× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. March 2008

Network config for isolating WiFi

What is the preferred topology or configuration for the following scenario?

Client currently uses wired CAT5 only. The corporate office location also
includes a public showroom which includes a few PCs that are on the LAN and
need access to their 520.

In the showroom, we want to add wireless capability for handheld scanners to
be able to talk to the showroom PCs running some sales automation software.
The handhelds do NOT need access to anything on the LAN beyond the showroom
PCs, including they do NOT need (or want) internet access, access to the
520, etc. I can configure the ports used for the wireless traffic used for
the sales software -- it does not need port 80 or other well-known ports.
In essence I want either:

1) WiFi to have access to ONLY the ports needed for the sales software, or
2) WiFi to be on its own subnet (VLAN?) with access to the PCs in the
showroom, but not beyond that. However the PCs need access to both the
handhelds and the regular corporate LAN plus internet, etc.

I haven't worked with VLANs yet. Are scenarios like this part of what they
are good for?

The client does have a spare Linksys WRT54G which they'd like to use to
become the access point in the showroom (ie, avoid purchase of new
hardware). It has a 4-port switch plus WiFi for its LAN side, then a WLAN
port for attaching to the corporate LAN. It includes the ability to define
access restrictions such as blocking port ranges and those restrictions can
be limited to certain local IPs.

Here is one possible configuration, but I'm looking for feedback if there is
a better way to do it.

1) Put WRT54G WAN port to corporate LAN; using DHCP to get config should be
fine (I think).
2) Define router IP/subnet to be completely separate from corporate LAN
subnet
3) Enable DHCP on router for sake of handheld scanners
4) Put showroom PCs on router switch LAN ports, using static IPs
5) Define router access restrictions which:
a) Affect only the DHCP range of IPs, not the static IPs for the PCs
b) Block all ports except the port range for the sales automation
software

Does this seem reasonable or is there a better way to achieve the goals of
limiting WiFi to reaching just the PCs yet allowing the PCs full access to
the corporate LAN and internet?

Doug

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.