2nd WAP with no access to 1st WAP

We have a small network with about 30 users in a mac environment. We have a
wireless router connected to our network. I was asked to setup a small wap
for our conferance room. It wont be open but we dont want anybody who uses
this wap to see any resources on our other wap. -only internet access. Is
this a complex setup? if not, please send recommendations

carlos

On Tue, 09 Dec 2008 10:24:35 -0800, John Navas
<(E-Mail Removed)> wrote:

>On Tue, 9 Dec 2008 11:22:12 -0600, "UseNet" <(E-Mail Removed)> wrote in
><8Px%k.9677$(E-Mail Removed)>:
>
>>We have a small network with about 30 users in a mac environment. We have a
>>wireless router connected to our network. I was asked to setup a small wap
>>for our conferance room. It wont be open but we dont want anybody who uses
>>this wap to see any resources on our other wap. -only internet access. Is
>>this a complex setup? if not, please send recommendations
>
>Most straightforward way to do this on the cheap:
>* Main wireless router with VLAN support
>* Attach the WAP to a specific port on the main wireless router
>* Establish a VLAN between the WAP port and the Internet

To hopefully clarify, in the line immediately above, I believe "the
WAP port" refers to the "specific port on the main wireless router" to
which the WAP is connected, and "the Internet" refers to the WAN port
on the main wireless router.


>If, like most low-end products, your existing wireless router doesn't
>have VLAN support, but can run DD-WRT, you can use DD-WRT to do this.
><http://www.dd-wrt.com/wiki/index.php/Supported_Devices>
>
>But the approach I recommend is to replace your main wireless router
>with a more capable wireless router designed to do this. While my
>personal favorite is SonicWALL (TZ150/TZ170), the less expensive NETGEAR
>WG302 can also do this.
>
>Hope that helps.

Hey thanks
Now they just have a Linksys Wrt54gs with wpa encryption
I'll try to talk them into spending some more $$


"John Navas" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Tue, 9 Dec 2008 11:22:12 -0600, "UseNet" <(E-Mail Removed)> wrote in
> <8Px%k.9677$(E-Mail Removed)>:
>
>>We have a small network with about 30 users in a mac environment. We have
>>a
>>wireless router connected to our network. I was asked to setup a small
>>wap
>>for our conferance room. It wont be open but we dont want anybody who
>>uses
>>this wap to see any resources on our other wap. -only internet access.
>>Is
>>this a complex setup? if not, please send recommendations
>
> Most straightforward way to do this on the cheap:
> * Main wireless router with VLAN support
> * Attach the WAP to a specific port on the main wireless router
> * Establish a VLAN between the WAP port and the Internet
>
> If, like most low-end products, your existing wireless router doesn't
> have VLAN support, but can run DD-WRT, you can use DD-WRT to do this.
> <http://www.dd-wrt.com/wiki/index.php/Supported_Devices>
>
> But the approach I recommend is to replace your main wireless router
> with a more capable wireless router designed to do this. While my
> personal favorite is SonicWALL (TZ150/TZ170), the less expensive NETGEAR
> WG302 can also do this.
>
> Hope that helps.
> --
> Best regards, FAQ for Wireless Internet: <http://wireless.navas.us>
> John Navas FAQ for Wi-Fi: <http://wireless.navas.us/wiki/Wi-Fi>
> Wi-Fi How To: <http://wireless.navas.us/wiki/Wi-Fi_HowTo>
> Fixes to Wi-Fi Problems: <http://wireless.navas.us/wiki/Wi-Fi_Fixes>

"UseNet" <(E-Mail Removed)> wrote in
news:wFA%k.7960$(E-Mail Removed):

> Hey thanks
> Now they just have a Linksys Wrt54gs with wpa encryption
> I'll try to talk them into spending some more $$

If they are going to decide to spend any money, here's another
solution.......

Mikrotik (mikrotik.com) offers many different 'RouterBoards', which comes
with their 'RouterOS'. The least expensive model, is the RB450, which is
a 5 port rtr/switch. You can buy it all over the web, bare board or in a
small nifty enclosure. For under $100 enclosed w/pwr supply, you get a
very effective routing device that is not too dis-similar to a Cisco or
Enterasys device.

I've just recently started using a few of these, and I'll tell you, it is
unbelievably powerful given the *very* low cost (relative to it's
capabilities).

