New user on Wired/Wireless setup

Hello group,

I essentially have a wired business network with about 8 PCs on it, spread over 2 workgroups.

We use a fairly basic router that also has a wireless function on it. We don't use this function but it's there as a sort of "Plan B" in case we have a problem with our cables.

Another occupier in our building has asked if they can access the internet via our network. I don't mind in principle but this user is unlikely to be here very long and we don't want to go to the trouble and expense of running new cables etc. I thought therefore it might be possible to allow access using the wireless connection. I obviously don't want this user to be able to access any of our business data.

What I need to know is whether there is a way to set up the other user's connection so that they can access the internet, but without allowing them to see any of the other machines on our network or access any of our data. Is this possible, or once connected will they have access to everything?

As things stand, every PC can see the data on every other PC, since that suits our way of working. Would we have to change this on all the PCs and set specific permissions, excluding the new user, or is there a way for the new user to access the internet without becoming part of our network at all?

Regards,

Tanel.

Reply to
Tanel Kagan

The way you have it configured, yes, they'll have access to everything. But you can trivially test - just bring your own wireless laptop in and connect to your network. What do you see?

All the data? You mean the entire contents of c:\ or do you have some specific area, e.g. c:\data, which is shared out? If the former, you have a massively insecure config which is ripe for hacking.

By the way - is your wireless currently disabled or merely unused? If it's active then someone could sit in a nearby building and hack you. What wireless security are you using?

You'd need to configure all your PCs differently. You need to configure all the shares with user-level security and set up usernames on all the PCs which are then permissioned to read these shares. Note:

The alternative is to use something called double-NAT. You don't want to go there; it's complicated.

Reply to
Mark McIntyre
[...]

I have not yet run into a situation where double NAT was complicated. Granted, it's a relatively uncommon configuration in SOHO and residential situations, but only because it's not generally necessary, not because it's complicated. If the circumstances call for it, by all means use it.

Reply to
Char Jackson

Maker and model of your router please? DSL, cable, satellite, fiber, T1, or two tin cans and a string?

This is the classic coffee shop problem. The idea is to give coffee shop visitors access to the internet, without also giving them access to the cash register, office computah, etc.

If you just hang another wireless access point on your existing network, the neighbors will have access to everything.

The easy way to do this is to use two IP addresses from your ISP. Many ISPs will sell you a 2nd IP address for a reasonable price. Your modem can possibly bridge multiple IPs. That would go to a cheap 4 port ethernet switch. From there, two separate routers. One would be your existing unspecified "fairly basic" router, while the other would go to a 2nd router, which would go to the neighbors. I've been doing that in my palatial office complex, with 5 businesses sharing a single DSL account using 5ea static IPs:

Many not-so-basic wireless routers have provisions for multiple SSIDs, each with their own configuration. They generally include a method of isolating the wired LAN from at least one wireless network. In effect, it's two or more wireless APs in one box. The default and only route for the "guest" wireless zone points to the ISP's gateway IP and on to the internet. For example, Sonicwall has their "wireless guest service" and Security Zones:

Another way is to use a router with 3 or more ports. One for the WAN interface, and one LAN port each for you and your neighbor. Each has their own subnet with IP tables set up so that no packets go between the two LAN ports. It's fairly easy with a PC-based router, where multiple ethernet cards can easily be added. One of these ethernet cards can be an internal PCI wireless card, so the amount of added hardware is minimal. I used to do this using Freesco, which can handle 10 ethernet cards on a floppy or CF card boot:

There are also ways to do this using double NAT and VPN tunnels. Double NAT can get messy if you have to do port forwarding (for VoIP for example). VPN tunnels are probably more complicated than you want to deal with.

Reply to
Jeff Liebermann
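
The three-port router approach from the post above, as an added example that is not part of the original thread: a shell function that prints an iptables rule set for a Linux-based router with one WAN port and two isolated LAN ports. The interface names (eth0, eth1, eth2) are constructed, and it assumes the router itself serves DHCP and DNS to the guest side.

```shell
#!/bin/sh
# Added example. Interface names are constructed, not taken from the thread:
#   wan    = eth0  (to the modem / ISP)
#   office = eth1  (business LAN)
#   guest  = eth2  (neighbour's port or wireless card)

# Print the rule set instead of applying it, so it can be reviewed first.
guest_isolation_rules() {
    gi_wan=$1; gi_office=$2; gi_guest=$3
    # Refuse overlapping roles: isolation means nothing on a shared interface.
    if [ -z "$gi_wan" ] || [ -z "$gi_office" ] || [ -z "$gi_guest" ] ||
       [ "$gi_wan" = "$gi_office" ] || [ "$gi_wan" = "$gi_guest" ] ||
       [ "$gi_office" = "$gi_guest" ]; then
        echo "need three distinct interfaces: WAN OFFICE GUEST" >&2
        return 1
    fi
    cat <<EOF
# Route between interfaces, but forward nothing unless a rule allows it.
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
# No packets between the two LAN ports, in either direction. These come
# first so that no later accept rule can let LAN-to-LAN traffic through.
iptables -A FORWARD -i $gi_guest -o $gi_office -j DROP
iptables -A FORWARD -i $gi_office -o $gi_guest -j DROP
# Replies to connections that were allowed out.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Each LAN may open connections to the internet only.
iptables -A FORWARD -i $gi_office -o $gi_wan -j ACCEPT
iptables -A FORWARD -i $gi_guest -o $gi_wan -j ACCEPT
# Guests may use DHCP and DNS on the router (assumed to run there) and
# nothing else, which keeps them off its admin interface.
iptables -A INPUT -i $gi_guest -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $gi_guest -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $gi_guest -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i $gi_guest -j DROP
# Both LANs share the single WAN address.
iptables -t nat -A POSTROUTING -o $gi_wan -j MASQUERADE
EOF
}

guest_isolation_rules eth0 eth1 eth2
```

After reviewing the printed rules, pipe them to `sh` as root to apply them. From a guest machine, an address on the office subnet should then be unreachable while internet access still works.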

With a basic router? No. With one that supports access control lists, yes but with a fair amount of technical knowledge (aka configuring it).

Reply to
Bill Kearney

Hint: If you ask such questions, try to include:

  1. What problem are you trying to solve?
  2. What do you have to work with? (hardware, software, makers, models, versions, location, environment, user count, etc)
  3. What have you done so far, and what happened? (only for troubleshooting type questions).

It looks fairly basic. I'm not a big fan of all-in-one DSL/router/wireless boxes. I like to have the DSL modem separate. One reason is that you cannot use the trick of having the ISP deliver multiple IP addresses, through the DSL modem, and then connect two or more routers to the single DSL modem as in:

You have to have access to the connection between the DSL modem and the router for this to work.

I sometimes like to have the wireless access point section separate from the router. That's because the wireless wants to live up high in the room, for best wireless coverage, while the router wants to live low on the floor, behind someone's desk, amid the tangle of CAT5 cables, wall warts, power strips, etc. It's difficult to reconcile the requirements for neatness and wireless coverage unless you use separate boxes.

IT experts are easy to recognize. They never guess.

Reply to
Jeff Liebermann

Perhaps you can have your guest user provide his own wireless router and then put it on a different subnet.

I'm not sure how that goes, just throwing this out there as an idea that the other folks might be able to comment on.

Basic idea is run two subnets off the same internet connection. Keeps them isolated, I believe.

Steve

Reply to
seaweedsl

Nope. With two routers in the system, they would need to share the same WAN IP address. That won't work. That's why one of my suggestions involved having the ISP supply two or more routable IP addresses, so that two or more routers can be used.

It also won't work if you try to do it with one router. In this case, both sub-nets will be connected to the same ethernet switch. Everyone will see each other's broadcasts. A proper subnet mask will limit a user's visibility but all they have to do is tweak the subnet, and everything is exposed.

It is possible to do this using VLANs on a single router/switch. I haven't tried this yet, but it looks very plausible:

(Yeah, I know. Why didn't I think of this before...)

Reply to
Jeff Liebermann

OK. Now I know. Thanks, Jeff.

Reply to
seaweedsl
