#1
Posted to uk.d-i-y
Separating Wired and Wireless Networks
Hi all
OK so this is maybe a bit OT for the group, but here goes. I've never been a fan of wireless, so cabled the house up with Cat 5 to a number of rooms. There are clearly now numerous devices that will only connect wirelessly and I am under pressure to add a WAP. I've inherited a Netgear DG834G wireless router, our existing network uses the wired version of this device. I have set up the wireless router as a WAP OK, but wondered if it is possible to configure it as a DHCP server with a different address range to the wired router. Not sure how much security this would add, but I'm inclined to do as much as possible to separate the wireless network from certain wired devices. The SSID of the WAP is hidden and MAC address filtering on that router is in place. Anyone setup a separate wired and wireless network?

TIA
Phil
#2
On Thursday 01 August 2013 09:10 thescullster wrote in uk.d-i-y:
> Hi all
> OK so this is maybe a bit OT for the group, but here goes. I've never been a fan of wireless, so cabled the house up with Cat 5 to a number of rooms. There are clearly now numerous devices that will only connect wirelessly and I am under pressure to add a WAP. I've inherited a Netgear DG834G wireless router, our existing network uses the wired version of this device. I have set up the wireless router as a WAP OK, but wondered if it is possible to configure it as a DHCP server with a different address range to the wired router. Not sure how much security this would add, but I'm inclined to do as much as possible to separate the wireless network from certain wired devices. The SSID of the WAP is hidden and MAC address filtering on that router is in place. Anyone setup a separate wired and wireless network?
> TIA Phil

I did have mine on separate routed networks with a firewall in between. But it was more trouble than it was worth - particularly if I plugged my laptop in and the IP changed and locked up all my ssh sessions.

In the end I merged them (WIFI in bridged mode).

In theory you can still stick a bridging firewall between them or make use of whatever firewalling is in the WIFI AP - but having a flat IP space seems to be less hassle - at least with my usage patterns.

--
Tim Watts
Personal Blog: http://squiddy.blog.dionic.net/
http://www.sensorly.com/ Crowd mapping of 2G/3G/4G mobile signal coverage
Reading this on the web? See: http://wiki.diyfaq.org.uk/index.php?title=Usenet
#3
On 01/08/2013 09:10, thescullster wrote:
> Hi all
> OK so this is maybe a bit OT for the group, but here goes. I've never been a fan of wireless, so cabled the house up with Cat 5 to a number of rooms. There are clearly now numerous devices that will only connect wirelessly and I am under pressure to add a WAP. I've inherited a Netgear DG834G wireless router, our existing network uses the wired version of this device. I have set up the wireless router as a WAP OK, but wondered if it is possible to configure it as a DHCP server with a different address range to the wired router. Not sure how much security this would add, but I'm inclined to do as much as possible to separate the wireless network from certain wired devices. The SSID of the WAP is hidden and MAC address filtering on that router is in place. Anyone setup a separate wired and wireless network?
> TIA Phil

IIRC, the DG834G is an ADSL router, so it has 4 LAN ports and the WAN side is via the ADSL modem, therefore unless you can obtain different firmware that will allow you to change one of the LAN ports to a WAN port, you can't do what you are thinking with this router...

To separate into two completely separate networks you either need a "Cable" wireless router, that has a WAN Ethernet port, you would then configure the WAN Ethernet port with an IP address in the range of your current wired LAN and connect it to that, then configure the LAN of the wireless router to a new range. While this will work most of the time, it causes a double NAT, which can cause issues, especially with things like VPN connections.

To do it properly, you either need an enterprise level firewall that can manage all this in one box, like a SonicWall, or you need three "home" routers, and multiple public IP addresses from your ISP.

The three routers way is where you have the primary router connecting to your broadband, and then the two other routers connect to this, each getting a different public IP address from the primary router, the networks are then as separate as yours and mine are now.

--
Toby...
Remove pants to reply
#4
On 01/08/2013 09:10, thescullster wrote:
> Hi all
> OK so this is maybe a bit OT for the group, but here goes. I've never been a fan of wireless, so cabled the house up with Cat 5 to a number of rooms. There are clearly now numerous devices that will only connect wirelessly and I am under pressure to add a WAP. I've inherited a Netgear DG834G wireless router, our existing network uses the wired version of this device. I have set up the wireless router as a WAP OK, but wondered if it is possible to configure it as a DHCP server with a different address range to the wired router. Not sure how much security this would add, but I'm inclined to do as much as possible to separate the wireless network from certain wired devices. The SSID of the WAP is hidden and MAC address filtering on that router is in place. Anyone setup a separate wired and wireless network?
> TIA Phil

Personally I wouldn't bother with NATs/firewalls internally. I have my LAN and WLANs (two of them) on different subnets, and each wireless router has its own DHCP server (it is authoritative for its own subnet), but I have it all routed rather than NATted to make it easy, and don't bother with firewalls internally. But then I'm in the sticks at low risk of drive by hacking.

As an example of why I want it set up this way - I have a print server set up on one of my wireless networks - to be able to access it from the other requires either routed network (or bridged) or some manual NAT configuration (which just isn't worth the hassle).

Personally I favour the Linksys WRT54g series of APs - they're simple and they just work. I also have some new fangled 802.11n TP-Link AP and it's total crap - just can't hold a connection - I recently replaced it with another wrt54g off ebay.
#5
In article , Piers scribeth thus

> On 01/08/2013 09:10, thescullster wrote:
>> Hi all
>> OK so this is maybe a bit OT for the group, but here goes. I've never been a fan of wireless, so cabled the house up with Cat 5 to a number of rooms. There are clearly now numerous devices that will only connect wirelessly and I am under pressure to add a WAP. I've inherited a Netgear DG834G wireless router, our existing network uses the wired version of this device. I have set up the wireless router as a WAP OK, but wondered if it is possible to configure it as a DHCP server with a different address range to the wired router. Not sure how much security this would add, but I'm inclined to do as much as possible to separate the wireless network from certain wired devices. The SSID of the WAP is hidden and MAC address filtering on that router is in place. Anyone setup a separate wired and wireless network?
>> TIA Phil
>
> Personally I wouldn't bother with NATs/firewalls internally. I have my LAN and WLANs (two of them) on different subnets, and each wireless router has its own DHCP server (it is authoritative for its own subnet), but I have it all routed rather than NATted to make it easy, and don't bother with firewalls internally. But then I'm in the sticks at low risk of drive by hacking.
>
> As an example of why I want it set up this way - I have a print server set up on one of my wireless networks - to be able to access it from the other requires either routed network (or bridged) or some manual NAT configuration (which just isn't worth the hassle).
>
> Personally I favour the Linksys WRT54g series of APs - they're simple and they just work. I also have some new fangled 802.11n TP-Link AP and it's total crap - just can't hold a connection - I recently replaced it with another wrt54g off ebay.

Whichever route you go, make sure to use WPA rather than WEP encryption. WEP is very easy to crack, WPA much less so... WPA2 if it offers you the option...

--
Tony Sayer
#6
On 01/08/2013 09:10, thescullster wrote:
> Hi all
> OK so this is maybe a bit OT for the group, but here goes. I've never been a fan of wireless, so cabled the house up with Cat 5 to a number of rooms. There are clearly now numerous devices that will only connect wirelessly and I am under pressure to add a WAP. I've inherited a Netgear DG834G wireless router, our existing network uses the wired version of this device. I have set up the wireless router as a WAP OK, but wondered if it is possible to configure it as a DHCP server with a different address range to the wired router.

No need. The DG834 supports a "wireless isolation" option if you want. Turn that on, and wireless clients won't be able to communicate with each other, or with devices on the wired section of the LAN. This may do what you want, but may also prove a bit restrictive.

> Not sure how much security this would add, but I'm inclined to do as much as possible to separate the wireless network from certain wired devices. The SSID of the WAP is hidden and MAC address filtering on that router is in place. Anyone setup a separate wired and wireless network?

Yup, however if you want more flexibility, then having a more sophisticated router helps. Something like a Vigor 2830 will let you configure up to 4 SSIDs on the same WAP, and each can have different levels of access - and can be allocated to separate VLANs as well. So you can have things like guest wifi that can see the internet - perhaps with upload and download rate limits in place, and no access to LAN machines, and then a more privileged wifi that can see other machines and has no limit etc.

(note that MAC address filtering does not really offer security as such - since someone wanting access can simply sniff the MAC addresses that are talking then clone one later. Hiding the SSID is also a fairly feeble security measure in this day and age)

--
Cheers,
John.

Internode Ltd - http://www.internode.co.uk
John Rumm - john(at)internode(dot)co(dot)uk
#7
On 01/08/2013 09:10, thescullster wrote:
> Hi all
> OK so this is maybe a bit OT for the group, but here goes. I've never been a fan of wireless, so cabled the house up with Cat 5 to a number of rooms. There are clearly now numerous devices that will only connect wirelessly and I am under pressure to add a WAP. I've inherited a Netgear DG834G wireless router, our existing network uses the wired version of this device. I have set up the wireless router as a WAP OK, but wondered if it is possible to configure it as a DHCP server with a different address range to the wired router. Not sure how much security this would add, but I'm inclined to do as much as possible to separate the wireless network from certain wired devices. The SSID of the WAP is hidden and MAC address filtering on that router is in place. Anyone setup a separate wired and wireless network?
> TIA Phil

If you want your wired and wireless devices to share the same internet connection, they all really need to be in the same subnet. You could use separate ranges within that if you were to allocate fixed addresses to all the wired devices, and use DHCP to allocate a restricted non-overlapping range of addresses for the wireless devices.

If you then used a software firewall (e.g. Zone Alarm) on each wired device, you could define your 'home network' as just being the address range used by the wired devices. They could then see each other, but the wireless devices wouldn't be able to see them.

--
Cheers,
Roger
____________
Please reply to Newsgroup. Whilst email address is valid, it is seldom checked.
#8
On Thursday 01 August 2013 12:28 Roger Mills wrote in uk.d-i-y:
> If you want your wired and wireless devices to share the same internet connection, they all really need to be in the same subnet.

Why?

--
Tim Watts
Personal Blog: http://squiddy.blog.dionic.net/
http://www.sensorly.com/ Crowd mapping of 2G/3G/4G mobile signal coverage
Reading this on the web? See: http://wiki.diyfaq.org.uk/index.php?title=Usenet
#9
On Thu, 01 Aug 2013 09:10:24 +0100, thescullster wrote:
> Hi all
> OK so this is maybe a bit OT for the group, but here goes. I've never been a fan of wireless, so cabled the house up with Cat 5 to a number of rooms. There are clearly now numerous devices that will only connect wirelessly and I am under pressure to add a WAP. I've inherited a Netgear DG834G wireless router, our existing network uses the wired version of this device. I have set up the wireless router as a WAP OK, but wondered if it is possible to configure it as a DHCP server with a different address range to the wired router. Not sure how much security this would add, but I'm inclined to do as much as possible to separate the wireless network from certain wired devices. The SSID of the WAP is hidden and MAC address filtering on that router is in place. Anyone setup a separate wired and wireless network?
> TIA Phil

Set one up a long while back, but not recently. So I am well out of date :-)

Back in the day you needed three things to create the setup you seem to want - the classic De Militarised Zone or DMZ.

(1) Internet facing (firewall) router - any old NAT router will do. This connects to the outside world and to the internal DMZ.

(2) House router with all your current cabled devices - this connects on one side to the DMZ and on the other side to the house LAN.

(3) Wireless router - connects to the DMZ on one side and wireless devices on the other.

The idea is that all your routers will not take incoming calls from the WAN side, only call out from the LAN side. So any wireless devices can call into the DMZ then out through the firewall router to the Internet, but cannot call into the DMZ and then into the house LAN router. Same applies to calling from the house LAN to a wireless device.

Each router can run its own subnet and be a DHCP server for that subnet.

The nice thing about NAT is that it takes a single IP address on the WAN side and maps all the different LAN IP addresses to and from that. So in theory you can have a row of NAT routers all onto the same LAN each with only one IP address, or you can cascade the NAT routers in a tree structure.

Each router runs its own environment and shouldn't be dependent on any other device apart from the one providing its WAN IP address.

Cheers

Dave R
#10
On 01/08/2013 12:41, Tim Watts wrote:
> On Thursday 01 August 2013 12:28 Roger Mills wrote in uk.d-i-y:
>> If you want your wired and wireless devices to share the same internet connection, they all really need to be in the same subnet.
>
> Why?

Because they need to be able to see the same gateway (usually the router's LAN address). I suppose there might be some scope for mucking about with subnet masks so that not all devices see the same subnet 'width'.

--
Cheers,
Roger
____________
Please reply to Newsgroup. Whilst email address is valid, it is seldom checked.
#11
On 01/08/13 09:20, Tim Watts wrote:
> On Thursday 01 August 2013 09:10 thescullster wrote in uk.d-i-y:
>> Hi all
>> OK so this is maybe a bit OT for the group, but here goes. I've never been a fan of wireless, so cabled the house up with Cat 5 to a number of rooms. There are clearly now numerous devices that will only connect wirelessly and I am under pressure to add a WAP. I've inherited a Netgear DG834G wireless router, our existing network uses the wired version of this device. I have set up the wireless router as a WAP OK, but wondered if it is possible to configure it as a DHCP server with a different address range to the wired router. Not sure how much security this would add, but I'm inclined to do as much as possible to separate the wireless network from certain wired devices. The SSID of the WAP is hidden and MAC address filtering on that router is in place. Anyone setup a separate wired and wireless network?
>> TIA Phil
>
> I did have mine on separate routed networks with a firewall in between. But it was more trouble than it was worth - particularly if I plugged my laptop in and the IP changed and locked up all my ssh sessions.
>
> In the end I merged them (WIFI in bridged mode).
>
> In theory you can still stick a bridging firewall between them or make use of whatever firewalling is in the WIFI AP - but having a flat IP space seems to be less hassle - at least with my usage patterns.

+1

it ain't worth the hassle

--
Ineptocracy (in-ep-toc-ra-cy) – a system of government where the least capable to lead are elected by the least capable of producing, and where the members of society least likely to sustain themselves or succeed, are rewarded with goods and services paid for by the confiscated wealth of a diminishing number of producers.
#12
The Natural Philosopher :
> On 01/08/13 09:20, Tim Watts wrote:
>> In theory you can still stick a bridging firewall between them or make use of whatever firewalling is in the WIFI AP - but having a flat IP space seems to be less hassle - at least with my usage patterns.
>
> +1
>
> it ain't worth the hassle

+ another 1

I tried it for a while with a spare router, but in the end it was more trouble than it was worth. Complexity can be the enemy of security, and IMO it's better (in an ordinary domestic environment) to keep things simple. So, one flat network, and save your energy for securing the wireless network.

--
Mike Barnes
#13
On Thu, 01 Aug 2013 16:28:05 +0100, Roger Mills wrote:
> On 01/08/2013 12:41, Tim Watts wrote:
>> On Thursday 01 August 2013 12:28 Roger Mills wrote in uk.d-i-y:
>>> If you want your wired and wireless devices to share the same internet connection, they all really need to be in the same subnet.
>>
>> Why?
>
> Because they need to be able to see the same gateway (usually the router's LAN address). I suppose there might be some scope for mucking about with subnet masks so that not all devices see the same subnet 'width'.

As others have suggested, I'm not sure that you have fully grasped how subnets and IP address ranges work. Or conversely, you are expressing yourself in a way that is not clear.

I assume you know that a physical LAN (set of wires) can support several logical LANs (IP subnets). So for example one physical Ethernet network could support 192.168.0.0, 192.168.1.0, 192.168.2.0. As long as the router can support multiple logical LANs then there is no requirement for all your local devices to share the same subnet.

Alternatively you can put some of them behind a NAT router on a different subnet.

In the OP's case it is highly desirable that they do not share the same subnet, and if possible they use different NAT routers. However many modern wireless routers can support multiple subnets - this just doesn't give physical separation which is always a good idea.

Old style routers (business routers) would support a number of logical LANs on a single physical LAN and route between them or block as required.

Cheers

Dave R
#14
On 01/08/2013 20:55, David.WE.Roberts wrote:
> I assume you know that a physical LAN (set of wires) can support several logical LANs (IP subnets). So for example one physical Ethernet network could support 192.168.0.0, 192.168.1.0, 192.168.2.0. As long as the router can support multiple logical LANs then there is no requirement for all your local devices to share the same subnet.

I'm not aware that ordinary domestic routers *can* support multiple logical LANs, hence my reference to mucking about with subnet masks.

In the example you give, if you use the 'default' subnet mask of 255.255.255.0, all devices on the 168.0 subnet can see each other but can't see anything on the 168.1 or 168.2 subnets. However, if you were to change the mask to 255.255.252.0 the 3 subnets would merge into one, and everything would be able to see everything. But in that case, you'd no longer achieve the desired isolation!

--
Cheers,
Roger
____________
Please reply to Newsgroup. Whilst email address is valid, it is seldom checked.
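
Editor's added example (not part of any poster's message): the subnet-mask arithmetic from this exchange, worked through with Python's `ipaddress` module. The host names and host addresses are constructed for illustration; the three subnets and the two masks are the ones quoted in the thread. It computes, for each host, whether it would send to a peer directly or hand the packet to its gateway, which is the only place a router firewall can filter it.

```python
import ipaddress
from itertools import permutations

# Constructed sample hosts, one in each subnet named in the thread.
HOSTS = {
    "wired-pc": "192.168.0.10",
    "wifi-tablet": "192.168.1.20",
    "wifi-phone": "192.168.2.30",
}


def on_link(src_ip, netmask, dst_ip):
    """True if a host at src_ip with this netmask treats dst_ip as local.

    A host compares the destination with its own network (address AND mask).
    Local destinations are reached directly; anything else goes to the gateway.
    """
    network = ipaddress.ip_interface(f"{src_ip}/{netmask}").network
    return ipaddress.ip_address(dst_ip) in network


def paths(masks):
    """Map every ordered (src, dst) host pair to 'direct' or 'via gateway'.

    masks: dict of host name -> dotted netmask configured on that host.
    """
    result = {}
    for src, dst in permutations(HOSTS, 2):
        direct = on_link(HOSTS[src], masks[src], HOSTS[dst])
        result[(src, dst)] = "direct" if direct else "via gateway"
    return result


def router_controlled(masks):
    """Unordered host pairs whose traffic crosses the router in BOTH directions.

    Only these pairs are ones a routing firewall sees both halves of.
    """
    p = paths(masks)
    pairs = set()
    for (src, dst), how in p.items():
        if how == "via gateway" and p[(dst, src)] == "via gateway":
            pairs.add(tuple(sorted((src, dst))))
    return sorted(pairs)


# The 'default' mask from the thread: three separate /24 subnets.
ALL_24 = {name: "255.255.255.0" for name in HOSTS}
# The widened mask from the thread: the three subnets merge into one /22.
ALL_22 = {name: "255.255.252.0" for name in HOSTS}
# "Not all devices see the same subnet width": only the wired PC is widened.
MIXED = {**ALL_24, "wired-pc": "255.255.252.0"}

if __name__ == "__main__":
    for label, masks in (("all /24", ALL_24), ("all /22", ALL_22), ("mixed", MIXED)):
        print(label)
        for (src, dst), how in paths(masks).items():
            print(f"  {src:12} -> {dst:12} {how}")
        print("  router sees both directions for:", router_controlled(masks))
```

With the /24 mask every cross-subnet pair goes through the gateway, so isolation depends entirely on what that router forwards or blocks; with the /22 mask no pair does. The mask is a per-host setting, so on a shared physical segment it describes how hosts choose a path, not an enforced boundary.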
#15
Roger Mills wrote:
> On 01/08/2013 20:55, David.WE.Roberts wrote:
>> I assume you know that a physical LAN (set of wires) can support several logical LANs (IP subnets). So for example one physical Ethernet network could support 192.168.0.0, 192.168.1.0, 192.168.2.0. As long as the router can support multiple logical LANs then there is no requirement for all your local devices to share the same subnet.
>
> I'm not aware that ordinary domestic routers *can* support multiple logical LANs, hence my reference to mucking about with subnet masks.

Draytek
#16
On Thursday 01 August 2013 22:34 Roger Mills wrote in uk.d-i-y:
> On 01/08/2013 20:55, David.WE.Roberts wrote:
>> I assume you know that a physical LAN (set of wires) can support several logical LANs (IP subnets). So for example one physical Ethernet network could support 192.168.0.0, 192.168.1.0, 192.168.2.0. As long as the router can support multiple logical LANs then there is no requirement for all your local devices to share the same subnet.
>
> I'm not aware that ordinary domestic routers *can* support multiple logical LANs, hence my reference to mucking about with subnet masks.

A half decent one can - eg some of the Drayteks.

> In the example you give, if you use the 'default' subnet mask of 255.255.255.0, all devices on the 168.0 subnet can see each other but can't see anything on the 168.1 or 168.2 subnets. However, if you were to change the mask to 255.255.252.0 the 3 subnets would merge into one, and everything would be able to see everything. But in that case, you'd no longer achieve the desired isolation!

--
Tim Watts
Personal Blog: http://squiddy.blog.dionic.net/
http://www.sensorly.com/ Crowd mapping of 2G/3G/4G mobile signal coverage
Reading this on the web? See: http://wiki.diyfaq.org.uk/index.php?title=Usenet
#17
In article , Tim Watts scribeth thus

> On Thursday 01 August 2013 22:34 Roger Mills wrote in uk.d-i-y:
>> On 01/08/2013 20:55, David.WE.Roberts wrote:
>>> I assume you know that a physical LAN (set of wires) can support several logical LANs (IP subnets). So for example one physical Ethernet network could support 192.168.0.0, 192.168.1.0, 192.168.2.0. As long as the router can support multiple logical LANs then there is no requirement for all your local devices to share the same subnet.
>>
>> I'm not aware that ordinary domestic routers *can* support multiple logical LANs, hence my reference to mucking about with subnet masks.
>
> A half decent one can - eg some of the Drayteks.

Yes they do .. as long as you can work out how to configure them.. Good units otherwise, bit pricey 'tho...

>> In the example you give, if you use the 'default' subnet mask of 255.255.255.0, all devices on the 168.0 subnet can see each other but can't see anything on the 168.1 or 168.2 subnets. However, if you were to change the mask to 255.255.252.0 the 3 subnets would merge into one, and everything would be able to see everything. But in that case, you'd no longer achieve the desired isolation!

--
Tony Sayer
#18
thescullster wrote:
> Hi all
> OK so this is maybe a bit OT for the group, but here goes. I've never been a fan of wireless, so cabled the house up with Cat 5 to a number of rooms. There are clearly now numerous devices that will only connect wirelessly and I am under pressure to add a WAP. I've inherited a Netgear DG834G

[snip].

> Anyone setup a separate wired and wireless network?

OK, well I have to confess that I loathe Netgear WiFi. It always seems flakey and unreliable. The last Netgear WiFi router that I owned went back for a refund because it dropped the link to any device after a few minutes of use.

What you want to do can be done, but not AFAIK using that Netgear router which is an all in one design with DNS and DHCP shared between LAN and WiFi.

With a separate wireless access point you have two main options, to use the WAP as a router or as a bridge. I think the Netgear that you have only supports bridge mode and all WiFi clients must be in the same address range as the LAN.

With a separate WAP you can configure it as a router with its own DHCP and DNS. All your WiFi clients can then be on a separate subnet and you route to your existing LAN using NTP. This protects your WiFi clients from your LAN to an extent but does not protect your LAN from the WiFi clients.

Having tried lots of these things I strongly recommend Apple's Airport Express. They cost about the same as the competition, are really well made and provide two setup modes. A basic chimp mode that lets any idiot get it working and an advanced user admin interface that is vastly superior to the Netgear tat. It will also support network printing and you can use it as a media streaming box for your hifi. It has an optical and analogue output.

I would stay with or revert to your non-wifi router and run to Apple or PC World or browse eBay to buy an airport express. Then set up the airport express in router mode.

--
•DarWin| _/ _/
#19
Thanks Steve
[snip].

> OK, well I have to confess that I loathe Netgear WiFi. It always seems flakey and unreliable. The last Netgear WiFi router that I owned went back for a refund because it dropped the link to any device after a few minutes of use.

The wired network Netgear device seems pretty stable - the wireless was inherited so worth investigating

> What you want to do can be done, but not AFAIK using that Netgear router which is an all in one design with DNS and DHCP shared between LAN and WiFi.

I think you are right there.

> With a separate wireless access point you have two main options, to use the WAP as a router or as a bridge. I think the Netgear that you have only supports bridge mode and all WiFi clients must be in the same address range as the LAN.
>
> With a separate WAP you can configure it as a router with its own DHCP and DNS. All your WiFi clients can then be on a separate subnet and you route to your existing LAN using NTP. This protects your WiFi clients from your LAN to an extent but does not protect your LAN from the WiFi clients.

Surely it would be important that this worked the other way and protected LAN clients from wireless clients!

> Having tried lots of these things I strongly recommend Apple's Airport Express. They cost about the same as the competition, are really well made and provide two setup modes. A basic chimp mode that lets any idiot get it working and an advanced user admin interface that is vastly superior to the Netgear tat. It will also support network printing and you can use it as a media streaming box for your hifi. It has an optical and analogue output.
>
> I would stay with or revert to your non-wifi router and run to Apple or PC World or browse eBay to buy an airport express. Then set up the airport express in router mode.

Not heard of these but will check it out.

Phil
#20
On 01/08/2013 09:10, thescullster wrote:
> Hi all
> OK so this is maybe a bit OT for the group, but here goes. I've never been a fan of wireless, so cabled the house up with Cat 5 to a number of rooms. There are clearly now numerous devices that will only connect wirelessly and I am under pressure to add a WAP. I've inherited a Netgear DG834G wireless router, our existing network uses the wired version of this device. I have set up the wireless router as a WAP OK, but wondered if it is possible to configure it as a DHCP server with a different address range to the wired router. Not sure how much security this would add, but I'm inclined to do as much as possible to separate the wireless network from certain wired devices. The SSID of the WAP is hidden and MAC address filtering on that router is in place. Anyone setup a separate wired and wireless network?
> TIA Phil

Thanks to all respondents - it looks like I will need to spend money, or accept the run-of-the-mill security here.

Phil
#21
On 01/08/2013 11:45, John Rumm wrote:
> On 01/08/2013 09:10, thescullster wrote:

snip

> Yup, however if you want more flexibility, then having a more sophisticated router helps. Something like a Vigor 2830 will let you configure up to 4 SSIDs on the same WAP, and each can have different levels of access - and can be allocated to separate VLANs as well. So you can have things like guest wifi that can see the internet - perhaps with upload and download rate limits in place, and no access to LAN machines, and then a more privileged wifi that can see other machines and has no limit etc.
>
> (note that MAC address filtering does not really offer security as such - since someone wanting access can simply sniff the MAC addresses that are talking then clone one later. Hiding the SSID is also a fairly feeble security measure in this day and age)

Thanks John

It looks like combining the above weakish measures with your wireless isolation is probably the best I can do without spending on a more sophisticated device. Trouble is that family members are used to other vanilla setups where there is no security and everything just works! I suspect that they will be un-impressed if the wireless isolation prevents printing...

Phil
#22
On 02/08/2013 10:16, Steve Firth wrote:
> With a separate wireless access point you have two main options, to use the WAP as a router or as a bridge. I think the Netgear that you have only supports bridge mode and all WiFi clients must be in the same address range as the LAN.

That's because in common with most home wifi routers it's a router connected to a switch and the WAP hangs off the switch.

> With a separate WAP you can configure it as a router with its own DHCP and DNS.

Not with a WAP, you need something with a router in it and WAPs don't have one.

> All your WiFi clients can then be on a separate subnet and you route to your existing LAN using NTP. This protects your WiFi clients from your LAN to an extent but does not protect your LAN from the WiFi clients.

You can do that with a Netgear (or any other) cable router if you ignore the LAN ports on the switch as you then have a LAN port, a router and an AP. You can't usually do that with an adsl router (like the dg834g) as the LAN ports are all on the same switch along with the wap.
#23
Posted to uk.d-i-y
On 02/08/13 17:00, thescullster wrote:
On 01/08/2013 11:45, John Rumm wrote:

On 01/08/2013 09:10, thescullster wrote:
snip

Yup, however if you want more flexibility, then having a more sophisticated router helps. Something like a Vigor 2830 will let you configure up to 4 SSIDs on the same WAP, and each can have different levels of access - and can be allocated to separate VLANs as well. So you can have things like guest wifi that can see the internet - perhaps with upload and download rate limits in place, and no access to LAN machines, and then a more privileged wifi that can see other machines and has no limit etc.

(note that MAC address filtering does not really offer security as such - since someone wanting access can simply sniff the MAC addresses that are talking then clone one later. Hiding the SSID is also a fairly feeble security measure in this day and age)

Thanks John

It looks like combining the above weakish measures with your wireless isolation is probably the best I can do without spending on a more sophisticated device. Trouble is that family members are used to other vanilla setups where there is no security and everything just works! I suspect that they will be un-impressed if the wireless isolation prevents printing...

Phil

Exactly. You want access between people on the 'extended wifi lan' so there is little point in separating them.

The only real use is to set up a 'guest room' lan where guests can get to the internet, but not to your lan.

I however, trust my guests.

--
Ineptocracy (in-ep-toc-ra-cy) – a system of government where the least capable to lead are elected by the least capable of producing, and where the members of society least likely to sustain themselves or succeed, are rewarded with goods and services paid for by the confiscated wealth of a diminishing number of producers.
#24
Posted to uk.d-i-y
On 01/08/2013 09:49, Toby wrote:
On 01/08/2013 09:10, thescullster wrote:

Hi all

OK so this is maybe a bit OT for the group, but here goes. I've never been a fan of wireless, so cabled the house up with Cat 5 to a number of rooms. There are clearly now numerous devices that will only connect wirelessly and I am under pressure to add a WAP. I've inherited a Netgear DG834G wireless router, our existing network uses the wired version of this device. I have set up the wireless router as a WAP OK, but wondered if it is possible to configure it as a DHCP server with a different address range to the wired router. Not sure how much security this would add, but I'm inclined to do as much as possible to separate the wireless network from certain wired devices. The SSID of the WAP is hidden and MAC address filtering on that router is in place.

Anyone setup a separate wired and wireless network?

TIA

Phil

IIRC, the DG834G is an ADSL router, so it has 4 LAN ports and the WAN side is via the ADSL modem, therefore unless you can obtain different firmware that will allow you to change one of the LAN ports to a WAN port, you can't do what you are thinking with this router...

To separate into two completely separate networks you either need a "Cable" wireless router, that has a WAN Ethernet port, you would then configure the WAN Ethernet port with an IP address in the range of your current wired LAN and connect it to that, then configure the LAN of the wireless router to a new range. While this will work most of the time, it causes a double NAT, which can cause issues, especially with things like VPN connections.

To do it properly, you either need an enterprise level firewall that can manage all this in one box, like a SonicWall, or you need three "home" routers, and multiple public IP addresses from your ISP.

The three routers way is where you have the primary router connecting to your broadband, and then the two other routers connect to this, each getting a different public IP address from the primary router, the networks are then as separate as yours and mine are now.

If you happen to have a spare PC and some spare NICs, install smoothwall or IPcop. That will do a WAN port, a wired network port, a wireless network port and a DMZ network port.
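The single-box layout suggested in the post above, written out as an nftables ruleset for a generic Linux machine with three network cards (the DMZ port is left out). This is an added example, not from any poster and not Smoothwall's or IPCop's own configuration; the interface names, address ranges and printer address are assumptions. The one hole from wireless to wired covers the printing concern raised earlier in the thread.

```nft
#!/usr/sbin/nft -f
# Constructed example: every name and address below is an assumption.
flush ruleset

define WAN     = "eth0"          # to the ADSL/cable modem
define WIRED   = "eth1"          # trusted wired LAN, 192.168.0.0/24
define WIFI    = "eth2"          # access point in bridge mode, 192.168.10.0/24
define PRINTER = 192.168.0.50    # wired printer that wireless clients may use

table inet fw {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        # ICMP and ICMPv6 (IPv6 neighbour discovery depends on the latter).
        meta l4proto { icmp, ipv6-icmp } accept
        # Wired hosts may manage the box; wireless hosts only get DNS and DHCP.
        iifname $WIRED accept
        iifname $WIFI udp dport { 53, 67 } accept
        iifname $WIFI tcp dport 53 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # Replies to connections that were allowed below.
        ct state established,related accept
        ct state invalid drop
        # Both internal networks may reach the internet.
        iifname { $WIRED, $WIFI } oifname $WAN accept
        # Wired hosts may open connections to wireless hosts.
        iifname $WIRED oifname $WIFI accept
        # Wireless hosts get one hole into the wired LAN: printing (IPP, raw 9100).
        iifname $WIFI oifname $WIRED ip daddr $PRINTER tcp dport { 631, 9100 } accept
        # Anything else from wireless to wired is counted and dropped.
        iifname $WIFI oifname $WIRED counter drop
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # One NAT at the internet edge only, so no double NAT between the zones.
        oifname $WAN masquerade
    }
}
```

Printer discovery by broadcast or mDNS does not cross this routed boundary, so wireless clients need the printer added by its address.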
#25
Posted to uk.d-i-y
On 01/08/2013 11:45, John Rumm wrote:
On 01/08/2013 09:10, thescullster wrote:

Hi all

OK so this is maybe a bit OT for the group, but here goes. I've never been a fan of wireless, so cabled the house up with Cat 5 to a number of rooms. There are clearly now numerous devices that will only connect wirelessly and I am under pressure to add a WAP. I've inherited a Netgear DG834G wireless router, our existing network uses the wired version of this device. I have set up the wireless router as a WAP OK, but wondered if it is possible to configure it as a DHCP server with a different address range to the wired router.

No need. The DG834 supports a "wireless isolation" option if you want. Turn that on, and wireless clients won't be able to communicate with each other, or with devices on the wired section of the LAN. This may do what you want, but may also prove a bit restrictive.

Not sure how much security this would add, but I'm inclined to do as much as possible to separate the wireless network from certain wired devices. The SSID of the WAP is hidden and MAC address filtering on that router is in place.

Anyone setup a separate wired and wireless network?

Yup, however if you want more flexibility, then having a more sophisticated router helps. Something like a Vigor 2830 will let you configure up to 4 SSIDs on the same WAP, and each can have different levels of access - and can be allocated to separate VLANs as well. So you can have things like guest wifi that can see the internet - perhaps with upload and download rate limits in place, and no access to LAN machines, and then a more privileged wifi that can see other machines and has no limit etc.

(note that MAC address filtering does not really offer security as such - since someone wanting access can simply sniff the MAC addresses that are talking then clone one later. Hiding the SSID is also a fairly feeble security measure in this day and age)

Some routers support Enterprise Authentication Protocol (EAP) where the person wishing to access the wireless network needs to type in a user ID and password and then the WIFi router can then authenticate the user as well as the SSID, IP addy and MAC address.
#26
Posted to uk.d-i-y
On 02/08/2013 19:17, dennis@home wrote:
On 02/08/2013 10:16, Steve Firth wrote:

With a separate wireless access point you have two main options, to use the WAP as a router or as a bridge. I think the Netgear that you have only supports bridge mode and all WIFI clients must be in the same address range as the LAN.

That's because in common with most home wifi routers it's a router connected to a switch and the WAP hangs off the switch.

With a separate WAP you can configure it as a router with its own DHCP and DNS.

Not with a WAP, you need something with a router in it and WAPs don't have one.

All your WiFi clients can then be on a separate subnet and you route to your existing LAN using NTP. This protects your WiFi clients from your LAN to an extent but does not protect your LAN from the WiFI clients.

You can do that with a Netgear (or any other) cable router if you ignore the LAN ports on the switch as you then have a LAN port, a router and an AP. You can't usually do that with an adsl router (like the dg834g) as the LAN ports are all on the same switch along with the wap.

Although as I mentioned earlier, the 834G does support wireless isolation as an option which means wireless clients can be restricted from access to anything on the LAN, or each other, and can only use the connection for access to the WAN connection. Likewise LAN clients can't see the WiFi ones.

--
Cheers,

John.

/=================================================================\
|          Internode Ltd - http://www.internode.co.uk             |
|-----------------------------------------------------------------|
|        John Rumm - john(at)internode(dot)co(dot)uk              |
\=================================================================/
#27
Posted to uk.d-i-y
On 01/08/2013 17:06, Mike Barnes wrote:
The Natural Philosopher:

On 01/08/13 09:20, Tim Watts wrote:

In theory you can still stick a bridging firewall between them or make use of whatever firewalling is in the WIFI AP - but having a flat IP space seems to be less hassle - at least with my usage patterns.

+1 it ain't worth the hassle

+ another 1

I tried it for a while with a spare router, but in the end it was more trouble than it was worth. Complexity can be the enemy of security, and IMO it's better (in an ordinary domestic environment) to keep things simple. So, one flat network, and save your energy for securing the wireless network.

+1 keeping the firewall on a wireless router tends to stop sharing of files and printers between wired and wireless PCs which can be a pain at times. I wired everywhere up but still have had to add two APs (using redundant wireless routers) so smartphones, ebook readers and tablets can hookup easily.

Keeping it simple pays dividends when something appears to misbehave which will always happen at a critical moment.
#28
Posted to uk.d-i-y
And what's its annual electricity bill compared with a small-is-beautiful dedicated router?

On 3 Aug 2013 15:58:17 GMT, Huge wrote:

The PC running my Smoothwall cost £10 on eBay & the NICs came out of the junk box at work.

--
=========================================================
Please always reply to ng as the email in this post's header does not exist. Or use a contact address at:
http://www.macfh.co.uk/JavaJive/JavaJive.html
http://www.macfh.co.uk/Macfarlane/Macfarlane.html
#29
Posted to uk.d-i-y
"dennis@home" wrote:
On 02/08/2013 10:16, Steve Firth wrote:

With a separate wireless access point you have two main options, to use the WAP as a router or as a bridge. I think the Netgear that you have only supports bridge mode and all WIFI clients must be in the same address range as the LAN.

That's because in common with most home wifi routers it's a router connected to a switch and the WAP hangs off the switch.

With a separate WAP you can configure it as a router with its own DHCP and DNS.

Not with a WAP, you need something with a router in it and WAPs don't have one.

Sorry dennis old fruity but that's incorrect. A good proportion of WAPs have a router built in.

--
•DarWin| _/ _/
#30
Posted to uk.d-i-y
On 05/08/2013 13:55, Steve Firth wrote:
"dennis@home" wrote:

On 02/08/2013 10:16, Steve Firth wrote:

With a separate wireless access point you have two main options, to use the WAP as a router or as a bridge. I think the Netgear that you have only supports bridge mode and all WIFI clients must be in the same address range as the LAN.

That's because in common with most home wifi routers it's a router connected to a switch and the WAP hangs off the switch.

With a separate WAP you can configure it as a router with its own DHCP and DNS.

Not with a WAP, you need something with a router in it and WAPs don't have one.

Sorry dennis old fruity but that's incorrect. A good proportion of WAPs have a router built in.

Then it's not a WAP then is it.
#31
Posted to uk.d-i-y
"dennis@home" wrote:
On 05/08/2013 13:55, Steve Firth wrote:

"dennis@home" wrote:

On 02/08/2013 10:16, Steve Firth wrote:

With a separate wireless access point you have two main options, to use the WAP as a router or as a bridge. I think the Netgear that you have only supports bridge mode and all WIFI clients must be in the same address range as the LAN.

That's because in common with most home wifi routers it's a router connected to a switch and the WAP hangs off the switch.

With a separate WAP you can configure it as a router with its own DHCP and DNS.

Not with a WAP, you need something with a router in it and WAPs don't have one.

Sorry dennis old fruity but that's incorrect. A good proportion of WAPs have a router built in.

Then it's not a WAP then is it.

Listen carefully grasshopper and you can hear the familiar sound of one dennis wriggling.

--
•DarWin| _/ _/
#32
Posted to uk.d-i-y
On 01/08/2013 09:10, thescullster wrote:
Hi all

OK so this is maybe a bit OT for the group, but here goes. I've never been a fan of wireless, so cabled the house up with Cat 5 to a number of rooms. There are clearly now numerous devices that will only connect wirelessly and I am under pressure to add a WAP. I've inherited a Netgear DG834G wireless router, our existing network uses the wired version of this device. I have set up the wireless router as a WAP OK, but wondered if it is possible to configure it as a DHCP server with a different address range to the wired router. Not sure how much security this would add, but I'm inclined to do as much as possible to separate the wireless network from certain wired devices. The SSID of the WAP is hidden and MAC address filtering on that router is in place.

Anyone setup a separate wired and wireless network?

If you want to truly isolate ALL wifi network from LAN (including shared printers, files etc) there's no problem. Doing as you suggest should be straightforward. I have done this myself through purchasing a Fon WAP/router purely to give me access to ALL the BT/Openzone hot-spots when out and about. It handles all its network address allocation etc and keeps everything safe.

Another way to do it depends on your main router. If it allows separation via vlan, you can isolate router ports from one another which is an easy way of keeping networks apart.

Pete@

--
http://www.GymRatZ.co.uk
Heavy Duty Commercial Gym Equipment & Flooring