Mixed encryption network

I have a wireless network at home consisting of a Motorola wr850g with dd-wrt as the main router/WAP. I also have another wr850g with dd-wrt acting as a client bridge to my home office to provide access to the computers in there. There are also an additional 2 computers floating around with wireless adapters. With this setup I can run WPA-PSK with no problems.

However, I also have a Dell Axim X3i PDA with Wifi built in that I would like to use with this network. The problem is that the PDA doesn't handle WPA -- only WEP. I have a spare wireless router (a trusty old Siemens Speedstream 2624) that I could add to the system for WEP only devices, but that would introduce a weak link into the network security.

Question: Can I easily isolate the traffic on the WEP only router from the rest of the network so if an attacker gets on the WEP router, he/she only has internet access and not local network access? (I'm fine with some hacker trying to hack my PDA.)

The Siemens router is very reliable and could be the main router if that would help the security situation, but it is not very feature-filled as far as routers go.

Thanks

Reply to
Bryant Smith

You have two wireless routers.

Got an old spare computer collecting dust?

If so, have you considered a captive portal?

I'm doing just that. The AP on the captive portal is even running completely open (unencrypted) for my neighbors (or anyone else) to use when they are outside on their porch. I like sharing.

Yep, everything that matters to me is secure and protected.

Reply to
Eric

Bryant Smith hath wroth:

The Funk (Juniper) Software Odyssey client will possibly provide WPA-PSK support for the X3i. See the linked page for instructions. Try the 30-day free trial to be sure.

Reply to
Jeff Liebermann

Thanks for the replies. The Juniper Odyssey client is a little too pricey for the use it will get and I don't want to have a machine running all the time. I think the solution I'll use is one Jeff posted on Nov 3, 2005. I'll use a double NAT configuration for the insecure network. Here is a link to the previous thread for those interested:

My trusty old Speedstream should be able to handle this configuration. If it can't, I'll see if I can set up a virtual lan or something like it using my dd-wrt router.

Reply to
Bryant Smith

On Tue, 10 Oct 2006 09:49:42 -0700, Bryant Smith wrote:

                      LAN #1
WAN===[Router #1]===================[Router #2]=======LAN #2

Router #1                          Router #2
WAN = xxx.xxx.xxx.xxx              WAN = 192.168.1.2
WAN NM = 255.255.255.0             WAN NM = 255.255.255.252

Reply to
John Navas

John Navas hath wroth:

It works in at least 2 locations. I did some testing to see if I could "see" any of the clients on LAN #1 from LAN #2. Nope. As long as the Netmask of Router #2 was limited to a small subnet, nothing outside of that subnet was visible (or pingable).

Note that this is how ZoneCD sets up their "isolated" hot spot router.

That's possible but unlikely. Most decent routers have a built in ACL rule set for the WAN port that prevents attackers from the WAN from spoofing LAN IP addresses. Unfortunately, there are routers that will allow spoofing of LAN addresses from the WAN side. I think one of the early versions of the DI-604 did just that.

Reply to
Jeff Liebermann

On Wed, 11 Oct 2006 19:24:05 -0700, Jeff Liebermann wrote:

My brother used to say he hadn't died, so smoking must not be all that harmful. ;)

I'd want to do more thorough analysis before reaching any conclusions.

Forgive me for being unimpressed, but I don't know ZoneCD. What I do know is that there are lots of crappy products on the market.

That's an assumption.

What relevance does that have to my scenario?

Reply to
John Navas

My spare router does allow me to set up routing tables, but I've never done that sort of thing before. I would assume that I could set up a rule that would route all traffic going from the insecure side to the WAN and not the LAN. I don't have access to my network right now, so I'll have to check this out later.

Reply to
Bryant Smith

On Thu, 12 Oct 2006 08:41:09 -0700, Bryant Smith wrote:

What you want is to *block* all traffic addressed to LAN #1, not send it to the WAN (gateway, actually Router #1), which might result in it being forwarded to LAN #1.

Reply to
John Navas

Excuse my ignorance, but will blocking all traffic to LAN #1 also block access to the internet since the main router (the one connected to the modem) is technically in LAN #1?

Reply to
Bryant Smith

On Thu, 12 Oct 2006 13:38:38 -0700, Bryant Smith wrote:

Sorry for not being clear -- what I meant was blocking all traffic with destination addresses on LAN #1 other than the WAN gateway (Router #2); i.e.,

Pass:  192.168.1.1
Block: 192.168.1.2 - 192.168.1.255

Reply to
John Navas
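Added example, not code from the thread, from dd-wrt, or from any of the posters. It models the double-NAT layout John Navas diagrammed above (Router #2's WAN at 192.168.1.2 with a 255.255.255.252 netmask) together with the pass/block rule he gives in this last post, so that the effect of each piece can be checked on sample packets. Everything beyond those two facts is my assumption: Router #1 is the WPA router at 192.168.1.1/24 (LAN #1), the WEP-only side behind Router #2 is 192.168.2.0/24 (LAN #2), Router #2 is a Linux/iptables box such as a dd-wrt unit (the Speedstream's own rule syntax is not known to me), and the interface names br0/vlan1 are dd-wrt's usual defaults. The sample destinations are constructed.

```python
"""Added example (not from the thread): model the double-NAT isolation and
check which destinations a host on the WEP-only network can reach."""
import ipaddress

GATEWAY = ipaddress.ip_address("192.168.1.1")          # Router #1, LAN side
R2_WAN = ipaddress.ip_interface("192.168.1.2/255.255.255.252")  # from the diagram
LAN1 = ipaddress.ip_network("192.168.1.0/24")          # trusted WPA network
LAN2 = ipaddress.ip_network("192.168.2.0/24")          # WEP-only network (assumed)


def next_hop(dst):
    """How Router #2's WAN interface reaches dst, given the /30 netmask.

    Only 192.168.1.1 and 192.168.1.2 are on-link, so ARP and broadcast
    traffic never reach other LAN #1 hosts (the "not visible or pingable"
    result).  Anything else is handed to the gateway, which is Router #1 on
    LAN #1 and would forward it.  The netmask hides LAN #1; it does not
    block it, which is why an explicit block rule is still needed.
    """
    dst = ipaddress.ip_address(dst)
    return "on-link" if dst in R2_WAN.network else "gateway"


def forward_decision(src, dst):
    """Router #2's policy for packets leaving LAN #2 towards its WAN.

    Mirrors the thread's rule: pass the gateway, drop every other LAN #1
    address, pass everything else (the Internet).  Internet-bound packets
    are addressed to Internet hosts, not to 192.168.1.1, so the "pass
    192.168.1.1" entry is only needed if LAN #2 hosts must talk to Router #1
    directly (e.g. for DNS); it is not what keeps Internet access working.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    if src not in LAN2:
        return "DROP"        # only LAN #2 sources belong on this path
    if dst == GATEWAY:
        return "ACCEPT"
    if dst in LAN1:
        return "DROP"        # the isolation rule
    return "ACCEPT"          # Internet, routed via the gateway


def iptables_rules(lan_if="br0", wan_if="vlan1"):
    """The same policy as iptables commands for a dd-wrt box acting as Router #2.

    Interface names are an assumption.  The rule order matches
    forward_decision().  The first FORWARD rule is a WAN-side anti-spoof
    check of the kind Jeff Liebermann mentions: nothing arriving on the WAN
    port may claim a LAN #2 source address.
    """
    return [
        "iptables -P FORWARD DROP",
        f"iptables -A FORWARD -i {wan_if} -s {LAN2} -j DROP",
        f"iptables -A FORWARD -i {lan_if} -o {wan_if} -s {LAN2} -d {GATEWAY} -j ACCEPT",
        f"iptables -A FORWARD -i {lan_if} -o {wan_if} -s {LAN2} -d {LAN1} -j DROP",
        f"iptables -A FORWARD -i {lan_if} -o {wan_if} -s {LAN2} -j ACCEPT",
        f"iptables -A FORWARD -i {wan_if} -o {lan_if} -m state --state ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -t nat -A POSTROUTING -o {wan_if} -s {LAN2} -j MASQUERADE",
    ]


if __name__ == "__main__":
    # Constructed sample packets from a WEP-side host at 192.168.2.10.
    for dst in ("192.168.1.1", "192.168.1.50", "93.184.216.34"):
        print(f"{dst:15} next hop={next_hop(dst):8} "
              f"forward={forward_decision('192.168.2.10', dst)}")
    print("\n".join(iptables_rules()))
```

Running it prints the routing and filtering decision for each sample destination and the equivalent rule set; the useful contrast is 192.168.1.50, which the /30 netmask sends to the gateway (so it would be forwarded onto LAN #1) but the FORWARD rule drops.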
