Would like to have open wireless AP

My home setup is a Linksys WRT54G reflashed with Sveasoft Alchemy 3.37. Various devices use the wireless and wired router ports.

What's the best way for me to set up an additional access point that's open to visitors for internet use but where they can't see the rest of my network? I would still need to keep the existing secured AP.

All I can think of so far is that I've got an old Adaptec wireless access point designed to extend wired Ethernet networks to wireless-enabled devices. I haven't used it for a while but I think it's a fairly dumb box. If I plugged it into a spare wired port on the Linksys it would offer a new AP and appear as a local IP address to the rest of the network. I don't understand how VLANs work but the Linksys can support them, so it could be on its own VLAN if necessary. I can SSH into the Linksys box and change its iptables rules and other command-line stuff, not that I know how to use iptables or what it is capable of.

So does any of this help me achieve an additional separate open AP? The only other thing I can think of is to add a PC running a software firewall into the equation, and I don't really want to do that on grounds of noise, space, heat, etc.

Joe

Joe Harrison

You need the ISP data (gateway, DNS, DHCP, subnet mask), then set up your systems to have static IP addresses OR map your NIC MAC addresses to fixed IP addresses, and each system declares a firewall rule to trust all your static addresses, e.g. allow I/O 192.168.0.1--192.168.0.4 for TCP+UDP, all ports. You can then set up file/print sharing and your systems will be fine.

The default rule is always to deny, and any wireless on your net will get (via DHCP) addresses above your last system and thus not be able to access anything BUT the internet itself.

Jeff B

Since posting earlier today I went ahead and plugged it all together. It does work: I now have one (built into the Linksys) secure AP with MAC filtering and encryption, and one completely open AP courtesy of the Adaptec box, which is wired into one of the four Linksys ports.

Most of my systems do have 192.168.1.x private static addresses, including the new AP. Are you suggesting that I now need to build a firewall on each internal system configured to trust each of the legit 192.168.1.x addresses? I was hoping not to have to do that. What I really would like is something that tells the Linksys switch that any traffic on port 3 (the open AP) can see the ISP and use the internet but not talk to any of the other Linksys ports.

I've started on the iptables tutorial but it's hard going! Also, supposing I could create a suitable configuration change such as a new iptables rule, I can't figure out how to save it into the "linux filestore" flash memory so that it will persist across power outages.

Joe Harrison
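As an added example (not from the thread), this is the kind of iptables rule set that gives the Linksys the "port 3 only sees the ISP" behaviour asked about above. It assumes the open AP's switch port is first moved into its own VLAN (the thread notes the Linksys supports them); the interface names vlan1/vlan2/br0 and the 192.168.2.0/24 guest subnet are assumptions.

```shell
#!/bin/sh
# Assumed layout (not from the thread): the switch port carrying the open
# Adaptec AP is placed in its own VLAN, seen by Linux as interface vlan2 with
# guest subnet 192.168.2.0/24; the private LAN is br0 / 192.168.1.0/24; the
# ISP uplink is vlan1. Check `ifconfig` on the router for the real names.
# NOTE: while the AP shares the LAN switch ports and the 192.168.1.x subnet,
# guest frames are switched at layer 2 and never reach iptables, so the
# separate VLAN is what makes these rules effective at all.
GUEST_IF=vlan2
GUEST_NET=192.168.2.0/24
LAN_NET=192.168.1.0/24
WAN_IF=vlan1

# Emit (not apply) the rules, so they can be reviewed before running them.
guest_rules() {
    cat <<EOF
# Guest -> elsewhere: refuse the private LAN, allow only the Internet uplink.
iptables -N GUEST_FWD
iptables -A GUEST_FWD -d $LAN_NET -j DROP
iptables -A GUEST_FWD -o $WAN_IF -j ACCEPT
iptables -A GUEST_FWD -j DROP
iptables -I FORWARD 1 -i $GUEST_IF -j GUEST_FWD
# Guest -> the router itself: only DHCP and DNS, no admin web page or SSH.
iptables -N GUEST_IN
iptables -A GUEST_IN -p udp --dport 67 -j ACCEPT
iptables -A GUEST_IN -p udp --dport 53 -j ACCEPT
iptables -A GUEST_IN -p tcp --dport 53 -j ACCEPT
iptables -A GUEST_IN -j DROP
iptables -I INPUT 1 -i $GUEST_IF -j GUEST_IN
# Guests need their own NAT entry to reach the ISP.
iptables -t nat -A POSTROUTING -s $GUEST_NET -o $WAN_IF -j MASQUERADE
EOF
}

# Sanity check: the guest forward chain must end with a catch-all DROP, so
# anything not explicitly allowed (say, a second LAN subnet added later)
# is denied by default rather than let through.
rules_default_deny() {
    guest_rules | awk '
        /^iptables -A GUEST_FWD/ { last = $0 }
        END { exit (last == "iptables -A GUEST_FWD -j DROP") ? 0 : 1 }'
}

guest_rules
# To apply on the router:  guest_rules | sh
# To survive a reboot: Sveasoft/DD-WRT style firmware runs the shell text in
# the nvram variable rc_firewall after building its own firewall, so
#   nvram set rc_firewall="$(guest_rules)"; nvram commit
# keeps it in flash (assumption: confirm the variable name on Alchemy 3.37).
```

Return traffic from the ISP to guests is handled by the router's existing ESTABLISHED/RELATED rule in FORWARD, which these rules leave in place.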

Then you'll need a router which has firewall capability, or a router + a firewall 'appliance', like this:

1) modem --- router --- router with firewall --- one/more systems | AP | wireless

2) modem --- router --- firewall -router- --- one/more systems | AP | wireless

Jeff B

Since you don't have a firewall, only a NAT/wireless router, you need to have two of them in series if you want to use those types of devices:

INTERNET || PUBLIC DEVICE || INTERNAL DEVICE

So, you would set up the public device so that users enter a WPA-PSK key when they want to use your network. This is not quite open, but it means that everyone you give the key to can access the network.

Since the public device does NAT it means anyone connecting can get to the Internet.

Now, the internal device is also a NAT, and it has its WAN port connected via fixed IP to the LAN of the PUBLIC DEVICE. This also means that the public users can get INTO your INTERNAL LAN unless you port forward inbound to the internal LAN. Your internal LAN can get out without any issues.

So, two NAT routers for $50 each and you have a poor man's DMZ/LAN network.

Leythos