(Essentially, they are SBC's that run an embedded version of Linux, and
Mikrotik has created a command-line management interface application that
gives you access and configurability to the advanced routing and
networking components of the Linux kernel. There's a GUI config tool as
well.)

The device would be connected between the LAN you want to use for the
internet connection, and the already existing WAP. One side of the rtr to
the existing LAN, the other to the existing AP. The existing LAN would
effectively become the gateway for internet traffic for the wireless
network.

The rtr is configured with one interface on the LAN to a LAN IP. Another
rtr interface going to the AP, and on a completely different subnet. The
rtr can also be default gateway'd to the LAN d g/w. The rtr would DCHP
for the AP network/subnet. DHCP would issue the rtr's AP network
interface for the clients d g/w.

Existing LAN <------------> RB450 <------------> WAP -----(clients)
[192.168.1.x] [.1.254 & .100.1] .100.2 .100.50 - .100.100
Def. g/w = .1.(d g/w)
DNS = .1.x DNS
DHCP to wireless --->
(Scope .100.50 - .100.100)
(DHCP'd g/w = .100.1)
(DHCP's DNS = .100.1)


The rtr would need to be configured with a few rules.....

Maybe just one, it would be set to only accept packets destined for the
LAN default gateway, which is the ultimate point of internet access. All
other packets would be dropped. This would isolate the LAN resources from
the WLAN.

The only other caveat would be that the device that is the ultimate point
of internet access be capable of adding static routes to it. This is
needed so return internet traffic destined for the WLAN will know where
to go when it gets back. I'm sure most Linksys cable/DSL rtr's have that
capability.

(And if not, the LAN side of the RB450 rtr can be configured to NAT the
WLAN anyway, so return traffic would always go to a LAN IP anyway, so no
route needed.)

Of course, this is the geeky way to do it, but very effective.



















>
>
> "John Navas" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> On Tue, 9 Dec 2008 11:22:12 -0600, "UseNet" <(E-Mail Removed)> wrote in
>> <8Px%k.9677$(E-Mail Removed)>:
>>
>>>We have a small network with about 30 users in a mac environment. We
>>>have a
>>>wireless router connected to our network. I was asked to setup a
>>>small wap
>>>for our conferance room. It wont be open but we dont want anybody
>>>who uses
>>>this wap to see any resources on our other wap. -only internet
>>>access. Is
>>>this a complex setup? if not, please send recommendations
>>
>> Most straightforward way to do this on the cheap:
>> * Main wireless router with VLAN support
>> * Attach the WAP to a specific port on the main wireless router
>> * Establish a VLAN between the WAP port and the Internet
>>
>> If, like most low-end products, your existing wireless router doesn't
>> have VLAN support, but can run DD-WRT, you can use DD-WRT to do this.
>> <http://www.dd-wrt.com/wiki/index.php/Supported_Devices>
>>
>> But the approach I recommend is to replace your main wireless router
>> with a more capable wireless router designed to do this. While my
>> personal favorite is SonicWALL (TZ150/TZ170), the less expensive
>> NETGEAR WG302 can also do this.
>>
>> Hope that helps.
>> --
>> Best regards, FAQ for Wireless Internet: <http://wireless.navas.us>
>> John Navas FAQ for Wi-Fi: <http://wireless.navas.us/wiki/Wi-Fi>
>> Wi-Fi How To: <http://wireless.navas.us/wiki/Wi-Fi_HowTo>
>> Fixes to Wi-Fi Problems: <http://wireless.navas.us/wiki/Wi-Fi_Fixes>

John Navas <(E-Mail Removed)> wrote in
news(E-Mail Removed):

> On Tue, 9 Dec 2008 22:25:21 +0000 (UTC), DanS
> <(E-Mail Removed)> wrote in
> <Xns9B6FB142C80E4thisnthatroadrunnern@85.214.105.2 09>:
>
>>"UseNet" <(E-Mail Removed)> wrote in
>>news:wFA%k.7960$(E-Mail Removed):
>>
>>> Hey thanks
>>> Now they just have a Linksys Wrt54gs with wpa encryption
>>> I'll try to talk them into spending some more $$
>>
>>If they are going to decide to spend any money, here's another
>>solution.......
>>...
>>Of course, this is the geeky way to do it, but very effective.
>
> If and only if you get it exactly right, and are prepared to keep it
> current indefinitely, which is why I recommend using a finished and
> supported product over any roll-your-own solution.

