UK diy (uk.d-i-y) For the discussion of all topics related to diy (do-it-yourself) in the UK. All levels of experience and proficiency are welcome to join in to ask questions or offer solutions.
#1
Posted to uk.d-i-y
LAN segregation ?
I have a home network on the farm connected to the outside world via a BT Home Hub - (the original white one). I have wireless access points in several buildings for my own use and can limit their access as I wish. The home hub does the DHCP dishing out ip addresses. However we have two 'holiday cottages' on site, the occupants of which enjoy the benefit of a dedicated wireless access point. Of course the ip address that they pick up is in the same sub net as everything else. I'd like somehow to implement a bit more control to stop them having access to 'my' network behind the firewall for added security and also to stop them using ip addresses in my common range. Is it somehow possible to set up an access point to also do DHCP from its own limited pool of addresses on a different subnet? As far as I am aware so far we haven't had problems, but it's probably only time before some computer savvy kid is here and starts playing!

Andrew
#2
On Sun, 11 Jan 2015 10:24:32 +0000, Andrew Mawson wrote:
> I have a home network on the farm connected to the outside world via a BT Home Hub - (the original white one). I have wireless access points in several buildings for my own use and can limit their access as I wish. The home hub does the DHCP dishing out ip addresses. However we have two 'holiday cottages' on site, the occupants of which enjoy the benefit of a dedicated wireless access point. Of course the ip address that they pick up is in the same sub net as everything else. I'd like somehow to implement a bit more control to stop them having access to 'my' network behind the firewall for added security and also to stop them using ip addresses in my common range. Is it somehow possible to set up an access point to also do DHCP from its own limited pool of addresses on a different subnet? As far as I am aware so far we haven't had problems, but it's probably only time before some computer savvy kid is here and starts playing!

Some routers have the option to have two wireless networks - one "internal", one "public". If you've got that choice, go for it for the really low-hassle route.

Apart from that, the easiest way would be to have them connecting to the actual router, then have a firewall (cheap and easy would be a cable router) hanging off the inside of that with your internal network connecting to that.

If you want a bit better security, then have your internal wireless using MAC security, perhaps a hidden SSID. Wireless will never be absolutely secure, but it'll certainly help to prevent idle fingers from being mischievous.
#3
On 11/01/15 10:24, Andrew Mawson wrote:
> I have a home network on the farm connected to the outside world via a BT Home Hub - (the original white one). I have wireless access points in several buildings for my own use and can limit their access as I wish. The home hub does the DHCP dishing out ip addresses. However we have two 'holiday cottages' on site, the occupants of which enjoy the benefit of a dedicated wireless access point. Of course the ip address that they pick up is in the same sub net as everything else. I'd like somehow to implement a bit more control to stop them having access to 'my' network behind the firewall for added security and also to stop them using ip addresses in my common range. Is it somehow possible to set up an access point to also do DHCP from its own limited pool of addresses on a different subnet? As far as I am aware so far we haven't had problems, but it's probably only time before some computer savvy kid is here and starts playing!
>
> Andrew

Yes. The TP-Link TL-WA901N WIFI AP I have can run its own DHCP server.

However, you will still need a device before it that can act as a true router/NAT/Firewall and split you off 2-3 networks:

1) Your personal "private" network for your house;
2) Cottage 1;
3) Cottage 2;

So you are looking for something that can run 3 subnets (or 2 min if you combine the cottages), prevent traffic between the two and handle NAT for each independently.

In principle the Vigor 2830 can do this, but in practice it makes a pig's ear of more than one LAN side subnet and the firewalling setup breaks my brain (whereas I find linux iptables quite straightforward).

A Firebrick might be more suitable, but they are expensive.

If you are up for a little more DIY, any router that can handle the speed (do you have FTTC yet - as it's recently gone live in Robertsbridge) running DD-WRT which is a router based linux distro with a nice GUI.
#4
On Sun, 11 Jan 2015 10:24:32 +0000, Andrew Mawson wrote:
> I have a home network on the farm connected to the outside world via a BT Home Hub - (the original white one). I have wireless access points in several buildings for my own use and can limit their access as I wish. The home hub does the DHCP dishing out ip addresses. However we have two 'holiday cottages' on site, the occupants of which enjoy the benefit of a dedicated wireless access point. Of course the ip address that they pick up is in the same sub net as everything else. I'd like somehow to implement a bit more control to stop them having access to 'my' network behind the firewall for added security and also to stop them using ip addresses in my common range. Is it somehow possible to set up an access point to also do DHCP from its own limited pool of addresses on a different subnet? As far as I am aware so far we haven't had problems, but it's probably only time before some computer savvy kid is here and starts playing!
>
> Andrew

Just trying to get my head around this.

I assume (just checking I understand) that you are accepting that the IP address which gets to the Internet will be the same for all devices on your internal networks.

So your requirement is to provide DHCP services to the guest networks from a wireless AP, and a different sub-net. Thus implementing "double NAT".

You also want the AP interface to the rest of your LAN to be hard wired to a different sub-net so that the AP cannot see your devices, but the second sub-net has to be supported and routed by your primary router which connects to the Internet.

We really need to know the make and model of the AP before we can say if this is possible. The make and model of your main router would also be helpful.

It appears that the device you want for your guests is not an AP at all (which just extends your internal network) but a NAT router which can manage its own little network and NAT through to your main router which will in turn NAT through to the Internet. You should also get things like parental controls and other useful management facilities.

The bad news is that you've already bought the APs. The good news is that NAT routers are cheaper than APs, even though they can do considerably more than APs. An example of warped industry pricing. I ended up buying a router then configuring it to work as an AP because it was cheaper (and the router would also take 3rd party firmware such as DD-WRT).

I think what you probably need to use the APs unmodified is a VLAN tied to a physical port on your main router and/or an IP address (range?). This should allow you to define a route from the AP to the Internet which is separate from your home VLAN on another port/subnet. However I haven't experimented with VLANs yet so I can't be sure.

Cheers

Dave R

--
Windows 8.1 on PCSpecialist box
#5
In article , Adrian writes:

> Apart from that, the easiest way would be to have them connecting to the actual router, then have a firewall (cheap and easy would be a cable router) hanging off the inside of that with your internal network connecting to that.

A wifi router for cable use (i.e. intended to connect over ethernet to a separate cable modem) would work if it had a suitable firewall capability built in. Daisy-chain it off your internal network, and configure the firewall to block access to your internal network, except for the address of the BT home hub. It will need a separate private network for itself.

I do something similar at home - I have 3 internal networks which are all firewalled from each other (home, work, visitor's wifi). However, I use a server to do the routing/firewalling with 4 ethernet ports on it, and it also does things like the DHCP and DNS caching for all of them.

> If you want a bit better security, then have your internal wireless using MAC security, perhaps a hidden SSID. Wireless will never be absolutely secure, but it'll certainly help to prevent idle fingers from being mischievous.

MAC security never was "secure" ;-)

Newer mobile operating systems are going to be changing their mac randomly from time to time anyway (to prevent tracking), although it will probably be a configurable option.

--
Andrew Gabriel
[email address is not usable -- followup in the newsgroup]
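The rule described in the post above (guest router on its own private network, internal network blocked except for the hub's address), modelled as an added example that is not part of the thread. All addresses, the `br-lan` interface name and the function names are assumptions; the model uses first-match rule order, as an iptables chain does.

```python
"""Added example (not from the thread): vet a daisy-chained guest router plan."""
import ipaddress

# Constructed addressing: the thread never states real addresses.
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")    # LAN served by the hub
HUB_ADDR = ipaddress.ip_address("192.168.1.254")     # hub's LAN address (assumed)
GUEST_LAN = ipaddress.ip_network("192.168.50.0/24")  # guest router's private LAN
ANYWHERE = ipaddress.ip_network("0.0.0.0/0")


def validate_plan(home, guest, hub):
    """Reject a plan whose 'separate' guest subnet is not really separate."""
    if home.overlaps(guest):
        raise ValueError(f"guest subnet {guest} overlaps home LAN {home}")
    if hub not in home:
        raise ValueError(f"hub {hub} is not on the home LAN {home}")


def dhcp_pool(network, first_host, size):
    """Return (start, end) of a limited DHCP pool inside `network`."""
    if first_host < 1 or size < 1:
        raise ValueError("pool must start at host 1 or later and be non-empty")
    start = network.network_address + first_host
    end = start + (size - 1)
    if end >= network.broadcast_address:
        raise ValueError("pool does not fit inside the subnet")
    return start, end


def weak_rules():
    """A NAT router left at 'forward everything': the subnet alone isolates nothing."""
    return [(ANYWHERE, "ACCEPT")]


def hardened_rules(home, hub):
    """Hub address allowed, rest of the home LAN dropped, then everything else."""
    return [
        (ipaddress.ip_network(f"{hub}/32"), "ACCEPT"),
        (home, "DROP"),
        (ANYWHERE, "ACCEPT"),
    ]


def decide(rules, src, dst, guest=GUEST_LAN):
    """First-match verdict for a packet forwarded from the guest LAN."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in guest:
        return "DROP"  # source is not a guest address: refuse to forward it
    for network, action in rules:
        if dst in network:
            return action
    return "DROP"  # default-deny if no rule matched


def to_iptables(rules, lan_if="br-lan"):
    """Render the rules as iptables FORWARD commands; `br-lan` is an assumed name."""
    return [f"iptables -A FORWARD -i {lan_if} -d {net} -j {action}"
            for net, action in rules]


if __name__ == "__main__":
    validate_plan(HOME_LAN, GUEST_LAN, HUB_ADDR)
    print("DHCP pool:", *dhcp_pool(GUEST_LAN, 100, 20))
    guest_pc, home_nas = "192.168.50.101", "192.168.1.10"  # constructed hosts
    for name, rules in (("weak", weak_rules()),
                        ("hardened", hardened_rules(HOME_LAN, HUB_ADDR))):
        print(name, "guest -> home NAS:", decide(rules, guest_pc, home_nas))
    print("\n".join(to_iptables(hardened_rules(HOME_LAN, HUB_ADDR))))
```

The order of the first two rules matters: with the home-LAN drop placed first, the hub address would be dropped too.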
#6
"David" wrote in message ...
> On Sun, 11 Jan 2015 10:24:32 +0000, Andrew Mawson wrote:
>
>> I have a home network on the farm connected to the outside world via a BT Home Hub - (the original white one). I have wireless access points in several buildings for my own use and can limit their access as I wish. The home hub does the DHCP dishing out ip addresses. However we have two 'holiday cottages' on site, the occupants of which enjoy the benefit of a dedicated wireless access point. Of course the ip address that they pick up is in the same sub net as everything else. I'd like somehow to implement a bit more control to stop them having access to 'my' network behind the firewall for added security and also to stop them using ip addresses in my common range. Is it somehow possible to set up an access point to also do DHCP from its own limited pool of addresses on a different subnet? As far as I am aware so far we haven't had problems, but it's probably only time before some computer savvy kid is here and starts playing!
>>
>> Andrew
>
> Just trying to get my head around this.
>
> I assume (just checking I understand) that you are accepting that the IP address which gets to the Internet will be the same for all devices on your internal networks.
>
> So your requirement is to provide DHCP services to the guest networks from a wireless AP, and a different sub-net. Thus implementing "double NAT".
>
> You also want the AP interface to the rest of your LAN to be hard wired to a different sub-net so that the AP cannot see your devices, but the second sub-net has to be supported and routed by your primary router which connects to the Internet.
>
> We really need to know the make and model of the AP before we can say if this is possible. The make and model of your main router would also be helpful.
>
> It appears that the device you want for your guests is not an AP at all (which just extends your internal network) but a NAT router which can manage its own little network and NAT through to your main router which will in turn NAT through to the Internet. You should also get things like parental controls and other useful management facilities.
>
> The bad news is that you've already bought the APs. The good news is that NAT routers are cheaper than APs, even though they can do considerably more than APs. An example of warped industry pricing. I ended up buying a router then configuring it to work as an AP because it was cheaper (and the router would also take 3rd party firmware such as DD-WRT).
>
> I think what you probably need to use the APs unmodified is a VLAN tied to a physical port on your main router and/or an IP address (range?). This should allow you to define a route from the AP to the Internet which is separate from your home VLAN on another port/subnet. However I haven't experimented with VLANs yet so I can't be sure.
>
> Cheers
>
> Dave R

Dave,

The APs are all Netgear WG602 v4, but I have no problem providing a different one for the cottages - they are not hugely expensive

Andrew
#7
"Andrew Gabriel" wrote in message ...
> In article , Adrian writes:
>
>> Apart from that, the easiest way would be to have them connecting to the actual router, then have a firewall (cheap and easy would be a cable router) hanging off the inside of that with your internal network connecting to that.
>
> A wifi router for cable use (i.e. intended to connect over ethernet to a separate cable modem) would work if it had a suitable firewall capability built in. Daisy-chain it off your internal network, and configure the firewall to block access to your internal network, except for the address of the BT home hub. It will need a separate private network for itself.
>
> I do something similar at home - I have 3 internal networks which are all firewalled from each other (home, work, visitor's wifi). However, I use a server to do the routing/firewalling with 4 ethernet ports on it, and it also does things like the DHCP and DNS caching for all of them.
>
>> If you want a bit better security, then have your internal wireless using MAC security, perhaps a hidden SSID. Wireless will never be absolutely secure, but it'll certainly help to prevent idle fingers from being mischievous.
>
> MAC security never was "secure" ;-)
>
> Newer mobile operating systems are going to be changing their mac randomly from time to time anyway (to prevent tracking), although it will probably be a configurable option.

The aim is not so much an unbreakable system, just one a little less obviously open to abuse as it is currently

Andrew
#8
On 11/01/2015 10:24, Andrew Mawson wrote:
> I have a home network on the farm connected to the outside world via a BT Home Hub - (the original white one). I have wireless access points in several buildings for my own use and can limit their access as I wish. The home hub does the DHCP dishing out ip addresses. However we have two 'holiday cottages' on site, the occupants of which enjoy the benefit of a dedicated wireless access point. Of course the ip address that they pick up is in the same sub net as everything else. I'd like somehow to implement a bit more control to stop them having access to 'my' network behind the firewall for added security and also to stop them using ip addresses in my common range. Is it somehow possible to set up an access point to also do DHCP from its own limited pool of addresses on a different subnet? As far as I am aware so far we haven't had problems, but it's probably only time before some computer savvy kid is here and starts playing!
>
> Andrew

Have a similar situation.

Originally had: Incoming ADSL Modem/router feeds 3 standard cable routers with wifi in 2 holiday cottages and for main house. So each network is isolated by a firewall and cannot see other networks.

Have upgraded this to: ADSL modem/router - Netgear GS108e prosafe plus switch with VLANs setup for each location - standard cable wifi routers. This allows control of bandwidth used by each VLAN.

Used cable routers with wifi (I use netgear) can be obtained for next to nothing and the Prosafe switch was ~£28.

To manage all these devices you have to connect to the incoming modem/router when necessary.
#9
On 11/01/2015 10:40, Tim Watts wrote:
> On 11/01/15 10:24, Andrew Mawson wrote:
>
>> I have a home network on the farm connected to the outside world via a BT Home Hub - (the original white one). I have wireless access points in several buildings for my own use and can limit their access as I wish. The home hub does the DHCP dishing out ip addresses. However we have two 'holiday cottages' on site, the occupants of which enjoy the benefit of a dedicated wireless access point. Of course the ip address that they pick up is in the same sub net as everything else. I'd like somehow to implement a bit more control to stop them having access to 'my' network behind the firewall for added security and also to stop them using ip addresses in my common range. Is it somehow possible to set up an access point to also do DHCP from its own limited pool of addresses on a different subnet? As far as I am aware so far we haven't had problems, but it's probably only time before some computer savvy kid is here and starts playing!
>>
>> Andrew
>
> Yes. The TP-Link TL-WA901N WIFI AP I have can run its own DHCP server.
>
> However, you will still need a device before it that can act as a true router/NAT/Firewall and split you off 2-3 networks:
>
> 1) Your personal "private" network for your house;
> 2) Cottage 1;
> 3) Cottage 2;
>
> So you are looking for something that can run 3 subnets (or 2 min if you combine the cottages), prevent traffic between the two and handle NAT for each independently.
>
> In principle the Vigor 2830 can do this, but in practice it makes a pig's ear of more than one LAN side subnet and the firewalling setup breaks my brain (whereas I find linux iptables quite straightforward).

There is a slightly simpler setup using the 2830 that would probably work for the OP's requirement. You can group up to 4 different wireless SSIDs and the 4 ports on the internal switch in any combination of groups, that are independent of each other. So you can specify (say) one WiFi SSID (your private one) so it has access to the internet and also the LAN0 port. That in turn can connect to a switch for additional physical wired machines - or additional WAPs for wireless on your private side of the setup.

Port 1 could then be assigned to one cottage, port 2 the next. (That would leave them sharing the same DHCP pool as the primary side, but comms between them would not be possible).

If the OP wanted, he could also create additional LAN subnets and have separate ones for each cottage.

> A Firebrick might be more suitable, but they are expensive.
>
> If you are up for a little more DIY, any router that can handle the speed (do you have FTTC yet - as it's recently gone live in Robertsbridge) running DD-WRT which is a router based linux distro with a nice GUI.

--
Cheers,

John.

Internode Ltd - http://www.internode.co.uk
John Rumm - john(at)internode(dot)co(dot)uk
#10
"Robert" wrote in message ...
>> Andrew
>
> Have a similar situation.
>
> Originally had: Incoming ADSL Modem/router feeds 3 standard cable routers with wifi in 2 holiday cottages and for main house. So each network is isolated by a firewall and cannot see other networks.
>
> Have upgraded this to: ADSL modem/router - Netgear GS108e prosafe plus switch with VLANs setup for each location - standard cable wifi routers. This allows control of bandwidth used by each VLAN.
>
> Used cable routers with wifi (I use netgear) can be obtained for next to nothing and the Prosafe switch was ~£28.
>
> To manage all these devices you have to connect to the incoming modem/router when necessary.

Robert, this sounds just the thing I need to do. So as I understand your set up you have:

Incoming ADSL router (ie my BT Home Hub), feeding the Netgear GS108e Prosafe, which is set to create separate VLANS each with a wireless access point on each vlan

or have I got that wrong ???

Andrew
#11
In article , Adrian wrote:

> Some routers have the option to have two wireless networks - one "internal", one "public". If you've got that choice, go for it for the really low-hassle route.

Not sure about the BT home hub, but can it be set up as a public hotspot? I've set up my SFR (french equiv of BT I think) modem for our home use and also for public use. It shows as 3 distinct services:

(1) Midi (our default home network)
(2) SFR public hotspot (allows other SFR users with similar set-ups to use it)
(3) SFR FON (allows FON subscribers to use the FON network)

(2) and (3) require the user to already have their own username/password

--
John Mulrooney
NOTE Email address IS correct but might not be checked for a while.
#12
John Rumm wrote:
>> In principle the Vigor 2830 can do this, but in practice it makes a pig's ear of more than one LAN side subnet and the firewalling setup breaks my brain (whereas I find linux iptables quite straightforward).
>
> There is a slightly simpler setup using the 2830 that would probably work for the OP's requirement. You can group up to 4 different wireless SSIDs and the 4 ports on the internal switch in any combination of groups, that are independent of each other. So you can specify (say) one WiFi SSID (your private one) so it has access to the internet and also the LAN0 port. That in turn can connect to a switch for additional physical wired machines - or additional WAPs for wireless on your private side of the setup.

Virtual LANs (VLANs), yes I was going to suggest this when I saw the OP's message. Quite a few routers support VLANs.

--
Chris Green
#13
On 11/01/2015 14:18, Andrew Mawson wrote:
> "Robert" wrote in message ...
>
>>> Andrew
>>
>> Have a similar situation.
>>
>> Originally had: Incoming ADSL Modem/router feeds 3 standard cable routers with wifi in 2 holiday cottages and for main house. So each network is isolated by a firewall and cannot see other networks.
>>
>> Have upgraded this to: ADSL modem/router - Netgear GS108e prosafe plus switch with VLANs setup for each location - standard cable wifi routers. This allows control of bandwidth used by each VLAN.
>>
>> Used cable routers with wifi (I use netgear) can be obtained for next to nothing and the Prosafe switch was ~£28.
>>
>> To manage all these devices you have to connect to the incoming modem/router when necessary.
>
> Robert, this sounds just the thing I need to do. So as I understand your set up you have:
>
> Incoming ADSL router (ie my BT Home Hub), feeding the Netgear GS108e Prosafe, which is set to create separate VLANS each with a wireless access point on each vlan
>
> or have I got that wrong ???
>
> Andrew

Yes that's right.

For wifi APs I use a netgear cable router for the house wifi and wired, an old WAG102 wifi AP in another and an old netgear cable router with wifi in another. All older used models with no special setups.

The only reason I added the Prosafe was to provide bandwidth control, VLANS are I think the icing on the cake if each location is fed via a firewalled router.

Others may/will disagree ?
#14
On 11/01/2015 10:24, Andrew Mawson wrote:
> I have a home network on the farm connected to the outside world via a BT Home Hub - (the original white one). I have wireless access points in several buildings for my own use and can limit their access as I wish. The home hub does the DHCP dishing out ip addresses. However we have two 'holiday cottages' on site, the occupants of which enjoy the benefit of a dedicated wireless access point. Of course the ip address that they pick up is in the same sub net as everything else. I'd like somehow to implement a bit more control to stop them having access to 'my' network behind the firewall for added security and also to stop them using ip addresses in my common range. Is it somehow possible to set up an access point to also do DHCP from its own limited pool of addresses on a different subnet? As far as I am aware so far we haven't had problems, but it's probably only time before some computer savvy kid is here and starts playing!
>
> Andrew

Just putting them on a separate subnet isn't going to deter any computer savvy user.

BT do a public access wifi using their latest hubs if you get one and enable the service. It gets you access to all the others that have joined the service while you are out. It's independent of your connection but does share bandwidth.

I have no idea how secure it is as I have never looked at it since suggesting the possibility of doing such a service about 5 years ago in a meeting we had with BT.
#15
On 11/01/15 16:56, Dennis@home wrote:
> On 11/01/2015 10:24, Andrew Mawson wrote:
>
>> I have a home network on the farm connected to the outside world via a BT Home Hub - (the original white one). I have wireless access points in several buildings for my own use and can limit their access as I wish. The home hub does the DHCP dishing out ip addresses. However we have two 'holiday cottages' on site, the occupants of which enjoy the benefit of a dedicated wireless access point. Of course the ip address that they pick up is in the same sub net as everything else. I'd like somehow to implement a bit more control to stop them having access to 'my' network behind the firewall for added security and also to stop them using ip addresses in my common range. Is it somehow possible to set up an access point to also do DHCP from its own limited pool of addresses on a different subnet? As far as I am aware so far we haven't had problems, but it's probably only time before some computer savvy kid is here and starts playing!
>>
>> Andrew
>
> Just putting them on a separate subnet isn't going to deter any computer savvy user.

I think we were probably assuming the subnets would have no routing between them, or a firewall.

> BT do a public access wifi using their latest hubs if you get one and enable the service. It gets you access to all the others that have joined the service while you are out. It's independent of your connection but does share bandwidth.
>
> I have no idea how secure it is as I have never looked at it since suggesting the possibility of doing such a service about 5 years ago in a meeting we had with BT.
#16
On Sun, 11 Jan 2015 13:02:24 +0000, Andrew Mawson wrote:
> "David" wrote in message ...
>
>> On Sun, 11 Jan 2015 10:24:32 +0000, Andrew Mawson wrote:
>>
>>> I have a home network on the farm connected to the outside world via a BT Home Hub - (the original white one). I have wireless access points in several buildings for my own use and can limit their access as I wish. The home hub does the DHCP dishing out ip addresses. However we have two 'holiday cottages' on site, the occupants of which enjoy the benefit of a dedicated wireless access point. Of course the ip address that they pick up is in the same sub net as everything else. I'd like somehow to implement a bit more control to stop them having access to 'my' network behind the firewall for added security and also to stop them using ip addresses in my common range. Is it somehow possible to set up an access point to also do DHCP from its own limited pool of addresses on a different subnet? As far as I am aware so far we haven't had problems, but it's probably only time before some computer savvy kid is here and starts playing!
>>>
>>> Andrew
>>
>> Just trying to get my head around this.
>>
>> I assume (just checking I understand) that you are accepting that the IP address which gets to the Internet will be the same for all devices on your internal networks.
>>
>> So your requirement is to provide DHCP services to the guest networks from a wireless AP, and a different sub-net. Thus implementing "double NAT".
>>
>> You also want the AP interface to the rest of your LAN to be hard wired to a different sub-net so that the AP cannot see your devices, but the second sub-net has to be supported and routed by your primary router which connects to the Internet.
>>
>> We really need to know the make and model of the AP before we can say if this is possible. The make and model of your main router would also be helpful.
>>
>> It appears that the device you want for your guests is not an AP at all (which just extends your internal network) but a NAT router which can manage its own little network and NAT through to your main router which will in turn NAT through to the Internet. You should also get things like parental controls and other useful management facilities.
>>
>> The bad news is that you've already bought the APs. The good news is that NAT routers are cheaper than APs, even though they can do considerably more than APs. An example of warped industry pricing. I ended up buying a router then configuring it to work as an AP because it was cheaper (and the router would also take 3rd party firmware such as DD-WRT).
>>
>> I think what you probably need to use the APs unmodified is a VLAN tied to a physical port on your main router and/or an IP address (range?). This should allow you to define a route from the AP to the Internet which is separate from your home VLAN on another port/subnet. However I haven't experimented with VLANs yet so I can't be sure.
>
> Dave,
>
> The APs are all Netgear WG602 v4, but I have no problem providing a different one for the cottages - they are not hugely expensive
>
> Andrew

Andrew,

one option is to replace your BT Home Hub with another ADSL router which supports VLANs or with one which supports Open Router software such as DD-WRT.

I have not been impressed by the flexibility of the router software which comes with my Buffalo WZR-600DHP2 or my TP-Link TL-WDR3600 so I can't recommend a replacement router manufacturer (mine are cable routers not ADSL).

As you are seeing from the responses there are many ways of skinning this particular cat.

If I remember correctly you have an ADSL router in your main home, then Ethernet to the two cottages to serve the two APs. If this is correct then the minimum hardware is a smart ADSL router which can support multiple LANs each with its own DHCP and segregate the traffic. Using VLANs or something similar.

I was planning to go down that route and bought an old CISCO router because it had much more functionality than the average consumer router (although it is a ******* to configure until you have learned how to speak CISCO IOS). However the ports are 10/100 and shortly after I got it the cable network from Virgin was bumped up to 150 Mbits/sec so I can't persuade myself to chop a third of my bandwidth for added security.

I am planning to put DD-WRT or similar on my second wireless router. Soon. Honestly. ;-) Then it can replace my main router (which can then have DD-WRT installed). When my Tuit is finally round.

Cheers

Dave R

--
Windows 8.1 on PCSpecialist box
#17
David wrote:
> one option is to replace your BT Home Hub with another ADSL router which supports VLANs or with one which supports Open Router software such as DD-WRT.

I don't think openWRT et al support (the ATM interface of m)any of the ADSL routers, only the dual ethernet "cable" routers.

I've always used a separate ADSL router combined with an openWRT firewall, recently upgraded from a WRT54GS to a WNDR3800, that setup can certainly handle multiple VLANs with separate DHCP scope/SSID per VLAN as required.

Nice GUI these days, just requires a little knowledge and confidence to flash the opensource firmware over the manufacturer's firmware.
#18
On 11/01/2015 17:24, Tim Watts wrote:
>> Just putting them on a separate subnet isn't going to deter any computer savvy user.
>
> I think we were probably assuming the subnets would have no routing between them, or a firewall.

I don't think the OP would know that.

Anyway the vlans will work provided the router doesn't actually do any routing on the LAN. Mine can.

Maybe one of these would be useful http://www.solwise.co.uk/wireless-ho...s-wg-500p.html
#19
On 11/01/15 19:39, Dennis@home wrote:
> On 11/01/2015 17:24, Tim Watts wrote:
>
>>> Just putting them on a separate subnet isn't going to deter any computer savvy user.
>>
>> I think we were probably assuming the subnets would have no routing between them, or a firewall.
>
> I don't think the OP would know that.

That may be underestimating the OP!

> Anyway the vlans will work provided the router doesn't actually do any routing on the LAN. Mine can.
#20
Posted to uk.d-i-y
LAN segregation ?
"Tim Watts" wrote in message ...
On 11/01/15 19:39, Dennis@home wrote:

On 11/01/2015 17:24, Tim Watts wrote:

Just putting them on a separate subnet isn't going to deter any computer savvy user.

I think we were probably assuming the subnets would have no routing between them, or a firewall. I don't think the OP would know that.

That may be underestimating the OP!

Anyway the VLANs will work provided the router doesn't actually do any routing on the LAN. Mine can.

Thanks for the vote of confidence Tim

Andrew
#21
Posted to uk.d-i-y
LAN segregation ?
"Dennis@home" wrote in message eb.com...

On 11/01/2015 17:24, Tim Watts wrote:

Just putting them on a separate subnet isn't going to deter any computer savvy user.

I think we were probably assuming the subnets would have no routing between them, or a firewall. I don't think the OP would know that.

Anyway the VLANs will work provided the router doesn't actually do any routing on the LAN. Mine can.

Maybe one of these would be useful http://www.solwise.co.uk/wireless-ho...s-wg-500p.html

Pity about the price.
#22
Posted to uk.d-i-y
|
In message , Andrew Mawson writes

"Andrew Gabriel" wrote in message ...

In article , Adrian writes:

Apart from that, the easiest way would be to have them connecting to the actual router, then have a firewall (cheap and easy would be a cable router) hanging off the inside of that with your internal network connecting to that.

A wifi router for cable use (i.e. intended to connect over ethernet to a separate cable modem) would work if it had a suitable firewall capability built in. Daisy-chain it off your internal network, and configure the firewall to block access to your internal network, except for the address of the BT home hub. It will need a separate private network for itself.

I do something similar at home - I have 3 internal networks which are all firewalled from each other (home, work, visitor's wifi). However, I use a server to do the routing/firewalling with 4 ethernet ports on it, and it also does things like the DHCP and DNS caching for all of them.

If you want a bit better security, then have your internal wireless using MAC security, perhaps a hidden SSID. Wireless will never be absolutely secure, but it'll certainly help to prevent idle fingers from being mischievous.

MAC security never was "secure" ;-) Newer mobile operating systems are going to be changing their mac randomly from time to time anyway (to prevent tracking), although it will probably be a configurable option.

The aim is not so much an unbreakable system, just one a little less obviously open to abuse as it is currently

Andrew

Does your router support the BT FON network? ISTR it is designed to provide this sort of service - and you can charge for it also.

--
bert
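The daisy-chained guest router described in the quoted text above, combined with the "no routing between the subnets" condition raised earlier in the thread, written out as an nftables ruleset for a Linux-based router. This is an added example, not part of any post: the interface names and all addresses are constructed placeholders, and the guest DHCP pool is assumed to be served by a DHCP daemon running on this box.

```nft
#!/usr/sbin/nft -f
# Added example. Interface names and addresses are constructed placeholders:
#   up0    = port cabled to the internal LAN (the BT Home Hub is the gateway there)
#   guest0 = guest SSID / guest VLAN with its own subnet and DHCP pool
define IF_UP        = "up0"
define IF_GUEST     = "guest0"
define NET_INTERNAL = 192.168.1.0/24
define HUB          = 192.168.1.254
define NET_GUEST    = 192.168.50.0/24

flush ruleset

table inet guestwall {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # Guests get DHCP and DNS from this box and nothing else,
        # so its own admin interface is not reachable from the cottages.
        iifname $IF_GUEST udp dport { 53, 67 } accept
        iifname $IF_GUEST tcp dport 53 accept
        # Assumption: the owner manages this box over SSH from the internal LAN.
        iifname $IF_UP ip saddr $NET_INTERNAL tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        # This ruleset is IPv4-only: refuse to route IPv6 at all, otherwise
        # it would slip past the address-based rules below.
        meta nfproto ipv6 drop
        ct state established,related accept
        # Only addresses from the guest pool may enter from the guest side.
        iifname $IF_GUEST ip saddr != $NET_GUEST drop
        # The one internal address guests may reach: the hub.
        iifname $IF_GUEST oifname $IF_UP ip daddr $HUB accept
        # Everything else on the owner's subnet is refused.
        iifname $IF_GUEST ip daddr $NET_INTERNAL reject
        # Remaining guest traffic is internet-bound via the hub.
        iifname $IF_GUEST oifname $IF_UP accept
        # No rule admits new connections from up0 to guest0; the policy drops them.
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Hide the guest subnet behind this box's internal-LAN address.
        oifname $IF_UP ip saddr $NET_GUEST masquerade
    }
}
```

Because this box answers guest DNS itself, the hub rule can be narrowed to the ports guests actually need, which also keeps them off the hub's admin page.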
#23
Posted to uk.d-i-y
LAN segregation ?
On Sun, 11 Jan 2015 16:04:39 +0100, John Mulrooney wrote:
Some routers have the option to have two wireless networks - one "internal", one "public". If you've got that choice, go for it for the really low-hassle route.

Not sure about the BT home hub, but can it be set up as a public hotspot?

The BT homehub has to be persuaded NOT to act as a public hotspot...
#24
Posted to uk.d-i-y
LAN segregation ?
On Sunday, 11 January 2015 10:24:30 UTC, Andrew Mawson wrote:
I have a home network on the farm connected to the outside world via a BT Home Hub - (the original white one). I have wireless access points in several buildings for my own use and can limit their access as I wish. The home hub does the DHCP dishing out ip addresses.

However we have two 'holiday cottages' on site, the occupants of which enjoy the benefit of a dedicated wireless access point. Of course the ip address that they pick up is in the same sub net as everything else. I'd like somehow to implement a bit more control to stop them having access to 'my' network behind the firewall for added security and also to stop them using ip addresses in my common range.

Is it somehow possible to set up an access point to also do DHCP from its own limited pool of addresses on a different subnet? As far as I am aware so far we haven't had problems, but it's probably only time before some computer savvy kid is here and starts playing!

Andrew

This reminds me that just about every holiday home I've been to that provides WiFi via the owner's residential part of the property has had the main (or only!) router configured with the default username and password so that I've been able to get onto their router and adjust configurations had I been so minded.

I know that many companies now issue routers with more complex usernames and passwords as default when they are supplied with a broadband package but owners often seem to be unaware that giving me the Wifi password gives me some access to their network.

I can readily see teenagers getting onto the router via "Admin" "Password" type access controls, and leaving the homeowner with no access to their router at the end of the week after they have modified the password "for a laugh"!
#25
Posted to uk.d-i-y
LAN segregation ?
"larkim" wrote in message
...

On Sunday, 11 January 2015 10:24:30 UTC, Andrew Mawson wrote:

I have a home network on the farm connected to the outside world via a BT Home Hub - (the original white one). I have wireless access points in several buildings for my own use and can limit their access as I wish. The home hub does the DHCP dishing out ip addresses.

However we have two 'holiday cottages' on site, the occupants of which enjoy the benefit of a dedicated wireless access point. Of course the ip address that they pick up is in the same sub net as everything else. I'd like somehow to implement a bit more control to stop them having access to 'my' network behind the firewall for added security and also to stop them using ip addresses in my common range.

Is it somehow possible to set up an access point to also do DHCP from its own limited pool of addresses on a different subnet? As far as I am aware so far we haven't had problems, but it's probably only time before some computer savvy kid is here and starts playing!

Andrew

This reminds me that just about every holiday home I've been to that provides WiFi via the owner's residential part of the property has had the main (or only!) router configured with the default username and password so that I've been able to get onto their router and adjust configurations had I been so minded.

I know that many companies now issue routers with more complex usernames and passwords as default when they are supplied with a broadband package but owners often seem to be unaware that giving me the Wifi password gives me some access to their network.

I can readily see teenagers getting onto the router via "Admin" "Password" type access controls, and leaving the homeowner with no access to their router at the end of the week after they have modified the password "for a laugh"!

And it's just that scenario I'm planning to forestall rather than a determined hacker

Andrew
#26
Posted to uk.d-i-y
LAN segregation ?
Adrian wrote:
On Sun, 11 Jan 2015 16:04:39 +0100, John Mulrooney wrote:

Some routers have the option to have two wireless networks - one "internal", one "public". If you've got that choice, go for it for the really low-hassle route.

Not sure about the BT home hub, but can it be set up as a public hotspot?

The BT homehub has to be persuaded NOT to act as a public hotspot...

... but only for people who have a BT account or a FON account. It doesn't really help the OP unless all their visitors have BT broadband.

--
Chris Green
#28
Posted to uk.d-i-y
LAN segregation ?
On 12/01/15 18:27, bert wrote:
In message , writes

Adrian wrote:

On Sun, 11 Jan 2015 16:04:39 +0100, John Mulrooney wrote:

Some routers have the option to have two wireless networks - one "internal", one "public". If you've got that choice, go for it for the really low-hassle route.

Not sure about the BT home hub, but can it be set up as a public hotspot?

The BT homehub has to be persuaded NOT to act as a public hotspot...

... but only for people who have a BT account or a FON account. It doesn't really help the OP unless all their visitors have BT broadband.

I think FON accounts can be made available to non-BT users

They are - you just sign up and pay.
#29
Posted to uk.d-i-y
LAN segregation ?
bert wrote:

In message , writes

Adrian wrote:

On Sun, 11 Jan 2015 16:04:39 +0100, John Mulrooney wrote:

Some routers have the option to have two wireless networks - one "internal", one "public". If you've got that choice, go for it for the really low-hassle route.

Not sure about the BT home hub, but can it be set up as a public hotspot?

The BT homehub has to be persuaded NOT to act as a public hotspot...

... but only for people who have a BT account or a FON account. It doesn't really help the OP unless all their visitors have BT broadband.

I think FON accounts can be made available to non-BT users

Yes, but you have to have a FON modem yourself or subscribe to one of the other 'BT's that are part of the FON network.

--
Chris Green
#30
Posted to uk.d-i-y
LAN segregation ?
Tim Watts wrote:
On 12/01/15 18:27, bert wrote:

In message , writes

Adrian wrote:

On Sun, 11 Jan 2015 16:04:39 +0100, John Mulrooney wrote:

Some routers have the option to have two wireless networks - one "internal", one "public". If you've got that choice, go for it for the really low-hassle route.

Not sure about the BT home hub, but can it be set up as a public hotspot?

The BT homehub has to be persuaded NOT to act as a public hotspot...

... but only for people who have a BT account or a FON account. It doesn't really help the OP unless all their visitors have BT broadband.

I think FON accounts can be made available to non-BT users

They are - you just sign up and pay.

... again, true, but no help to the OP.

--
Chris Green