Wireless Network in Public Places Options

What are the options for setting up a public wifi network where each person who connects can't see the other people in Network Neighborhood, or even ping them, using one wireless router?

Any suggestions?

Reply to
Smowk

"Robert Jacobs" wrote in news:40BOd.15481 $uc.9265@trnddc02:

This is for security in a hotel, with users who don't know how to do that kind of stuff, and the hotel staff doesn't want to interfere with any sharing, etc., of their work files, so that when they go home, all their mapped drives, etc., are still there.

Reply to
Smowk

Use DHCP to provide IP addresses, and simply do *not* route to those addresses, but *only* to an Internet gateway.

Reply to
Floyd L. Davidson

As Lucas said, block the NetBIOS file sharing ports (135, 137, 138, 139 and 445). This will not block a ping. Ping is a different protocol. Blocking every port won't block a ping.

Reply to
Jerry Park

The user would need to take it upon himself to have a firewall installed on his computer to protect him from other wireless network users. Windows XP has a built-in firewall, and there are many free-for-personal-use ones available, such as Zone Alarm. --- Steve

Reply to
Steven L Umbach

I would just disable File and Printer sharing....

Reply to
Robert Jacobs

Smowk wrote in news:Xns95F8F2066A03ESmowkieBandit@216.196.97.131:

Just ensure that the Access Point you purchase has a protocol filter. Filter the Windows File Sharing Ports (Netbios).

Reply to
Lucas Tam

Lucas Tam wrote in news:Xns95F99FF5D78Bnntprogerscom@140.99.99.130:

A smart person would still be able to scan IPs and connect that way.

Reply to
Smowk

snipped-for-privacy@barrow.com (Floyd L. Davidson) wrote in news: snipped-for-privacy@barrow.com:

What type of router would support this specifically?

Reply to
Smowk

"Steven L Umbach" wrote in news: snipped-for-privacy@tk2msftngp13.phx.gbl:

Well, it's a hotel; hospitality is our #1 priority. We want to provide the security for them, and not have to have them do anything...

Reply to
Smowk

How are you going to connect if the port you need to connect with is closed?

Reply to
Jerry Park

This is messy but doable. However, I don't think it can be done by any of the cheapo wireless routers. The reason is that wireless is really bridging, not routing. As has been suggested, you could do the trick by tweaking the router's routing table to send literally everything from the various clients to the default gateway, with nothing going to anything on the LAN IP block. However, with a few minor routing commands on the client machine they instantly can "see" the other wireless users. That's because the router is NOT located between users, just between the users and the internet. Between the users is a simple ethernet bridge (actually a switch or multi-port bridge).

Perhaps an easier way to visualize the problem is to just remove 802.11 wireless from the puzzle temporarily, and just deal with the wired equivalent components. After all, 802.11 is nothing more than encapsulation of 802.3 ethernet packets. What goes in and out of wireless is just ethernet. So, you have a common 4-port unintelligent ethernet switch and a router to the internet. Effectively, you've asked how one prevents PCs plugged into the ethernet switch from seeing each other. That's not possible without some intelligence at the bridging level (Layer 2) in the switch. The router is out of the circuit between PCs and has no effect on traffic between PCs. It's just plugged into yet another port on the unintelligent ethernet switch.

Well, the way this is done is to disable the dynamic bridging table feature of the switch, and implement a static bridging table. Each wireless MAC address goes to a specific ethernet port, which only allows traffic to one other ethernet port, which conveniently happens to be that of the router. Without the ability to add additional MAC-address-to-ethernet-port mappings, everything from a wireless client goes to one place. Again, note that this must happen at the bridge level (Layer 2), and not via IP routing (Layer 3).

Intelligent (or at least configurable) bridging is a common feature in radios used by WISPs (wireless ISPs). WISPs do not want their wireless customers to "see" each other. They also don't want users to turn their wireless networking into their private game network, where none of the packets ever go to the internet, and where the router has no control over traffic. Same with trojan-infected machines that scan the wireless LAN for exploitable PCs and open shares, which also never hit the internet.

I think (not sure) that some of the higher end switch/routers made for wireless hot spots do this by default.

I haven't played with these.

Reply to
Jeff Liebermann
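As an added illustration of the Layer 2 point made above (this is not code from the thread or from any product mentioned), here is a small Python model of a bridge's forwarding decision, contrasting an ordinary learning switch with the static isolation table Jeff describes; the port names and MAC addresses are constructed for the demo.

```python
# Added example (not from the thread): a toy model of a bridge's forwarding decision.
# An ordinary switch learns MAC -> port dynamically and forwards between any ports;
# the isolating bridge uses a static table and lets client ports reach only the
# router port. Port names and MAC addresses below are constructed for the demo.

ROUTER_PORT = "port0"                 # the one port that leads to the router/Internet
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Bridge:
    def __init__(self, ports, isolate_clients, static_table=None):
        self.ports = list(ports)
        self.isolate_clients = isolate_clients
        # With isolation on, the admin supplies MAC -> port and learning is off,
        # so a client cannot get itself (or a spoofed MAC) mapped anywhere else.
        self.table = dict(static_table or {})

    def forward(self, src_mac, dst_mac, in_port):
        """Return the sorted list of egress ports for one frame ([] = dropped)."""
        if not self.isolate_clients:
            self.table[src_mac] = in_port                  # dynamic learning
        if dst_mac == BROADCAST or dst_mac not in self.table:
            out = [p for p in self.ports if p != in_port]  # unknown/broadcast: flood
        else:
            out = [self.table[dst_mac]]
        if self.isolate_clients and in_port != ROUTER_PORT:
            # Layer 2 policy: a client port may only talk to the router port.
            out = [p for p in out if p == ROUTER_PORT]
        return sorted(p for p in out if p != in_port)


def guest_scenario(isolate_clients):
    """Guest A (port1) tries to reach guest B (port2) and the router (port0)."""
    a, b, router = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:01"
    static = {a: "port1", b: "port2", router: ROUTER_PORT}
    br = Bridge(["port0", "port1", "port2"], isolate_clients,
                static if isolate_clients else None)
    if not isolate_clients:
        br.forward(b, router, "port2")        # B and the router have been seen,
        br.forward(router, b, ROUTER_PORT)    # so the learning switch knows them
    return {
        "arp_from_a": br.forward(a, BROADCAST, "port1"),    # A's broadcast ARP
        "a_to_b": br.forward(a, b, "port1"),                # ping/SMB to guest B
        "a_to_router": br.forward(a, router, "port1"),      # Internet-bound traffic
        "router_to_a": br.forward(router, a, ROUTER_PORT),  # reply from the router
    }


if __name__ == "__main__":
    print("learning switch:  ", guest_scenario(False))
    print("isolating bridge: ", guest_scenario(True))
```

Note that on the isolating bridge the A-to-B frame is dropped even though it carries guest B's real MAC address, which is why a client editing its own IP routes gets nowhere: the policy is enforced below the IP layer.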

Fairly easily with LinkSys WRT54G(S) routers.

I'm not sure if it is possible to get the right route table configuration using the LinkSys firmware, but certainly with Sveasoft or HyperWRT firmware it is not difficult to do.

Welllll... the WRT54G is actually routing, and has three network interfaces, one each for wireless, the LAN switch (with 4 ports), and another for the single WAN/Internet port. That last one is what makes it possible.

Won't work with this example though.

Except that isn't true on the WRT54G!

Here's a route table copied from a WRT54G which will not allow packets to be routed between anything on the 192.168.1.0 subnet, but will send everything to a firewall on the 192.168.0.0 subnet if it is connected via wired ethernet on one of the LAN ports of the WRT54G:

Kernel IP routing table
Destination     Gateway         Genmask          Flags ... Iface
192.168.0.2     *               255.255.255.255  UH    ... br0
192.168.1.0     *               255.255.255.0    U     ... vlan1
192.168.0.0     *               255.255.255.0    U     ... br0
127.0.0.0       *               255.0.0.0        U     ... lo
default         192.168.0.2     0.0.0.0          UG    ... br0

Without the route to the vlan1 (the WAN port) interface, all of the 192.168.1.0 traffic was going to br0 (the bridge to the LAN switch, which also connects to the wireless port, vlan0). By routing that subnet to vlan1, and assigning an IP address on that subnet to the bridge (192.168.1.2 in this particular case), it prevents any traffic on that subnet from going to the bridge. It does allow traffic from wireless to the wired LAN though, for the subnet 192.168.0.0, so anything in that address range has to be hardened.

I would also expect that the default route could also be to vlan1, but haven't actually tried that. The results should be the same.

Here's the output of ifconfig on the router, just for information, edited to remove at least some of the useless parts. Note there are three unique MAC addresses, and (the lo device excluded) two of them have assigned IP addresses (br0 and vlan1, the LAN and WAN ports respectively):

br0       Link encap:Ethernet  HWaddr 00:12:17:27:FE:B8
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0

eth0      Link encap:Ethernet  HWaddr 00:12:17:27:FE:B8

eth1      Link encap:Ethernet  HWaddr 00:12:17:27:FE:BA

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0

vlan0     Link encap:Ethernet  HWaddr 00:12:17:27:FE:B8

vlan1     Link encap:Ethernet  HWaddr 00:12:17:27:FE:B9
          inet addr:192.168.0.3  Bcast:192.168.255.255  Mask:255.255.0.0

wds0.2    Link encap:Ethernet  HWaddr 00:12:17:27:FE:BA

wds0.3    Link encap:Ethernet  HWaddr 00:12:17:27:FE:BA

Whether this can be done on any other wireless router I don't know. It requires a router that will route 192.168.0.0 addresses, and with separately routed ports for the wireless and wired network.

Reply to
Floyd L. Davidson

Very good explanation, Jeff!

I was under the impression that some of the wireless protocols themselves had some kind of "privacy features" built into them that did just what the guy is asking about. This is why some home users add a wireless element to the already "wired" home LAN and then complain that their laptop on the wireless can see all the wired machines on their LAN just fine but nothing on the wired can see the laptop on the wireless. I wasn't sure enough to say anything earlier, but doesn't a lot of wireless equipment have some sort of privacy features built into it?

Reply to
Phillip Windell

Smowk wrote in news:Xns95F957B288965SmowkieBandit@216.196.97.131:

Well, if you've blocked the File Sharing Points on the AP... the person can't connect!

Reply to
Lucas Tam

Jeff Liebermann wrote in news: snipped-for-privacy@4ax.com:

Yeah, but we would have to register all of the MAC addresses of the guests who use the hotel's wifi and set it up manually for each new user (around 20 or so per day in peak season).

Right?

Other than that, I agree with Phil... VERY GOOD EXPLANATION

smowk

Reply to
Smowk

Relatively easy to do with LinkSys equipment.

Reply to
Floyd L. Davidson

I would contact the various manufacturers to see if they have a device that can isolate wireless users. The WAPs that I know of will not do such. D-Link has some Hot Spot products, but they did not have any manuals to download. Cisco would be someone to look at. Maybe someone at CDW would know if they have a product that would do what you need. Make sure you are very specific about your needs, take the names of who you talked to/ordered from, etc. --- Steve

Reply to
Steven L Umbach

"Steven L Umbach" wrote in news:Od9prQ#DFHA.3368 @TK2MSFTNGP10.phx.gbl:

We have an acct with CDW... I'll look into it.

Reply to
Smowk

Buffalo's products also have a "privacy separator" option that supposedly bars communication between wireless clients.

Reply to
Neill Massello

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.