Creating separate networks with current router

Hi, is it possible to create distinct networks (2..3) using a single router and IP connection?

We currently have a wireless LAN working and plan on renting some rooms to students who want to hook up to the web. Because the foreseeable stay will be short, we do not want to add an additional ADSL line.

To preserve security, I thought of adding dedicated LAN networks and assign them to each student. Would that work? Is there a simple work-around?

TIA for any suggestions, Mark

msch-prv

snipped-for-privacy@bluewin.ch hath wroth:

Yes, but don't bother. You have bigger problems.

This is a very common problem that has been solved many times by everything from coffee shop wireless networks to schools. The basic problem is that 802.11 wireless is bridging, not routeing. Therefore, the wireless really knows nothing about IP addresses and dividing a network by subnets. It can divide a network using VLANs, but that becomes an administrative problem.

The basic requirement is to isolate each connection. It's sometimes called "AP isolation" or more correctly "client isolation". This prevents any packets from going between clients. Everything goes to or from the internet.

The way the local college does it may be a bit of overkill.

formatting link
are assigned an IP address via a DHCP server. The MAC address of their router or PC/Mac is stored in a RADIUS authentication database. Individual users must also authenticate with the RADIUS server to get past the router. Most residents have cheap routers, with the MAC address of the router setup as registered hardware. They can do whatever they want behind their own router.

I'm not sure what you mean by a "short stay". If that's only a few days, then I would look into a commercial (or home made) wireless hotspot system.

formatting link
it's more like several months of the skool year, then something more like the previously mentioned university system would be more appropriate.

Jeff Liebermann

If you're going to ask questions about a router, at least say what MODEL router!

Some routers like a Linksys WRT54GS can load a 3rd party firmware. Those firmware often include the ability to set up virtual LAN (vlan) configurations, along with iptables routing restrictions. Then you'd also have to set up the necessary DHCP or other static address info. But bear in mind this is targeted toward the WIRED ports on the switch, not wireless. It might be possible to perform more fine-grained control over multiple client machines over the single wireless link but it'd be a bit complicated to manage. You could also put separate wifi access points on the wired ports. This would be "better" but would also present some wifi configuration issues like overlapping channels and coverage. But putting them on their own WPA-secured access point, separate from your other one, and then setting up a VLAN controlling that access point's connection would probably handle it. Not for the inexperienced but not impossible either, provided you've got the right equipment.

Bill Kearney
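
The VLAN-plus-iptables restriction described in the post above, sketched as an added example (not part of the thread and not any poster's configuration). The interface names `ppp0` and `vlan3`..`vlan5` and the chain names are assumptions; the script only prints the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example: print iptables rules that isolate per-student VLANs.
# All interface names are assumptions; use the names your firmware reports.
WAN_IF="${WAN_IF:-ppp0}"                     # assumed: ADSL/PPPoE uplink
GUEST_IFS="${GUEST_IFS:-vlan3 vlan4 vlan5}"  # assumed: one VLAN per student

gen_isolation_rules() {
    # Dedicated chains, jumped to first, so existing firmware rules
    # cannot accept guest traffic before these are evaluated.
    echo "iptables -N GUEST_FWD"
    echo "iptables -N GUEST_IN"
    echo "iptables -I FORWARD 1 -j GUEST_FWD"
    echo "iptables -I INPUT 1 -j GUEST_IN"
    for g in $GUEST_IFS; do
        # Guest -> internet, and replies to connections the guest opened.
        echo "iptables -A GUEST_FWD -i $g -o $WAN_IF -j ACCEPT"
        echo "iptables -A GUEST_FWD -i $WAN_IF -o $g -m state --state ESTABLISHED,RELATED -j ACCEPT"
        # Anything else from or to this guest (private LAN, other students).
        echo "iptables -A GUEST_FWD -i $g -j DROP"
        echo "iptables -A GUEST_FWD -o $g -j DROP"
        # The router itself: guests get DHCP and DNS, not the admin interface.
        echo "iptables -A GUEST_IN -i $g -p udp --dport 67 -j ACCEPT"
        echo "iptables -A GUEST_IN -i $g -p udp --dport 53 -j ACCEPT"
        echo "iptables -A GUEST_IN -i $g -p tcp --dport 53 -j ACCEPT"
        echo "iptables -A GUEST_IN -i $g -j DROP"
    done
}

# Sanity check on the generated text: every guest interface must end in a
# DROP in both chains. Returns 0 when complete, 1 if a guest is left open.
rules_cover_all_guests() {
    rules=$(gen_isolation_rules)
    for g in $GUEST_IFS; do
        echo "$rules" | grep -q -- "-A GUEST_FWD -i $g -j DROP" || return 1
        echo "$rules" | grep -q -- "-A GUEST_IN -i $g -j DROP" || return 1
    done
    return 0
}

# Print for review; pipe to sh as root on the router to apply.
gen_isolation_rules
```

These rules separate routed VLAN interfaces only; clients sharing one wireless SSID are bridged by the access point before the packet filter sees their traffic, so they still depend on the client isolation setting mentioned earlier in the thread.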

Thanks for your answers.

We have a small XP-home based LAN. I was looking for something simpler along the lines of changing the firewall or perhaps adding an additional router to segregate one network from the other. Would that make sense?

TIA, Mark

msch-prv

On Sun, 3 Sep 2006 12:51:41 -0400, "Bill Kearney" wrote:
: > Hi, is it possible to create distinct networks (2..3) using a single router and IP connection?
: >
: > We currently have a wireless LAN working and plan on renting some rooms to students who want to hook up to the web. Because the foreseeable stay will be short, we do not want to add an additional ADSL line.
: >
: > To preserve security, I thought of adding dedicated LAN networks and assign them to each student. Would that work? Is there a simple work-around?
:
: If you're going to ask questions about a router, at least say what MODEL router!
:
: Some routers like a Linksys WRT54GS can load a 3rd party firmware. Those firmware often include the ability to set up virtual LAN (vlan) configurations, along with iptables routing restrictions. Then you'd also have to set up the necessary DHCP or other static address info. But bear in mind this is targeted toward the WIRED ports on the switch, not wireless. It might be possible to perform more fine-grained control over multiple client machines over the single wireless link but it'd be a bit complicated to manage. You could also put separate wifi access points on the wired ports. This would be "better" but would also present some wifi configuration issues like overlapping channels and coverage. But putting them on their own WPA-secured access point, separate from your other one, and then setting up a VLAN controlling that access point's connection would probably handle it. Not for the inexperienced but not impossible either, provided you've got the right equipment.

The (relatively) new Linksys WRT54GP handles up to eight wireless VLANs. You can, for example, assign a separate WPA passphrase to each SSID. I've deployed four of these routers so far and found them to work well. The only tricky part is setting up the trunk for the wireless VLANs. I guess you'll need a managed switch, and that could run into some money. (Sorry to be vague, but our network engineer handled the trunk setup for me.)

You can read about the WRT54GP on the Linksys Web site. Oddly (IMO), what they emphasize is the router's native POE capability, not the VLANs.

Robert Coe

Sorry, the router is Prestige 660HW-61 ZyXel (I live in Switzerland, so I don't know if there is something similar in the US)

msch-prv

Do you have a URL? The web site's search engine doesn't know about it.

Neill Massello

On Sun, 03 Sep 2006 22:22:09 GMT, snipped-for-privacy@earthlink.net (Neill Massello) wrote:
: Robert Coe wrote:
:
: > You can read about the WRT54GP on the Linksys Web site.
:
: Do you have a URL? The web site's search engine doesn't know about it.

I'm sorry; I misspoke. It's an access point, not a router. So I guess the model number is WAP54GP. That shouldn't make it any less usable for the purpose under discussion.

Robert Coe
