
Provide public wireless access while blocking wired network?

Discussion in 'Networking Issues' started by thelettere, Apr 28, 2005.

  1. thelettere

    thelettere Network Guru Member

    I would like to provide wireless access to the internet to the public. I also need internet access on my wired network. But I don't want the wireless users to be able to access my shares (or anything else) on the wired network.

    I've read that this is possible with double NATing, but that causes all sorts of other problems. (Not all apps work right, etc.)

    Is there a way to do this without double NAT'ing or requiring a server?

    -e
     
  2. windsurfer

    windsurfer Network Guru Member

    I would like to see someone comment who has actually done this, but here is how I would approach it.

    Internet (cable or DSL)
    |
    |
    WRT54G (192.168.1.1)--> Add a route from 192.168.1.X to 192.168.2.X
    |----------------------------> MAC address filter for your wireless clients.
    |----------------------------> This lets you allow only those you want.
    |
    WRT54G (192.168.2.1)--> This unit would not have MAC filtering or any WEP.
    ----------------------------> People could log on through wireless but since they
    ----------------------------> will be assigned a 2.X address they cannot see
    ----------------------------> the machines on your LAN which are in the 1.X
    ----------------------------> subdomain.
     
  3. jagboy

    jagboy Network Guru Member

    I think you can do iptables right.
     
  4. thelettere

    thelettere Network Guru Member

    I've thought about that type of solution, but I've read that having a double NAT arrangement like that prevents certain apps from getting through.

    -e
     
  5. Matt1999

    Matt1999 Network Guru Member

    I am trying to do the same thing. My configuration is similar to windsurfer's. I have wired and wireless clients on my Netgear router.

    Internet
    |
    |
    Netgear Router
    IPs 192.168.1.1 - 192.168.1.100
    subnet: 255.255.255.0
    WEP enabled to filter out unwanted wireless connections. (You can use something else)
    |
    |
    WRT54G running EWRT- nocatsplash on
    IP: 192.168.100.1 - 192.168.100.100
    subnet: 255.255.255.128
    No security such as WEP or MAC address filtering

    Here is what I have found and tested.
    When connected to the Netgear router I can connect to the internet. I can share files between workstations. I can do whatever I want inside the network when connected to the Netgear router.

    When I connect to the WRT54G I can connect to the internet. I can ping any PC connected to the Netgear router. I can connect to the WRT54G and Netgear router's web interface. I can connect to the web server I have on the Netgear network. I can NOT see the shares on the Netgear workstations.

    My goal is to block IPs 192.168.1.2-192.168.1.100 from the WRT54G router and only open up ports 80, 443 and a few more I may need. I'm still working on that one.

    Any suggestions welcome.

    Matt
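
An added example, not part of any post in this thread: shell functions that generate the iptables rules for the goal stated in the post above, following the iptables suggestion earlier in the thread. It assumes the rules are loaded on the public WRT54G (Linux-based firmware with iptables and the `state` match), reuses the thread's subnets, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): guest-isolation rules for the public router.
# Values below are taken from the thread's addressing; adjust to your network.
GUEST_NET="192.168.100.0/25"   # public WRT54G clients (mask 255.255.255.128)
PRIVATE_NET="192.168.1.0/24"   # private LAN behind the Netgear router
GUEST_TCP_PORTS="80 443"       # outbound TCP services offered to guests

# Print the rules in evaluation order. A packet takes the verdict of the
# first ACCEPT or DROP rule it matches, so the DROP for the private LAN has
# to come before any port-based ACCEPT. Otherwise guests keep reaching the
# private web server and the Netgear admin page on port 80.
guest_rules() {
    ipt="${1:-iptables}"
    # Replies belonging to connections that were already allowed.
    echo "$ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Guests never reach the private LAN, on any port or protocol (ping included).
    echo "$ipt -A FORWARD -s $GUEST_NET -d $PRIVATE_NET -j DROP"
    # DNS lookups to resolvers outside the private LAN.
    echo "$ipt -A FORWARD -s $GUEST_NET -p udp --dport 53 -j ACCEPT"
    echo "$ipt -A FORWARD -s $GUEST_NET -p tcp --dport 53 -j ACCEPT"
    # The short list of outbound services guests may use.
    for port in $GUEST_TCP_PORTS; do
        echo "$ipt -A FORWARD -s $GUEST_NET -p tcp --dport $port -j ACCEPT"
    done
    # Everything else originating from guests is dropped.
    echo "$ipt -A FORWARD -s $GUEST_NET -j DROP"
}

# Read a rule list on stdin and succeed only if the private-LAN DROP comes
# before the first port ACCEPT. Run this before loading an edited rule set.
check_order() {
    rules="$(cat)"
    drop_line=$(printf '%s\n' "$rules" |
        grep -n -- "-d $PRIVATE_NET -j DROP" | head -n 1 | cut -d: -f1)
    accept_line=$(printf '%s\n' "$rules" |
        grep -n -- "--dport .* -j ACCEPT" | head -n 1 | cut -d: -f1)
    [ -n "$drop_line" ] && [ -n "$accept_line" ] &&
        [ "$drop_line" -lt "$accept_line" ]
}
```

Review the output of `guest_rules`, then pipe it to `sh` on the router to load it. Traffic addressed to the router itself (its admin page, the splash portal) passes through the INPUT chain and is not covered by these FORWARD rules.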
     
  6. Matt1999

    Matt1999 Network Guru Member

    Here is an update if anyone is interested.

    I ended up using ICS on a Windows XP machine along with Sygate firewall. I plugged the WRT54G into my network card on my PC. I now block all ports but port 80 and DNS from the WRT54G that is open to the public. I allow all ports from my other network card that is connected to my private network. I guess this is the Windows solution. The great thing about this is that I can still use the PC that has ICS on it as the firewall and use it as a normal workstation on my private network at the same time. It is not dedicated as just a firewall. I can monitor all the traffic and websites that are accessed by the Public WRT54G router.

    So in the end I have my private network that is open for ME to access. I have a public access point with a splash screen and an accept button. I have full control over incoming and outgoing ports. My private network is protected from the public access point (as far as I can tell).

    This is good for now until I can find a simpler solution. I would also like to route the public access point through an anonymous proxy but I haven't figured that one out yet.


    Here's a summary:

    Internet
    |
    |
    Netgear router/firewall (Private network)
    WEP enabled.
    |
    |
    Windows XP workstation
    Running ICS
    Running Sygate firewall for ICS
    2 network cards.
    Network card 1 - Connected to Netgear router with all incoming and outgoing ports open.
    |
    Network card 2
    All incoming and outgoing ports blocked but 80 outgoing and DNS
    |
    WRT54G with EWRT and catsplash (Public/Open)
     
