Networking Forums

Isolating a wireless subnet?

 
 
Janey
      03-21-2008, 07:13 AM
We're replacing an Apple "snow" AirPort (802.11b) with an AirPort Extreme
(802.11n) and would like to provide Internet access for clients in the
waiting room. Obviously we don't want them to have access to our computers or
servers.

By what mechanism can a wireless subnet be created such that the users have
Internet access yet cannot (easily) have access to the rest of the private
net that shares the DSL modem that supplies 'net access to the LAN as a
whole?

Is a router required at the junction of the DSL modem and the 2 AirPort WAPs
that controls access between the 2 branches?

Other means?

Thanks,
Janie

 
glen herrmannsfeldt
      03-21-2008, 08:43 AM
(comp.protocols.tcp-ip added)

Janey wrote:
(snip)

> By what mechanism can a wireless subnet be created such that the users have
> Internet access yet cannot (easily) have access to the rest of the private
> net that shares the DSL modem that supplies 'net access to the LAN as a
> whole?


I presume you now have one NAT router between you and the DSL
connection. To do what you ask requires three NAT routers
(and three distinct subnets).

In many cases wireless access points are combined with NAT routers
which would minimize the number of boxes. Does the Airport Extreme
include NAT? (I thought Airport Extreme was 802.11G not N.)

Unless your DSL supplies more than one IP address you want one NAT
router connected to the DSL modem to allow more than one IP address
to connect to the Internet. Next, you want a NAT router for your
use and a NAT router for other users each connected to the first
NAT router. The first one should not have wireless access
(or should have it turned off). The second and third could
be either NAT routers with wireless access or NAT routers
connected to wireless access points.

-- glen

 
DLR
      03-21-2008, 10:11 AM
Janey wrote:
> We're replacing an Apple "snow" AirPort (802.11b) with an AirPort Extreme
> (802.11n) and would like to provide Internet access for clients in the
> waiting room. Obviously we don't want them to have access to our computers or
> servers.
>
> By what mechanism can a wireless subnet be created such that the users have
> Internet access yet cannot (easily) have access to the rest of the private
> net that shares the DSL modem that supplies 'net access to the LAN as a
> whole?
>
> Is a router required at the junction of the DSL modem and the 2 AirPort WAPs
> that controls access between the 2 branches?


Since you're asking here I'll assume your knowledge is a bit limited.

As to the two branches I'll assume you mean the waiting room and office sections of your network.

First you can do it with 3 routers but also two if you do it right.

DSL
Modem ---- Router1 **** wireless to waiting room
             |
             +-----Router2 (off LAN port of router1)
                      + *********** wireless to office
                      |
                      +------------ wired to office (off LAN port of router2)


With this setup your waiting room can see the Internet as a whole but can't drill down into your office, as long as you don't have router2 set to forward anything from the outside to any particular LAN.

To keep things simple Apple somewhat limits your choices as to NAT addresses so I'd pick something like the 192.168.x.x range for the office and 10.0.0.x range for the waiting room. This is set in router2 and router1 respectively.

As to which router you use where, I guess I'd put the newer one as router 2 as it will have somewhat better security options. You should lock down the admin of both routers with very, very good passwords. You should also lock down the wireless to the office with a very secure password and no Post-its allowed. Or turn it off. And keep access to the routers and any wired Ethernet ports restricted. Physically.

And you mentioned "waiting room": I'd find a local Mac wiz (there should be a user group in the area) or network wiz who will not get indignant at the Apple routers and pay them $200 for an hour or so of time to make sure you do it right. Doing it wrong in a doctor's office can be a very bad idea.

David

 
Gavrilo Prinzip
      03-21-2008, 10:31 AM
In article <d04f1$47e397ec$d1aa8d95$(E-Mail Removed)>,
DLR <(E-Mail Removed)> wrote:

> And you mentioned "waiting room" I'd find a local mac wiz (there should be a
> user group in the area) or network wiz who will not get indignant at the
> Apple routers and pay them $200 for an hour or so of time to make sure you do
> it right. Doing it wrong in a doctors office can be a very bad idea.


I'd point out also that you don't absolutely need Apple products. We
have a setup something like this for our Inn using two non-Apple
routers; our only computers are Macs, and this setup works equally well
in connecting visiting Macs _and_ PCs.

I use Airport Extreme in the Mac Pro now and then to test the wireless
connections.
--
Gav P
 
DLR
      03-21-2008, 11:56 AM
Gavrilo Prinzip wrote:
> In article <d04f1$47e397ec$d1aa8d95$(E-Mail Removed)>,
> DLR <(E-Mail Removed)> wrote:
>
>> And you mentioned "waiting room" I'd find a local mac wiz (there should be a
>> user group in the area) or network wiz who will not get indignant at the
>> Apple routers and pay them $200 for an hour or so of time to make sure you do
>> it right. Doing it wrong in a doctors office can be a very bad idea.

>
> I'd point out also that you don't absolutely need Apple products. We
> have a setup something like this for our Inn using two non-Apple
> routers; our only computers are Macs, and this setup works equally well
> in connecting visiting Macs _and_ PCs.


Agreed. But the OP implied they had already bought or planned to buy a 2nd Apple router. And if all you've ever seen is a Linksys configuration web page, well things are a bit different. My point was to not get "your brother's friend who's owned a mac for 2 months" to come do it.

David
 
stephen
      03-21-2008, 02:13 PM
"Janey" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) obal.net...
> We're replacing an Apple "snow" AirPort (802.11b) with an AirPort Extreme
> (802.11n) and would like to provide Internet access for clients in the
> waiting room. Obviously we don't want them to have access to our computers or
> servers.
>
> By what mechanism can a wireless subnet be created such that the users have
> Internet access yet cannot (easily) have access to the rest of the private
> net that shares the DSL modem that supplies 'net access to the LAN as a
> whole?


1 way to do it is to build 2 separate networks.

internet - wlan router (with external users) - wlan router (internal users).

main drawback is the external users could clog up your Internet feed.
>
> Is a router required at the junction of the DSL modem and the 2 AirPort WAPs
> that controls access between the 2 branches?


or you find a wireless router that can handle multiple SSIDs and keep the
traffic flows in separate VLANs. You then use different SSIDs for users &
visitors, then priority, different networks and rate limiting to control who
goes where and access.

some of the Cisco stuff can do this, so something like an 1800 series router
with embedded WLAN would work.
www.cisco.com/go/1800 - exactly which model depends on DSL flavour, or cable
etc.

programming these things can be complicated, so you may want to get some
help.

but - not consumer gear, and not consumer prices. 1801s we use at work
(without wireless) list @ $1000.
>
> Other means?
>
> Thanks,
> Janie
>

--
Regards

(E-Mail Removed) - replace xyz with ntl


 
Jeff Liebermann
      03-21-2008, 10:32 PM
On Fri, 21 Mar 2008 08:13:24 GMT, Janey <(E-Mail Removed)> wrote:

>We're replacing an Apple "snow" AirPort (802.11b) with an AirPort Extreme
>(802.11n) and would like to provide Internet access for clients in the
>waiting room. Obviously we don't want them to have access to our computers or
>servers.


The easiest way to do this is to check if your ISP offers a 2nd IP
address. If so, connect *TWO* routers to your cable or DSL modem
through a cheapo ethernet switch. Each IP address will have its own
routeable IP address, its own router, and no way are any packets going
to cross over from one router to the other.

Another way is to buy a router that offers dual SSID, dual WPA keys,
or security "zones". Search Google for "dual SSID". Most (not all) of
these have independent routing for each SSID. Most routers that are
designed to run a public hot spot (i.e. DD-WRT FON router) have this
feature.
<http://www.dd-wrt.com/wiki/index.php/FON_Hotspot#Wireless_.3E_Wireless_Security>

I only know one router that has two WPA keys. MyEssentials ME-1004R.
<http://www.myessentialssupport.com/product/?pid=ME1004-R>
This is a cheap ($40) router owned by Belkin that has this useful
feature. If the client uses one settable WPA key, they get the
internet and the local LAN. If they use the settable "guest" key,
they get only the internet. The catch is that the clients MUST use a
WPA key, which is generally a good idea anyway.

Incidentally, make sure your wireless router has "client isolation" or
"AP isolation" as Linksys misnamed it. It prevents the clients from
seeing and attacking each other.

Sonicwall uses security zones:
<http://www.sonicwall.com/downloads/SOS2e_Enhanced_Security_Zones_Explained.pdf>
for isolation.

Another way is to use two routers in series. The network connected to
the LAN side of the 2nd router is the "inside" protected network. The
2nd router keeps anyone from the LAN side of the 1st router (or
"public" side) out of the "inside" network. The IP layout is something
like this:
Router 1                        Router 2
WAN= ISP assigned               WAN= 192.168.1.2
WAN Netmask= ISP assigned       WAN Netmask= 255.255.255.252
Gateway= ISP assigned           Gateway= 192.168.1.1
LAN IP= 192.168.1.1             LAN IP= 192.168.2.1
LAN Netmask= 255.255.255.0      LAN Netmask= 255.255.255.0

Users on the LAN side of Router 1 use 192.168.1.xxx (public access)
Users on the LAN side of Router 2 use 192.168.2.xxx (inside LAN)

This works but causes problems due to the double NAT. Details on
request.



>
>By what mechanism can a wireless subnet be created such that the users have
>Internet access yet cannot (easily) have access to the rest of the private
>net that shares the DSL modem that supplies 'net access to the LAN as a
>whole?
>
>Is a router required at the junction of the DSL modem and the 2 AirPort WAPs
>that controls access between the 2 branches?
>
>Other means?
>
>Thanks,
>Janie

--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 (E-Mail Removed)
# http://802.11junk.com (E-Mail Removed)
# http://www.LearnByDestroying.com AE6KS
 
News Reader
      03-29-2008, 12:51 AM
There is a mask error in the example you provided.

You've specified a mask of 255.255.255.0 for the LAN interface of Router
1, and a mask of 255.255.255.252 for the WAN interface of Router 2.

Since you are connecting these interfaces together, they must use the
same mask.

Use 255.255.255.0 for both.

Best Regards,
News Reader

Jeff Liebermann wrote:
> On Fri, 21 Mar 2008 08:13:24 GMT, Janey <(E-Mail Removed)> wrote:
>
>> We're replacing an Apple "snow" AirPort (802.11b) with an AirPort Extreme
>> (802.11n) and would like to provide Internet access for clients in the
>> waiting room. Obviously we don't want them to have access to our computers or
>> servers.

>
> The easiest way to do this is to check if your ISP offers a 2nd IP
> address. If so, connect *TWO* routers to your cable or DSL modem
> through a cheapo ethernet switch. Each IP address will have its own
> routeable IP address, its own router, and no way are any packets going
> to cross over from one router to the other.
>
> Another way is to buy a router that offers dual SSID, dual WPA keys,
> or security "zones". Search Google for "dual SSID". Most (not all) of
> these have independent routing for each SSID. Most routers that are
> designed to run a public hot spot (i.e. DD-WRT FON router) have this
> feature.
> <http://www.dd-wrt.com/wiki/index.php/FON_Hotspot#Wireless_.3E_Wireless_Security>
>
> I only know one router that has two WPA keys. MyEssentials ME-1004R.
> <http://www.myessentialssupport.com/product/?pid=ME1004-R>
> This is a cheap ($40) router owned by Belkin that has this useful
> feature. If the client uses one settable WPA key, they get the
> internet and the local LAN. If they use the settable "guest" key,
> they get only the internet. The catch is that the clients MUST use a
> WPA key, which is generally a good idea anyway.
>
> Incidentally, make sure your wireless router has "client isolation" or
> "AP isolation" as Linksys misnamed it. It prevents the clients from
> seeing and attacking each other.
>
> Sonicwall uses security zones:
> <http://www.sonicwall.com/downloads/SOS2e_Enhanced_Security_Zones_Explained.pdf>
> for isolation.
>
> Another way is to use two routers in series. The network connected to
> the LAN side of the 2nd router is the "inside" protected network. The
> 2nd router keeps anyone from the LAN side of the 1st router (or
> "public" side) out of the "inside" network. The IP layout is something
> like this:
> Router 1                        Router 2
> WAN= ISP assigned               WAN= 192.168.1.2
> WAN Netmask= ISP assigned       WAN Netmask= 255.255.255.252
> Gateway= ISP assigned           Gateway= 192.168.1.1
> LAN IP= 192.168.1.1             LAN IP= 192.168.2.1
> LAN Netmask= 255.255.255.0      LAN Netmask= 255.255.255.0
>
> Users on the LAN side of Router 1 use 192.168.1.xxx (public access)
> Users on the LAN side of Router 2 use 192.168.2.xxx (inside LAN)
>
> This works but causes problems due to the double NAT. Details on
> request.
>
>
>
>> By what mechanism can a wireless subnet be created such that the users have
>> Internet access yet cannot (easily) have access to the rest of the private
>> net that shares the DSL modem that supplies 'net access to the LAN as a
>> whole?
>>
>> Is a router required at the junction of the DSL modem and the 2 AirPort WAPs
>> that controls access between the 2 branches?
>>
>> Other means?
>>
>> Thanks,
>> Janie

 
glen herrmannsfeldt
      03-29-2008, 02:26 AM

(someone wrote)

> The easiest way to do this is to check if your ISP offers a 2nd IP
> address. If so, connect *TWO* routers to your cable or DSL modem
> through a cheapo ethernet switch. Each IP address will have its own
> routeable IP address, its own router, and no way are any packets going
> to cross over from one router to the other.


That is a good way, but when they do they usually charge
extra for it. If you don't need the extra IP, and/or static IP,
then double NAT works well.

(snip)

> Another way is to use two routers in series. The network connected to
> the LAN side of the 2nd router is the "inside" protected network. The
> 2nd router keeps anyone from the LAN side of the 1st router (or
> "public" side) out of the "inside" network. The IP layout is something
> like this:
> Router 1                        Router 2
> WAN= ISP assigned               WAN= 192.168.1.2
> WAN Netmask= ISP assigned       WAN Netmask= 255.255.255.252
> Gateway= ISP assigned           Gateway= 192.168.1.1
> LAN IP= 192.168.1.1             LAN IP= 192.168.2.1
> LAN Netmask= 255.255.255.0      LAN Netmask= 255.255.255.0


As someone else mentioned, the Router2 WAN Netmask is wrong.

> Users on the LAN side of Router 1 use 192.168.1.xxx (public access)
> Users on the LAN side of Router 2 use 192.168.2.xxx (inside LAN)


This keeps the public net from accessing the inside LAN, but doesn't
keep them from watching the data going by. At least they can
see broadcast packets, and any other that are flooded by the
switch.

> This works but causes problems due to the double NAT.
> Details on request.


What problems due to double NAT? As I said, I would do
double NAT for both nets for full isolation. If it is
worth worrying about isolation it is worth the price of
another NAT router.

-- glen

 
Jeff Liebermann
      03-29-2008, 03:56 PM
On Fri, 28 Mar 2008 21:51:53 -0400, News Reader <(E-Mail Removed)>
wrote:

>There is a mask error in the example you provided.


Eye nver maek mistrakes.

>You've specified a mask of 255.255.255.0 for the LAN interface of Router
>1, and a mask of 255.255.255.252 for the WAN interface of Router 2.
>
>Since you are connecting these interfaces together, they must use the
>same mask.
>
>Use 255.255.255.0 for both.
>
>Best Regards,
>News Reader


>Jeff Liebermann wrote:
>> Another way is to use two routers in series. The network connected to
>> the LAN side of the 2nd router is the "inside" protected network. The
>> 2nd router keeps anyone from the LAN side of the 1st router (or
>> "public" side) out of the "inside" network. The IP layout is something
>> like this:
>> Router 1                        Router 2
>> WAN= ISP assigned               WAN= 192.168.1.2
>> WAN Netmask= ISP assigned       WAN Netmask= 255.255.255.252
>> Gateway= ISP assigned           Gateway= 192.168.1.1
>> LAN IP= 192.168.1.1             LAN IP= 192.168.2.1
>> LAN Netmask= 255.255.255.0      LAN Netmask= 255.255.255.0
>>
>> Users on the LAN side of Router 1 use 192.168.1.xxx (public access)
>> Users on the LAN side of Router 2 use 192.168.2.xxx (inside LAN)


1. Please don't "top post".

2. Your comments are absolutely true if Router 2 needs to see all the
devices on the LAN side of Router 1. For that, I would use
255.255.255.0. However, I do NOT want them to see all those users and
devices. Router 2 only needs to see the LAN side IP address of Router
1 (plus the broadcast address) for a total of 2 IP addresses.

With 255.255.255.252, it looks like this:
<http://www.aboutmyip.com/AboutMyXApp/SubnetCalculator.jsp?ipAddress=192.168.1.1&cidr=30>
Address: 192.168.1.1
Netmask: 255.255.255.252
Network Address: 192.168.1.0 / 30
Broadcast Address: 192.168.1.3
First host: 192.168.1.1
Last host: 192.168.1.2
Total host count: 2

It can also be done with CIDR /31 or 255.255.255.254, but I like to
save the 2nd IP address for tinkering, testing, sniffing, etc.

The security of such an arrangement is marginal at best. Users on the
LAN side of Router 1 cannot see machines on the LAN side of Router 2,
but can sniff their traffic. Users on the LAN side of Router 2 cannot
see users on the LAN side of Router 1, but only because of the router
netmask.

This arrangement is far from ideal and the netmask is somewhat of a
kludge. It's the best I can do with one WAN IP, and not going to a
VPN tunnel. IMHO, the best way are two routers, two WAN IP's, two
LAN's, and never the two shall meet. However, many ISP's will not
provide more than one routeable IP, requiring abominations like this.

--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
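As an added example (not from the thread), the subnet arithmetic behind DLR's and Jeff's two-routers-in-series layouts and the /30-versus-/24 mask dispute, using Python's standard ipaddress module; the addresses are the ones posted above, and the waiting-room client 192.168.1.50 is a constructed sample.

```python
# Added example (not from the thread): subnet arithmetic behind the
# two-routers-in-series layout and the /30-versus-/24 mask discussion.
# Only addresses posted in the thread are used; 192.168.1.50 is constructed.
import ipaddress


def usable_hosts(net: ipaddress.IPv4Network) -> list:
    """Hosts usable on a link; /31 (RFC 3021) and /32 reserve no addresses."""
    addrs = list(net)
    return addrs if net.prefixlen >= 31 else addrs[1:-1]


def subnet_summary(address: str, prefixlen: int) -> dict:
    """Reproduce the subnet-calculator fields Jeff quoted for 192.168.1.1/30."""
    net = ipaddress.ip_interface(f"{address}/{prefixlen}").network
    hosts = usable_hosts(net)
    return {"network": f"{net.network_address}/{net.prefixlen}",
            "netmask": str(net.netmask), "broadcast": str(net.broadcast_address),
            "first_host": str(hosts[0]), "last_host": str(hosts[-1]),
            "host_count": len(hosts)}


def on_link(interface: str, target: str) -> bool:
    """True if a host configured as `interface` (addr/prefix) delivers to
    `target` directly (ARP) rather than handing it to its default gateway."""
    return ipaddress.ip_address(target) in ipaddress.ip_interface(interface).network


def masks_agree(iface_a: str, iface_b: str) -> bool:
    """News Reader's check: two interfaces sharing one cable should derive
    the same network from their own address and mask."""
    return ipaddress.ip_interface(iface_a).network == ipaddress.ip_interface(iface_b).network


def layout_report() -> dict:
    """Evaluate Jeff's posted layout: Router 1 LAN 192.168.1.1/24 and
    Router 2 WAN 192.168.1.2/30, plus a constructed waiting-room client."""
    r1_lan = "192.168.1.1/24"
    r2_wan = "192.168.1.2/30"
    guest = "192.168.1.50/24"          # constructed sample, addressed by Router 1
    return {
        # the mask mismatch News Reader objected to
        "link_masks_agree": masks_agree(r1_lan, r2_wan),
        # Router 2 still reaches its gateway 192.168.1.1 directly ...
        "r2_sees_gateway": on_link(r2_wan, "192.168.1.1"),
        # ... but treats the rest of 192.168.1.x as off-link (Jeff's intent)
        "r2_sees_guest_directly": on_link(r2_wan, "192.168.1.50"),
        # the narrow mask only shapes Router 2's own view: a guest on the /24
        # still sees Router 2's WAN port as a neighbour, so Router 2's NAT and
        # firewall, not the mask, are what keep guests out of the inside LAN
        "guest_sees_r2_wan_directly": on_link(guest, "192.168.1.2"),
    }


if __name__ == "__main__":
    for cidr in (30, 31):
        print(cidr, subnet_summary("192.168.1.1", cidr))
    print(layout_report())
```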
 