UK diy (uk.d-i-y) For the discussion of all topics related to diy (do-it-yourself) in the UK. All levels of experience and proficiency are welcome to join in to ask questions or offer solutions.

  #1   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 1,133
Default LAN segregation ?

I have a home network on the farm connected to the outside world via a BT
Home Hub - (the original white one). I have wireless access points in
several buildings for my own use and can limit their access as I wish. The
home hub does the DHCP dishing out ip addresses.

However we have two 'holiday cottages' on site, the occupants of which enjoy
the benefit of a dedicated wireless access point. Of course the ip address
that they pick up is in the same sub net as everything else. I'd like
somehow to implement a bit more control to stop them having access to 'my'
network behind the firewall for added security and also to stop them using
ip addresses in my common range. Is it somehow possible to set up an access
point to also do DHCP from its own limited pool of addresses on a different
subnet?

As far as I am aware so far we haven't had problems, but it's probably only
time before some computer savvy kid is here and starts playing!

Andrew

  #2

On Sun, 11 Jan 2015 10:24:32 +0000, Andrew Mawson wrote:

I have a home network on the farm connected to the outside world via a
BT Home Hub - (the original white one). I have wireless access points in
several buildings for my own use and can limit their access as I wish.
The home hub does the DHCP dishing out ip addresses.

However we have two 'holiday cottages' on site, the occupants of which
enjoy the benefit of a dedicated wireless access point. Of course the ip
address that they pick up is in the same sub net as everything else. I'd
like somehow to implement a bit more control to stop them having access
to 'my' network behind the firewall for added security and also to stop
them using ip addresses in my common range. Is it somehow possible to
set up an access point to also do DHCP from its own limited pool of
addresses on a different subnet?

As far as I am aware so far we haven't had problems, but it's probably
only time before some computer savvy kid is here and starts playing!


Some routers have the option to have two wireless networks - one
"internal", one "public". If you've got that choice, go for it for the
really low-hassle route.

Apart from that, the easiest way would be to have them connecting to the
actual router, then have a firewall (cheap and easy would be a cable
router) hanging off the inside of that with your internal network
connecting to that.

If you want a bit better security, then have your internal wireless using
MAC security, perhaps a hidden SSID. Wireless will never be absolutely
secure, but it'll certainly help to prevent idle fingers from being
mischievous.
  #3

On 11/01/15 10:24, Andrew Mawson wrote:
I have a home network on the farm connected to the outside world via a
BT Home Hub - (the original white one). I have wireless access points in
several buildings for my own use and can limit their access as I wish.
The home hub does the DHCP dishing out ip addresses.

However we have two 'holiday cottages' on site, the occupants of which
enjoy the benefit of a dedicated wireless access point. Of course the ip
address that they pick up is in the same sub net as everything else. I'd
like somehow to implement a bit more control to stop them having access
to 'my' network behind the firewall for added security and also to stop
them using ip addresses in my common range. Is it somehow possible to
set up an access point to also do DHCP from its own limited pool of
addresses on a different subnet?

As far as I am aware so far we haven't had problems, but it's probably
only time before some computer savvy kid is here and starts playing!

Andrew


Yes.

The TP-Link TL-WA901N WIFI AP I have can run its own DHCP server.

However, you will still need a device before it that can act as a true
router/NAT/Firewall and split you off 2-3 networks:

1) Your personal "private" network for your house;

2) Cottage 1;

3) Cottage 2;


So you are looking for something that can run 3 subnets (or 2 min if you
combine the cottages), prevent traffic between the two and handle NAT
for each independently.


In principle the Vigo 2830 can do this, but in practice it makes a pig's
ear of more than one LAN side subnet and the firewalling setup breaks my
brain (whereas I find linux iptables quite straightforward).

A Firebrick might be more suitable, but they are expensive.

If you are up for a little more DIY, any router that can handle the
speed (do you have FTTC yet - as it's recently gone live in
Robertsbridge) running DD-WRT which is a router based linux distro with
a nice GUI.


  #4

On Sun, 11 Jan 2015 10:24:32 +0000, Andrew Mawson wrote:

I have a home network on the farm connected to the outside world via a
BT Home Hub - (the original white one). I have wireless access points in
several buildings for my own use and can limit their access as I wish.
The home hub does the DHCP dishing out ip addresses.

However we have two 'holiday cottages' on site, the occupants of which
enjoy the benefit of a dedicated wireless access point. Of course the ip
address that they pick up is in the same sub net as everything else. I'd
like somehow to implement a bit more control to stop them having access
to 'my' network behind the firewall for added security and also to stop
them using ip addresses in my common range. Is it somehow possible to
set up an access point to also do DHCP from its own limited pool of
addresses on a different subnet?

As far as I am aware so far we haven't had problems, but it's probably
only time before some computer savvy kid is here and starts playing!

Andrew


Just trying to get my head around this.
I assume (just checking I understand) that you are accepting that the IP
address which gets to the Internet will be the same for all devices on
your internal networks.
So your requirement is to provide DHCP services to the guest networks from
a wireless AP, and a different sub-net.
Thus implementing "double NAT".

You also want the AP interface to the rest of your LAN to be hard wired to
a different sub-net so that the AP cannot see your devices, but the second
sub-net has to be supported and routed by your primary router which
connects to the Internet.

We really need to know the make and model of the AP before we can say if
this is possible. The make and model of your main router would also be
helpful.

It appears that the device you want for your guests is not an AP at all
(which just extends your internal network) but a NAT router which can
manage its own little network and NAT through to your main router which
will in turn NAT through to the Internet. You should also get things like
parental controls and other useful management facilities.

The bad news is that you've already bought the APs.

The good news is that NAT routers are cheaper than APs, even though they
can do considerably more than APs. An example of warped industry pricing.
I ended up buying a router then configuring it to work as an AP because it
was cheaper (and the router would also take 3rd party firmware such as DD-
WRT).

I think what you probably need to use the APs unmodified is a VLAN tied to
a physical port on your main router and/or an IP address (range?).
This should allow you to define a route from the AP to the Internet which
is separate from your home VLAN on another port/subnet.
However I haven't experimented with VLANs yet so I can't be sure.


Cheers


Dave R

--
Windows 8.1 on PCSpecialist box
  #5

In article ,
Adrian writes:
Apart from that, the easiest way would be to have them connecting to the
actual router, then have a firewall (cheap and easy would be a cable
router) hanging off the inside of that with your internal network
connecting to that.


A wifi router for cable use (i.e. intended to connect over ethernet
to a separate cable modem) would work if it had a suitable firewall
capability built in. Daisy-chain it off your internal network, and
configure the firewall to block access to your internal network,
except for the address of the BT home hub. It will need a separate
private network for itself.

I do something similar at home - I have 3 internal networks which
are all firewalled from each other (home, work, visitor's wifi).
However, I use a server to do the routing/firewalling with 4
ethernet ports on it, and it also does things like the DHCP and
DNS caching for all of them.

If you want a bit better security, then have your internal wireless using
MAC security, perhaps a hidden SSID. Wireless will never be absolutely
secure, but it'll certainly help to prevent idle fingers from being
mischievous.


MAC security never was "secure" ;-)

Newer mobile operating systems are going to be changing their mac
randomly from time to time anyway (to prevent tracking), although
it will probably be a configurable option.

--
Andrew Gabriel
[email address is not usable -- followup in the newsgroup]


  #6

"David" wrote in message ...

On Sun, 11 Jan 2015 10:24:32 +0000, Andrew Mawson wrote:

I have a home network on the farm connected to the outside world via a
BT Home Hub - (the original white one). I have wireless access points in
several buildings for my own use and can limit their access as I wish.
The home hub does the DHCP dishing out ip addresses.

However we have two 'holiday cottages' on site, the occupants of which
enjoy the benefit of a dedicated wireless access point. Of course the ip
address that they pick up is in the same sub net as everything else. I'd
like somehow to implement a bit more control to stop them having access
to 'my' network behind the firewall for added security and also to stop
them using ip addresses in my common range. Is it somehow possible to
set up an access point to also do DHCP from its own limited pool of
addresses on a different subnet?

As far as I am aware so far we haven't had problems, but it's probably
only time before some computer savvy kid is here and starts playing!

Andrew


Just trying to get my head around this.
I assume (just checking I understand) that you are accepting that the IP
address which gets to the Internet will be the same for all devices on
your internal networks.
So your requirement is to provide DHCP services to the guest networks from
a wireless AP, and a different sub-net.
Thus implementing "double NAT".

You also want the AP interface to the rest of your LAN to be hard wired to
a different sub-net so that the AP cannot see your devices, but the second
sub-net has to be supported and routed by your primary router which
connects to the Internet.

We really need to know the make and model of the AP before we can say if
this is possible. The make and model of your main router would also be
helpful.

It appears that the device you want for your guests is not an AP at all
(which just extends your internal network) but a NAT router which can
manage its own little network and NAT through to your main router which
will in turn NAT through to the Internet. You should also get things like
parental controls and other useful management facilities.

The bad news is that you've already bought the APs.

The good news is that NAT routers are cheaper than APs, even though they
can do considerably more than APs. An example of warped industry pricing.
I ended up buying a router then configuring it to work as an AP because it
was cheaper (and the router would also take 3rd party firmware such as DD-
WRT).

I think what you probably need to use the APs unmodified is a VLAN tied to
a physical port on your main router and/or an IP address (range?).
This should allow you to define a route from the AP to the Internet which
is separate from your home VLAN on another port/subnet.
However I haven't experimented with VLANs yet so I can't be sure.


Cheers


Dave R

Dave,

The AP's are all Netgear WG602 v4, but I have no problem providing a
different one for the cottages - they are not hugely expensive

Andrew

  #7

"Andrew Gabriel" wrote in message ...

In article ,
Adrian writes:
Apart from that, the easiest way would be to have them connecting to the
actual router, then have a firewall (cheap and easy would be a cable
router) hanging off the inside of that with your internal network
connecting to that.


A wifi router for cable use (i.e. intended to connect over ethernet
to a separate cable modem) would work if it had a suitable firewall
capability built in. Daisy-chain it off your internal network, and
configure the firewall to block access to your internal network,
except for the address of the BT home hub. It will need a separate
private network for itself.

I do something similar at home - I have 3 internal networks which
are all firewalled from each other (home, work, visitor's wifi).
However, I use a server to do the routing/firewalling with 4
ethernet ports on it, and it also does things like the DHCP and
DNS caching for all of them.

If you want a bit better security, then have your internal wireless using
MAC security, perhaps a hidden SSID. Wireless will never be absolutely
secure, but it'll certainly help to prevent idle fingers from being
mischievous.


MAC security never was "secure" ;-)

Newer mobile operating systems are going to be changing their mac
randomly from time to time anyway (to prevent tracking), although
it will probably be a configurable option.


The aim is not so much an unbreakable system, just one a little less
obviously open to abuse as it is currently

Andrew

  #8

On 11/01/2015 10:24, Andrew Mawson wrote:
I have a home network on the farm connected to the outside world via a
BT Home Hub - (the original white one). I have wireless access points in
several buildings for my own use and can limit their access as I wish.
The home hub does the DHCP dishing out ip addresses.

However we have two 'holiday cottages' on site, the occupants of which
enjoy the benefit of a dedicated wireless access point. Of course the ip
address that they pick up is in the same sub net as everything else. I'd
like somehow to implement a bit more control to stop them having access
to 'my' network behind the firewall for added security and also to stop
them using ip addresses in my common range. Is it somehow possible to
set up an access point to also do DHCP from its own limited pool of
addresses on a different subnet?

As far as I am aware so far we haven't had problems, but it's probably
only time before some computer savvy kid is here and starts playing!

Andrew

Have a similar situation.
Originally had:
Incoming ADSL Modem/router feeds 3 standard cable routers with wifi in
2 holiday cottages and for main house.
So each network is isolated by a firewall and cannot see other networks.
Have upgraded this to:
ADSL modem/router - Netgear GS108e prosafe plus switch with VLANs setup
for each location - standard cable wifi routers.
This allows control of bandwidth used by each VLAN.
Used cable routers with wifi (I use netgear) can be obtained for next
to nothing and the Prosafe switch was ~£28.
To manage all these devices you have to connect to the incoming
modem/router when necessary.
  #9

On 11/01/2015 10:40, Tim Watts wrote:
On 11/01/15 10:24, Andrew Mawson wrote:
I have a home network on the farm connected to the outside world via a
BT Home Hub - (the original white one). I have wireless access points in
several buildings for my own use and can limit their access as I wish.
The home hub does the DHCP dishing out ip addresses.

However we have two 'holiday cottages' on site, the occupants of which
enjoy the benefit of a dedicated wireless access point. Of course the ip
address that they pick up is in the same sub net as everything else. I'd
like somehow to implement a bit more control to stop them having access
to 'my' network behind the firewall for added security and also to stop
them using ip addresses in my common range. Is it somehow possible to
set up an access point to also do DHCP from its own limited pool of
addresses on a different subnet?

As far as I am aware so far we haven't had problems, but it's probably
only time before some computer savvy kid is here and starts playing!

Andrew


Yes.

The TP-Link TL-WA901N WIFI AP I have can run its own DHCP server.

However, you will still need a device before it that can act as a true
router/NAT/Firewall and split you off 2-3 networks:

1) Your personal "private" network for your house;

2) Cottage 1;

3) Cottage 2;


So you are looking for something that can run 3 subnets (or 2 min if you
combine the cottages), prevent traffic between the two and handle NAT
for each independently.


In principle the Vigo 2830 can do this, but in practice it makes a pig's
ear of more than one LAN side subnet and the firewalling setup breaks my
brain (whereas I find linux iptables quite straightforward).


There is a slightly simpler setup using the 2830 that would probably
work for the OP's requirement. You can group up to 4 different wireless
SSIDs and the 4 ports on the internal switch in any combination of
groups, that are independent of each other. So you can specify (say) one
WiFi SSID (your private one) so it has access to the internet and also
the LAN0 port. That in turn can connect to a switch for additional
physical wired machines - or additional WAPs for wireless on your
private side of the setup.

Port 1 could then be assigned to one cottage, port 2 the next. (That
would leave them sharing the same DHCP pool as the primary side, but
comms between them would not be possible).

If the OP wanted, he could also create additional LAN subnets and have
separate ones for each cottage.

A Firebrick might be more suitable, but they are expensive.

If you are up for a little more DIY, any router that can handle the
speed (do you have FTTC yet - as it's recently gone live in
Robertsbridge) running DD-WRT which is a router based linux distro with
a nice GUI.




--
Cheers,

John.

/=================================================================\
| Internode Ltd - http://www.internode.co.uk                      |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk                     |
\=================================================================/
  #10

"Robert" wrote in message ...

Andrew

Have a similar situation.
Originally had:
Incoming ADSL Modem/router feeds 3 standard cable routers with wifi in 2
holiday cottages and for main house.
So each network is isolated by a firewall and cannot see other networks.
Have upgraded this to:
ADSL modem/router - Netgear GS108e prosafe plus switch with VLANs setup for
each location - standard cable wifi routers.
This allows control of bandwidth used by each VLAN.
Used cable routers with wifi (I use netgear) can be obtained for next to
nothing and the Prosafe switch was ~£28.
To manage all these devices you have to connect to the incoming
modem/router when necessary.


Robert, this sounds just the thing I need to do. So as I understand your set
up you have:

Incoming ADSL router (ie my BT Home Hub), feeding the Netgear GS108e
Prosafe, which is set to create separate VLANS each with a wireless access
point on each vlan

or have I got that wrong ???

Andrew



  #11

In article ,
Adrian wrote:
Some routers have the option to have two wireless networks - one
"internal", one "public". If you've got that choice, go for it for the
really low-hassle route.

Not sure about the BT home hub, but can it be set up as a public hotspot?

I've set up my SFR (french equiv of BT I think) modem for our home use and
also for public use.

It shows as 3 distinct services: (1) Midi (our default home network)
(2) SFR public hotspot (allows other SFR users with similar set-ups to use
it)
(3) SFR FON (allows FON subscribers to use the FON network)

(2) and (3) require the user to already have their own username /password

--
John Mulrooney
NOTE Email address IS correct but might not be checked for a while.
  #12

John Rumm wrote:
In principle the Vigo 2830 can do this, but in practice it makes a pig's
ear of more than one LAN side subnet and the firewalling setup breaks my
brain (whereas I find linux iptables quite straightforward).


There is a slightly simpler setup using the 2830 that would probably
work for the OP's requirement. You can group up to 4 different wireless
SSIDs and the 4 ports on the internal switch in any combination of
groups, that are independent of each other. So you can specify (say) one
WiFi SSID (your private one) so it has access to the internet and also
the LAN0 port. That in turn can connect to a switch for additional
physical wired machines - or additional WAPs for wireless on your
private side of the setup.

Virtual LANs (VLANs), yes I was going to suggest this when I saw the
OP's message.

Quite a few routers support VLANs.

--
Chris Green
  #13

On 11/01/2015 14:18, Andrew Mawson wrote:
"Robert" wrote in message ...

Andrew

Have a similar situation.
Originally had:
Incoming ADSL Modem/router feeds 3 standard cable routers with wifi
in 2 holiday cottages and for main house.
So each network is isolated by a firewall and cannot see other networks.
Have upgraded this to:
ADSL modem/router - Netgear GS108e prosafe plus switch with VLANs
setup for each location - standard cable wifi routers.
This allows control of bandwidth used by each VLAN.
Used cable routers with wifi (I use netgear) can be obtained for next
to nothing and the Prosafe switch was ~£28.
To manage all these devices you have to connect to the incoming
modem/router when necessary.


Robert, this sounds just the thing I need to do. So as I understand your
set up you have:

Incoming ADSL router (ie my BT Home Hub), feeding the Netgear GS108e
Prosafe, which is set to create separate VLANS each with a wireless
access point on each vlan

or have I got that wrong ???

Andrew

Yes that's right.
For wifi APs I use a netgear cable router for the house wifi and wired,
an old WAG102 wifi AP in another and an old netgear cable router with
wifi in another. All older used models with no special setups.
The only reason I added the Prosafe was to provide bandwidth control,
VLANS are I think the icing on the cake if each location is fed via a
firewalled router.
Others may/will disagree ?
  #14

On 11/01/2015 10:24, Andrew Mawson wrote:
I have a home network on the farm connected to the outside world via a
BT Home Hub - (the original white one). I have wireless access points in
several buildings for my own use and can limit their access as I wish.
The home hub does the DHCP dishing out ip addresses.

However we have two 'holiday cottages' on site, the occupants of which
enjoy the benefit of a dedicated wireless access point. Of course the ip
address that they pick up is in the same sub net as everything else. I'd
like somehow to implement a bit more control to stop them having access
to 'my' network behind the firewall for added security and also to stop
them using ip addresses in my common range. Is it somehow possible to
set up an access point to also do DHCP from its own limited pool of
addresses on a different subnet?

As far as I am aware so far we haven't had problems, but it's probably
only time before some computer savvy kid is here and starts playing!

Andrew


Just putting them on a separate subnet isn't going to deter any computer
savvy user.
BT do a public access wifi using their latest hubs if you get one and
enable the service. It gets you access to all the others that have
joined the service while you are out.
It's independent of your connection but does share bandwidth.
I have no idea how secure it is as I have never looked at it since
suggesting the possibility of doing such a service about 5 years ago in
a meeting we had with BT.
  #15

On 11/01/15 16:56, Dennis@home wrote:
On 11/01/2015 10:24, Andrew Mawson wrote:
I have a home network on the farm connected to the outside world via a
BT Home Hub - (the original white one). I have wireless access points in
several buildings for my own use and can limit their access as I wish.
The home hub does the DHCP dishing out ip addresses.

However we have two 'holiday cottages' on site, the occupants of which
enjoy the benefit of a dedicated wireless access point. Of course the ip
address that they pick up is in the same sub net as everything else. I'd
like somehow to implement a bit more control to stop them having access
to 'my' network behind the firewall for added security and also to stop
them using ip addresses in my common range. Is it somehow possible to
set up an access point to also do DHCP from its own limited pool of
addresses on a different subnet?

As far as I am aware so far we haven't had problems, but it's probably
only time before some computer savvy kid is here and starts playing!

Andrew


Just putting them on a separate subnet isn't going to deter any computer
savvy user.


I think we were probably assuming the subnets would have no routing
between them, or a firewall.

BT do a public access wifi using their latest hubs if you get one and
enable the service. It gets you access to all the others that have
joined the service while you are out.
It's independent of your connection but does share bandwidth.
I have no idea how secure it is as I have never looked at it since
suggesting the possibility of doing such a service about 5 years ago in
a meeting we had with BT.
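
Added example, not part of any poster's message: a Python model of the firewall policy Andrew Gabriel describes above (guests blocked from the internal network except the address of the hub) and of the point in the last two posts that separate subnets isolate nothing while the router still forwards between them. The addresses, zone names and function names are constructed for illustration; the rendered commands use standard iptables options.

```python
"""Added example: first-match forwarding policy for home + two cottage subnets."""
import ipaddress
from dataclasses import dataclass

# Constructed addressing plan (assumption: the thread gives no addresses).
HUB = ipaddress.ip_address("192.168.1.254")  # assumed LAN address of the Home Hub
ZONES = {
    "home": ipaddress.ip_network("192.168.1.0/24"),
    "cottage1": ipaddress.ip_network("192.168.10.0/24"),
    "cottage2": ipaddress.ip_network("192.168.20.0/24"),
}
GUESTS = ("cottage1", "cottage2")
ANYWHERE = ipaddress.ip_network("0.0.0.0/0")
INTERNET_SAMPLE = ipaddress.ip_address("203.0.113.10")  # documentation range


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str  # "ACCEPT" or "DROP"


def build_rules(zones=ZONES, hub=HUB, guests=GUESTS):
    """Guest zones may reach the hub and the internet, nothing else on site."""
    hub_only = ipaddress.ip_network(f"{hub}/32")
    rules = []
    for guest in guests:
        src = zones[guest]
        # The exception must come before the block: first match wins.
        rules.append(Rule(src, hub_only, "ACCEPT"))
        for name, net in zones.items():
            if name != guest:
                rules.append(Rule(src, net, "DROP"))  # home and the other cottage
        rules.append(Rule(src, ANYWHERE, "ACCEPT"))   # whatever is left is internet
    rules.append(Rule(zones["home"], ANYWHERE, "ACCEPT"))  # owner can manage all
    return rules


def decide(rules, src, dst, default="DROP"):
    """Verdict for a NEW connection; replies are left to connection tracking."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            return rule.action
    return default


def reachability(rules, default="DROP", zones=ZONES, hub=HUB):
    """Map (source zone, target) -> verdict, using one sample host per zone."""
    sample = {n: next(h for h in net.hosts() if h != hub) for n, net in zones.items()}
    targets = dict(sample, hub=hub, internet=INTERNET_SAMPLE)
    return {
        (src, tgt): decide(rules, sample[src], addr, default)
        for src in zones
        for tgt, addr in targets.items()
        if src != tgt
    }


def to_iptables(rules):
    """Render the same policy as iptables commands for the box doing the routing."""
    cmds = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    cmds += [f"iptables -A FORWARD -s {r.src} -d {r.dst} -j {r.action}" for r in rules]
    return cmds


if __name__ == "__main__":
    # Compare a router that simply forwards between subnets with the firewalled one.
    for label, rules, default in (("routed, no firewall", [], "ACCEPT"),
                                  ("firewalled", build_rules(), "DROP")):
        print(label)
        for (src, tgt), verdict in reachability(rules, default).items():
            if src in GUESTS:
                print(f"  {src:9} -> {tgt:9} {verdict}")
    print("\n".join(to_iptables(build_rules())))
```

Running it prints the guest reachability table for both cases, then the rule list; the only difference between "separate subnet" and "segregated" is the forwarding policy.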




  #16

On Sun, 11 Jan 2015 13:02:24 +0000, Andrew Mawson wrote:

"David" wrote in message ...

On Sun, 11 Jan 2015 10:24:32 +0000, Andrew Mawson wrote:

I have a home network on the farm connected to the outside world via a
BT Home Hub - (the original white one). I have wireless access points
in several buildings for my own use and can limit their access as I
wish. The home hub does the DHCP dishing out ip addresses.

However we have two 'holiday cottages' on site, the occupants of which
enjoy the benefit of a dedicated wireless access point. Of course the
ip address that they pick up is in the same sub net as everything
else. I'd like somehow to implement a bit more control to stop them
having access to 'my' network behind the firewall for added security
and also to stop them using ip addresses in my common range. Is it
somehow possible to set up an access point to also do DHCP from its
own limited pool of addresses on a different subnet?

As far as I am aware so far we haven't had problems, but it's probably
only time before some computer savvy kid is here and starts playing!

Andrew


Just trying to get my head around this.
I assume (just checking I understand) that you are accepting that the IP
address which gets to the Internet will be the same for all devices on
your internal networks.
So your requirement is to provide DHCP services to the guest networks
from a wireless AP, and a different sub-net.
Thus implementing "double NAT".

You also want the AP interface to the rest of your LAN to be hard wired
to a different sub-net so that the AP cannot see your devices, but the
second sub-net has to be supported and routed by your primary router
which connects to the Internet.

We really need to know the make and model of the AP before we can say if
this is possible. The make and model of your main router would also be
helpful.

It appears that the device you want for your guests is not an AP at all
(which just extends your internal network) but a NAT router which can
manage its own little network and NAT through to your main router which
will in turn NAT through to the Internet. You should also get things
like parental controls and other useful management facilities.

The bad news is that you've already bought the APs.

The good news is that NAT routers are cheaper than APs, even though they
can do considerably more than APs. An example of warped industry
pricing. I ended up buying a router then configuring it to work as an AP
because it was cheaper (and the router would also take 3rd party
firmware such as DD-
WRT).

I think what you probably need to use the APs unmodified is a VLAN tied
to a physical port on your main router and/or an IP address (range?).
This should allow you to define a route from the AP to the Internet
which is separate from your home VLAN on another port/subnet.
However I haven't experimented with VLANs yet so I can't be sure.


Dave,

The AP's are all Netgear WG602 v4, but I have no problem providing a
different one for the cottages - they are not hugely expensive

Andrew


Andrew,

one option is to replace your BT Home Hub with another ADSL router which
supports VLANs or with one which supports Open Router software such as DD-
WRT. I have not been impressed by the flexibility of the router software
which comes with my Buffalo WZR-600DHP2 or my TP-Link TL-WDR3600 so I
can't recommend a replacement router manufacturer (mine are cable routers
not ADSL).

As you are seeing from the responses there are many ways of skinning this
particular cat.

If I remember correctly you have an ADSL router in your main home, then
Ethernet to the two cottages to serve the two APs.

If this is correct then the minimum hardware is a smart ADSL router which
can support multiple LANs each with its own DHCP and segregate the
traffic. Using VLANs or something similar.

I was planning to go down that route and bought an old CISCO router
because it had much more functionality than the average consumer router
(although it is a ******* to configure until you have learned how to speak
CISCO IOS). However the ports are 10/100 and shortly after I got it the
cable network from Virgin was bumped up to 150 Mbits/sec so I can't
persuade myself to chop a third of my bandwidth for added security.

I am planning to put DD-WRT or similar on my second wireless router. Soon.
Honestly. ;-) Then it can replace my main router (which can then have DD-
WRT installed).

When my Tuit is finally round.

Cheers

Dave R

--
Windows 8.1 on PCSpecialist box
  #17

David wrote:

one option is to replace your BT Home Hub with another ADSL router which
supports VLANs or with one which supports Open Router software such as DD-
WRT.


I don't think openWRT et al support (the ATM interface of m)any of the
ADSL routers, only the dual ethernet "cable" routers.

I've always used a separate ADSL router combined with an openWRT
firewall, recently upgraded from a WRT54GS to a WNDR3800, that setup can
certainly handle multiple VLANs with separate DHCP scope/SSID per VLAN
as required.

Nice GUI these days, just requires a little knowledge and confidence to
flash the opensource firmware over the manufacturer's firmware.

  #18   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 5,168
Default LAN segregation ?

On 11/01/2015 17:24, Tim Watts wrote:

Just putting them on a separate subnet isn't going to deter any computer
savvy user.


I think we were probably assuming the subnets would have no routing
between them, or a firewall.


I don't think the OP would know that.

Anyway the vlans will work provided the router doesn't actually do any
routing on the LAN. Mine can.

Maybe one of these would be useful

http://www.solwise.co.uk/wireless-ho...s-wg-500p.html
  #19   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 7,434
Default LAN segregation ?

On 11/01/15 19:39, Dennis@home wrote:
On 11/01/2015 17:24, Tim Watts wrote:

Just putting them on a separate subnet isn't going to deter any computer
savvy user.


I think we were probably assuming the subnets would have no routing
between them, or a firewall.


I don't think the OP would know that.


That may be underestimating the OP!

Anyway the vlans will work provided the router doesn't actually do any
routing on the LAN. Mine can.


  #20   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 1,133
Default LAN segregation ?

"Tim Watts" wrote in message ...

On 11/01/15 19:39, Dennis@home wrote:
On 11/01/2015 17:24, Tim Watts wrote:

Just putting them on a separate subnet isn't going to deter any computer
savvy user.

I think we were probably assuming the subnets would have no routing
between them, or a firewall.


I don't think the OP would know that.


That may be underestimating the OP!

Anyway the vlans will work provided the router doesn't actually do any
routing on the LAN. Mine can.


Thanks for the vote of confidence Tim

Andrew



  #21   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 40,893
Default LAN segregation ?



"Dennis@home" wrote in message ...
On 11/01/2015 17:24, Tim Watts wrote:

Just putting them on a separate subnet isn't going to deter any computer
savvy user.


I think we were probably assuming the subnets would have no routing
between them, or a firewall.


I don't think the OP would know that.

Anyway the vlans will work provided the router doesn't actually do any
routing on the LAN. Mine can.

Maybe one of these would be useful

http://www.solwise.co.uk/wireless-ho...s-wg-500p.html


Pity about the price.

  #22   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 1,626
Default LAN segregation ?

In message , Andrew Mawson
writes
"Andrew Gabriel" wrote in message ...

In article ,
Adrian writes:
Apart from that, the easiest way would be to have them connecting to the
actual router, then have a firewall (cheap and easy would be a cable
router) hanging off the inside of that with your internal network
connecting to that.


A wifi router for cable use (i.e. intended to connect over ethernet
to a separate cable modem) would work if it had a suitable firewall
capability built in. Daisy-chain it off your internal network, and
configure the firewall to block access to your internal network,
except for the address of the BT home hub. It will need a separate
private network for itself.

I do something similar at home - I have 3 internal networks which
are all firewalled from each other (home, work, visitor's wifi).
However, I use a server to do the routing/firewalling with 4
ethernet ports on it, and it also does things like the DHCP and
DNS caching for all of them.

If you want a bit better security, then have your internal wireless using
MAC security, perhaps a hidden SSID. Wireless will never be absolutely
secure, but it'll certainly help to prevent idle fingers from being
mischievous.


MAC security never was "secure" ;-)

Newer mobile operating systems are going to be changing their mac
randomly from time to time anyway (to prevent tracking), although
it will probably be a configurable option.


The aim is not so much an unbreakable system, just one a little less
obviously open to abuse as it is currently

Andrew

Does your router support the BT FON network? ISTR it is designed to
provide this sort of service - and you can charge for it also.
--
bert
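
The firewall arrangement Andrew Gabriel describes in the text quoted above (guest router on its own private network, home LAN blocked except for the hub's address), worked through as an added example that is not part of any poster's message. The subnets and hub address are constructed sample values and the function names are hypothetical; the rules cover connections opened from the guest side only.

```python
import ipaddress

def guest_forward_rules(home_lan, hub_ip, guest_lan):
    """Ordered (action, src, dst) rules for traffic leaving the guest subnet."""
    home = ipaddress.ip_network(home_lan)
    guest = ipaddress.ip_network(guest_lan)
    hub = ipaddress.ip_address(hub_ip)
    # The guest router "will need a separate private network for itself".
    if guest.overlaps(home):
        raise ValueError(f"guest subnet {guest} overlaps home LAN {home}")
    if hub not in home:
        raise ValueError(f"hub {hub} is not on the home LAN {home}")
    hub_only = ipaddress.ip_network(f"{hub}/32")
    anywhere = ipaddress.ip_network("0.0.0.0/0")
    # First match wins, so the hub exception must precede the LAN block.
    return [
        ("ACCEPT", guest, hub_only),   # the one permitted home-LAN address
        ("DROP", guest, home),         # everything else on the home LAN
        ("ACCEPT", guest, anywhere),   # the Internet
    ]

def decide(rules, src, dst, default="DROP"):
    """First-match evaluation, the way a packet filter walks a chain."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if src in src_net and dst in dst_net:
            return action
    return default

def as_iptables(rules):
    """Render the rules as FORWARD-chain commands for a Linux-based router."""
    return [f"iptables -A FORWARD -s {s} -d {d} -j {a}" for a, s, d in rules]

# Constructed sample addressing, not taken from the thread.
HOME_LAN, HUB_IP, GUEST_LAN = "192.168.1.0/24", "192.168.1.254", "192.168.50.0/24"
RULES = guest_forward_rules(HOME_LAN, HUB_IP, GUEST_LAN)

if __name__ == "__main__":
    print("\n".join(as_iptables(RULES)))
    for dst in ("192.168.1.254", "192.168.1.20", "8.8.8.8"):
        print(dst, decide(RULES, "192.168.50.10", dst))
```

Because the hub's address stays reachable from the guest side, so does its admin page, which is the default-password exposure raised later in the thread.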
  #23   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 4,905
Default LAN segregation ?

On Sun, 11 Jan 2015 16:04:39 +0100, John Mulrooney wrote:

Some routers have the option to have two wireless networks - one
"internal", one "public". If you've got that choice, go for it for the
really low-hassle route.


Not sure about the BT home hub, but can it be set up as a public
hotspot?


The BT homehub has to be persuaded NOT to act as a public hotspot...
  #24   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 320
Default LAN segregation ?

On Sunday, 11 January 2015 10:24:30 UTC, Andrew Mawson wrote:
I have a home network on the farm connected to the outside world via a BT
Home Hub - (the original white one). I have wireless access points in
several buildings for my own use and can limit their access as I wish. The
home hub does the DHCP dishing out ip addresses.

However we have two 'holiday cottages' on site, the occupants of which enjoy
the benefit of a dedicated wireless access point. Of course the ip address
that they pick up is in the same sub net as everything else. I'd like
somehow to implement a bit more control to stop them having access to 'my'
network behind the firewall for added security and also to stop them using
ip addresses in my common range. Is it somehow possible to set up an access
point to also do DHCP from its own limited pool of addresses on a different
subnet?

As far as I am aware so far we haven't had problems, but it's probably only
time before some computer savvy kid is here and starts playing!

Andrew


This reminds me that just about every holiday home I've been to that
provides WiFi via the owner's residential part of the property has had
the main (or only!) router configured with the default username and password
so that I've been able to get onto their router and adjust configurations
had I been so minded.

I know that many companies now issue routers with more complex usernames
and passwords as default when they are supplied with a broadband package
but owners often seem to be unaware that giving me the Wifi password gives
me some access to their network.

I can readily see teenagers getting onto the router via "Admin" "Password"
type access controls, and leaving the homeowner with no access to their
router at the end of the week after they have modified the password "for a
laugh"!
  #25   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 1,133
Default LAN segregation ?

"larkim" wrote in message
...

On Sunday, 11 January 2015 10:24:30 UTC, Andrew Mawson wrote:
I have a home network on the farm connected to the outside world via a BT
Home Hub - (the original white one). I have wireless access points in
several buildings for my own use and can limit their access as I wish. The
home hub does the DHCP dishing out ip addresses.

However we have two 'holiday cottages' on site, the occupants of which enjoy
the benefit of a dedicated wireless access point. Of course the ip address
that they pick up is in the same sub net as everything else. I'd like
somehow to implement a bit more control to stop them having access to 'my'
network behind the firewall for added security and also to stop them using
ip addresses in my common range. Is it somehow possible to set up an access
point to also do DHCP from its own limited pool of addresses on a different
subnet?

As far as I am aware so far we haven't had problems, but it's probably only
time before some computer savvy kid is here and starts playing!

Andrew


This reminds me that just about every holiday home I've been to that
provides WiFi via the owner's residential part of the property has had
the main (or only!) router configured with the default username and password
so that I've been able to get onto their router and adjust configurations
had I been so minded.

I know that many companies now issue routers with more complex usernames
and passwords as default when they are supplied with a broadband package
but owners often seem to be unaware that giving me the Wifi password gives
me some access to their network.

I can readily see teenagers getting onto the router via "Admin" "Password"
type access controls, and leaving the homeowner with no access to their
router at the end of the week after they have modified the password "for a
laugh"!


And it's just that scenario I'm planning to forestall rather than a
determined hacker

Andrew



  #26   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 600
Default LAN segregation ?

Adrian wrote:
On Sun, 11 Jan 2015 16:04:39 +0100, John Mulrooney wrote:

Some routers have the option to have two wireless networks - one
"internal", one "public". If you've got that choice, go for it for the
really low-hassle route.


Not sure about the BT home hub, but can it be set up as a public
hotspot?


The BT homehub has to be persuaded NOT to act as a public hotspot...


.... but only for people who have a BT account or a FON account. It
doesn't really help the OP unless all their visitors have BT broadband.


--
Chris Green