT Hub and tried again.
This appeared to work.

The Apple Express gives a warning that there is now a double NAT which may cause connection problems, but I have tested connectivity and it appears to be working.
Both networks have access to the internet, and don't allow crossover traffic, which is basically what I wanted.
Does this sound about right!!

Many thanks in advance

Jonathon
 

choucove

May 13, 2011
Having your customers access the same network that your other business devices are on is not good, and even having separate IP address ranges in the DHCP is not what you need to actually separate the network traffic.

You need to have two separate routers in this environment. One router will be the default gateway for your private business computers, the other router will offer your public open wireless access for customers. Each router then connects back to a third primary router which goes out to the internet. Use the SAME network range and subnet mask on both wireless routers to prevent them from gaining access to the other network, or invest in a firewall which will give you actual access control list settings to allow/deny network traffic between two networks.


ROUTER 1 - Primary To Internet (Your BT Business Hub3)
---------------------------------------
IP Address: 192.168.3.254
Interface 1: To Router 2 - Private Network WAN
Interface 2: To Router 3 - Public Network WAN
WAN: Out to the internet

ROUTER 2 - Private Network
-----------------------------------
IP Address: 192.168.1.254
Default Gateway: 192.168.3.254
DHCP Pool: 192.168.1.1 - 100
WAN: To Router 1 - Primary to Internet

ROUTER 3 - Public Network
----------------------------------
IP Address: 192.168.2.254
Default Gateway: 192.168.3.254
DHCP Pool: 192.168.2.1 - 100
WAN: To Router 1 - Primary to Internet


You can also accomplish this by installing a router with DD-WRT though I have not personally done this yet. DD-WRT should allow you to configure individual ports on a wireless router to be individual networks instead of all within the same network range. Your business computers will be connected to a switch which is connected back to one port on the router, and your wireless router for your public customer access will connect to a separate port on the DD-WRT router.
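
An added example, not part of the post above or of any vendor's tooling: a small Python model of the two layouts discussed in this thread (a guest router plugged into the business LAN, and the three-router table), reporting which side can open connections to the other. It assumes plain NAT routers with no port forwards, ACLs or AP isolation, /24 subnet masks, and constructed host addresses; the names `Router`, `attached_router` and `can_initiate` are illustrative.

```python
import ipaddress

class Router:
    """NAT router: serves `lan`, sends outbound traffic to `uplink`."""
    def __init__(self, name, lan, uplink=None):
        self.name = name
        self.lan = ipaddress.ip_network(lan)
        self.uplink = uplink  # None: WAN port faces the internet

def attached_router(routers, host):
    """Return the router whose LAN subnet contains the host address."""
    addr = ipaddress.ip_address(host)
    matches = [r for r in routers if addr in r.lan]
    if len(matches) != 1:
        raise ValueError(f"{host} is on {len(matches)} LANs, expected 1")
    return matches[0]

def can_initiate(routers, src, dst):
    """True if src can open a new connection to dst.

    Assumption: each router NATs outbound traffic and drops unsolicited
    inbound traffic (no port forwards, no ACLs, no AP isolation).
    """
    target = attached_router(routers, dst)
    hop = attached_router(routers, src)
    while hop is not None:      # walk from src towards the internet
        if hop is target:       # dst sits on this LAN or an upstream LAN
            return True
        hop = hop.uplink
    return False                # dst is behind another router's NAT

# Layout A: guest router plugged into the business LAN (constructed addresses).
hub = Router("hub", "192.168.1.0/24")
guest_ap = Router("guest-ap", "10.0.1.0/24", uplink=hub)
DOUBLE_NAT = [hub, guest_ap]

# Layout B: the three-router table above, assuming /24 masks.
primary = Router("router1", "192.168.3.0/24")
private = Router("router2", "192.168.1.0/24", uplink=primary)
public = Router("router3", "192.168.2.0/24", uplink=primary)
THREE_ROUTER = [primary, private, public]

if __name__ == "__main__":
    for label, net, src, dst in [
        ("A guest -> business", DOUBLE_NAT, "10.0.1.20", "192.168.1.10"),
        ("A business -> guest", DOUBLE_NAT, "192.168.1.10", "10.0.1.20"),
        ("B guest -> business", THREE_ROUTER, "192.168.2.20", "192.168.1.10"),
    ]:
        print(label, can_initiate(net, src, dst))
```

Under these assumptions, layout A blocks connections started from the business side but not those started from the guest side, so isolation is best verified from a device on the guest wifi.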
 

natedawg4ever

Sep 15, 2014
...or you could use one router with VLAN functions. DDWRT does this but is not a very permanent solution. The hardware DDWRT is made for is not typically very solid hardware, usually consumer grade products, not commercial. If you want to save money go with the Zywall USG50 by Zyxel. Each port can be configured as a separate VLAN or multiple ports can be assigned to a single VLAN. Once VLANs are created you can connect a WAP with AP isolation to the assigned guest VLAN and a switch to the internal private company VLAN for security. The USG50 is only $230 on Amazon.com, making it cheaper than buying 3 separate routers.
 

amywright2010

Oct 14, 2014
Just use Fusion WiFi (www.fusionwifi.com). It'll get you a free, secured staff and public network completely independent from one another. It's also fully legally compliant, because all web traffic is filtered, tracked and attributed to an individual user.