How to? WiFi access passing only HTTP & DHCP

 
 
Peter
      10-04-2006, 06:26 AM
Hi All

I have a standard home network, comprising of a Draytek 2900Gi wifi
router, a few PCs, etc.

All the PCs need to be able to see each other via windows networking,
and this works fine.

I would like to add a wifi access point to the network which passes
only HTTP/HTTPS, plus DHCP.

The reason for this is that my teenage son has a laptop which is
infected with various viruses. But he won't let anybody touch it.
Obviously I could just block his wifi access but I probably won't see
him again if I do that...

It "should" be OK because he doesn't have an admin-level login into
any of the other computers, so any virus should not be able to login,
but this is assuming windoze networking is totally secure.

He does have a non-admin login into one of the machines, on which I
also have an admin account, so if that machine got infected and then I
logged in, the virus could spread from there. However, that machine is
running current Kaspersky AV, which is something I suppose.

So I think the best thing is for him to have HTTP-only access on the
wifi and then his laptop can have whatever viruses. Eventually it will
get totally trashed and he will have learnt a lesson about downloading
every piece of software he finds on the internet.

I have some spare routers, but the problem with all the consumer
routers on the market is that their ethernet ports are on the same net
as their wifi ports. I need something which will implement the packet
filtering *between* a wifi port and an ethernet port.

I'd be grateful for any suggestions.
 
Mark Carver
      10-04-2006, 06:40 AM
Peter wrote:

> I would like to add a wifi access point to the network which passes
> only HTTP/HTTPS, plus DHCP.
>
> The reason for this is that my teenage son has a laptop which is
> infected with various viruses. But he won't let anybody touch it.
> Obviously I could just block his wifi access but I probably won't see
> him again if I do that...


<snip>
>
> I'd be grateful for any suggestions.


I'm not a networking expert at all, but how about this ? :-

Give every client on your network fixed IPs, and assign your son's laptop's
IP address a DMZ allocation.

This will expose his machine 'raw' to the net, but also isolate it from the
other clients on your LAN. For added security set up the software firewalls,
that I hope are running on your clients, with a rule to reject in both
directions any communication with your son's IP address.

http://en.wikipedia.org/wiki/Demilit...28computing%29

--
Mark
Please replace invalid and invalid with gmx and net to reply.
 
Peter Crosland
      10-04-2006, 07:17 AM
> I have a standard home network, comprising of a Draytek 2900Gi wifi
> router, a few PCs, etc.
>
> All the PCs need to be able to see each other via windows networking,
> and this works fine.
>
> I would like to add a wifi access point to the network which passes
> only HTTP/HTTPS, plus DHCP.
>
> The reason for this is that my teenage son has a laptop which is
> infected with various viruses. But he won't let anybody touch it.
> Obviously I could just block his wifi access but I probably won't see
> him again if I do that...


He needs to learn to behave in a responsible manner. Don't be a wimp! Just
tell him unless, and until, he allows it to be sorted then he has no access.

Peter Crosland


 
Peter
      10-04-2006, 08:03 AM

Mark Carver <(E-Mail Removed)> wrote

>Peter wrote:
>
>> I would like to add a wifi access point to the network which passes
>> only HTTP/HTTPS, plus DHCP.
>>
>> The reason for this is that my teenage son has a laptop which is
>> infected with various viruses. But he won't let anybody touch it.
>> Obviously I could just block his wifi access but I probably won't see
>> him again if I do that...

>
><snip>
>>
>> I'd be grateful for any suggestions.

>
>I'm not a networking expert at all, but how about this ? :-
>
>Give every client on your network fixed IPs, and assign your son's laptop's
>IP address a DMZ allocation.


I don't think my router supports a DMZ. I already run a fixed IP on
one of the desktop machines because I need that for PC Anywhere to get
through to it, via a VPN.

>This will expose his machine 'raw' to the net, but also isolate it from the
>other clients on your LAN. For added security set up the software firewalls,
>that I hope are running on your clients, with a rule to reject in both
>directions any communication with your son's IP address.
>
>http://en.wikipedia.org/wiki/Demilit...28computing%29


I have a mixture of win2000 and winXP. Only the latter has a firewall.

One option is to put some AV software on his laptop, but IME these
programs fail to catch most malware; also any half smart virus
disables the AV software anyway.

Basically I am after a wifi access point, perhaps some standalone
Cisco one, which supports access lists so one can open up port 80,
443, and whatever ports are used by DHCP.
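
The access list asked for in the post above, modelled as a first-match filter on traffic arriving from the Wi-Fi side; this is an added example, not code from any poster or vendor. The addresses are constructed, and the DNS rules are an assumption added here because browsing by hostname needs name resolution on port 53 (DHCP itself uses UDP port 67 on the server side).

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing (assumption): wired LAN 192.168.1.0/24, router at .1
LAN = "192.168.1.0/24"
ROUTER = "192.168.1.1/32"
ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    dst: str     # destination IPv4 address
    dport: int   # destination port

# (action, protocol or None for any, destination network, ports or None for any, note)
ACL = [
    ("permit", "udp", "255.255.255.255/32", {67}, "DHCP discover/request (broadcast)"),
    ("permit", "udp", ROUTER, {67}, "DHCP renewal (unicast to server)"),
    ("permit", "udp", ROUTER, {53}, "DNS to router (added assumption)"),
    ("permit", "tcp", ROUTER, {53}, "DNS over TCP to router (added assumption)"),
    ("deny", None, LAN, None, "everything else towards the wired LAN"),
    ("permit", "tcp", ANY, {80, 443}, "HTTP/HTTPS to the internet"),
]

def evaluate(pkt, acl=ACL):
    """Return (action, note) of the first matching rule; the default is deny."""
    dst = ipaddress.ip_address(pkt.dst)
    for action, proto, net, ports, note in acl:
        if proto is not None and proto != pkt.proto:
            continue
        if dst not in ipaddress.ip_network(net):
            continue
        if ports is not None and pkt.dport not in ports:
            continue
        return action, note
    return "deny", "implicit default deny"

if __name__ == "__main__":
    samples = [  # constructed packets from the laptop
        Packet("udp", "255.255.255.255", 67),  # DHCP
        Packet("tcp", "192.168.1.20", 445),    # Windows file sharing on a LAN PC
        Packet("tcp", "192.168.1.20", 80),     # web server on a LAN PC
        Packet("tcp", "203.0.113.10", 443),    # HTTPS to an internet host
        Packet("tcp", "203.0.113.10", 25),     # outbound mail
    ]
    for p in samples:
        print(p, "->", evaluate(p))
```

Rule order matters: the LAN deny has to sit above the port 80/443 permit, otherwise web servers on the wired PCs and the router's own admin page stay reachable from the laptop.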
 
Peter
      10-04-2006, 08:04 AM

"Peter Crosland" <(E-Mail Removed)> wrote

>He needs to learn to behave in a responsible manner. Don't be a wimp! Just
>tell him unless, and until, he allows it to be sorted then he has no access.


Well you are right of course. But he is fighting with the parents,
like most teenagers do.

If I give him AV software he will just pass on a copy to everybody in
the playground, and (as I posted elsewhere) the stuff rarely works
anyway. He picked up the latest virus via MSN messenger, apparently...
 
Peter Crosland
      10-04-2006, 08:25 AM
>> He needs to learn to behave in a responsible manner. Don't be a
>> wimp! Just tell him unless, and until, he allows it to be sorted
>> then he has no access.

>
> Well you are right of course. But he is fighting with the parents,
> like most teenagers do.


But you don't have to let him win!

> If I give him AV software he will just pass on a copy to everybody in
> the playground, and (as I posted elsewhere) the stuff rarely works
> anyway. He picked up the latest virus via MSN messenger, apparently...


Install AVG free edition that automatically updates and should keep most
nasties out. He might learn something from the experience.

Peter Crosland


 
dave @ stejonda
      10-04-2006, 08:27 AM
In message <(E-Mail Removed)>, Peter
<(E-Mail Removed)> writes
>"Peter Crosland" <(E-Mail Removed)> wrote
>
>>He needs to learn to behave in a responsible manner. Don't be a wimp! Just
>>tell him unless, and until, he allows it to be sorted then he has no access.

>
>Well you are right of course. But he is fighting with the parents,
>like most teenagers do.
>
>If I give him AV software he will just pass on a copy to everybody in
>the playground, and (as I posted elsewhere) the stuff rarely works
>anyway. He picked up the latest virus via MSN messenger, apparently...


Free AV software is available which would be better than nothing. It
wouldn't hurt if he told all his friends about it either.

http://free.grisoft.com/doc/1

Why do you have a software firewall only on your XP m/c? Free firewalls
are available - Sygate Personal Firewall for instance.

Keep communicating - it's very very unlikely that things won't improve
eventually - as long as you don't sweat the small stuff and try only to
get wound up by the important things - like keeping your other PCs
secure despite his experimentation with limits.

--
dave @ stejonda (has son 19yrs and still (mostly) sane)
 
Joker7
      10-04-2006, 08:51 AM

"Peter" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
: Hi All
:
: I have a standard home network, comprising of a Draytek 2900Gi wifi
: router, a few PCs, etc.
:
: All the PCs need to be able to see each other via windows networking,
: and this works fine.
:
: I would like to add a wifi access point to the network which passes
: only HTTP/HTTPS, plus DHCP.
:
: The reason for this is that my teenage son has a laptop which is
: infected with various viruses. But he won't let anybody touch it.
: Obviously I could just block his wifi access but I probably won't see
: him again if I do that...
:
: It "should" be OK because he doesn't have an admin-level login into
: any of the other computers, so any virus should not be able to login,
: but this is assuming windoze networking is totally secure.
:
: He does have a non-admin login into one of the machines, on which I
: also have an admin account, so if that machine got infected and then I
: logged in, the virus could spread from there. However, that machine is
: running current Kaspersky AV, which is something I suppose.
:
: So I think the best thing is for him to have HTTP-only access on the
: wifi and then his laptop can have whatever viruses. Eventually it will
: get totally trashed and he will have learnt a lesson about downloading
: every piece of software he finds on the internet.
:
: I have some spare routers, but the problem with all the consumer
: routers on the market is that their ethernet ports are on the same net
: as their wifi ports. I need something which will implement the packet
: filtering *between* a wifi port and an ethernet port.
:
: I'd be grateful for any suggestions.


1/ Fixed IP, then control access from the router.
2/ Stand up to the kid; you are the parent. Sort the laptop or no
internet, this is what a good parent would do.

Chris


--
Cheap As Chips Broadband http://yeah.kick-butt.co.uk
Superb hosting & domain name deals http://host.kick-butt.co.uk


 
philipuk@gmail.com
      10-04-2006, 09:02 AM
Sorry but you shouldn't let him use the Internet until he sorts it. His
PC will be causing all kinds of problems for other internet users while
it is infected. At the moment it may be sending spam emails, filling
blogs and forums with comment spam, hosting pirated videos etc. It
could be serving up child pornography to all and sundry, who knows!

He may have a keylogger installed in which case everything he types
will be sent out for the world to view (including his email account
password, credit card numbers of anyone unfortunate enough to use his
laptop etc.)

You are his parent, he should do what you tell him to do, not the other
way round.

Philip

Peter wrote:

> Hi All
>
> I have a standard home network, comprising of a Draytek 2900Gi wifi
> router, a few PCs, etc.
>
> All the PCs need to be able to see each other via windows networking,
> and this works fine.
>
> I would like to add a wifi access point to the network which passes
> only HTTP/HTTPS, plus DHCP.
>
> The reason for this is that my teenage son has a laptop which is
> infected with various viruses. But he won't let anybody touch it.
> Obviously I could just block his wifi access but I probably won't see
> him again if I do that...
>
> It "should" be OK because he doesn't have an admin-level login into
> any of the other computers, so any virus should not be able to login,
> but this is assuming windoze networking is totally secure.
>
> He does have a non-admin login into one of the machines, on which I
> also have an admin account, so if that machine got infected and then I
> logged in, the virus could spread from there. However, that machine is
> running current Kaspersky AV, which is something I suppose.
>
> So I think the best thing is for him to have HTTP-only access on the
> wifi and then his laptop can have whatever viruses. Eventually it will
> get totally trashed and he will have learnt a lesson about downloading
> every piece of software he finds on the internet.
>
> I have some spare routers, but the problem with all the consumer
> routers on the market is that their ethernet ports are on the same net
> as their wifi ports. I need something which will implement the packet
> filtering *between* a wifi port and an ethernet port.
>
> I'd be grateful for any suggestions.


 
Mark Carver
      10-04-2006, 09:38 AM

Peter wrote:
> "Peter Crosland" <(E-Mail Removed)> wrote
>
>
> If I give him AV software he will just pass on a copy to everybody in
> the playground, and (as I posted elsewhere) the stuff rarely works
> anyway. He picked up the latest virus via MSN messenger, apparently...


As mentioned AVG freeware or what I use, Avast freeware.

<http://www.avast.com/eng/download-avast-home.html>

I have Avast on all my PCs, including my two teenage lads, they spend a
hell of a lot of time on MSN, swapping files, using web cams etc.
Viruses have certainly been caught in MSN by Avast. I regularly
(weekly) run virus scans, and SpyBot on their machines. As far as I can
tell the machines are clean. I've also crippled OE and IE on their
machines, so they are 'forced' to use Thunderbird and FireFox for mail
and browsing just for good measure.

 