setup an isolated wireless network

Hi,

I have a class B network, which has 1 firewall to access internet.

I want to setup a wireless network which will be used by anyone to access
internet, but here is my problem.
I have no choice to plug wireless router to my network, (can't plug it in
to switch outside firewall due to location) to allow it to access internet.
- I don't want wireless users who will be accessing this router, to see or
access my class B network to obtain IP address, or see any resources on my
network

I will configure wireless router to access my LAN (give router static IP,
and define default gateway to access internet)
Define class C subnet for wireless users and have them obtain different IP
address range.
Then put the wireless router into confined area.

How secure would this setup be, against viruses, warm and or hackers.
(Anyone's laptop who may be infected by worm or pest, i don't want them have
any impact on my LAN)

Thanks
MC

In article <(E-Mail Removed)>
"CAMC1"<(E-Mail Removed)> wrote:

> Hi,
>
> I have a class B network, which has 1 firewall to access internet.
>
> I want to setup a wireless network which will be used by anyone to
> accessinternet, but here is my problem.
> I have no choice to plug wireless router to my network, (can't plug
> it in to switch outside firewall due to location) to allow it to
> access internet. - I don't want wireless users who will be accessing
> this router, to see or access my class B network to obtain IP
> address, or see any resources on mynetwork
>
> I will configure wireless router to access my LAN (give router
> static IP,and define default gateway to access internet)
> Define class C subnet for wireless users and have them obtain
> different IPaddress range.
> Then put the wireless router into confined area.
>
> How secure would this setup be, against viruses, warm and or
> hackers. (Anyone's laptop who may be infected by worm or pest, i
> don't want them haveany impact on my LAN)
>
> Thanks
> MC

Your LAN does not have any significant protection from malicious
traffic on this wireless LAN without a firewall.

Regards,
Scott

--
I'm trying a new usenet client for Mac, Nemo OS X.
You can download it at http://www.malcom-mac.com/nemo

My question here is, if a laptop has a virus that uses this router to access
internet, how could it access my LAN, since it would have no choice to be in
different subnet, and IP range. How could it attack, if it can't see
anything but wireless router?

MC

"Scott Lowe" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> In article &lt;(E-Mail Removed)&gt;
> "CAMC1"&lt;(E-Mail Removed)&gt; wrote:
>
> > Hi,
> >
> > I have a class B network, which has 1 firewall to access internet.
> >
> > I want to setup a wireless network which will be used by anyone to
> > accessinternet, but here is my problem.
> > I have no choice to plug wireless router to my network, (can't plug
> > it in to switch outside firewall due to location) to allow it to
> > access internet. - I don't want wireless users who will be accessing
> > this router, to see or access my class B network to obtain IP
> > address, or see any resources on mynetwork
> >
> > I will configure wireless router to access my LAN (give router
> > static IP,and define default gateway to access internet)
> > Define class C subnet for wireless users and have them obtain
> > different IPaddress range.
> > Then put the wireless router into confined area.
> >
> > How secure would this setup be, against viruses, warm and or
> > hackers. (Anyone's laptop who may be infected by worm or pest, i
> > don't want them haveany impact on my LAN)
> >
> > Thanks
> > MC
>
> Your LAN does not have any significant protection from malicious
> traffic on this wireless LAN without a firewall.
>
> Regards,
> Scott
>
> --
> I'm trying a new usenet client for Mac, Nemo OS X.
> You can download it at http://www.malcom-mac.com/nemo
>

In article &lt;(E-Mail Removed)&gt;
"CAMC1"&lt;(E-Mail Removed)&gt; wrote:

> My question here is, if a laptop has a virus that uses this router
> to access internet, how could it access my LAN, since it would have
> no choice to be in different subnet, and IP range. How could it
> attack, if it can't seeanything but wireless router?

Many viruses/worms/trojans have the ability to try to scan/penetrate
address ranges other than their own, as long as they have a route to
that network. By the nature of the fact that this wireless router
will be the default gateway for these wireless clients, and by nature
of the fact that this wireless router will be plugged into your LAN
behind your Internet firewall, that gives them potentially unfettered
access to your LAN via the wireless router.

They don't necessarily need to be on the same subnet--they just need
IP connectivity, and that they have in your proposed configuration.

