We have a small network with about 30 users in a Mac environment. We have a wireless router connected to our network. I was asked to set up a small WAP for our conference room. It won't be open, but we don't want anybody who uses this WAP to see any resources on our other WAP, only internet access. Is this a complex setup? If not, please send recommendations.
On Tue, 9 Dec 2008 11:22:12 -0600, "UseNet" wrote in :
Most straightforward way to do this on the cheap:
Main wireless router with VLAN support
Attach the WAP to a specific port on the main wireless router
Establish a VLAN between the WAP port and the Internet
If, like most low-end products, your existing wireless router doesn't have VLAN support, but can run DD-WRT, you can use DD-WRT to do this.
But the approach I recommend is to replace your main wireless router with a more capable wireless router designed to do this. While my personal favorite is SonicWALL (TZ150/TZ170), the less expensive NETGEAR WG302 can also do this.
To hopefully clarify, in the line immediately above, I believe "the WAP port" refers to the "specific port on the main wireless router" to which the WAP is connected, and "the Internet" refers to the WAN port on the main wireless router.
"UseNet" wrote in news:wFA%k.7960$ snipped-for-privacy@nlpi069.nbdc.sbc.com:
If they are going to decide to spend any money, here's another solution.......
Mikrotik (mikrotik.com) offers many different 'RouterBoards', which come with their 'RouterOS'. The least expensive model is the RB450, which is a 5 port rtr/switch. You can buy it all over the web, bare board or in a small nifty enclosure. For under $100 enclosed w/pwr supply, you get a very effective routing device that is not too dissimilar to a Cisco or Enterasys device.
I've just recently started using a few of these, and I'll tell you, it is unbelievably powerful given the *very* low cost (relative to its capabilities).
(Essentially, they are SBCs that run an embedded version of Linux, and Mikrotik has created a command-line management interface application that gives you access and configurability to the advanced routing and networking components of the Linux kernel. There's a GUI config tool as well.)
The device would be connected between the LAN you want to use for the internet connection, and the already existing WAP. One side of the rtr to the existing LAN, the other to the existing AP. The existing LAN would effectively become the gateway for internet traffic for the wireless network.
The rtr is configured with one interface on the LAN with a LAN IP. Another rtr interface goes to the AP, on a completely different subnet. The rtr can also have its default gateway set to the LAN d g/w. The rtr would do DHCP for the AP network/subnet. DHCP would issue the rtr's AP network interface as the clients' d g/w.
Existing LAN              RB450                   WAP      -----(clients)
[192.168.1.x]             [.1.254 & .100.1]       .100.2        .100.50 - .100.100
Def. g/w = .1.(d g/w)     DHCP to wireless --->
DNS = .1.x DNS
The rtr would need to be configured with a few rules.....
Maybe just one: it would be set to only accept packets destined for the LAN default gateway, which is the ultimate point of internet access. All other packets would be dropped. This would isolate the LAN resources from the WLAN.
The only other caveat would be that the device that is the ultimate point of internet access be capable of having static routes added to it. This is needed so return internet traffic destined for the WLAN will know where to go when it gets back. I'm sure most Linksys cable/DSL rtrs have that capability.
(And if not, the LAN side of the RB450 rtr can be configured to NAT the WLAN anyway, so return traffic would always go to a LAN IP anyway, so no route needed.)
Of course, this is the geeky way to do it, but very effective.
Then, there's the cheap way. $30-$40. Some routers have a dedicated "guest" type account built in. I have a few customers with a MyEssentials ME-1004R wireless router.
It has provisions for two WPA phrases. One gives access to the wired LAN and other wireless devices. The guest WPA pass phrase only gives access to the default gateway, and on to the internet. Download the manual and see page 52.
Like all good and cheap things, it's lacking in some features. There's no bandwidth control so you can't prevent the guest account from hogging all your bandwidth. There's no easy way to enable/disable the guest account after hours (i.e. cron). Lastly, MyEssentials is owned by Belkin, which is not famous for fabulous quality, updates, or support.
Back to the original question.... One thing to remember is that 802.11 wireless networking is all done on the MAC layer, not the IP layer. In order to have packets going only to a designated IP address (i.e. the internet gateway) you need to have the work done on the IP layer. That requires a router, which is exactly what you will NOT find inside a WAP (wireless access point). Therefore, just adding a WAP to an existing router will not do what you want. The router has to have the necessary features, not the WAP.
Skipping the intermediate solutions, there is also the "wireless switch". These are a central wired router, with all the features and functions necessary for central management, monitoring, and control, with very simple WAPs attached to each port. It's like the proposed solutions expanded beyond your imagination and budget. While these are probably overkill, it might be useful to read the docs and see if there's anything they offer you might find useful. Some random examples:
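As an added illustration (my own code, not from DanS's post, Jeff's post, or MikroTik), here is a small Python model of the forward policy DanS sketches for the RB450 and of the point Jeff makes above: the guest/office separation has to be decided at the IP layer by a router, not by the access point. It uses the subnets from DanS's diagram; the LAN gateway address 192.168.1.1, the "file server" host and the packets are constructed. It also goes one step beyond the thread's single rule by dropping LAN-initiated traffic toward the guest subnet, and includes the NAT alternative DanS mentions in place of a static route.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Addresses taken from the diagram in DanS's post; the gateway's last octet
# (".1.(d g/w)") is not given there, so 192.168.1.1 is an assumption.
LAN_NET = IPv4Network("192.168.1.0/24")        # existing office LAN
GUEST_NET = IPv4Network("192.168.100.0/24")    # WLAN behind the RB450
LAN_GATEWAY = IPv4Address("192.168.1.1")       # assumed: the cable/DSL router
ROUTER_LAN_IP = IPv4Address("192.168.1.254")   # RB450, LAN side
ROUTER_GUEST_IP = IPv4Address("192.168.100.1") # RB450, WLAN side (clients' default gateway)


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    in_iface: str              # "wlan" (from the AP) or "lan"
    established: bool = False  # reply to a connection already in the router's state table


def forward_decision(pkt: Packet) -> tuple[str, str]:
    """Evaluate the router's forward chain; first match wins.

    Returns ("accept" | "drop", rule name).  Rule 2 is the one rule DanS
    describes; rule 3 is the companion rule that keeps LAN hosts from
    opening connections toward guests, which the thread does not mention.
    """
    rules = [
        ("1 established/related",
         lambda p: p.established, "accept"),
        ("2 guest -> LAN host (isolation)",
         lambda p: p.in_iface == "wlan" and p.dst in LAN_NET and p.dst != LAN_GATEWAY, "drop"),
        ("3 LAN -> guest (isolation, other direction)",
         lambda p: p.in_iface == "lan" and p.dst in GUEST_NET, "drop"),
        ("4 guest -> default gateway / internet",
         lambda p: p.in_iface == "wlan", "accept"),
        ("5 default",
         lambda p: True, "drop"),
    ]
    for name, match, action in rules:
        if match(pkt):
            return action, name
    raise AssertionError("unreachable: rule 5 always matches")


def srcnat(pkt: Packet) -> Packet:
    """Masquerade guest packets leaving the LAN side behind the router's LAN
    address, so the internet router sees a LAN source and needs no static
    route back to 192.168.100.0/24 (the alternative DanS mentions)."""
    if pkt.in_iface == "wlan" and pkt.src in GUEST_NET:
        return Packet(ROUTER_LAN_IP, pkt.dst, pkt.in_iface, pkt.established)
    return pkt


def isolation_check() -> dict[str, str]:
    """Run constructed packets through the policy and return the verdicts."""
    guest = IPv4Address("192.168.100.50")
    file_server = IPv4Address("192.168.1.20")   # constructed LAN host
    internet = IPv4Address("203.0.113.10")      # documentation range, stands in for a web site
    cases = {
        "guest->internet": Packet(guest, internet, "wlan"),
        "guest->gateway": Packet(guest, LAN_GATEWAY, "wlan"),
        "guest->file server": Packet(guest, file_server, "wlan"),
        "file server->guest": Packet(file_server, guest, "lan"),
        "internet reply->guest": Packet(internet, guest, "lan", established=True),
    }
    return {name: forward_decision(p)[0] for name, p in cases.items()}


if __name__ == "__main__":
    for name, verdict in isolation_check().items():
        print(f"{name:24s} {verdict}")
    print("NAT'd source:", srcnat(Packet(IPv4Address("192.168.100.50"),
                                          IPv4Address("203.0.113.10"), "wlan")).src)
```

The order of the rules is the whole point: the "established" rule has to sit first, or the reply from the web site would be dropped by rule 3, which is the sort of detail John Navas means when he says VLAN-style isolation is easy to get subtly wrong. Running the check after every rule change is a cheap way to catch that.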
On Tue, 9 Dec 2008 22:25:21 +0000 (UTC), DanS wrote in :
If and only if you get it exactly right, and are prepared to keep it current indefinitely, which is why I recommend using a finished and supported product over any roll-your-own solution.
On Wed, 10 Dec 2008 12:16:53 +0000 (UTC), DanS wrote in :
What I'm saying is that it's hard to get it right even with real expertise, much less no real expertise, and hard to keep it updated to deal with new threats. Thus roll-your-own is not a good option for most people, who are much better served by products "finished and supported" by experts.
Trying to go cheaper is simply false economy. You have to consider the total cost of ownership, including the cost of making a mistake and being compromised. Jeff's suggestion of the basic My Essential ME-1004R is only $30-40. My suggestion of the more capable and powerful NETGEAR WG302 is about $150, which is still affordable for even a small business of value.
Respectfully, what gives you such confidence in the above-mentioned vendors' products considering the history of 'try a firmware upgrade to fix it', 'yes, they have poor customer support but what do you expect in a commodity router', 'indeed, it uses Linux under the hood but they seem to flout the GPL', etc., etc. from commodity WiFi vendors? The considerable interest in open-source replacement firmwares and even hardware hacks IMHO testifies to a need to be skeptical of the 'trust the big vendor's expertise' philosophy. Or are you suggesting that somehow if compromised, a user has legal standing to seek damages from such a vendor and that for issues of liability a roll-your-own solution isn't practical?
It seems to me that for the most part, Jeff suggests DD-WRT on appropriate hardware as a platform for many solutions in preference to the stock product offerings.
Do you have some studies that support your claim? This is certainly a real issue that deserves scrutiny and I hope that you'll indulge a little more probing ;)
On Wed, 10 Dec 2008 11:39:10 -0600, msg wrote in :
I don't have great confidence in them in general -- some are of course better than others -- I just have a lot more confidence in them than in the skills of the average person.
I think it has more to do with (a) hacking fun factor, (b) feature envy, and most important (c) cheapness.
There's little real evidence that any given replacement firmware is secure and reliable; if anything, just the opposite.
Replacement firmware is daunting for the average user, especially for something tricky like VLAN isolation -- it's not simple and easy.
No.
In some cases, yes; in other cases, no. I don't speak for him, but I think it's more accurate to say his generally preferred solution is better equipment. And Jeff is a professional, not an average user.
With all due respect, the burden of proof is on proponents of replacement firmware, not those skeptical of its suitability for average users.
John Navas wrote in news: snipped-for-privacy@4ax.com:
So what are you trying to say? That Mikrotik products are unsupported? And a roll-your-own solution? Far from it. Taking a typical consumer rtr and flashing DD-WRT on it is totally an unsupported roll-your-own solution. RouterOS is far more capable than any standard commodity cable/DSL rtr.
On Thu, 11 Dec 2008 12:43:37 +0000 (UTC), DanS wrote in :
Just what I actually wrote.
Configuring a router with "a few rules" is roll-your-own ("the geeky way to do it" in your words), and MikroTik is a Latvian company with no presence in the USA.
That may be, but it's not a simple and straightforward solution that's suitable for the average user or small business. I wouldn't recommend that route (pun intended) without hiring a local expert like Jeff to approve, assemble, configure and support it.
About what? That fly by the seat of your ass is a good idea? ;)
That it works for knowledgeable folks like you is cool, but doesn't necessarily mean it's a good idea for average folks.
John Navas wrote in news: snipped-for-privacy@4ax.com:
No, it's not a roll-your-own solution. It's a COTS product. Plug in and configure and use. No 'roll-your-own' involved. I said you *could* buy it w/o an enclosure....if that was desired.
("the geeky way
So only US companies can have good products? If what you mean by no presence is that they don't have headquarters here, yeah, so. If you meant that no one uses those products in the US, you are sadly mistaken.
Actually, it IS a simple solution. And yes, it is straightforward. You have to configure the exact same things as if you were using a commodity rtr, except for adding 1 rule. And, it's obvious that if a company has 30 users, there has to be someone taking care of the network, whether it be an internal geek worker, or some company/consultant they hire.
No...that you are an ass.
I didn't say it was good for everyone, but an option that would work with the stated requirement. Nothing more, nothing less.
On Thu, 11 Dec 2008 19:25:09 +0000 (UTC), DanS wrote in :
Your straw man arguments were off point, failing to address my points. You had nothing persuasive to say, so you stooped to ad hominem, thus conceding the discussion.
No, it's not a roll-your-own solution. It's a COTS product. Plug in and configure and use. No 'roll-your-own' involved. I said you *could* buy it w/o an enclosure....if that was desired.
So only US companies can have good products? If what you mean by no presence is that they don't have headquarters here, yeah, so. If you meant that no one uses those products in the US, you are sadly mistaken.
Actually, it IS a simple solution. And yes, it is straightforward. You have to configure the exact same things as if you were using a commodity rtr, except for adding 1 rule. And, it's obvious that if a company has 30 users, there has to be someone taking care of the network, whether it be an internal geek worker, or some company/consultant they hire.
There you go.....black and white.....your comments and my points un- snipped.....
What, do you think I'd forget what I said or that you can't go back and look at the earlier posts.....YOU are the one failing to address MY points, as seen by YOUR creative snipping.