Setting up 2 networks with 1 gateway
11 years 9 months ago #38217
by Richardbee
Setting up 2 networks with 1 gateway was created by Richardbee
Hi
I would like to set up a wireless access point for guests. We have only 1 gateway to the internet.
I would like the network to be safe from guests hacking into the network.
What I tried:
Network - Router A (Linksys WRTG) (192.168.168.200) acting as Gateway (as internal wireless access point)
Router B (Linksys WRTG), (192.168.1.1), DHCP enabled (to be used as guest access point), WAN port connected to Router A (different network, so should be safe?)
Guest was able to connect to Router B and access internet (setup correct). Security? I was able to connect to our network.
What I need is guest to be able to access the internet and not able to access our network.
Help and advice on how to set up a secure access point is appreciated.
Thank you in advance
Richard
11 years 8 months ago #38218
by Nevins
Useful Threads
================================
www.firewall.cx/forum/2-basic-concepts/3...e-resource-page.html
Replied by Nevins on topic Re: Setting up 2 networks with 1 gateway
Hello Richardbee,
Have you considered using VLANs and port security? What is the usage of the network? Who are the guests and what level of access do you want them to have on your network?
-Nevins
11 years 8 months ago #38219
by Richardbee
Replied by Richardbee on topic Re: Setting up 2 networks with 1 gateway
Hi Nevins
Thanks for taking time to help. Sorry, but I don't know anything about VLANs and port security. Will be reading up on those. Well, sometimes guests/participants want to access the internet and to do that will need to log on to our network.
I would like to have a complete 'no access' to the network and just be able to surf the internet wirelessly.
Thanks
Richard
11 years 8 months ago #38220
by Nevins
Replied by Nevins on topic Re: Setting up 2 networks with 1 gateway
Yep, no problem. I understand. Anyway, I see you are online right now; check your PMs and I'll help you out.
11 years 8 months ago #38221
by Richardbee
Replied by Richardbee on topic Re: Setting up 2 networks with 1 gateway
Hi Nevins
Read up on it, don't really understand it.
Anyway, am I able to do what I intend to do with a WRT54G router? I have another router (to use as guest access) with dd-wrt firmware.
If yes, can you point me in the right direction?
Thanks in advance.
richard
11 years 8 months ago #38222
by Nevins
Replied by Nevins on topic Re: Setting up 2 networks with 1 gateway
Alright, let's work from bottom to top on this one. The simplest thing to understand is port security. To understand port security, let's first talk about what it is we want to secure:
[img]http://http://imgur.com/EVAg9Vt[/img]
In port security the goal is to only allow specific MAC addresses to pass data through the interface.
For example, if you take the above switch and wanted to only allow the unique address physically burned in to your network card (MAC address) so that nobody else could use the switch port, you could. Additionally, if you attached a hub or other network devices to that interface, devices attached to that hub would only work if they had an allowed MAC address.
Port security has a number of features that revolve around triggering an access violation on one or more interfaces. Access violations can be set to trigger 3 different modes:
MODE                 STATE ON TRIGGER
Shutdown (default)   blocking all traffic *err-disabled*
Protect              drop non-allowed MAC addresses
Restrict             drop non-allowed MAC addresses & log violations
Now that you know what port security does you can see how to configure it here as well as check out the different Access violation types:
www.cisco.com/en/US/docs/switches/datace...ide/sec_portsec.html
VLANS (VIRTUAL LANS)
Virtual Lans
http://imageshack.us/f/580/broadcastdomainvlan.png/
The point of a virtual local area network is to logically subdivide an existing local area network using existing hardware. It's basically like saying the devices attached to each VLAN-assigned interface are their own physical local area network group. So if you look at the above image, all the devices are physically sharing router0, switch0 and the trunk link between them, but logically the company user group and accounting department are different local area networks.
Without VLANs, to get the same results you would have to buy devices and links for each network. Typically speaking, most Cisco routers allow virtual LANs.
The key to VLANs is to understand that interfaces are a member of a VLAN or a shared trunk between networking devices and gateways. A nice feature of VLANs is that you can apply policy at your gateway router through Access Control Lists or DNS to force everyone in one VLAN to participate in those policies. Those policies are typically applied to the sub-interface for that VLAN trunk link.
Another possibility I forgot to mention is RADIUS authentication (stops outsiders from accessing your network). You basically set up an authentication server, give it some codes, give your clients access to the codes, and they can log into your network and use it. Anyone without the code can't get on.
packetlife.net/blog/2008/aug/6/simple-wired-8021x-lab/
Because you would like them to have "complete 'no access' to the network" I would say VLANS are what you need. You need the same hardware but you need them to not be connected to your existing network.
Here is the Cisco whitepaper for configuring VLANs:
www.cisco.com/en/US/docs/switches/lan/ca...on/guide/swvlan.html
Let me know where you stand on this and we'll work from there.
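Added example (not part of the original posts and not code from either poster): a small Python model of Router B's forwarding filter for the setup in the first post, showing why a separate guest subnet alone still reaches the 192.168.168.x LAN and which two rules, placed ahead of the general accept, stop it. The /24 masks, the `br0` interface name and the client addresses are assumptions.

```python
from ipaddress import ip_address, ip_network

# Topology from the first post; the /24 masks are assumptions.
GUEST_NET = ip_network("192.168.1.0/24")       # Router B LAN (guests)
INTERNAL_NET = ip_network("192.168.168.0/24")  # Router A LAN (Router B's WAN side)
ROUTER_A = ip_network("192.168.168.200/32")    # the only gateway to the internet
ANY = ip_network("0.0.0.0/0")

# Rule = (source, destination, protocol or None, dest port or None, verdict)
STOCK = [(GUEST_NET, ANY, None, None, "ACCEPT")]   # modelled LAN -> WAN forwarding
ADDED = [
    # Needed only if guests are handed Router A as their DNS server.
    (GUEST_NET, ROUTER_A, "udp", 53, "ACCEPT"),
    # Guests may not reach anything else on the internal LAN.
    (GUEST_NET, INTERNAL_NET, None, None, "DROP"),
]
HARDENED = ADDED + STOCK                           # added rules must match first


def verdict(rules, src, dst, proto="tcp", dport=80):
    """First-match evaluation, as in an iptables chain; default policy DROP."""
    src, dst = ip_address(src), ip_address(dst)
    for r_src, r_dst, r_proto, r_port, action in rules:
        if (src in r_src and dst in r_dst
                and r_proto in (None, proto) and r_port in (None, dport)):
            return action
    return "DROP"


def as_iptables(rules, lan_if="br0"):
    """Render rules as inserts at the top of FORWARD (br0: assumed LAN bridge)."""
    cmds = []
    for pos, (r_src, r_dst, r_proto, r_port, action) in enumerate(rules, 1):
        match = f" -p {r_proto} --dport {r_port}" if r_proto else ""
        cmds.append(f"iptables -I FORWARD {pos} -i {lan_if} "
                    f"-s {r_src} -d {r_dst}{match} -j {action}")
    return cmds


if __name__ == "__main__":
    guest = "192.168.1.50"                          # constructed guest client
    for dst in ("192.168.168.10", "203.0.113.10"):  # internal host, internet host
        print(dst, verdict(STOCK, guest, dst), "->", verdict(HARDENED, guest, dst))
    print("\n".join(as_iptables(ADDED)))
```

Internet traffic keeps working because forwarded packets carry the remote destination address; Router A is only the next hop, so dropping destinations inside 192.168.168.0/24 does not affect it.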