Hi Doug -

On Sun, 2 Mar 2008 18:10:54 -0500, "Douglas Handy" <dhandy@xxxxxxxxx>

> It is because I want the wireless devices (behind the WRT) to be able to
> talk to the PCs, but *only* the PCs in the showroom and not the rest of the
> LAN, the 520, or the internet.

Okay. Because of not following the first part of the thread closely, I
wasn't aware of that.

> That led to the original suggestion of having them in a separate mini LAN,
> using a second NIC with no bridging between the dual NICs. Given that
> configuration, it is easy for me to see how it would work the way I want.
>
> If I fed the WRT WAN port to the regular LAN switches and don't have them
> using a different IP address, how do I route the wireless devices to the
> desired PCs without them also seeing the other PCs and 520 etc?
>
> For that matter, once the WRT is in a different IP range and subnet, won't
> it need a default gateway or route to the LAN to find the desired PCs even
> if they are in a different subnet? And once I do that, why can't they see
> everything else too?

You don't really need to isolate the wireless-to-showroom connection
on a different physical network. Doing so *would* provide a slight
amount of additional protection, but unless there is some kind of
malware or something, each PC sees only its own traffic, so its
reasonably safe to run all of the subnets on the same physical media.

You could run multiple IP addresses on one NIC in the showroom PCs so
that they are on both LANs (in which case no gateway address is needed
on the mini-LAN). Or you could have the showroom PCs running just the
one address each, and have a router sitting on the network which
limits the wireless to only what you allow.

The latter is what I have on my network at home to keep a PC from work
isolated from my LAN. It's on the same physical media, but it's in a
different subnet, so everything goes through the router, which I have
programmed to allow that PC to only access certain IP addresses and
certain ports.

I use a Linux-based system as my main router, handling my two internet
connections, LAN, and DMZ, so it was simple to add this mini-LAN to
the programming. If you're using some kind of router/firewall
appliance, you may not be able to do this with it, in which case the
two IP addresses per NIC in the showroom is the cheapest way to handle

Opinions expressed are my own and do not necessarily represent the views
of my employer or anyone in their right mind.
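The router-based option described in the reply above (wireless subnet on the same wire, default gateway pointing at a router whose forward rules only let it reach chosen showroom PCs on chosen ports) can be checked with a small policy model. This is an added example, not code from either poster; the subnets 192.168.10.0/24 and 192.168.1.0/24, the showroom PC addresses, the allowed ports and the rule layout are all constructed assumptions.

```python
"""Model of a router's forward policy between a wireless mini-LAN and the
main LAN. Added example with constructed addresses; nothing here comes
from the original thread."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed assumptions: WRT side is the mini-LAN, regular LAN holds the
# showroom PCs, the AS/400 ("the 520") and everything else.
WIRELESS_NET = ipaddress.ip_network("192.168.10.0/24")
SHOWROOM_PCS = [ipaddress.ip_address("192.168.1.50"),
                ipaddress.ip_address("192.168.1.51")]
ALLOWED_PORTS = [445, 3389]          # assumed: file sharing, remote desktop
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]             # None means any port / any protocol
    action: str                      # "ACCEPT" or "DROP"


def build_policy() -> List[Rule]:
    """Explicit allows for wireless -> showroom PC:port, then drop everything
    else that originates on the wireless subnet. Because the WRT's default
    gateway is this router, every packet leaving the mini-LAN crosses this
    list, so the final catch-all DROP is what keeps the rest of the LAN,
    the 520 and the internet out of reach."""
    rules = []
    for pc in sorted(SHOWROOM_PCS):
        for port in sorted(ALLOWED_PORTS):
            rules.append(Rule(WIRELESS_NET, ipaddress.ip_network(f"{pc}/32"),
                              port, "ACCEPT"))
    rules.append(Rule(WIRELESS_NET, ANY, None, "DROP"))
    return rules


def decide(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """First-match evaluation, as a packet filter does. Traffic that does not
    originate on the wireless subnet (e.g. a showroom PC's replies) matches
    nothing and falls through to the assumed chain default of ACCEPT."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and (r.dport is None or r.dport == dport):
            return r.action
    return "ACCEPT"


def as_iptables(rules: List[Rule]) -> List[str]:
    """Render the same policy as iptables FORWARD-chain commands for a
    Linux router (port-specific rules are TCP; the catch-all is all protocols)."""
    out = []
    for r in rules:
        cmd = f"iptables -A FORWARD -s {r.src} -d {r.dst}"
        if r.dport is not None:
            cmd += f" -p tcp --dport {r.dport}"
        out.append(f"{cmd} -j {r.action}")
    return out


if __name__ == "__main__":
    policy = build_policy()
    for line in as_iptables(policy):
        print(line)
    # Constructed probe packets from a wireless client.
    for dst, port in [("192.168.1.50", 445), ("192.168.1.50", 80),
                      ("192.168.1.10", 445), ("198.51.100.7", 443)]:
        print(f"192.168.10.20 -> {dst}:{port}: {decide(policy, '192.168.10.20', dst, port)}")
```

The same allow-list-then-drop shape is what a consumer router/firewall appliance would need to express; if its interface cannot attach rules to forwarded traffic per source subnet, that is the limitation the reply mentions, and the second-IP-per-NIC arrangement avoids the router entirely.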
