On 3 Nov 2005 11:44:42 -0800,
(E-Mail Removed) wrote:
>I'm helping my friend set up a hot spot at his restaurant. He had a
>54g that he was using for his internal LAN. Any wireless clients are
>able to see computers on his LAN, which he doesn't want. I saw no way
>with the Linksys FW to prevent the wireless clients from accessing the
>LAN (AP Isolation only isolated wireless clients from each other).
>
>We bought a Linksys BEFSR41 router and put it in place of the 54G for
>his internal LAN locked away in his office. We then moved the 54G to a
>better place in the restaurant for reception.
>The 41 is the gateway and set to 192.168.0.1 on the LAN side. The 54G
>has a static IP of 192.168.0.10. Clients to the 54G get IPs in the
>range 192.168.1.100 and up. To them, the 54G is 192.168.1.1.
Backwards. The WRT54G (with alternative firmware) has QoS which
you're going to need.
To get some semblance of isolation, you use double NAT as below. It's
not perfect, but it's good enough. If you want real isolation between
the wireless and wired parts of the LAN, methinks some routing tweaks
in the WRT54G will be best, or just save your dollars and buy a
Sonicwall TZ-170 which offers completely separate IP address blocks
for the wired and wireless parts.
LAN #1 is the private office LAN.
LAN #2 is the public wireless LAN.
It could be the other way around, but that would create a complex
setup for doing port redirection to the private office LAN for
incoming traffic (i.e. PCAnywhere, VNC, VoIP, etc).
                          LAN #1
WAN===[Router #1]===================[Router #2]=======LAN #2
       WAN = xxx.xxx.xxx.xxx          WAN = 192.168.1.2
       WAN NM = 255.255.255.0         WAN NM = 255.255.255.0
       LAN = 192.168.1.1              LAN = 192.168.5.1
       IP's = 192.168.1.xxx           IP's = 192.168.5.xxx
       LAN NM = 255.255.255.0         LAN NM = 255.255.255.0
Computers on LAN #1 cannot see any computers on LAN #2.
Computers on LAN #2 can see all computers on LAN #1.
Both LAN #1 and LAN #2 can see the internet. The "5" in the
192.168.5.xxx IP block is arbitrary.
If you do NOT want any of the LAN #2 computers to see the computers on
LAN #1, you change the netmask on the WAN port of Router #2 so
that it only will "see" Router #1. That would look like this:
       WAN = xxx.xxx.xxx.xxx          WAN = 192.168.1.2
       WAN NM = 255.255.255.0         WAN NM = 255.255.255.252 <===!!!!
       LAN = 192.168.1.1              LAN = 192.168.5.1
       IP's = 192.168.1.xxx           IP's = 192.168.5.xxx
       LAN NM = 255.255.255.0         LAN NM = 255.255.255.0
Digging out my handy subnet mask calculator:
http://www.wildpackets.com/support/downloads
This will allow only two IP addresses (192.168.1.1 and .2) to be seen by
the WAN port of Router #2 (in addition to the broadcast address of
192.168.1.3). Note that 192.168.1.2 is the WAN IP address of Router
#2, so there is really only one usable IP address. I like to have a
few more IP's to install print servers and shared devices, so I tend
to use 255.255.255.248, which allows 5 usable IP's.
I'm too lazy to change the IP addresses to conform to your IP current
layout. Sorry.
Note the 255.255.255.252 or .248 WAN netmask on the 2nd layout. That's
what makes this work.
You will probably want to enable "AP Isolation" in the WRT54G Wireless
Advanced settings. This will isolate wireless clients from each other
(and should really be called "client isolation").
The WRT54G includes QoS features. It should therefore be connected to
the WAN to handle the network traffic and not isolated (as you've
apparently done) as the #2 router.
http://wrt-wiki.bsr-clan.de/index.ph...ity_of_Service
You can also use routing on the WRT54G to isolate individual LAN ports
on the WRT54G from each other and from the wireless (which is just
another LAN port). You will need alternative (Sveasoft or DD-WRT)
firmware to do this. Floyd Davidson covered this in:
http://groups.google.com/group/alt.i...6d2c66c3b3315b
and other postings.
Finally, note the DD-WRT firmware for the WRT54G includes "Chillispot"
hot-spot software. See:
http://wrt-wiki.bsr-clan.de/index.php?title=Chillispot
http://wrt-wiki.bsr-clan.de/index.ph...e=HTTPRedirect
Also, follow instructions when doing a flash upgrade to the WRT54G. I
didn't and just turned a WRT54g v1.1 into a "brick" (again).
http://wrt-wiki.bsr-clan.de/index.ph...ur_WRT54G.2FGS
--
Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
831.336.2558 voice
http://www.LearnByDestroying.com AE6KS
http://802.11junk.com Skype: JeffLiebermann
(E-Mail Removed) (E-Mail Removed)
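The WAN-netmask trick in the reply above, modelled with Python's standard ipaddress module. This is an added example and not code from the original post or from Linksys; the addresses are the ones in the second layout (Router #2's WAN port at 192.168.1.2, Router #1 at 192.168.1.1), the sample destinations are constructed, and the "on-link or hand to the gateway" decision is a simplification of a real router's forwarding table. It shows which addresses Router #2's WAN port treats as directly reachable under the /24, /30 and /29 masks, how many addresses are left over for shared devices, and where a packet for an office PC on LAN #1 goes under each mask.

```python
"""Model Router #2's WAN-side view of LAN #1 under different netmasks.

Added example, not from the original post. Uses only the standard library.
"""
import ipaddress

# Addresses from the post's second layout (assumed as given there).
ROUTER2_WAN_IP = "192.168.1.2"   # Router #2, WAN port, sits on LAN #1
ROUTER1_LAN_IP = "192.168.1.1"   # Router #1, LAN port; Router #2's default gateway


def wan_subnet(ip, netmask):
    """Return the network Router #2's WAN port believes it is attached to."""
    return ipaddress.ip_interface(f"{ip}/{netmask}").network


def usable_hosts(network):
    """Host addresses in the network, excluding network and broadcast addresses."""
    return [str(h) for h in network.hosts()]


def usable_for_shared_devices(ip, netmask):
    """Addresses left for print servers etc. once both routers have taken theirs."""
    taken = {ROUTER1_LAN_IP, ROUTER2_WAN_IP}
    return [h for h in usable_hosts(wan_subnet(ip, netmask)) if h not in taken]


def next_hop(dst, ip, netmask, gateway=ROUTER1_LAN_IP):
    """How Router #2 forwards a packet out its WAN port.

    Returns "on-link" when dst falls inside the WAN subnet (Router #2 would
    ARP for it directly); otherwise the gateway address it hands the packet to.
    """
    net = wan_subnet(ip, netmask)
    return "on-link" if ipaddress.ip_address(dst) in net else gateway


def reachability_table(netmask, destinations):
    """Map each destination to Router #2's next hop under the given WAN netmask."""
    return {dst: next_hop(dst, ROUTER2_WAN_IP, netmask) for dst in destinations}


if __name__ == "__main__":
    # Constructed samples: Router #1, an office PC on LAN #1, the /24 broadcast
    # address, and an internet host (documentation range, not a real server).
    samples = ["192.168.1.1", "192.168.1.100", "192.168.1.255", "203.0.113.10"]
    for mask in ("255.255.255.0", "255.255.255.252", "255.255.255.248"):
        net = wan_subnet(ROUTER2_WAN_IP, mask)
        spare = usable_for_shared_devices(ROUTER2_WAN_IP, mask)
        print(f"netmask {mask}: {net}, broadcast {net.broadcast_address}, "
              f"{len(usable_hosts(net))} host addresses, {len(spare)} spare")
        for dst, hop in reachability_table(mask, samples).items():
            print(f"  {dst:15} -> {hop}")
```

Running it shows that with 255.255.255.0 the office PC at 192.168.1.100 is on-link for Router #2, while with 255.255.255.252 only .1 and .2 are (nothing spare) and .100 is handed to Router #1 instead; 255.255.255.248 leaves four addresses free beyond the two routers. The model only captures what Router #2 treats as on-link: off-link 192.168.1.x traffic still reaches Router #1, and whether Router #1 forwards it onto LAN #1 depends on Router #1's own rules, so confirm the isolation with a client on the wireless side rather than from the address plan alone.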