Regards,
Scott

--
I'm trying a new usenet client for Mac, Nemo OS X.
You can download it at http://www.malcom-mac.com/nemo

Without the wireless router, virus with laptop has no connection to network,
so it can't scan anything
I see your point, only if wirus could control router, and router reveals
it's own LAN address
am I wrong to assume this?

thanks
MC

"Scott Lowe" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> In article &lt;(E-Mail Removed)&gt;
> "CAMC1"&lt;(E-Mail Removed)&gt; wrote:
>
> > My question here is, if a laptop has a virus that uses this router
> > to access internet, how could it access my LAN, since it would have
> > no choice to be in different subnet, and IP range. How could it
> > attack, if it can't seeanything but wireless router?
>
> Many viruses/worms/trojans have the ability to try to scan/penetrate
> address ranges other than their own, as long as they have a route to
> that network. By the nature of the fact that this wireless router
> will be the default gateway for these wireless clients, and by nature
> of the fact that this wireless router will be plugged into your LAN
> behind your Internet firewall, that gives them potentially unfettered
> access to your LAN via the wireless router.
>
> They don't necessarily need to be on the same subnet--they just need
> IP connectivity, and that they have in your proposed configuration.
>
> Regards,
> Scott
>
> --
> I'm trying a new usenet client for Mac, Nemo OS X.
> You can download it at http://www.malcom-mac.com/nemo
>

In article &lt;(E-Mail Removed)&gt;
"CAMC1"&lt;(E-Mail Removed)&gt; wrote:

> Without the wireless router, virus with laptop has no connection to
> network,so it can't scan anything
> I see your point, only if wirus could control router, and router
> revealsit's own LAN address
> am I wrong to assume this?
>
The router *WILL* reveal its own LAN address, because it must act as
the default gateway for the wireless PCs. Therefore, any PC connected
to the wireless network will, by default, know the IP address of the
router and will have a route to other networks--including your LAN.

Regards,
Scott

--
I'm trying a new usenet client for Mac, Nemo OS X.
You can download it at http://www.malcom-mac.com/nemo

hi,
if the switch permit, you can create a diferent vlan on the out-port of AP
and the router.That will isolate the internal network and all access from AP
will transit the router and there with adecvate routing table they will not
have access to your internal LAN.
--
Dragos CAMARA
MCSA Windows 2003 server


"CAMC1" wrote:

> Hi,
>
> I have a class B network, which has 1 firewall to access internet.
>
> I want to setup a wireless network which will be used by anyone to access
> internet, but here is my problem.
> I have no choice to plug wireless router to my network, (can't plug it in
> to switch outside firewall due to location) to allow it to access internet.
> - I don't want wireless users who will be accessing this router, to see or
> access my class B network to obtain IP address, or see any resources on my
> network
>
> I will configure wireless router to access my LAN (give router static IP,
> and define default gateway to access internet)
> Define class C subnet for wireless users and have them obtain different IP
> address range.
> Then put the wireless router into confined area.
>
> How secure would this setup be, against viruses, warm and or hackers.
> (Anyone's laptop who may be infected by worm or pest, i don't want them have
> any impact on my LAN)
>
> Thanks
> MC
>
>
>
>

Can you explain again?
I am not sure exactly what you mean
MC

"Dragos CAMARA" <(E-Mail Removed)> wrote in message
news:87E4699C-0208-4F4C-A993-(E-Mail Removed)...
> hi,
> if the switch permit, you can create a diferent vlan on the out-port of AP
> and the router.That will isolate the internal network and all access from
AP
> will transit the router and there with adecvate routing table they will
not
> have access to your internal LAN.
> --
> Dragos CAMARA
> MCSA Windows 2003 server
>
>
> "CAMC1" wrote:
>
> > Hi,
> >
> > I have a class B network, which has 1 firewall to access internet.
> >
> > I want to setup a wireless network which will be used by anyone to
access
> > internet, but here is my problem.
> > I have no choice to plug wireless router to my network, (can't plug it
in
> > to switch outside firewall due to location) to allow it to access
internet.
> > - I don't want wireless users who will be accessing this router, to see
or
> > access my class B network to obtain IP address, or see any resources on
my
> > network
> >
> > I will configure wireless router to access my LAN (give router static
IP,
> > and define default gateway to access internet)
> > Define class C subnet for wireless users and have them obtain different
IP
> > address range.
> > Then put the wireless router into confined area.
> >
> > How secure would this setup be, against viruses, warm and or hackers.
> > (Anyone's laptop who may be infected by worm or pest, i don't want them
have
> > any impact on my LAN)
> >
> > Thanks
> > MC
> >
> >
> >
> >

hi,
on the lan port of AP put an static IP, on the switch where do you connect
the AP create a VLAN with AP and the router(wich connect to the internet) -
by that you create a logical separate network from your lan with only AP and
router, so the users who connect to AP will "see" only the AP and the router
no matter what.

