Networking Forums


wifi hotspot design

 
 
Danny
Guest
Posts: n/a

 
      07-12-2003, 11:50 PM
I am an owner of a coffee shop and interested in building a free
wireless hotspot. I have 2 desktops networked thru a linksys router
which is connected to a cable/dsl modem. My main concern with offering
a hotspot is of course security. I am considering purchasing a
wireless access point "Belkin 802.11g" to serve as a hub for both my
networked computers and my "customer's" access. I understand that
security will be low to enable easy access for my customers but I want
to maintain security for my network. Can I accomplish my goals by
hard wiring my linksys router to the wireless access point and using
the router firewall to protect my network? Any thoughts would be
greatly appreciated.
 
 
 
 
 
Bob Hall
Guest
Posts: n/a

 
      07-13-2003, 12:58 AM
First, you can save some money by just getting an 802.11b access point.
It'll probably still be 3 times faster than the internet connection. Also,
most of your customers (at this time) will only have "b" equipment. As soon
as one "b" device connects, the whole system slows down to that speed. Kind
of makes "g" a waste.

Your best bet, security wise would be to check with your ISP about having
two IP addresses on your cable/dsl modem. Then you could connect a cheap
switch or hub to the modem. Plug your Linksys router into that & it will
get one IP address, as it does now.

Plug another wireless router into the switch for your customers. It will
get the second IP address and provide DHCP services to your customers.

What you will gain is having your Linksys router's NAT firewall between your
customers and your network. Also, you should consider installing one of the
many free firewalls on each of your own PC's.

It won't be 100% bullet-proof, but it WILL keep out all but the most
determined hacker.

Bob


 
Bob Hall
Guest
Posts: n/a

 
      07-13-2003, 01:06 AM
One more thing...

Assuming most of your customers are business types, a large number of them
will be using their VPN software to connect to their companies' LANs.

Most consumer-grade routers will only allow one VPN connection at a time.
If this is a concern (and it should be), you probably should look at
commercial-grade gear. There went that 802.11g savings!


Bob


 
dold@wifiXhotsp.usenet.us.com
Guest
Posts: n/a

 
      07-13-2003, 08:41 PM
bumtracks <(E-Mail Removed)> wrote:
> i dunno ... copy/paste di-624 dlink 4port wireless gateway/router says ;;;
> Additional security features include pass-through of multiple concurrent
> IPSec and PPTP VPN sessions for tele-commuters or for anyone who needs to
> transmit sensitive information more securely.


> "Bob Hall" <(E-Mail Removed)> wrote in message


>> Most consumer-grade routers will only allow one VPN connection at a time.


The SMC7004WFW has its own VPN endpoint client/server, but does allow only
one VPN/IPSEC Tunnel, according to the data sheet. The firmware must have
changed, though. The setup screen for IPsec allows 10 tunnels to be built.
The setup screen for PPTP has twenty entries, and doesn't say there's a
limit.

I use my Nortel Contivity VPN client to work without using the setup
of that VPN tunnel, so I don't know if that "limit" of one affects the
casual visitor running VPN.

 
 
Keith Roberts
Guest
Posts: n/a

 
      07-13-2003, 08:45 PM
Are you talking about a VPN from the equipment itself or just passing a VPN
link through your equipment? Most equipment can only cope with one VPN link
being established to/from it. The other VPN links should just be passed
through it along with all the other traffic.

Bob Hall wrote:
> That would be a very good thing, then. I know from personal
> experience (and researching the KB) the Linksys gear only allows one.
> I've read that others had the same limitation. Good to know some
> gear doesn't have this limitation.
 
dold@wifiXhotsp.usenet.us.com
Guest
Posts: n/a

 
      07-14-2003, 12:25 AM
Bob Hall <(E-Mail Removed)> wrote:
> I'm talking about a laptop using VPN client software making a connection to
> a remote (corporate) server.


> The Linksys knowledge base (which I can't seem to access at the moment)
> specifically states their equipment only allows one VPN tunnel at a time.


I see a similar statement for the SMC7004WFW, but it seems to be
in reference to some tunnelling setup that I've never done, so I'm not sure
it applies.

> As far as personal experience, I was at a co-worker's house and helped him
> set up a Linksys BEFSR41.


> He had a VPN connection running to our company. When I also established a
> connection, his died. That prompted me to do the research.


That may have been your company's VPN server.
My son can be connected to his company's VPN at the same time that I am
connected to my company's VPN, both wireless through a Linksys BEFW11S4.

I do see a note on my Contivity client that I am using "NAT Traversal".
Perhaps your company only allows one connection from the same WAN address.

---
Clarence A Dold - Hidden Valley (Lake County) CA USA 38.8-122.5
 
 
Bob Hall
Guest
Posts: n/a

 
      07-14-2003, 04:30 AM

<(E-Mail Removed)> wrote in message
news:best9o$uca$(E-Mail Removed)...
>
> I see a similar statement for the SMC7004WFW, but it seems to be
> in reference to some tunnelling setup that I've never done, so I'm not sure
> it applies.


The Linksys KB is down. I'd like to re-read that info to see if I'm
remembering it wrong.

> That may have been your company's VPN server.
> My son can be connected to his company's VPN at the same time that I am
> connected to my company's VPN, both wireless through a Linksys BEFW11S4.


We were using wired.

> I do see a note on my Contivity client that I am using "NAT Traversal".
> Perhaps your company only allows one connection from the same WAN address.


That is a possibility, although that would be really dumb in today's
"networked" world.

We use Cisco VPN.

As I said, I wish the KB was working. You've got my interest, now.



 
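An added illustration, not part of any poster's message and not a description of any specific router's firmware: a simplified NAT model, assuming the router tracks plain IPsec ESP only by remote server address, showing why two clients of the same VPN server can knock each other off while clients of different servers, or clients using UDP-encapsulated NAT traversal, coexist. The class name, addresses and port numbers are hypothetical sample values.

```python
# Simplified model of a consumer NAT router carrying VPN traffic for several
# inside clients. Addresses and names are constructed sample values.
ESP, UDP = "esp", "udp"


class NaiveNat:
    """Tracks UDP flows by port, but plain ESP only by remote server address."""

    def __init__(self):
        self.udp_map = {}   # WAN-side UDP port -> (inside ip, inside port)
        self.esp_map = {}   # remote server ip -> inside ip
        self.next_port = 40000

    def outbound(self, proto, src_ip, dst_ip, src_port=None):
        """Record state for an outgoing packet; return the WAN port (None for ESP)."""
        if proto == UDP:
            for port, owner in self.udp_map.items():
                if owner == (src_ip, src_port):
                    return port
            port, self.next_port = self.next_port, self.next_port + 1
            self.udp_map[port] = (src_ip, src_port)
            return port
        # ESP has no port field to rewrite: the newest client talking to a
        # given server silently replaces the previous client's entry.
        self.esp_map[dst_ip] = src_ip
        return None

    def inbound(self, proto, remote_ip, wan_port=None):
        """Return the inside IP that a reply from remote_ip is forwarded to."""
        if proto == UDP:
            owner = self.udp_map.get(wan_port)
            return owner[0] if owner else None
        return self.esp_map.get(remote_ip)


def two_tunnels(proto, server_a, server_b):
    """Laptop A then laptop B connect; return who receives each server's replies."""
    nat = NaiveNat()
    port_a = nat.outbound(proto, "192.168.1.100", server_a, 4500)
    port_b = nat.outbound(proto, "192.168.1.101", server_b, 4500)
    return nat.inbound(proto, server_a, port_a), nat.inbound(proto, server_b, port_b)


if __name__ == "__main__":
    print(two_tunnels(ESP, "198.51.100.5", "198.51.100.5"))  # same VPN server
    print(two_tunnels(ESP, "198.51.100.5", "192.0.2.77"))    # different servers
    print(two_tunnels(UDP, "198.51.100.5", "198.51.100.5"))  # UDP-encapsulated
```

In the first case both replies are delivered to the second laptop, so the first tunnel stops receiving traffic; the other two cases keep the tunnels separate.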
 
dold@wifiXhotsp.usenet.us.com
Guest
Posts: n/a

 
      07-14-2003, 04:49 PM
Sam C. <(E-Mail Removed)> wrote:
> Anybody else using www.dnsredirector.com for their public hotspots??


> It shows new users joining the wireless lan a welcome or advert page and can
> also act as a web filter for bandwidth stealing apps (P2P) or other content
> you might not want people to get at.


This would be a half-hearted blocker. If a client is allowing the DHCP
server to supply a DNS server address, it would work nicely, but what
if they specified their own DNS or used ip addresses directly? The web
site isn't clear about what "redirection" is used. It would have to be
something in the router to block non-default DNS traffic. The diagram
they provide looks like the Linksys is independent, just offering the
internal DNS server as the default to clients that want to accept it.
The FAQ on that web site would lead me not to have any further interest
in their product.

 
 
Sam C.
Guest
Posts: n/a

 
      07-14-2003, 06:39 PM
Yes, in the readme they mention blocking port 53 outbound in the router so
people who might have set a static DNS server can't get out or bypass
blocked sites.

Who comes to a public or wireless network with a static IP and DNS settings
anyway, that's the whole point of DHCP is it not?

What don't you like about their FAQ? I thought it was very well done and
honest, although it doesn't speak much to the DNS Redirector product
specifically.

I've mailed them many times and they're always very nice.

 
dold@wifiXhotsp.usenet.us.com
Guest
Posts: n/a

 
      07-14-2003, 07:59 PM
Sam C. <(E-Mail Removed)> wrote:
> Yes, in the readme they mention blocking port 53 outbound in the router so
> people who might have set a static DNS server can't get out or bypass
> blocked sites.


Okay. So in the Linksys you don't allow DNS lookups to pass through...
How does your designated DNS server do lookups? Does it need some other
route to the internet? That doesn't appear on the "Network Diagram"
which shows the default gateway for the DNS redirector machine as being
the same one that the new clients would use.

> Who comes to a public or wireless network with a static IP and DNS settings
> anyway, that's the whole point of DHCP is it not?


For quite a while, I had a static DNS because I needed it to get some
non-published addresses.
The reason I mention it in this thread is that if it ever became known
that the way to get around the "pay" portion of this style of hotspot
was to just set a static DNS, it would be used.

> What don't you like about their FAQ? I thought it was very well done and
> honest, although it doesn't speak much to the DNS Redirector product
> specifically.


Is there anything in their FAQ that remotely relates to the technical
aspects of their program? No. "What is Spyware?" "What language did you
write your software in?" "Can I buy your product on CD?" "Is it safe to
order via the web?"

That is a turn off for me. YMMV.


 
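An added sketch, not taken from the DNS Redirector readme or from any poster: a first-match model of the router's outbound filter that checks the three questions raised in this exchange (can a guest use its own DNS server, can the local filtering DNS box still resolve, and does traffic addressed by IP bypass the DNS filter). The host addresses, rule format and rule sets are hypothetical sample values.

```python
# First-match model of the router's outbound filter for a hotspot that uses a
# local filtering DNS server. Hosts and rules are constructed sample values.
import ipaddress

RESOLVER = "192.168.1.2"      # hypothetical filtering DNS box on the LAN
GUEST = "192.168.1.150"       # hypothetical customer laptop
LAN = "192.168.1.0/24"

# Rule: (action, source network, protocol or None = any, dest port or None = any)
ADVISORY_ONLY = [("allow", LAN, None, None)]          # DHCP merely suggests the DNS
BLOCK_53_ALL = [("drop", LAN, "udp", 53),
                ("drop", LAN, "tcp", 53),
                ("allow", LAN, None, None)]
BLOCK_53_EXCEPT_RESOLVER = [("allow", RESOLVER + "/32", "udp", 53),
                            ("allow", RESOLVER + "/32", "tcp", 53)] + BLOCK_53_ALL


def decide(rules, src, proto, dport):
    """Return the action of the first matching rule; default is drop."""
    for action, net, r_proto, r_port in rules:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(net)
                and r_proto in (None, proto) and r_port in (None, dport)):
            return action
    return "drop"


def audit(rules):
    """Answer the three questions from the thread for one rule set."""
    return {
        "guest_static_dns_out": decide(rules, GUEST, "udp", 53),
        "resolver_lookups_out": decide(rules, RESOLVER, "udp", 53),
        "guest_http_by_ip_out": decide(rules, GUEST, "tcp", 80),
    }


if __name__ == "__main__":
    for name, rules in [("advisory only", ADVISORY_ONLY),
                        ("block 53 for everyone", BLOCK_53_ALL),
                        ("block 53 except resolver", BLOCK_53_EXCEPT_RESOLVER)]:
        print(name, audit(rules))
```

Only the third rule set stops guests from using their own DNS while leaving the filtering box able to resolve, and in all three the connection made directly to an IP address is still allowed, so the DNS filter alone does not control it.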
 
 
 