I am setting up a small business. I have a DSL PPPoE account and
purchased a wireless router. I have one laptop that is wireless, 2
computers and 1 LAN printer that have NICs for wired lines.
This network presently is working well for me; all my PCs can share
files from each other, etc.
Now the fun part (this is where I need your help): I want to allow my
customers to bring their laptops into my store and wirelessly surf the
web while service is being performed on their cars.
What can/should I do in order to maintain a secure LAN network for my
computers (which includes one wireless laptop) yet enable public
wireless access for my customers? I'm not sure what to do.
Thanks!
Mark
> I am setting up a small business. I have a DSL PPPoE account and
> purchased a wireless router. I have one laptop that is wireless, 2
[quoted text clipped - 13 lines]
> Thanks!
> Mark
I run a MicroISP via both Wired and WiFi Access, and your problem is
not new. There are a few things that can be done to deal with the
Access Issues.
For wireless:
1. Buy Wireless Routers that have MAC Address Access Capability and
then when each customer comes in, enter his WiFi MAC Address into the
Router's Access List. This still allows you to use DHCP for AutoSetup
Negotiations, but restricts access to just those customers that you have
entered. The drawback is that you have to get each laptop's MAC Address,
and load it into the router, the first time they use your network.
2. Use Static IP Addressing for each customer's Laptop, and have your
wireless subnet, on a non-default IP Subnet.
For wired:
1. Some routers allow you to set a range of IP Addresses to have Access
to the WAN Port, and then use DHCP to only allow that range access thru
the router.
2. Use Static IP Addressing for each customer's Laptop, and have your
wired subnet, on a non-default IP Subnet.
In my Network World, I have to deal with multiple Mutually Exclusive
Subnets, that exist on a common Copper Wireplant. None of these
subnets are allowed to interact with each other, and since only
one DHCP Server is allowed per Routed Copper WirePlant Segment
only one of the Mutually Exclusive Subnets can use DHCP for
AutoSetup via DHCP Leases. The rest are Static IP Addressed. I have
multiple Mutually Exclusive WAN Gateways to the Internet, thru which
each Subnet accesses the Internet. All my Wireless APs (10+) are Router
Types and each of their WAN Ports are Static IP Addressed on one of the
Static IP Addressed Mutually Exclusive Subnets. This allows me to use
the DHCP Servers built into the WiFi Routers to admin leases on the WiFi
and Wired Ports of each, thru the MAC Addressing Access list for each
WiFi AP, and by assigning the DHCP Server in each AP a different subnet,
I can see who is connecting thru which AP, and using which Gateway. I
also have a DNS Caching Server/Web Server on that subnet that supports
the WiFi Network due to long latencies on my SAT Internet WAN Connection.
It is a bit convoluted but it works and I have positive control over
access on all ports, wired, and wireless, except on the Mutually
Exclusive subnet that uses DHCP, and I am not responsible for
maintenance of that network, and the guy that is doesn't seem to care.
I don't use any WiFi Encryption as this Network is out in bush Alaska,
and we don't get many snoops this far out, since the nearest road is
250 miles away. This makes connections very fast and easy to deal with
if problems arise on the WiFi side of things.
Bruce in Alaska

Signature
add a <2> before @
Barry Margolin - 18 Aug 2006 00:18 GMT
> > What can/should I do in order to maintain a secure LAN network for my
> > computers (which includes one wireless laptop) yet enable public
[quoted text clipped - 18 lines]
> 2. Use Static IP Addressing for each customer's Laptop, and have your
> wireless subnet, on a non-default IP Subnet.
That prevents randoms from accessing the wireless network, but it
doesn't do anything to protect his LAN from access by the customers.
What I think is needed are two wireless routers, connected in sequence:
DSL -- Customer-router -- Office-router
Customers would be allowed to join the Customer-router's wireless LAN;
you can give them the SSID and passphrase, and maybe use Bruce's
suggestions to further restrict access.
Your company PCs would be connected, either wired or wirelessly, to
Office-router. The NAT and firewall on the Office-router would protect
your office LAN from access by the customers. For even better
protection you could go with a true firewall -- many of them now have
wireless options.
I wonder if there are any wireless routers or access points that provide
the wireless equivalent of VLANs, i.e. the router/AP supports multiple
SSIDs, each with its own encryption settings.

Signature
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
> I am setting up a small business. I have a DSL PPPoE account and
> purchased a wireless router. I have one laptop that is wireless, 2
[quoted text clipped - 10 lines]
> computers (which includes one wireless laptop) yet enable public
> wireless access for my customers? I'm not sure what to do
In your wireless DSL modem, you need to enable password protection for
connecting to your LAN. BTW, if you *haven't* done that already, you
*do not* have a secure LAN. Anyone can join it. Once you've got the
password protection up and running, you just tell your customers the
password. The manual will have instructions for how to do this. Choose
the most secure option available.
I would put a router between your PCs and the rest of the LAN with NAT
enabled, to hide them from the rest of the LAN, also. And I would not
leave the laptop wirelessly connected. And I would password protect
access to each computer and install/turn on the internal firewalls.
You don't say what operating systems or wireless router you are using,
so we can't be more specific in terms of step-by-step instructions. But
do see:
http://www.theworld.com/~reinhold/airport.html
> I am setting up a small business. I have a DSL PPPoE account and
> purchased a wireless router. I have one laptop that is wireless, 2
[quoted text clipped - 10 lines]
> computers (which includes one wireless laptop) yet enable public
> wireless access for my customers? I'm not sure what to do.
The secure way to do this, often referred to as a coffee shop setup, is
to use two wireless base stations: one with encryption enabled for your
office LAN and the other without encryption for your customers. You'll
want to use the two routers' NAT functions to make the machines on your
office LAN effectively unreachable by anybody connected to the public
network. That means plugging the office router into one of the public
router's Ethernet LAN ports and then connecting the public router's WAN
port to the DSL modem. Your office machines will be on a different
subnet and the second (office) router will block unsolicited traffic to
them from the other (public) subnet.
This is described at
<http://www.tomsnetworking.com/2006/06/30/wireless_faq_security/page2.html#68>.
(Ignore the advice about enabling MAC address association and
disabling ESSID broadcast.)
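
The router ordering recommended in this thread (DSL, then the customer router, then the office router), as an added example that is not part of the original posts: a simplified Python model of consumer NAT behaviour that checks the addressing plan and shows why the office LAN has to sit behind the inner router. The subnets and function names are constructed for illustration.

```python
import ipaddress

# Constructed addressing plan (assumed values, not taken from the thread).
PUBLIC_LAN = ipaddress.ip_network("192.168.10.0/24")  # customer Wi-Fi
OFFICE_LAN = ipaddress.ip_network("192.168.20.0/24")  # office PCs and printer

def check_plan(outer_lan, inner_lan):
    """Return a list of problems with a two-router cascade addressing plan."""
    problems = []
    if outer_lan.overlaps(inner_lan):
        # The inner router's WAN port sits on outer_lan; if its LAN side uses
        # the same range it cannot route between the two sides.
        problems.append("outer and inner LAN subnets overlap")
    for net in (outer_lan, inner_lan):
        if not net.is_private:
            problems.append(f"{net} is not RFC 1918 private space")
    return problems

def can_initiate(src, dst, outer_lan, inner_lan):
    """Can host src open a connection to host dst?

    Simplified model of a consumer NAT router with no port forwards:
    connections started on the LAN side are translated and sent out the WAN
    port; unsolicited connections arriving on the WAN port are dropped.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in inner_lan and dst in inner_lan:
        return True   # same LAN, never crosses a router
    if src in outer_lan and dst in outer_lan:
        return True   # same LAN (assumes no AP client isolation)
    if src in inner_lan and dst in outer_lan:
        return True   # leaves via the inner router's WAN port onto outer_lan
    if src in outer_lan and dst in inner_lan:
        return False  # would have to enter through the inner router's WAN port
    raise ValueError("address outside both LANs")

def guest_can_reach_office(guest, office_pc, guest_lan, office_lan, office_is_inner):
    """Evaluate one ordering of the two routers."""
    if office_is_inner:   # DSL -- customer router -- office router
        outer, inner = guest_lan, office_lan
    else:                 # DSL -- office router -- customer router (reversed)
        outer, inner = office_lan, guest_lan
    return can_initiate(guest, office_pc, outer, inner)
```

The protection is one-way: in the recommended ordering, office machines can still open connections to devices on the customer subnet, so host firewalls on the office PCs remain worthwhile.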