On Wed, 27 Jan 2010 16:28:58 -0800 (PST), corymk <(E-Mail Removed)>
wrote:
>On Jan 27, 6:06 pm, Char Jackson <n...@none.invalid> wrote:
>> On Wed, 27 Jan 2010 12:19:10 -0800 (PST), corymk <cor...@gmail.com>
>> wrote:
>>
>>
>>
>> >On Jan 26, 2:15 pm, Char Jackson <n...@none.invalid> wrote:
>> >> On Tue, 26 Jan 2010 11:38:45 -0800 (PST), corymk <cor...@gmail.com>
>> >> wrote:
>>
>> >> This sounds like it might be close to what you're trying to do:
>> >> <http://www.dd-wrt.com/wiki/index.php/VLAN_Detached_Networks_%28Separa...>
>>
>> >>
>> >> VLAN Detached Networks (Separate Networks With Internet)
>> >> From DD-WRT Wiki
>>
>> >> This will separate the ports on the back of your router and allow you
>> >> to create individual networks that can’t see each other but that can
>> >> still browse the internet.
>> >>
>>
>> >I got that Wireless VLAN to work properly. I set up AP Isolation on
>> >both the original Wireless plus the new Virtual Wireless interfaces.
>> >Now I am thinking I want to segregate the wired connections. I
>> >thought an easy way would be to set up the DHCP pool to give out a /32
>> >network address. If the DHCP server gave out an address of
>> >192.168.1.100/255.255.255.255, then the computer would not be able to
>> >talk to any other machine anyways because it is on its own network.
>> >Is there a way to modify the DHCP server and this should be the last
>> >step I need without doing a VLAN on port 4 like I could have done
>> >otherwise.
>>
>> As you mentioned, the AP Isolation feature is supposed to keep the
>> wireless clients separated from each other, and the link I provided
>> above is supposed to provide isolation on the wired ports. The only
>> thing I'm not sure of is whether the isolated wireless clients are
>> fully isolated from the isolated wired clients. Clear as mud?
>>
>> I would not go down the road of handing out /32 netmasks, as it's
>> trivially easy to get around that kind of isolation. Use VLANs
>> instead.
>
>I did verify the isolation works properly between wireless devices.
>The isolation is indeed only available for the wireless networking.
>No, the isolated wireless clients are not isolated from the wired
>clients. They do exist on the network together and it is only the
>wireless clients that cannot see each other.
No, it's not just the wireless clients that can't see each other, it's
the wired clients, too, assuming you've followed the steps in the
tutorial I showed you. Or I should say, it's one wired client per
physical port, since it's the switch ports that are isolated, one per
VLAN. If such a small number of isolated switch ports isn't enough to
meet your needs, a managed switch of appropriate size might be a good
choice, or perhaps use cascaded dd-wrt boxes if you have them on hand.
>This setup is for computers that need cleaning up (viruses / malware /
>spyware). I don't want the computers to infect each other but I want
>to have multiples on the Internet at the same time without worrying
>about the infections spreading among the computers. That is why I
>think that Wireless AP Isolation is the correct way to go so far.
AP Isolation is great if your computers are connected wirelessly. If
you are using some wired connections as well, then follow the steps in
the tutorial I showed you.
>Now
>if I start dealing with that on the wired side, I need to find a way
>to stop the computers from passing traffic just using IP addresses.
Assigning a different VLAN per physical switch port takes care of
that.
>If I set up the VLANs, I will have to have each computer plugged into
>a different port signifying a different VLAN if I understand this
>correctly. I am curious what other options or directions we may go.
What concerns do you have so far regarding this approach? You sound
unsure, but I can't tell why. Is it because 4 wired ports is not
enough?
>In thinking about the /32 subnet masks, I forgot that the computer
>would not be able to see the router in that effect. I want the
>computer to create a separate network to the same effect and also be
>isolated.
As I think more about this and how it applies to your situation, maybe
it's not so bad after all. If there were malicious humans operating
those computers, they could easily change the netmask and open up the
rest of the network, but it's just you, the computers, and their
malware. The risk is probably low.
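As an added illustration of the two wired-isolation approaches argued over above, and not code from either poster or from DD-WRT: a small Python model of whether one machine can deliver a packet straight to another under per-port VLANs (enforced by the switch) versus DHCP-issued /32 masks (enforced only by the client's own configuration). The host names, port numbers, addresses and the `can_deliver` rule are assumptions made for the illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Interface
from itertools import permutations


@dataclass
class Host:
    name: str
    port: int              # router switch port the host is cabled to
    iface: IPv4Interface   # address/mask as currently configured on the host


def can_deliver(port_vlan: dict, src: Host, dst: Host) -> bool:
    """Can src put a packet straight onto dst's NIC, with no router in between?

    Two independent gates: the switch must have both ports in the same VLAN
    (the host cannot change that), and dst must fall inside src's *own*
    configured subnet so src ARPs for dst rather than for a gateway (the host
    can change that at will). The reply path is deliberately not modelled.
    """
    return (port_vlan[src.port] == port_vlan[dst.port]
            and dst.iface.ip in src.iface.network)


def reachable_pairs(port_vlan: dict, hosts: list) -> set:
    """All (src, dst) name pairs for which direct delivery is possible."""
    return {(a.name, b.name) for a, b in permutations(hosts, 2)
            if can_deliver(port_vlan, a, b)}


# Constructed sample: four wired machines on a four-port router (assumed).
FLAT = {1: 1, 2: 1, 3: 1, 4: 1}        # stock config: every port in VLAN 1
PER_PORT = {1: 1, 2: 2, 3: 3, 4: 4}    # tutorial approach: one VLAN per port


def dhcp32_hosts() -> list:
    """Every client honouring a DHCP lease that carries a /32 netmask."""
    return [Host(f"pc{p}", p, IPv4Interface(f"192.168.1.{99 + p}/32"))
            for p in range(1, 5)]


def one_client_widens_mask(hosts: list) -> list:
    """pc1 (or the malware on it) resets its mask to /24; nothing else changes."""
    return [Host("pc1", 1, IPv4Interface("192.168.1.100/24"))] + list(hosts[1:])
```

With every client honouring the /32 lease no pair is reachable, but as soon as one client widens its own mask it can reach every other machine on the flat VLAN; the same change buys it nothing when each port is its own VLAN.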