UK diy (uk.d-i-y) For the discussion of all topics related to diy (do-it-yourself) in the UK. All levels of experience and proficiency are welcome to join in to ask questions or offer solutions.

  #1   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 167
Default Separating Wired and Wireless Networks

Hi all

OK so this is maybe a bit OT for the group, but here goes.

I've never been a fan of wireless, so cabled the house up with Cat 5 to
a number of rooms. There are clearly now numerous devices that will
only connect wirelessly and I am under pressure to add a WAP.

I've inherited a Netgear DG834G wireless router, our existing network
uses the wired version of this device. I have set up the wireless
router as a WAP OK, but wondered if it is possible to configure it as a
DHCP server with a different address range to the wired router.

Not sure how much security this would add, but I'm inclined to do as
much as possible to separate the wireless network from certain wired
devices. The SSID of the WAP is hidden and MAC address filtering on
that router is in place.

Anyone setup a separate wired and wireless network?

TIA

Phil
  #2   Report Post  

I did have mine on separate routed networks with a firewall in between. But
it was more trouble than it was worth - particularly if I plugged my laptop
in and the IP changed and locked up all my ssh sessions.

In the end I merged them (WIFI in bridged mode).

In theory you can still stick a bridging firewall between them or make use
of whatever firewalling is in the WIFI AP - but having a flat IP space seems
to be less hassle - at least with my usage patterns.
--
Tim Watts Personal Blog: http://squiddy.blog.dionic.net/

http://www.sensorly.com/ Crowd mapping of 2G/3G/4G mobile signal coverage

Reading this on the web? See:
http://wiki.diyfaq.org.uk/index.php?title=Usenet

  #3   Report Post  

IIRC, the DG834G is an ADSL router, so it has 4 LAN ports and the WAN
side is via the ADSL modem, therefore unless you can obtain different
firmware that will allow you to change one of the LAN ports to a WAN
port, you can't do what you are thinking with this router...

To separate into two completely separate networks you either need a
"Cable" wireless router, that has a WAN Ethernet port, you would then
configure the WAN Ethernet port with an IP address in the range of your
current wired LAN and connect it to that, then configure the LAN of the
wireless router to a new range. While this will work most of the time,
it causes a double NAT, which can cause issues, especially with things
like VPN connections.

To do it properly, you either need an enterprise level firewall that can
manage all this in one box, like a SonicWall, or you need three "home"
routers, and multiple public IP addresses from your ISP.

The three routers way is where you have the primary router connecting to
your broadband, and then the two other routers connect to this, each
getting a different public IP address from the primary router, the
networks are then as separate as yours and mine are now.

--
Toby...
Remove pants to reply
  #4   Report Post  

Personally I wouldn't bother with NATs/firewalls internally. I have my
LAN and WLANs (two of them) on different subnets, and each wireless
router has its own DHCP server (it is authoritative for its own
subnet), but I have it all routed rather than NATted to make it easy,
and don't bother with firewalls internally. But then I'm in the sticks
at low risk of drive by hacking.

As an example, of why I want it set up this way - I have a print server
set up on one of my wireless networks - to be able to access it from the
other requires either routed network (or bridged) or some manual NAT
configuration (which just isn't worth the hassle).

Personally I favour the Linksys WRT54g series of APs - they're simple
and they just work. I also have some new fangled 802.11n TP-Link AP and
it's total crap - just can't hold a connection - I recently replaced it
with another wrt54g off ebay.
  #5   Report Post  

In article , Piers
scribeth thus

Personally I wouldn't bother with NATs/firewalls internally. I have my
LAN and WLANs (two of them) on different subnets, and each wireless
router has its own DHCP server (it is authoritative for its own
subnet), but I have it all routed rather than NATted to make it easy,
and don't bother with firewalls internally. But then I'm in the sticks
at low risk of drive by hacking.

As an example, of why I want it set up this way - I have a print server
set up on one of my wireless networks - to be able to access it from the
other requires either routed network (or bridged) or some manual NAT
configuration (which just isn't worth the hassle).

Personally I favour the Linksys WRT54g series of APs - they're simple
and they just work. I also have some new fangled 802.11n TP-Link AP and
it's total crap - just can't hold a connection - I recently replaced it
with another wrt54g off ebay.


Whichever route you go, make sure to use WPA rather than WEP
encryption. WEP is very easy to crack, WPA much less so...

WPA2 if it offers you the option...
--
Tony Sayer



  #6   Report Post  

On 01/08/2013 09:10, thescullster wrote:
Hi all

OK so this is maybe a bit OT for the group, but here goes.

I've never been a fan of wireless, so cabled the house up with Cat 5 to
a number of rooms. There are clearly now numerous devices that will
only connect wirelessly and I am under pressure to add a WAP.

I've inherited a Netgear DG834G wireless router, our existing network
uses the wired version of this device. I have set up the wireless
router as a WAP OK, but wondered if it is possible to configure it as a
DHCP server with a different address range to the wired router.


No need. The DG834 supports a "wireless isolation" option if you want.
Turn that on, and wireless clients won't be able to communicate with
each other, or with devices on the wired section of the LAN.

This may do what you want, but may also prove a bit restrictive.

Not sure how much security this would add, but I'm inclined to do as
much as possible to separate the wireless network from certain wired
devices. The SSID of the WAP is hidden and MAC address filtering on
that router is in place.

Anyone setup a separate wired and wireless network?


Yup, however if you want more flexibility, then having a more
sophisticated router helps. Something like a Vigor 2830 will let you
configure up to 4 SSIDs on the same WAP, and each can have different
levels of access - and can be allocated to separate VLANs as well. So
you can have things like guest wifi that can see the internet - perhaps
with upload and download rate limits in place, and no access to LAN
machines, and then a more privileged wifi that can see other machines
and has no limit etc.

(note that MAC address filtering does not really offer security as such
- since someone wanting access can simply sniff the MAC addresses that
are talking then clone one later. Hiding the SSID is also a fairly
feeble security measure in this day and age)


--
Cheers,

John.

/=================================================================\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\=================================================================/
  #7   Report Post  

If you want your wired and wireless devices to share the same internet
connection, they all really need to be in the same subnet. You could use
separate ranges within that if you were to allocate fixed addresses to
all the wired devices, and use DHCP to allocate a restricted
non-overlapping range of addresses for the wireless devices. If you then
used a software firewall (e.g. Zone Alarm) on each wired device, you
could define your 'home network' as just being the address range used by
the wired devices. They could then see each other, but the wireless
devices wouldn't be able to see them.
--
Cheers,
Roger
____________
Please reply to Newsgroup. Whilst email address is valid, it is seldom
checked.
  #8   Report Post  

On Thursday 01 August 2013 12:28 Roger Mills wrote in uk.d-i-y:

If you want your wired and wireless devices to share the same internet
connection, they all really need to be in the same subnet.


Why?

--
Tim Watts Personal Blog: http://squiddy.blog.dionic.net/

http://www.sensorly.com/ Crowd mapping of 2G/3G/4G mobile signal coverage

Reading this on the web? See:
http://wiki.diyfaq.org.uk/index.php?title=Usenet

  #9   Report Post  

Set one up a long while back, but not recently. So I am well out of date :-)

Back in the day you needed three things to create the setup you seem to
want - the classic De Militarised Zone or DMZ.

(1) Internet facing (firewall) router - any old NAT router will do. This
connects to the outside world and to the internal DMZ.

(2) House router with all your current cabled devices - this connects on
one side to the DMZ and on the other side to the house LAN.

(3) Wireless router - connects to the DMZ on one side and wireless devices
on the other.

The idea is that all your routers will not take incoming calls from the
WAN side, only call out from the LAN side.

So any wireless devices can call into the DMZ then out through the
firewall router to the Internet, but cannot call into the DMZ and then
into the house LAN router.

Same applies to calling from the house LAN to a wireless device.

Each router can run its own subnet and be a DHCP server for that subnet.
The nice thing about NAT is that it takes a single IP address on the WAN
side and maps all the different LAN IP addresses to and from that.

So in theory you can have a row of NAT routers all onto the same LAN each
with only one IP address, or you can cascade the NAT routers in a tree
structure.

Each router runs its own environment and shouldn't be dependent on any
other device apart from the one providing its WAN IP address.

Cheers

Dave R
  #10   Report Post  

On 01/08/2013 12:41, Tim Watts wrote:
On Thursday 01 August 2013 12:28 Roger Mills wrote in uk.d-i-y:

If you want your wired and wireless devices to share the same internet
connection, they all really need to be in the same subnet.


Why?


Because they need to be able to see the same gateway (usually the
router's LAN address).

I suppose there might be some scope for mucking about with subnet masks
so that not all devices see the same subnet 'width'.
--
Cheers,
Roger
____________
Please reply to Newsgroup. Whilst email address is valid, it is seldom
checked.


  #11   Report Post  

On 01/08/13 09:20, Tim Watts wrote:

I did have mine on separate routed networks with a firewall in between. But
it was more trouble than it was worth - particularly if I plugged my laptop
in and the IP changed and locked up all my ssh sessions.

In the end I merged them (WIFI in bridged mode).

In theory you can still stick a bridging firewall between them or make use
of whatever firewalling is in the WIFI AP - but having a flat IP space seems
to be less hassle - at least with my usage patterns.

+1 it ain't worth the hassle


--
Ineptocracy

(in-ep-toc-ra-cy) - a system of government where the least capable to lead are elected by the least capable of producing, and where the members of society least likely to sustain themselves or succeed, are rewarded with goods and services paid for by the confiscated wealth of a diminishing number of producers.

  #12   Report Post  

The Natural Philosopher :
On 01/08/13 09:20, Tim Watts wrote:
In theory you can still stick a bridging firewall between them or make use
of whatever firewalling is in the WIFI AP - but having a flat IP space seems
to be less hassle - at least with my usage patterns.

+1 it ain't worth the hassle


+ another 1

I tried it for a while with a spare router, but in the end it was more
trouble than it was worth. Complexity can be the enemy of security, and
IMO it's better (in an ordinary domestic environment) to keep things
simple. So, one flat network, and save your energy for securing the
wireless network.

--
Mike Barnes
  #13   Report Post  

On Thu, 01 Aug 2013 16:28:05 +0100, Roger Mills wrote:

On 01/08/2013 12:41, Tim Watts wrote:
On Thursday 01 August 2013 12:28 Roger Mills wrote in uk.d-i-y:

If you want your wired and wireless devices to share the same internet
connection, they all really need to be in the same subnet.


Why?


Because they need to be able to see the same gateway (usually the
router's LAN address).

I suppose there might be some scope for mucking about with subnet masks
so that not all devices see the same subnet 'width'.


As others have suggested, I'm not sure that you have fully grasped how
subnets and IP address ranges work.

Or conversely, you are expressing yourself in a way that is not clear.

I assume you know that a physical LAN (set of wires) can support several
logical LANs (IP subnets).

So for example one physical Ethernet network could support 192.168.0.0,
192.168.1.0, 192.168.2.0.

As long as the router can support multiple logical LANs then there is no
requirement for all your local devices to share the same subnet.

Alternatively you can put some of them behind a NAT router on a different
subnet.

In the OP's case it is highly desirable that they do not share the same
subnet, and if possible they use different NAT routers.

However many modern wireless routers can support multiple subnets - this
just doesn't give physical separation which is always a good idea.

Old style routers (business routers) would support a number of logical LANs
on a single physical LAN and route between them or block as required.

Cheers

Dave R
  #14   Report Post  

On 01/08/2013 20:55, David.WE.Roberts wrote:


I assume you know that a physical LAN (set of wires) can support several
logical LANs (IP subnets).

So for example one physical Ethernet network could support 192.168.0.0,
192.168.1.0, 192.168.2.0.

As long as the router can support multiple logical LANs then there is no
requirement for all your local devices to share the same subnet.


I'm not aware that ordinary domestic routers *can* support multiple
logical LANs, hence my reference to mucking about with subnet masks.

In the example you give, if you use the 'default' subnet mask of
255.255.255.0, all devices on the 168.0 subnet can see each other but
can't see anything on the 168.1 or 168.2 subnets.

However, if you were to change the mask to 255.255.252.0 the 3 subnets
would merge into one, and everything would be able to see everything.
But in that case, you'd no longer achieve the desired isolation!
--
Cheers,
Roger
____________
Please reply to Newsgroup. Whilst email address is valid, it is seldom
checked.
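
The mask arithmetic discussed above, as an added example that is not part of the original thread: it works out, for each pair of hosts, whether the sender would deliver directly on the wire or hand the packet to its gateway, using the sender's own mask. The host names and addresses are constructed for illustration; the subnets and masks are the ones quoted in the posts.

```python
import ipaddress

# Constructed sample hosts, one on each of the three example subnets.
HOSTS = {
    "wired-pc": "192.168.0.10",
    "wifi-tablet": "192.168.1.20",
    "wifi-phone": "192.168.2.30",
}


def local_network(ip, mask):
    """Network a host believes it is attached to, given its own IP and mask."""
    return ipaddress.ip_interface(f"{ip}/{mask}").network


def on_link(src_ip, src_mask, dst_ip):
    """True if the sender treats dst_ip as local (ARP directly, no gateway)."""
    return ipaddress.ip_address(dst_ip) in local_network(src_ip, src_mask)


def delivery_matrix(hosts, masks):
    """Map (src, dst) -> 'direct' or 'gateway', judged by each sender's mask.

    'gateway' means the packet is handed to the router, which is the only
    place a forwarding or filtering decision can be enforced. 'direct' means
    the sender bypasses the router and talks on the shared wire.
    """
    matrix = {}
    for src, src_ip in hosts.items():
        for dst, dst_ip in hosts.items():
            if src != dst:
                direct = on_link(src_ip, masks[src], dst_ip)
                matrix[(src, dst)] = "direct" if direct else "gateway"
    return matrix


def uniform(mask, hosts=HOSTS):
    """Give every host the same mask."""
    return {name: mask for name in hosts}


def mixed_masks():
    """Everyone on 255.255.255.0 except one host that set itself to /22.

    The mask is a setting on each host, so nothing stops a single device
    from choosing a wider one than its neighbours.
    """
    masks = uniform("255.255.255.0")
    masks["wifi-tablet"] = "255.255.252.0"
    return masks


if __name__ == "__main__":
    cases = {
        "all 255.255.255.0": uniform("255.255.255.0"),
        "all 255.255.252.0": uniform("255.255.252.0"),
        "one host widened to 255.255.252.0": mixed_masks(),
    }
    for label, masks in cases.items():
        print(label)
        for (src, dst), how in delivery_matrix(HOSTS, masks).items():
            print(f"  {src:12} -> {dst:12} {how}")
```

The third case shows why the mask alone is not an isolation control on a shared physical LAN: the separation has to be enforced by the router or a firewall, not by what each client is configured to believe.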
  #15   Report Post  

Roger Mills wrote:
On 01/08/2013 20:55, David.WE.Roberts wrote:


I assume you know that a physical LAN (set of wires) can support several
logical LANs (IP subnets).

So for example one physical Ethernet network could support 192.168.0.0,
192.168.1.0, 192.168.2.0.

As long as the router can support multiple logical LANs then there is no
requirement for all your local devices to share the same subnet.


I'm not aware that ordinary domestic routers *can* support multiple
logical LANs, hence my reference to mucking about with subnet masks.


Draytek


  #16   Report Post  

On Thursday 01 August 2013 22:34 Roger Mills wrote in uk.d-i-y:

On 01/08/2013 20:55, David.WE.Roberts wrote:


I assume you know that a physical LAN (set of wires) can support several
logical LANs (IP subnets).

So for example one physical Ethernet network could support 192.168.0.0,
192.168.1.0, 192.168.2.0.

As long as the router can support multiple logical LANs then there is no
requirement for all your local devices to share the same subnet.


I'm not aware that ordinary domestic routers *can* support multiple
logical LANs, hence my reference to mucking about with subnet masks.


A half decent one can - eg some of the Drayteks.

In the example you give, if you use the 'default' subnet mask of
255.255.255.0, all devices on the 168.0 subnet can see each other but
can't see anything on the 168.1 or 168.2 subnets.

However, if you were to change the mask to 255.255.252.0 the 3 subnets
would merge into one, and everything would be able to see everything.
But in that case, you'd no longer achieve the desired isolation!

--
Tim Watts Personal Blog: http://squiddy.blog.dionic.net/

http://www.sensorly.com/ Crowd mapping of 2G/3G/4G mobile signal coverage

Reading this on the web? See:
http://wiki.diyfaq.org.uk/index.php?title=Usenet

  #17   Report Post  

In article , Tim Watts
scribeth thus
On Thursday 01 August 2013 22:34 Roger Mills wrote in uk.d-i-y:

On 01/08/2013 20:55, David.WE.Roberts wrote:


I assume you know that a physical LAN (set of wires) can support several
logical LANs (IP subnets).

So for example one physical Ethernet network could support 192.168.0.0,
192.168.1.0, 192.168.2.0.

As long as the router can support multiple logical LANs then there is no
requirement for all your local devices to share the same subnet.


I'm not aware that ordinary domestic routers *can* support multiple
logical LANs, hence my reference to mucking about with subnet masks.


A half decent one can - eg some of the Drayteks.


Yes they do .. as long as you can work out how to configure them..

Good units otherwise, bit pricey 'tho...


In the example you give, if you use the 'default' subnet mask of
255.255.255.0, all devices on the 168.0 subnet can see each other but
can't see anything on the 168.1 or 168.2 subnets.

However, if you were to change the mask to 255.255.252.0 the 3 subnets
would merge into one, and everything would be able to see everything.
But in that case, you'd no longer achieve the desired isolation!


--
Tony Sayer

  #18   Report Post  

thescullster wrote:
Hi all

OK so this is maybe a bit OT for the group, but here goes.

I've never been a fan of wireless, so cabled the house up with Cat 5 to a
number of rooms. There are clearly now numerous devices that will only
connect wirelessly and I am under pressure to add a WAP.

I've inherited a Netgear DG834G

[snip].

Anyone setup a separate wired and wireless network?


OK, well I have to confess that I loathe Netgear WiFi. It always seems
flakey and unreliable. The last Netgear WIFi router that I owned went back
for a refund because it dropped the link to any device after a few minutes
of use.

What you want to do can be done, but not AFAIK using that Netgear router
which is an all in one design with DNS and DHCP shared between LAN and
WiFi.

With a separate wireless access point you have two main options, to use the
WAP as a router or as a bridge. I think the Netgear that you have only
supports bridge mode and all WIFI clients must be in the same address range
as the LAN.

With a separate WAP you can configure it as a router with its own DHCP and
DNS. All your WiFi clients can then be on a separate subnet and you route
to your existing LAN using NTP. This protects your WiFi clients from your
LAN to an extent but does not protect your LAN from the WiFI clients.

Having tried lots of these things I strongly recommend Apple's Airport
Express. They cost about the same as the competition, are really well made
and provide two setup modes. A basic chimp mode that lets any idiot get it
working and an advanced user admin interface that is vastly superior to the
Netgear tat.

It will also support network printing and you can use it as a media
streaming box for your hifi. It has an optical and analogue output.

I would stay with or revert to your non-wifi router and run to Apple or PC
World or browse eBay to buy an airport express. Then set up the airport
express in router mode.

--
•DarWin|
_/ _/
  #19   Report Post  

Thanks Steve

[snip].


OK, well I have to confess that I loathe Netgear WiFi. It always seems
flakey and unreliable. The last Netgear WIFi router that I owned went back
for a refund because it dropped the link to any device after a few minutes
of use.


The wired network Netgear device seems pretty stable - the wireless was
inherited so worth investigating

What you want to do can be done, but not AFAIK using that Netgear router
which is an all in one design with DNS and DHCP shared between LAN and
WiFi.


I think you are right there.

With a separate wireless access point you have two main options, to use the
WAP as a router or as a bridge. I think the Netgear that you have only
supports bridge mode and all WIFI clients must be in the same address range
as the LAN.

With a separate WAP you can configure it as a router with its own DHCP and
DNS. All your WiFi clients can then be on a separate subnet and you route
to your existing LAN using NTP. This protects your WiFi clients from your
LAN to an extent but does not protect your LAN from the WiFI clients.


Surely it would be important that this worked the other way and
protected LAN clients from wireless clients!

Having tried lots of these things I strongly recommend Apple's Airport
Express. They cost about the same as the competition, are really well made
and provide two setup modes. A basic chimp mode that lets any idiot get it
working and an advanced user admin interface that is vastly superior to the
Netgear tat.

It will also support network printing and you can use it as a media
streaming box for your hifi. It has an optical and analogue output.

I would stay with or revert to your non-wifi router and run to Apple or PC
World or browse eBay to buy an airport express. Then set up the airport
express in router mode.


Not heard of these but will check it out.

Phil

  #20   Report Post  

Thanks to all respondents - it looks like I will need to spend money, or
accept the run-of-the-mill security here.

Phil


  #21   Report Post  

On 01/08/2013 11:45, John Rumm wrote:
On 01/08/2013 09:10, thescullster wrote:


snip

Yup, however if you want more flexibility, then having a more
sophisticated router helps. Something like a Vigor 2830 will let you
configure up to 4 SSIDs on the same WAP, and each can have different
levels of access - and can be allocated to separate VLANs as well. So
you can have things like guest wifi that can see the internet - perhaps
with upload and download rate limits in place, and no access to LAN
machines, and then a more privileged wifi that can see other machines
and has no limit etc.

(note that MAC address filtering does not really offer security as such
- since someone wanting access can simply sniff the MAC addresses that
are talking then clone one later. Hiding the SSID is also a fairly
feeble security measure in this day and age)



Thanks John

It looks like combining the above weakish measures with your wireless
isolation is probably the best I can do without spending on a more
sophisticated device.
Trouble is that family members are used to other vanilla setups where
there is no security and everything just works!
I suspect that they will be un-impressed if the wireless isolation
prevents printing...


Phil

  #22   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 9,369
Default Separating Wired and Wireless Networks

On 02/08/2013 10:16, Steve Firth wrote:

With a separate wireless access point you have two main options, to use the
WAP as a router or as a bridge. I think the Netgear that you have only
supports bridge mode and all WIFI clients must be in the same address range
as the LAN.


That's because in common with most home wifi routers it's a router
connected to a switch and the WAP hangs off the switch.


With a separate WAP you can configure it as a router with its own DHCP and
DNS.


Not with a WAP, you need something with a router in it and WAPs don't
have one.

All your WiFi clients can then be on a separate subnet and you route
to your existing LAN using NTP. This protects your WiFi clients from your
LAN to an extent but does not protect your LAN from the WiFI clients.


You can do that with a Netgear (or any other) cable router if you ignore
the LAN ports on the switch as you then have a LAN port a router and an AP.

You can't usually do that with an adsl router (like the dg834g) as the
LAN ports are all on the same switch along with the wap.



  #23   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 39,563
Default Separating Wired and Wireless Networks

On 02/08/13 17:00, thescullster wrote:
On 01/08/2013 11:45, John Rumm wrote:
On 01/08/2013 09:10, thescullster wrote:


snip

Yup, however if you want more flexibility, then having a more
sophisticated router helps. Something like a Vigor 2830 will let you
configure up to 4 SSIDs on the same WAP, and each can have different
levels of access - and can be allocated to separate VLANs as well. So
you can have things like guest wifi that can see the internet - perhaps
with upload and download rate limits in place, and no access to LAN
machines, and then a more privileged wifi that can see other machines
and has no limit etc.

(note that MAC address filtering does not really offer security as such
- since someone wanting access can simply sniff the MAC addresses that
are talking then clone one later. Hiding the SSID is also a fairly
feeble security measure in this day and age)



Thanks John

It looks like combining the above weakish measures with your wireless
isolation is probably the best I can do without spending on a more
sophisticated device.
Trouble is that family members are used to other vanilla setups where
there is no security and everything just works!
I suspect that they will be un-impressed if the wireless isolation
prevents printing...


Phil

Exactly. You want access between people on the 'extended wifi lan' so
there is little point in separating them.

The only real use is to set up a 'guest room' lan where guests can get
to the internet, but not to your lan.

I however, trust my guests.

--
Ineptocracy

(in-ep-toc-ra-cy) – a system of government where the least capable to lead are elected by the least capable of producing, and where the members of society least likely to sustain themselves or succeed, are rewarded with goods and services paid for by the confiscated wealth of a diminishing number of producers.

  #24   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 40
Default Separating Wired and Wireless Networks

On 01/08/2013 09:49, Toby wrote:
On 01/08/2013 09:10, thescullster wrote:
Hi all

OK so this is maybe a bit OT for the group, but here goes.

I've never been a fan of wireless, so cabled the house up with Cat 5 to
a number of rooms. There are clearly now numerous devices that will
only connect wirelessly and I am under pressure to add a WAP.

I've inherited a Netgear DG834G wireless router, our existing network
uses the wired version of this device. I have set up the wireless
router as a WAP OK, but wondered if it is possible to configure it as a
DHCP server with a different address range to the wired router.

Not sure how much security this would add, but I'm inclined to do as
much as possible to separate the wireless network from certain wired
devices. The SSID of the WAP is hidden and MAC address filtering on
that router is in place.

Anyone setup a separate wired and wireless network?

TIA

Phil


IIRC, the DG834G is an ADSL router, so it has 4 LAN ports and the WAN
side is via the ADSL modem, therefore unless you can obtain different
firmware that will allow you to change one of the LAN ports to a WAN
port, you can't do what you are thinking with this router...

To separate into two completely separate networks you either need a
"Cable" wireless router, that has a WAN Ethernet port, you would then
configure the WAN Ethernet port with an IP address in the range of your
current wired LAN and connect it to that, then configure the LAN of the
wireless router to a new range. While this will work most of the time,
it causes a double NAT, which can cause issues, especially with things
like VPN connections.

To do it properly, you either need an enterprise level firewall that can
manage all this in one box, like a SonicWall, or you need three "home"
routers, and multiple public IP addresses from your ISP.

The three routers way is where you have the primary router connecting to
your broadband, and then the two other routers connect to this, each
getting a different public IP address from the primary router, the
networks are then as separate as yours and mine are now.



If you happen to have a spare PC and some spare NICs, install smoothwall
or IPcop. That will do a WAN port, A wired network port, a wireless
network port and a DMZ network port.
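
The three-zone layout this post describes (WAN, wired and wireless each on its own NIC), written as an nftables ruleset for a generic Linux box. This is an added example, not part of the original post and not Smoothwall or IPCop configuration; the interface names, the wireless address range and the printer address are assumptions.

```nftables
#!/usr/sbin/nft -f
# Constructed example: every name and address below is an assumption.
flush ruleset

define WAN_IF   = "eth0"            # towards the existing router / internet
define LAN_IF   = "eth1"            # wired Cat 5 network
define WIFI_IF  = "eth2"            # port the access point (bridge mode) plugs into
define WIFI_NET = 192.168.50.0/24   # separate DHCP range served to wireless clients
define PRINTER  = 192.168.0.20      # hypothetical printer on the wired network

table inet homefw {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        # The wired side may manage this box.
        iifname $LAN_IF accept
        # The wireless side only gets DHCP and DNS from it.
        iifname $WIFI_IF udp dport { 53, 67 } accept
        iifname $WIFI_IF tcp dport 53 accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Drop wireless traffic claiming a source outside its own range.
        iifname $WIFI_IF ip saddr != $WIFI_NET drop
        # Wired clients may open connections anywhere, wireless devices included.
        iifname $LAN_IF accept
        # Single exception so wireless clients can still print (IPP and raw 9100).
        iifname $WIFI_IF oifname $LAN_IF ip daddr $PRINTER tcp dport { 631, 9100 } accept
        # All other wireless-to-wired traffic is logged and dropped.
        iifname $WIFI_IF oifname $LAN_IF log prefix "wifi->lan drop: " drop
        # Wireless clients may reach the internet.
        iifname $WIFI_IF oifname $WAN_IF accept
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN_IF masquerade
    }
}
```

Multicast printer discovery does not cross the routed boundary, so wireless clients in this layout would need the printer added by its IP address.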
  #25   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 40
Default Separating Wired and Wireless Networks

On 01/08/2013 11:45, John Rumm wrote:
On 01/08/2013 09:10, thescullster wrote:
Hi all

OK so this is maybe a bit OT for the group, but here goes.

I've never been a fan of wireless, so cabled the house up with Cat 5 to
a number of rooms. There are clearly now numerous devices that will
only connect wirelessly and I am under pressure to add a WAP.

I've inherited a Netgear DG834G wireless router, our existing network
uses the wired version of this device. I have set up the wireless
router as a WAP OK, but wondered if it is possible to configure it as a
DHCP server with a different address range to the wired router.


No need. The DG834 supports a "wireless isolation" option if you want.
Turn that on, and wireless clients won't be able to communicate with
each other, or with devices on the wired section of the LAN.

This may do what you want, but may also prove a bit restrictive.

Not sure how much security this would add, but I'm inclined to do as
much as possible to separate the wireless network from certain wired
devices. The SSID of the WAP is hidden and MAC address filtering on
that router is in place.

Anyone setup a separate wired and wireless network?


Yup, however if you want more flexibility, then having a more
sophisticated router helps. Something like a Vigor 2830 will let you
configure up to 4 SSIDs on the same WAP, and each can have different
levels of access - and can be allocated to separate VLANs as well. So
you can have things like guest wifi that can see the internet - perhaps
with upload and download rate limits in place, and no access to LAN
machines, and then a more privileged wifi that can see other machines
and has no limit etc.

(note that MAC address filtering does not really offer security as such
- since someone wanting access can simply sniff the MAC addresses that
are talking then clone one later. Hiding the SSID is also a fairly
feeble security measure in this day and age)



Some routers support Enterprise Authentication Protocol (EAP) where the
person wishing to access the wireless network needs to type in a user ID
and password and then the WiFi router can then authenticate the user as
well as the SSID, IP addy and MAC address.


  #26   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 25,191
Default Separating Wired and Wireless Networks

On 02/08/2013 19:17, dennis@home wrote:
On 02/08/2013 10:16, Steve Firth wrote:

With a separate wireless access point you have two main options, to
use the WAP as a router or as a bridge. I think the Netgear that you have
only supports bridge mode and all WIFI clients must be in the same address
range as the LAN.


That's because in common with most home wifi routers it's a router
connected to a switch and the WAP hangs off the switch.


With a separate WAP you can configure it as a router with its own DHCP
and DNS.


Not with a WAP, you need something with a router in it and WAPs don't
have one.

All your WiFi clients can then be on a separate subnet and you route
to your existing LAN using NTP. This protects your WiFi clients from your
LAN to an extent but does not protect your LAN from the WiFI clients.


You can do that with a Netgear (or any other) cable router if you ignore
the LAN ports on the switch as you then have a LAN port a router and an AP.

You can't usually do that with an adsl router (like the dg834g) as the
LAN ports are all on the same switch along with the wap.


Although as I mentioned earlier, the 834G does support wireless
isolation as an option which means wireless clients can be restricted
from access to anything on the LAN, or each other, and can only use the
connection for access to the WAN connection. Likewise LAN clients can't
see the WiFi ones.

--
Cheers,

John.

/=================================================================\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\=================================================================/
  #27   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 419
Default Separating Wired and Wireless Networks

On 01/08/2013 17:06, Mike Barnes wrote:
The Natural Philosopher :
On 01/08/13 09:20, Tim Watts wrote:
In theory you can still stick a bridging firewall between them or make use
of whatever firewalling is in the WIFI AP - but having a flat IP space seems
to be less hassle - at least with my usage patterns.

+1 it ain't worth the hassle


+ another 1

I tried it for a while with a spare router, but in the end it was more
trouble than it was worth. Complexity can be the enemy of security, and
IMO it's better (in an ordinary domestic environment) to keep things
simple. So, one flat network, and save your energy for securing the
wireless network.

+1
keeping the firewall on a wireless router tends to stop sharing of files
and printers between wired and wireless PCs which can be a pain at times.
I wired everywhere up but still have had to add two APs ( using
redundant wireless routers) so smartphones, ebook readers and tablets
can hookup easily.
Keeping it simple pays dividends when something appears to misbehave
which will always happen at a critical moment.
  #28   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 959
Default Separating Wired and Wireless Networks

And what's its annual electricity bill compared with a
small-is-beautiful dedicated router?

On 3 Aug 2013 15:58:17 GMT, Huge wrote:

The PC running my Smoothwall cost £10 on eBay & the NICs came out of the
junk box at work.

--
=========================================================
Please always reply to ng as the email in this post's
header does not exist. Or use a contact address at:
http://www.macfh.co.uk/JavaJive/JavaJive.html
http://www.macfh.co.uk/Macfarlane/Macfarlane.html
  #29   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 6,020
Default Separating Wired and Wireless Networks

"dennis@home" wrote:
On 02/08/2013 10:16, Steve Firth wrote:

With a separate wireless access point you have two main options, to use the
WAP as a router or as a bridge. I think the Netgear that you have only
supports bridge mode and all WIFI clients must be in the same address range
as the LAN.


That's because in common with most home wifi routers it's a router
connected to a switch and the WAP hangs off the switch.


With a separate WAP you can configure it as a router with its own DHCP and
DNS.


Not with a WAP, you need something with a router in it and WAPs don't have one.


Sorry dennis old fruity but that's incorrect. A good proportion of WAPs
have a router built in.

--
•DarWin|
_/ _/
  #30   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 9,369
Default Separating Wired and Wireless Networks

On 05/08/2013 13:55, Steve Firth wrote:
"dennis@home" wrote:
On 02/08/2013 10:16, Steve Firth wrote:

With a separate wireless access point you have two main options, to use the
WAP as a router or as a bridge. I think the Netgear that you have only
supports bridge mode and all WIFI clients must be in the same address range
as the LAN.


That's because in common with most home wifi routers it's a router
connected to a switch and the WAP hangs off the switch.


With a separate WAP you can configure it as a router with its own DHCP and
DNS.


Not with a WAP, you need something with a router in it and WAPs don't have one.


Sorry dennis old fruity but that's incorrect. A good proportion of WAPs
have a router built in.


Then it's not a WAP then is it.


  #31   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 6,020
Default Separating Wired and Wireless Networks

"dennis@home" wrote:
On 05/08/2013 13:55, Steve Firth wrote:
"dennis@home" wrote:
On 02/08/2013 10:16, Steve Firth wrote:

With a separate wireless access point you have two main options, to use the
WAP as a router or as a bridge. I think the Netgear that you have only
supports bridge mode and all WIFI clients must be in the same address range
as the LAN.

That's because in common with most home wifi routers it's a router
connected to a switch and the WAP hangs off the switch.


With a separate WAP you can configure it as a router with its own DHCP and
DNS.

Not with a WAP, you need something with a router in it and WAPs don't have one.


Sorry dennis old fruity but that's incorrect. A good proportion of WAPs
have a router built in.


Then it's not a WAP then is it.


Listen carefully grasshopper and you can hear the familiar sound of one
dennis wriggling.

--
•DarWin|
_/ _/
  #32   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 72
Default Separating Wired and Wireless Networks

On 01/08/2013 09:10, thescullster wrote:
Hi all

OK so this is maybe a bit OT for the group, but here goes.

I've never been a fan of wireless, so cabled the house up with Cat 5 to
a number of rooms. There are clearly now numerous devices that will
only connect wirelessly and I am under pressure to add a WAP.

I've inherited a Netgear DG834G wireless router, our existing network
uses the wired version of this device. I have set up the wireless
router as a WAP OK, but wondered if it is possible to configure it as a
DHCP server with a different address range to the wired router.

Not sure how much security this would add, but I'm inclined to do as
much as possible to separate the wireless network from certain wired
devices. The SSID of the WAP is hidden and MAC address filtering on
that router is in place.

Anyone setup a separate wired and wireless network?


If you want to truly isolate ALL wifi network from LAN (including shared
printers, files etc) there's no problem.
Doing as you suggest should be straightforward.

I have done this myself through purchasing a Fon WAP/router purely to
give me access to ALL the BT/Openzone hot-spots when out and about. It
handles all its network address allocation etc and keeps everything safe.

Another way to do it depends on your main router.
If it allows separation via VLAN, you can isolate router ports from one
another which is an easy way of keeping networks apart.

Pete@
--
http://www.GymRatZ.co.uk
Heavy Duty Commercial Gym Equipment & Flooring