What is that supposed to mean ? A finished and supported product ? Keep it
current indefinitely ?

What are you trying to say ?

John Navas <(E-Mail Removed)> wrote in
news:(E-Mail Removed):


>>> If and only if you get it exactly right, and are prepared to keep it
>>> current indefinitely, which is why I recommend using a finished and
>>> supported product over any roll-your-own solution.
>>
>>What is that supposed to mean ? A finished and supported product ?
>>Keep it current indefinitely ?
>>
>>What are you trying to say ?
>
> What I'm saying is that it's hard to get it right even with real
> expertise, much less no real expertise, and hard to keep it updated to
> deal with new threats. Thus roll-your-own is not a good option for
> most people, who are much better served by products "finished and
> supported" by experts.
>
> Trying to go cheaper is simply false economy. You have to consider
> the total cost of ownership, including the cost of making a mistake
> and being compromised. Jeff's suggestion of the basic My Essential
> ME-1004R is only $30-40. My suggestion of the more capable and
> powerful NETGEAR WG302 is about $150, which is still affordable for
> even a small business of value.

So what are you trying to say ? That Mikrotik products are unsupported ?
And a roll-your-own solution ? Far from it. Taking a typical consumer rtr
and flashing DD-WRT on it is totally an unsupported roll-your-own
solution. RouterOS is far more capable than any standard commodity
cable/DSL rtr.

I guess the people here are right.

John Navas <(E-Mail Removed)> wrote in
news:(E-Mail Removed):

> On Thu, 11 Dec 2008 12:43:37 +0000 (UTC), DanS
> <(E-Mail Removed)> wrote in
> <Xns9B714EA44FE33thisnthatroadrunnern@85.214.105.2 09>:
>
>>John Navas <(E-Mail Removed)> wrote in
>>news:(E-Mail Removed) m:
>>
>>
>>>>> If and only if you get it exactly right, and are prepared to keep
it
>>>>> current indefinitely, which is why I recommend using a finished and
>>>>> supported product over any roll-your-own solution.
>>>>
>>>>What is that supposed to mean ? A finished and supported product ?
>>>>Keep it current indefinitely ?
>>>>
>>>>What are you trying to say ?
>>>
>>> What I'm saying is that it's hard to get it right even with real
>>> expertise, much less no real expertise, and hard to keep it updated
to
>>> deal with new threats. Thus roll-your-own is not a good option for
>>> most people, who are much better served by products "finished and
>>> supported" by experts.
>>>
>>> Trying to go cheaper is simply false economy. You have to consider
>>> the total cost of ownership, including the cost of making a mistake
>>> and being compromised. Jeff's suggestion of the basic My Essential
>>> ME-1004R is only $30-40. My suggestion of the more capable and
>>> powerful NETGEAR WG302 is about $150, which is still affordable for
>>> even a small business of value.
>>
>>So what are you trying to say ?
>
> Just what I actually wrote.
>
>>That Mikrotik products are unsupported ?
>>And a roll-your-own solution ?
>
> Configuring a router with "a few rules" is roll-your-own

No, it's not a roll-your-own solution. It's a COTS product. Plug in and
configure and use. No 'roll-your-own' involved. I said you *could* buy it
w/o an enclosure....if that was desired.

("the geeky way
> to do it" in your words), and MicroTik is a Latvian company with no
> presence in the USA.

So only US companies can have good products ? If what you mean by no
presence is that they don't have headquarters here, yeah, so. If you
meant that noone uses those products in the US, you are sadly mistaken.

>>Far from it. Taking a typical consumer rtr
>>and flashing DD-WRT on it is totally an unsupported roll-your-own
>>solution. RouterOS is far more capable than any standard commodity
>>cable/DSL rtr.
>
> That may be, but it's not a simple and straightforward solution that's
> suitable for the average user or small business. I wouldn't recommend
> that route (pun intended) without hiring a local expert like Jeff to
> approve, assemble, configure and support it.

Actually, it IS a simple solution. And yes, it is straight forward. You
have to configure the exact same things as if you were using a commodity
rtr, except for adding 1 rule. An, it's obvious that if a company has 30
users, there has to be someone taking care of the network, whether it be
an internal geek worker, or some company/consultant they hire.

>
>>I guess the people here are right.
>
> About what? That fly by the seat of your ass is a good idea?

