
Best way to Provide Guest Access?

Discussion in 'Networking Issues' started by teststrips, Oct 18, 2006.

  1. teststrips

    teststrips LI Guru Member

    I have a lot of guests to my home with laptops + don't want them on the same VLAN as my personal PCs. I want guests to have access to the internet, but not be able to cause any harm to my PCs. How do I do this? What I see as possibilities:

    1 - have wired + wireless as separate VLANs --- this results in a problem b/c one of my PCs which I want on my wired network is wireless... could I somehow VPN from my wireless to my wired? How (what firmware, what software)?

    2 - Have multiple SSIDs each on a different VLAN (VWLANs) - I don't know of any easy to use firmware that does this - I really don't want to set this up via command line. I've seen DD-WRT has this in v24 - but that is only in alpha stage - don't trust running that... do any other firmwares support this?

    Other Suggestions on how to do this?
    EDIT: I guess I should have mentioned that my router is a WRT-54g (not positive of version, but it is not a v5)
     
  2. Esquire

    Esquire Mesquire Staff Member Member

    If you are using Windows 2000 or XP and NTFS file system on your hard drives, you can also restrict access privilege of shared folders to certain users.
     
  3. teststrips

    teststrips LI Guru Member

    I do keep my systems patched and user restricted - but with the many vulnerabilities that Microsoft has, I'd prefer to have guests on a totally separate network. This will also keep data sniffers from having the capability of seeing files which are being x-fered over the network.
     
  4. ifican

    ifican Network Guru Member

    The multiple SSIDs would be the easiest; however, I don't know all of the devices that do that. The WRV200 does, as I own one, but I do not own any other Linksys wireless that does. Another thought, and one that others don't like but I have no issue with, is: I put a wireless router behind another wireless router. The one in front I allow open access to, and I keep the rest of my network behind the second, thereby segregated from anyone with "guest" access.
     
  5. teststrips

    teststrips LI Guru Member

    I considered this, but I prefer to keep to one device if possible - makes port forwarding, etc a lot less difficult, esp on games, IP phones, file sharing, etc.
     
  6. Esquire

    Esquire Mesquire Staff Member Member

    Not if you have encrypted your wireless network using WPA or WPA2. WEP will also work but it's flawed.
     
  7. teststrips

    teststrips LI Guru Member

    Just to get this straight - if I am using WPA - 3 computers on a wireless network - If computer 1 talks to a wired PC - computers 2 and 3 don't "hear" that broadcast - are all 3 having separate encryption keys?
     
  8. HennieM

    HennieM Network Guru Member

    A sort-of VLAN may provide SOME protection, assuming you can run some custom firmware - better explained by example:

    Let's say WRT's internal IP is 192.168.1.1 mask 255.255.255.0.
    Assign static IPs to your devices in the range 192.168.1.2 to .127 mask 255.255.255.0.
    Set up DHCP to assign IPs 192.168.1.129 to 254, netmask 255.255.255.0, which is what the guests will get.

    Now use iptables on the router to allow 192.168.1.128/255.255.255.128 to only be routed to the router's external IP, or at least not to 192.168.1.0/255.255.255.0. So guests can't connect to your stuff nor to each other, just to the internet. A clever one which assigns a non-DHCP address in the .2 to .127 range will get to you though.

    I think I missed something somewhere, but I hope you get the idea.

    Easiest maybe, get a second wireless device with a different passkey, and on a different subnet with firewalling and NAT, and connect your stuff to this device.
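
An added sketch of the addressing scheme in the post above (not code from the thread or from any firmware): it models how a source-address rule classifies senders and when a packet reaches the router's routing path at all. Only the address ranges come from the post; the rule logic, function names and sample flows are assumptions.

```python
import ipaddress

# Addresses taken from the post above; the rule logic is a reconstruction.
LAN = ipaddress.ip_network("192.168.1.0/24")
GUEST_HALF = ipaddress.ip_network("192.168.1.128/25")   # DHCP pool .129-.254
TRUSTED_STATIC = (ipaddress.ip_address("192.168.1.2"),
                  ipaddress.ip_address("192.168.1.127"))


def classify(src):
    """How a source-address rule on the router sees a sender."""
    ip = ipaddress.ip_address(src)
    if ip in GUEST_HALF:
        return "guest"
    if TRUSTED_STATIC[0] <= ip <= TRUSTED_STATIC[1]:
        return "trusted"
    return "other"


def router_verdict(src, dst):
    """Routed-packet policy from the post: guest half may not reach the LAN."""
    if classify(src) == "guest" and ipaddress.ip_address(dst) in LAN:
        return "DROP"
    return "ACCEPT"


def trace(src, dst, sender_prefix=24):
    """Follow one packet. sender_prefix is the netmask the sender was given.

    If the sender's own mask says dst is a neighbour, it resolves dst with ARP
    and sends the frame directly, so the packet is never routed.
    Assumption: frames bridged between ports are not passed through iptables.
    """
    sender_net = ipaddress.ip_network(f"{src}/{sender_prefix}", strict=False)
    if ipaddress.ip_address(dst) in sender_net:
        return "on-link: router rule never consulted"
    return "routed: " + router_verdict(src, dst)


if __name__ == "__main__":
    # Constructed sample flows (203.0.113.7 is a documentation address).
    for src, dst in [("192.168.1.200", "203.0.113.7"),
                     ("192.168.1.200", "192.168.1.10"),
                     ("192.168.1.50", "192.168.1.10")]:
        print(f"{src:>15} ({classify(src)}) -> {dst:<15} {trace(src, dst)}")
    # What the rule would do if guest traffic to the LAN were actually routed:
    print(router_verdict("192.168.1.200", "192.168.1.10"))
```

With every host on mask 255.255.255.0, guest-to-LAN traffic is delivered on-link in this model, so the separation depends on the access point also keeping clients apart at layer 2. The sender's class is decided purely by the address it presents, which is the caveat the post itself raises.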
     
  9. sufrano63

    sufrano63 Network Guru Member

  10. WirelessInn

    WirelessInn LI Guru Member

    sufrano63,
    Excellent reference you provided on how to build separate networks in the configuration needed by teststrips.
    I have been contemplating some similar concern with a pending project of mine, which HennieM greatly helped me already with.
    Your solution seems to address capabilities offered by the DLink DSA 3200 (hotspot rated) router, which also offers separate networks ("private" - "public") but costs >500$. I just watched a business colleague start installing a DSA 3200 environment. Seems that you are on your own with this type of advanced equipment (DLink cannot help much!). DD-WRT works on all models of WRT54G I believe?
     
  11. teststrips

    teststrips LI Guru Member

    Thanks! That includes most of what I needed to know - the rest I should be able to figure out.
     
  12. Esquire

    Esquire Mesquire Staff Member Member

    Just because all computers share the same key it doesn't mean all computers *hear* transmissions between other computers. The router will manage the traffic to each computer accordingly. If you are able to *sniff* at traffic to and from other computers on the same network, then there is a serious flaw with WPA and WPA2 encryptions.
     
  13. teststrips

    teststrips LI Guru Member

    Thanks!
     
  14. mervincm

    mervincm Network Guru Member

    Have you considered the IPCop firewall? It is free, very secure, super easy to set up and will run on any old piece of junk you have kicking around.

    You have a separate NIC for
    internal (green)
    internet (red)
    wireless (blue)

    By default the blue network (wireless) gives access to the red network (internet) but not your green (internal) network. You would put a device acting as an access point with security information you would share with them.

    If you wanted wireless access on the green network for your own use, pop on another AP with security that you keep to yourself.
     
