Advanced Network Possible?

Discussion in 'Networking Issues' started by poobaa, Aug 25, 2004.

  1. poobaa

    poobaa Network Guru Member

    I thought I would ask around here if the following was possible. I have done most of the steps separately, but never tried to combine them before into a usable network. So looking at the picture, the network should have the following features:

    - Linux firewall/router
    - ClarkConnect/Smoothwall
    - 2 or more WRT54G's connected with WDS
    - Clients that are wired into the 54G's, and selected wireless clients are considered part of a private network
    - Wireless clients that are not selected, or random, can connect, but are restricted, and segmented to a public network.


    Has anyone done this before, or care to comment on the correct direction to take?

  2. jdepew

    jdepew Administrator Staff Member


    Now, to figure out how. ;-) We'll figure this one out for you.

    But a quick response would be you'd be looking at using Sveasoft's Alchemy and implementing WDS (as stated) and VLANs.
  3. BitNix

    BitNix Network Guru Member

    Have you considered the security of the installation?

    In my opinion your planned installation is an example of how NOT to do it!

    If you considered security, you would place the AP (WRT54G) on the WAN side.

    The installation should have been like this:

    | | WLAN-1....................................WLAN-2
    | |----[WRT54G 1] ........WDS....... [WRT54G 2]
    | (LAN - hardwired)

    So - now your clients are placed OUTSIDE your LAN when they are connected by wireless. Your WLAN is your UN-SECURE network.
    But... but... I need them at the LAN side, you would argue.

    True - but if your WLAN clients want to get to the LAN side, they need to run a VPN tunnel through the firewall. That is - the WLAN client establishes a VPN tunnel to the firewall/server, the firewall/server validates login/password and that's it. The most common VPNs used are IPSec and PPTP. PPTP is less secure than IPSec, but is a good alternative for clients moving a lot and in situations with random dropouts.

    Consider this:
    1. Your WLAN is hacked - so what - the worst case is SPAM or illegal downloads. Your LAN is not compromised.
    2. WLAN can be monitored and decoded if you get an intruder.
    3. Your VPN connection is encrypted and cannot be decoded - if you use a reasonable key.
    4. You may consider running RADIUS for user validation.

    All trusted (LAN) access from ANY wireless (or WDS connected) client must be done through a VPN tunnel from the client to the firewall/linux/server.
  4. Toril

    Toril Network Guru Member

    A few questions...

    - what's the distance in the WDS link?
    - what's to separate the Public/Private networks (LANs) on the same WLAN segment?
    - why is the Linux firewall/router on the WAN side? Why not use the WRT54G? Is it running other services? (radius, squid, sendmail, etc?)
    - why is your Internet cloud so dark and gloomy? (hehehe j/k)

    I like BitNix's recommendations... you would have to stop the individual interfaces on a WRT54G to stop bridging and separate them... or use the linux box to do so. The first router could almost have a directional antenna if the distance is far enough, and it doesn't seem like you need wireless close to where the WAN comes in...
  5. poobaa

    poobaa Network Guru Member

    I like your idea BitNix; it seems like the best way to do it. The Linux firewall/router (ClarkConnect or Smoothwall) has a DMZ option with a third NIC, so the 54G's could hang off of that interface. The VPN could also hang out on the Linux box.

    Toril, the distance would be small, one end of the house to the other. The problem I have in the house is lots of walls between the two locations, and I can't run cable. The 54G's should give me better signal between the two points, and I might as well let freeloaders on the network, if they find it. Your second question was one of the main reasons I asked here; I wasn't sure if it was possible, but as BitNix suggested, a VPN would separate public/private. The Linux firewall would run most of the services, not mail, but maybe; take a look at ClarkConnect or SmoothWall to get an idea of what they can do.

    Thanks everyone for the suggestions, I think I have a good direction to move in now.
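As an added illustration of the layout BitNix describes and the third-NIC DMZ plan poobaa settles on (example rules written for this thread, not configuration from any poster or from ClarkConnect/Smoothwall), here is a Linux iptables policy in which the WRT54G/WDS segment is an untrusted interface that can reach the Internet and the firewall's VPN ports only, while LAN access is accepted solely from traffic that arrived through a PPTP or IPsec tunnel. Interface names (eth0/eth1/eth2), the LAN subnet and the dry-run default are assumptions; set IPT=iptables to apply instead of print.

```shell
#!/bin/sh
# Assumed interfaces (not from the thread): WAN=eth0, LAN=eth1 (hardwired,
# trusted), WLAN=eth2 (the DMZ NIC the WRT54Gs hang off).
WAN=eth0; LAN=eth1; WLAN=eth2
LAN_NET=192.168.1.0/24          # assumed LAN subnet
IPT="${IPT:-echo iptables}"     # dry-run: print rules unless IPT=iptables

wlan_policy() {
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -A INPUT   -i lo -j ACCEPT
  # Replies to connections the firewall or LAN already opened.
  $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Hardwired LAN is trusted: may reach the firewall and the Internet.
  $IPT -A INPUT   -i "$LAN" -j ACCEPT
  $IPT -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
  # WLAN clients get only what a random visitor needs from the firewall:
  # DHCP, DNS and the VPN ports (IPsec: IKE/NAT-T + ESP; PPTP: 1723 + GRE).
  $IPT -A INPUT -i "$WLAN" -p udp --dport 67 -j ACCEPT
  $IPT -A INPUT -i "$WLAN" -p udp --dport 53 -j ACCEPT
  $IPT -A INPUT -i "$WLAN" -p udp -m multiport --dports 500,4500 -j ACCEPT
  $IPT -A INPUT -i "$WLAN" -p esp -j ACCEPT
  $IPT -A INPUT -i "$WLAN" -p tcp --dport 1723 -j ACCEPT
  $IPT -A INPUT -i "$WLAN" -p gre -j ACCEPT
  # The "public" network: WLAN may go out to the Internet.
  $IPT -A FORWARD -i "$WLAN" -o "$WAN" -j ACCEPT
  # The "private" network: only traffic that arrived inside a tunnel reaches
  # the LAN. PPTP sessions show up on ppp+ interfaces; IPsec-decapsulated
  # packets from the WLAN match the inbound xfrm policy.
  $IPT -A FORWARD -i ppp+ -d "$LAN_NET" -j ACCEPT
  $IPT -A FORWARD -i "$WLAN" -m policy --dir in --pol ipsec -d "$LAN_NET" -j ACCEPT
  # Anything else from the WLAN toward the LAN is logged (so a scan from a
  # freeloader is visible) and dropped.
  $IPT -A FORWARD -i "$WLAN" -o "$LAN" -j LOG --log-prefix "WLAN->LAN blocked: "
  $IPT -A FORWARD -i "$WLAN" -o "$LAN" -j DROP
  # NAT everything leaving on the WAN side.
  $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

wlan_policy
```

Because the ESTABLISHED,RELATED rule sits first in FORWARD, a LAN host can still open a connection out to a WLAN client and get replies, while a raw WLAN-initiated packet toward the LAN only ever hits the LOG/DROP pair.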