Any way the router will be on 2 VLAN's -the default one where is your LAN
and that where AP reside. Is like you have 2 nic's on the router one
connected to the LAN and the other connected to the AP with no routing one to
other.
--
Dragos CAMARA
MCSA Windows 2003 server


"CAMC1" wrote:

> Can you explain again?
> I am not sure exactly what you mean
> MC
>
> "Dragos CAMARA" <(E-Mail Removed)> wrote in message
> news:87E4699C-0208-4F4C-A993-(E-Mail Removed)...
> > hi,
> > if the switch permit, you can create a diferent vlan on the out-port of AP
> > and the router.That will isolate the internal network and all access from
> AP
> > will transit the router and there with adecvate routing table they will
> not
> > have access to your internal LAN.
> > --
> > Dragos CAMARA
> > MCSA Windows 2003 server
> >
> >
> > "CAMC1" wrote:
> >
> > > Hi,
> > >
> > > I have a class B network, which has 1 firewall to access internet.
> > >
> > > I want to setup a wireless network which will be used by anyone to
> access
> > > internet, but here is my problem.
> > > I have no choice to plug wireless router to my network, (can't plug it
> in
> > > to switch outside firewall due to location) to allow it to access
> internet.
> > > - I don't want wireless users who will be accessing this router, to see
> or
> > > access my class B network to obtain IP address, or see any resources on
> my
> > > network
> > >
> > > I will configure wireless router to access my LAN (give router static
> IP,
> > > and define default gateway to access internet)
> > > Define class C subnet for wireless users and have them obtain different
> IP
> > > address range.
> > > Then put the wireless router into confined area.
> > >
> > > How secure would this setup be, against viruses, warm and or hackers.
> > > (Anyone's laptop who may be infected by worm or pest, i don't want them
> have
> > > any impact on my LAN)
> > >
> > > Thanks
> > > MC
> > >
> > >
> > >
> > >
>
>
>

It is an old Cisco catalyst 3500 series switch that I don't think has VLan
capable. Besides, that switch is still connected to another switch, with no
direct connection to outside router.

MC

"Dragos CAMARA" <(E-Mail Removed)> wrote in message
news:B950EA61-F0C0-42C8-9DA8-(E-Mail Removed)...
> hi,
> on the lan port of AP put an static IP, on the switch where do you connect
> the AP create a VLAN with AP and the router(wich connect to the
internet) -
> by that you create a logical separate network from your lan with only AP
and
> router, so the users who connect to AP will "see" only the AP and the
router
> no matter what.
>
> Any way the router will be on 2 VLAN's -the default one where is your LAN
> and that where AP reside. Is like you have 2 nic's on the router one
> connected to the LAN and the other connected to the AP with no routing one
to
> other.
> --
> Dragos CAMARA
> MCSA Windows 2003 server
>
>
> "CAMC1" wrote:
>
> > Can you explain again?
> > I am not sure exactly what you mean
> > MC
> >
> > "Dragos CAMARA" <(E-Mail Removed)> wrote in message
> > news:87E4699C-0208-4F4C-A993-(E-Mail Removed)...
> > > hi,
> > > if the switch permit, you can create a diferent vlan on the out-port
of AP
> > > and the router.That will isolate the internal network and all access
from
> > AP
> > > will transit the router and there with adecvate routing table they
will
> > not
> > > have access to your internal LAN.
> > > --
> > > Dragos CAMARA
> > > MCSA Windows 2003 server
> > >
> > >
> > > "CAMC1" wrote:
> > >
> > > > Hi,
> > > >
> > > > I have a class B network, which has 1 firewall to access internet.
> > > >
> > > > I want to setup a wireless network which will be used by anyone to
> > access
> > > > internet, but here is my problem.
> > > > I have no choice to plug wireless router to my network, (can't plug
it
> > in
> > > > to switch outside firewall due to location) to allow it to access
> > internet.
> > > > - I don't want wireless users who will be accessing this router, to
see
> > or
> > > > access my class B network to obtain IP address, or see any resources
on
> > my
> > > > network
> > > >
> > > > I will configure wireless router to access my LAN (give router
static
> > IP,
> > > > and define default gateway to access internet)
> > > > Define class C subnet for wireless users and have them obtain
different
> > IP
> > > > address range.
> > > > Then put the wireless router into confined area.
> > > >
> > > > How secure would this setup be, against viruses, warm and or
hackers.
> > > > (Anyone's laptop who may be infected by worm or pest, i don't want
them
> > have
> > > > any impact on my LAN)
> > > >
> > > > Thanks
> > > > MC
> > > >
> > > >
> > > >
> > > >
> >
> >
> >