No...that you are an ass.

> That it works for knowledgeable folks like you is cool, but doesn't
> necessarily mean it's a good idea for average folks.

I didn't say it was good for everyone, but an option that would work with
the stated requirement. Nothing more, nothing less.

John Navas <(E-Mail Removed)> wrote in
news:(E-Mail Removed):

> On Thu, 11 Dec 2008 18:16:53 +0000 (UTC), DanS
> <(E-Mail Removed)> wrote in
> <Xns9B718725AED6Bthisnthatroadrunnern@85.214.105.2 09>:
>
>>No...that you are an ass.
>
> Stopping to ad hominem is a sure sign of nothing persuasive to say.
> Game over. Thanks for conceding the point.

So you are *once again* wrong, as the 'persuasive' points I did make were
snipped by you.

I only ended with calling you an ass.

John Navas <(E-Mail Removed)> wrote in
news:(E-Mail Removed):

> On Thu, 11 Dec 2008 19:25:09 +0000 (UTC), DanS
> <(E-Mail Removed)> wrote in
> <Xns9B7192B85E5DEthisnthatroadrunnern@85.214.105.2 09>:
>
>>John Navas <(E-Mail Removed)> wrote in
>>news:(E-Mail Removed) m:
>>
>>> On Thu, 11 Dec 2008 18:16:53 +0000 (UTC), DanS
>>> <(E-Mail Removed)> wrote in
>>> <Xns9B718725AED6Bthisnthatroadrunnern@85.214.105.2 09>:
>>>
>>>>No...that you are an ass.
>>>
>>> Stopping to ad hominem is a sure sign of nothing persuasive to say.
>>> Game over. Thanks for conceding the point.
>>
>>So you are *once again* wrong, as the 'persuasive' points I did make
>>were snipped by you.
>
> Your straw man arguments were off point, failing to address my points.

No, they weren't off point. They addressed your points exactly.

Do I need to show them to you....(the > lines are your comments with my
replies below.
-----------------------------------------------------------
> Configuring a router with "a few rules" is roll-your-own

No, it's not a roll-your-own solution. It's a COTS product. Plug in and
configure and use. No 'roll-your-own' involved. I said you *could* buy it
w/o an enclosure....if that was desired.

> to do it" in your words), and MicroTik is a Latvian company with no
> presence in the USA.

So only US companies can have good products ? If what you mean by no
presence is that they don't have headquarters here, yeah, so. If you
meant that noone uses those products in the US, you are sadly mistaken.

> That may be, but it's not a simple and straightforward solution that's
> suitable for the average user or small business. I wouldn't recommend
> that route (pun intended) without hiring a local expert like Jeff to
> approve, assemble, configure and support it.

Actually, it IS a simple solution. And yes, it is straight forward. You
have to configure the exact same things as if you were using a commodity
rtr, except for adding 1 rule. An, it's obvious that if a company has 30
users, there has to be someone taking care of the network, whether it be
an internal geek worker, or some company/consultant they hire.

> About what? That fly by the seat of your ass is a good idea?

No...that you are an ass.
------------------------------------------------------------------

> You had nothing persuasive to say, so you stooped to ad hominem, thus
> conceding the discussion.

There you go.....black and white.....your comments and my points un-
snipped.....

What, do you think I'd forget what I said or that you can't go back and
look at the earlier posts.....YOU are the one failing to address MY
points, as seen by YOUR creative snipping.

I stand by my assessment. You ARE an ass.

John Navas <(E-Mail Removed)> wrote in
news:(E-Mail Removed):

> On Tue, 09 Dec 2008 12:52:30 -0600, Char Jackson <(E-Mail Removed)>
> wrote in <(E-Mail Removed)>:
>
>>On Tue, 09 Dec 2008 10:24:35 -0800, John Navas
>><(E-Mail Removed)> wrote:
>
>>>Most straightforward way to do this on the cheap:
>>>* Main wireless router with VLAN support
>>>* Attach the WAP to a specific port on the main wireless router
>>>* Establish a VLAN between the WAP port and the Internet
>>
>>To hopefully clarify, in the line immediately above, I believe "the
>>WAP port" refers to the "specific port on the main wireless router" to
>>which the WAP is connected, and "the Internet" refers to the WAN port
>>on the main wireless router.
>
> The blind trying to lead the blind -- I love it!

(No manners here.)