Separating wired and wireless clients on the same network?

Hello all...

I would like to set up a network with both wired and wireless clients. That much I can do with ease. However, I'd like to keep anything on the wireless network from communicating with anything on the wired network. Both networks should be able to see the Internet (WAN) and use it.

I have some Buffalo routers running DD-WRT v23 SP2 that I'd like to use for this. I thought that "AP isolation" might do this, but from what I've read it isn't what I am looking for.

How can I go about doing this?

William

wm_walsh

Maybe, if such a router supports "vlan"s at its switch. Linksys' wired h/w router supports up to 4 vlan-s at its 4 switch ports.

You could then hook WAP to one of the ports, and cable from ethernet switch to another. Router would disable communication between the two groups of hosts; seems being on same IP subnet no problem?

It'd be interesting to see if this exists with WAP router- affordable one.

J
barry

you need 2 networks / LANs isolated from each other - whether 1 of them is wireless is just a detail...

get a wireless router and plug it into your Internet feed.

get a cable router (one with an Ethernet WAN port) - plug that into the LAN on the wireless router.

wired devices go thru 2 routers and 2 sets of address translation, but can still get to the internet.

wireless devices cannot get thru the WAN port of the cable router.

done.

stephen

On Fri, 20 Apr 2007 23:01:01 GMT, "stephen" wrote:

Two isolated subnets.

True, but that's "double NAT", which generally works, but can cause problems with some (older) network apps, so better to avoid that if possible.

Only if you make assumptions that aren't necessarily true; i.e., that the wired router won't open an inbound hole if a client on the wired LAN makes an outbound connection to a client on the wireless LAN. To ensure that kind of thing can't happen you need more sophistication than is present in most low-end wired routers.

Better to setup wireless-to-wired isolation in a single wireless router, as featured in some wireless routers (e.g., SonicWALL), and also doable with DD-WRT firmware, which the OP already has, by means of VLAN. Google "dd-wrt vlan isolation".

John Navas

I ran double NAT for a long time, and I didn't manage to find any apps that worked with 1 NAT but not 2.

The 1st router provided a URL checker, and the 2nd acted as wireless LAN box.

more to the point, "double NAT" exists in many places anyway, since a big chunk of Internet servers live behind firewalls / load balancers using NAT....

that's pretty much always true.... if you break the security model it doesn't do you much good.

but this is as good as a single router for insulation from the internet.

the insulation between the 2 wired and wireless groups isn't as good, since wired devices can kick off connections to wireless devices.

I don't know my way around that firmware....

FWIW vlan separation has its security shortcomings - but probably not an issue unless you trunk it on to another switch and an attacker knows how to jump between tags, or join the 2 vlans together in some way.

stephen
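
The one-way isolation discussed in the posts above (a wireless host cannot open a connection through the inner router's WAN port, but a wired host can open one to a wireless host and receive the replies), as an added Python model that is not part of the thread. The addresses, ports and the `InnerNatRouter` class are constructed for illustration, and the model assumes an ordinary stateful NAT router with no port forwards configured.

```python
# Constructed model of the cascaded-router layout discussed in this thread.
# All addresses and ports are made-up examples, not values from the thread.
from ipaddress import ip_address, ip_network

WIRELESS_LAN = ip_network("192.168.1.0/24")  # LAN of the outer (wireless) router
INNER_WAN_IP = ip_address("192.168.1.2")     # inner router's WAN port on that LAN


class InnerNatRouter:
    """Minimal stateful NAT: outbound flows create state, inbound needs state."""

    def __init__(self, wan_ip):
        self.wan_ip = wan_ip
        self.next_port = 40000
        # (remote_ip, remote_port, nat_port) -> (wired_ip, wired_port)
        self.state = {}

    def outbound(self, lan_ip, lan_port, dst_ip, dst_port):
        """A wired host opens a connection; returns the translated source."""
        nat_port = self.next_port
        self.next_port += 1
        self.state[(dst_ip, dst_port, nat_port)] = (lan_ip, lan_port)
        return self.wan_ip, nat_port

    def inbound(self, src_ip, src_port, dst_port):
        """Packet arriving on the WAN port; returns the wired target or None (dropped)."""
        return self.state.get((src_ip, src_port, dst_port))


def demo():
    router = InnerNatRouter(INNER_WAN_IP)
    wired_pc = ip_address("10.0.0.10")
    wifi_laptop = ip_address("192.168.1.50")
    assert wifi_laptop in WIRELESS_LAN
    # 1. Wireless laptop probes the inner router: no matching state, dropped.
    unsolicited = router.inbound(wifi_laptop, 51000, 8080)
    # 2. Wired PC connects to a service on the laptop: allowed, state created.
    nat_ip, nat_port = router.outbound(wired_pc, 50000, wifi_laptop, 8080)
    # 3. The laptop's reply matches that state and reaches the wired PC.
    reply = router.inbound(wifi_laptop, 8080, nat_port)
    # 4. A different wireless host aiming at the same NAT port is dropped.
    other = router.inbound(ip_address("192.168.1.51"), 8080, nat_port)
    return unsolicited, (nat_ip, nat_port), reply, other


if __name__ == "__main__":
    print(demo())
```

Steps 2 and 3 show the path that stays open in this layout: blocking it as well requires a rule that drops wired-to-wireless traffic, which the default NAT behaviour modelled here does not provide.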

On Sat, 21 Apr 2007 13:24:08 GMT, "stephen" wrote:

In general, firewalls and load balancers don't use NAT. Double NAT is actually relatively rare.

This method isn't a security model.

And that's the point.

True, which is why I originally recommended a wireless router with a real wireless-to-wired isolation feature.

John Navas
