Creating separate networks with current router
Bookmark this page:
 Yahoo!
 Google
 Windows Live
 del.icio.us
 digg
 Netscape
|
|
|||||||||||||||||||
|
Posted by on September 3, 2006, 4:12 am
Please log in for more thread options Hi, is it possible to create distinct networks (2..3) using a single router and IP connection? We currenty have a wireless LAN working and plan on renting some rooms to students who want to hook up to the web. Because the foreseeable stay will be short, we do not want to add an additional ADSL line. To preserve security, I thought of adding dedicated LAN networks and assign them to each student. Would that work? Is there a simple work-around? TIA for any suggestions, Mark | |||||||||||||||||||
|
Posted by Jeff Liebermann on September 3, 2006, 12:26 pm
Please log in for more thread options msch-prv@bluewin.ch hath wroth: Yes, but don't bother. You have bigger problems. >We currenty have a wireless LAN working and plan on renting some rooms
>to students who want to hook up to the web. Because the foreseeable >stay will be short, we do not want to add an additional ADSL line. > >To preserve security, I thought of adding dedicated LAN networks and >assign them to each student. Would that work? Is there a simple >work-around? > >TIA for any suggestions, Mark This is a very common problem that has been solved many time by everything from coffee shop wireless networks to schools. The basic problem is that 802.11 wireless is bridging, not routeing. Therefore, the wireless really knows nothing about IP addresses and dividing a network by subnets. It can divide a network using VLAN's, but that becomes an administrative problem. The basic requirement is to isolate each connection. It's sometimes called "AP isolation" or more correctly "client isolation". This prevents any packets from going between clients. Everything goes to or from the internet. The way the local college does it may be a bit of overkill. http://resnet.ucsc.edu Users are assigned an IP address via a DHCP server. The MAC address of their router or PC/Mac is stored in a RADIUS authentication database. Individual users must also authenticate with the RADIUS server to get past the router. Most residents have cheap routers, with the MAC address of the router setup as registered hardware. They can do whatever they want behind their own router. I'm not sure what you mean by a "short stay". If that's only a few days, then I would look into a commercial (or home made) wireless hotspot system. http://wireless.wikia.com/wiki/Wi-Fi_How_To#Setup_a_hotspot If it's more like several months of the skool year, then something more like the previously mentioned university system would be more appropriate. -- Jeff Liebermann jeffl@comix.santa-cruz.ca.us 150 Felker St #D http://www.LearnByDestroying.com Santa Cruz CA 95060 http://802.11junk.com Skype: JeffLiebermann AE6KS 831-336-2558 | |||||||||||||||||||
|
Posted by Bill Kearney on September 3, 2006, 12:51 pm
Please log in for more thread options
> Hi, is it possible to create distinct networks (2..3) using a single
> router and IP connection? > > We currenty have a wireless LAN working and plan on renting some rooms > to students who want to hook up to the web. Because the foreseeable > stay will be short, we do not want to add an additional ADSL line. > > To preserve security, I thought of adding dedicated LAN networks and > assign them to each student. Would that work? Is there a simple > work-around? If you're going to ask questions about a router, at least say what MODEL router! Some routers like a Linksys WRT54GS can load a 3rd party firmware. Those firmware often include the ability to setup virtual LAN (vlan) configurations, along with iptable routing restrictions. Then you'd also have to setup the necessary DHCP or other static address info. But bear in mind this is targeted toward the WIRED ports on the switch, not wireless. It might be possible to perform more fine-grained control over multiple client machines over the single wireless link but it'd be a bit complicated to manage. You could also put separate wifi access points on the wired ports. This would be "better" but would also present some wifi configuration issues like overlapping channels and coverage. But putting them on their own WPA-secured access point, separate from your other one, and then setting up a VLAN controlling that access point's connection would probably handle it. Not for the unexperienced but not impossible either, provided you've got the right equipment. | |||||||||||||||||||
|
Posted by on September 3, 2006, 1:59 pm
Please log in for more thread options
Thanks for your answers. We have a small XP-home based LAN. I was looking for something simpler along the lines of changing the firewall or perhaps adding an additional router to segregate one network from the other. Would that make sense? TIA, Mark | |||||||||||||||||||
|
Posted by Robert Coe on September 3, 2006, 3:21 pm
Please log in for more thread options
wrote: : : > Hi, is it possible to create distinct networks (2..3) using a single
:
: > router and IP connection? : > : > We currenty have a wireless LAN working and plan on renting some rooms : > to students who want to hook up to the web. Because the foreseeable : > stay will be short, we do not want to add an additional ADSL line. : > : > To preserve security, I thought of adding dedicated LAN networks and : > assign them to each student. Would that work? Is there a simple : > work-around? : If you're going to ask questions about a router, at least say what MODEL : router! : : Some routers like a Linksys WRT54GS can load a 3rd party firmware. Those : firmware often include the ability to setup virtual LAN (vlan) : configurations, along with iptable routing restrictions. Then you'd also : have to setup the necessary DHCP or other static address info. But bear in : mind this is targeted toward the WIRED ports on the switch, not wireless. : It might be possible to perform more fine-grained control over multiple : client machines over the single wireless link but it'd be a bit complicated : to manage. You could also put separate wifi access points on the wired : ports. This would be "better" but would also present some wifi : configuration issues like overlapping channels and coverage. But putting : them on their own WPA-secured access point, separate from your other one, : and then setting up a VLAN controlling that access point's connection would : probably handle it. Not for the unexperienced but not impossible either, : provided you've got the right equipment. The (relatively) new Linksys WRT54GP handles up to eight wireless VLANs. You can, for example, assign a separate WPA passphrase to each SSID. I've deployed four of these routers so far and found them to work well. The only tricky part is setting up the trunk for the wireless VLANs. I guess you'll need a managed switch, and that could run into some money. (Sorry to be vague, but our network engineer handled the trunk setup for me.) You can read about the WRT54GP on the Linksys Web site. Oddly (IMO), what they emphasize is the router's native POE capability, not the VLANs. | |||||||||||||||||||
>router and IP connection?