Advice required for secure LAN/ unsecure WLAN

I have a requirement for a router that can configured to separate the LAN
from WLAN.

I need to be able to have an unencrypted WLAN to WAN/INTERNET network
available to users of the coffee shop, but configured in such a way that
they are unable to access the internal LAN that runs the epos systems.

One computer on the LAN also needs access to the WAN/INTERNET.

I believe that a sonicwall TZ170 wireless may do the job, but are there any
alternative products?

Jason Russell

"Jason Russell" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>I have a requirement for a router that can configured to separate the LAN
>from WLAN.
>
> I need to be able to have an unencrypted WLAN to WAN/INTERNET network
> available to users of the coffee shop, but configured in such a way that
> they are unable to access the internal LAN that runs the epos systems.
>
> One computer on the LAN also needs access to the WAN/INTERNET.
>
> I believe that a sonicwall TZ170 wireless may do the job, but are there
> any alternative products?
>

Yeah, it's called get a second router that would use the gateway router to
the Internet so that machines connected to it can access the Internet. The
second router will segregate the two networks, with the machine behind the
second router protected from the machines on the unprotected wireless LAN.
You should make sure that the second router is an all wire solution.

Duane

"Duane Arnold" <Yeah-Don't-bother-@that's-right.BET> hath wroth:

>"Jason Russell" <(E-Mail Removed)> wrote in message
>news:(E-Mail Removed).. .
>>I have a requirement for a router that can configured to separate the LAN
>>from WLAN.
>>
>> I need to be able to have an unencrypted WLAN to WAN/INTERNET network
>> available to users of the coffee shop, but configured in such a way that
>> they are unable to access the internal LAN that runs the epos systems.
>>
>> One computer on the LAN also needs access to the WAN/INTERNET.
>>
>> I believe that a sonicwall TZ170 wireless may do the job, but are there
>> any alternative products?
>>
>
>Yeah, it's called get a second router that would use the gateway router to
>the Internet so that machines connected to it can access the Internet. The
>second router will segregate the two networks, with the machine behind the
>second router protected from the machines on the unprotected wireless LAN.
>You should make sure that the second router is an all wire solution.
>Duane

Agreed. Some comments.

1. The TZ170 comes in various versions and user counts. 10 users is
currently barely adequate for a coffee shop. The problem is that the
ever prevalent game boxes, WiFi phones, and PDA's are raising the user
count without actually generating any traffic. They connect,
associate, and sometimes login, and then do nothing. I've seen the
DHCP table contain 50 entries with only one laptop in the coffee shop.
It's all from "drive by" WiFi users.

2. If the ISP offers a 2nd IP address, it's easy. One modem, two
routers, and two totally independent networks. This is what I do at 2
coffee shops. The problem is that it gets expensive. For example,
PBI/SBC/AT&T DSL is normally about $39/month for a single IP dynamic
IP account, $59/month for 5 static IP's, and nothing in between.
Because it's a business, AT&T DSL will not apply residential discounts
and promotions. With a $20/month differential, it doesn't take many
months before the TZ170 becomes economical.

3. If only one IP is available, such as with cable modem service,
then some ingenuity is required. Double NAT will work with some
complications. For example:
| http://www.publicip.net/zonecd/how.php
I covered the IP address layout in the following thread:
| http://groups.google.com/group/alt.i...1d98548089c0dc

4. It is also possible to build a multiple ethernet port Linux based
server that can separate connected LAN's using routing between ports.
I don't wanna go into this option right now (because I don't want to
do the necessary reading and Goggling).


--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

"Jason Russell" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>I have a requirement for a router that can configured to separate the LAN
>from WLAN.
>
> I need to be able to have an unencrypted WLAN to WAN/INTERNET network
> available to users of the coffee shop, but configured in such a way that
> they are unable to access the internal LAN that runs the epos systems.
>
> One computer on the LAN also needs access to the WAN/INTERNET.
>
> I believe that a sonicwall TZ170 wireless may do the job, but are there
> any alternative products?
>
> Jason Russell


By far the easiest way to do this if you already have a LAN in place with a
router and internet connection would be to purchase a cheaper router/AP in
one and simply plug the WAN port of the new AP/router into a lan port of the
exsiting LAN switch.
Even if you don't have any equipment currently this would still work fine...
you could have a wired or wireless AP/router with security enabled
controlling your internet connection and POS LAN then purchanse another
router/wireless AP configured as above with no security enabled.

With the above setup clients could connect to your open access point and
have internet access but would be unable to browse your local LAN because
there is no way to get local traffic on the unsecure AP across the WAN port
to the other switch.

Adair