The simplest way is to not use DHCP on the WAN of the WRT but configure
a static IP on your normal LAN. Do not put this gateway into your
default router or any other routers or server that you do not want to
have access to the wireless. The PC you want to have access to the
wireless will need the route added manually. From a command window,
route -p add WWW.WWWW.WWW.WWW mask MMM.MMM.MMM.MMM RRR.RRR.RRR.RRR where
"W" is the wireless subnet, "M" is the subnet mast and "R" is the
router's static IP on the wired LAN.

While the wireless devices will know how to get to your LAN, your LAN
devices will not know how to get to your wireless devices. This causes
the wireless devices to not get a reply from your LAN, thus hiding it.

This is not the most secure method but it will work.

The other method would be to put all PC you need to access the wireless
on the WRT and put the WRT WAN port on the public side of your network.
The use VPN on the PC's to gain access into your corporate network.


Chris Bipes
Director of Information Services
CrossCheck, Inc.


-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Ken Sims
Sent: Sunday, March 02, 2008 9:12 PM
To: midrange-l@xxxxxxxxxxxx
Subject: Re: Network config for isolating WiFi

Hi Doug -

On Sun, 2 Mar 2008 18:10:54 -0500, "Douglas Handy" <dhandy@xxxxxxxxx>
wrote:

It is because I want the wireless devices (behind the WRT) to be able
to talk to the PCs, but *only* the PCs in the showroom and not the rest

of the LAN, the 520, or the internet.

Okay. Because of not following the first part of thread closely, I
wasn't aware of that.

That led to the original suggestion of having them in a separate mini
LAN, using a second NIC with no bridging between the dual NICs. Given
that configuration, it is easy for me to see how it would work the way
I want.

If I fed the WRT WAN port to the regular LAN switches and don't have
them using a different IP address, how do I route the wireless devices
to the desired PCs without them also seeing the other PCs and 520 etc?

For that matter, once the WRT is in a different IP range and subnet,
won't it need a default gateway or route to the LAN to find the desired

PCs even if they are in a different subnet? And once I do that, why
can't they see everything else too?

You don't really need to isolate the wireless-to-showroom connection on
a different physical network. Doing so *would* provide a slight amount
of additional protection, but unless there is some kind of malware or
something, each PC sees only its own traffic, so its reasonably safe to
run all of the subnets on the same physical media.

You could run multiple IP addresses on one NIC in the showroom PCs so
that they are on both LANs (in which case no gateway address is needed
on the mini-LAN). Or you could have the showroom PCs running just the
one address each, and have a router sitting on the network which limits
the wireless to only what you allow.

The latter is what I have on my network at home to keep a PC from work
isolated from my LAN. It's on the same physical media, but it's in a
different subnet, so everything goes through the router, which I have
programmed to allow that PC to only access certain IP addresses and
certain ports.

I use a Linux-based system as my main router, handling my two internet
connections, LAN, and DMZ, so it was simple to add this mini-LAN to the
programming. If you're using some kind of router/firewall applicance,
you may not be able to do this with it, in which case the two IP
addresses per NIC in the showroom is the cheapest way to handle it.

This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2019 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].