"John Navas" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Fri, 20 Apr 2007 23:01:01 GMT, "stephen" <(E-Mail Removed)>
> wrote in <NCbWh.5865$(E-Mail Removed)>:
>
> ><(E-Mail Removed)> wrote in message
> >news:(E-Mail Removed) roups.com...
> >>
> >> I would like to set up a network with both wired and wireless clients.
> >> That much I can do with ease. However, I'd like to keep anything on
> >> the wireless network from communicating with anything on the wired
> >> network. Both networks should be able to see the Internet (WAN) and
> >> use it.
> >
> >you need 2 networks / LANs isolated from each other - whether 1 of them is
> >wireless is just a detail...
>
> <quibble> Two isolated subnets. </quibble>
>
> >get a wireless router and plug it into your Internet feed.
> >
> >get a cable router (one with an Ethernet WAN port) - plug that into the LAN
> >on the wireless router.
> >
> >wired devices go thru 2 routers and 2 sets of address translation, but can
> >still get to the internet.
>
> True, but that's "double NAT", which generally works, but can cause
> problems with some (older) network apps, so better to avoid that if
> possible.
I ran double NAT for a long time, and I didn't manage to find any apps that
worked with 1 NAT but not 2.
The 1st router provided a URL checker, and the 2nd acted as wireless LAN
box.
More to the point, "double NAT" exists in many places anyway, since a big
chunk of Internet servers live behind firewalls / load balancers using
NAT....
>
> >wireless devices cannot get thru the WAN port of the cable router.
> >
> >done.
>
> Only if you make assumptions that aren't necessarily true; i.e., that
> the wired router won't open an inbound hole if a client on the wired LAN
> makes an outbound connection to a client on the wireless LAN. To ensure
> that kind of thing can't happen you need more sophistication than is
> present in most low-end wired routers.
That's pretty much always true.... if you break the security model it doesn't
do you much good.
But this is as good as a single router for insulation from the Internet.
The insulation between the 2 wired and wireless groups isn't as good, since
wired devices can kick off connections to wireless devices.
>
> Better to set up wireless-to-wired isolation in a single wireless router,
> as featured in some wireless routers (e.g., SonicWALL), and also doable
> with DD-WRT firmware, which the OP already has, by means of VLAN.
> Google "dd-wrt vlan isolation".
I don't know my way around that firmware....
FWIW VLAN separation has its security shortcomings - but probably not an
issue unless you trunk it on to another switch and an attacker knows how to
jump between tags, or join the 2 VLANs together in some way.
>
> >> I have some Buffalo routers running DD-WRT v23 SP2 that I'd like to
> >> use for this. I thought that "AP isolation" might do this, but from
> >> what I've read it isn't what I am looking for.
> >>
> >> How can I go about doing this?
>
> --
> Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
> John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
> Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
> Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>
--
Regards
(E-Mail Removed) - replace xyz with ntl
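
The one-way isolation discussed in this thread, as an added example that is not part of the original posts: a simplified model of the wired router's stateful NAT in the cascaded setup. All addresses and ports are constructed, and the model assumes the wired router drops every WAN-side packet that matches no existing connection state.

```python
from dataclasses import dataclass, field

@dataclass
class NatRouter:
    """Simplified stateful NAT: LAN->WAN flows create state; WAN->LAN
    packets pass only when they match state (assumed default behaviour)."""
    wan_ip: str
    lan_prefix: str
    next_port: int = 40000
    # (wan_port, remote_ip, remote_port) -> (lan_ip, lan_port)
    state: dict = field(default_factory=dict)

    def outbound(self, src, sport, dst, dport):
        """A LAN host opens a flow; returns the packet as seen on the WAN side."""
        assert src.startswith(self.lan_prefix), "source must be on the LAN"
        wan_port, self.next_port = self.next_port, self.next_port + 1
        self.state[(wan_port, dst, dport)] = (src, sport)
        return (self.wan_ip, wan_port, dst, dport)

    def inbound(self, src, sport, dst, dport):
        """A packet arrives on the WAN port; returns the LAN target or None (dropped)."""
        if dst != self.wan_ip:
            return None  # assumption: no plain routing from WAN into the LAN
        return self.state.get((dport, src, sport))

def demo():
    # Constructed topology: wireless router LAN is 192.168.1.0/24; the wired
    # router's WAN port sits on it as 192.168.1.2, wired LAN is 192.168.2.0/24.
    wired = NatRouter(wan_ip="192.168.1.2", lan_prefix="192.168.2.")
    wireless_host, wired_host = "192.168.1.50", "192.168.2.10"

    # Wireless client starts a connection toward the wired side: dropped.
    direct = wired.inbound(wireless_host, 5555, wired_host, 8080)
    via_wan = wired.inbound(wireless_host, 5555, wired.wan_ip, 8080)

    # Wired host starts a connection to the wireless client: state is created,
    # so that client's replies are translated back in. This is the weaker
    # direction of the isolation.
    _, wan_port, _, _ = wired.outbound(wired_host, 50000, wireless_host, 80)
    reply = wired.inbound(wireless_host, 80, wired.wan_ip, wan_port)

    # A different wireless host cannot reuse that mapping.
    other = wired.inbound("192.168.1.51", 80, wired.wan_ip, wan_port)
    return {"direct": direct, "via_wan": via_wan, "reply": reply, "other": other}

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:8} -> {result}")
```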