
LiquidEyes

join:2006-06-22
UK

reply to LiquidEyes

Re: securely mixing WEP and WPA - two routers required?

Let me explain myself a different way:

What I am trying to achieve is full isolation of one group of PCs (some of which just happen to be talking via WPA ... some of which just happen to be connected by blue ethernet cables ... some of which just happen to be connected via yellow ethernet cables ... you get the idea!) from another group of PCs (which, for whatever reason, has a much higher probability of being infiltrated by somebody who shouldn't be on my network!)

But I only have one ADSL connection, so fundamentally the two have to be connected at some point.

I (perhaps naively) thought the conventional way to isolate groups of PCs was to have them on separate subnets, just as you would when creating a DMZ / web server / private network setup. In this case there is a single point (the firewall) where the two networks cross (public and private), and the firewall routes traffic accordingly via NAT. Explicit allow/disallow rules prevent any packets from the public network from being routed to the private network.

So when I read about double-NAT, the idea of using a second router seemed to make sense because (as I understand) routers are responsible for bridging two completely separate networks, and even the most inexpensive routers now have sophisticated firewall facilities.

I figured that, just as my ADSL router prevents a hacker on the internet from seeing my PC as though he were on the same LAN -- because stuff only crosses over with the router's explicit say-so -- so could a second router prevent people on 'one side of the router' from seeing people on 'the other side of the router'.

If my logic is faulty, please can somebody explain which part(s) I have misunderstood?


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:3


Assuming from your description, your Netgear has its own wifi setup. This should only be accessible by you and protected by WPA or WPA2.

The access point I noted, the ZyXEL NWA-3163, can host up to 8 virtual ESSIDs, each having its own security settings etc.
These settings include:

a. type of security (WPA, none etc)
b. ability to block users within the same ESSID from seeing each other.
c. ability to block users from all LAN resources and just access the internet

With these three under your belt, there should be no problem assigning groups of users to the virtual ESSIDs without fear of LAN hacking.
(1) Those users on a WEP network solely for access to gaming purposes would be "LOCKED" into internet/gateway access only.
(2) Those users that need WAN access, but do not need to see each other, and do not need LAN access can be a separate group using better WPA security.
(3) Those users that need access to your LAN (very much trusted) can be in a third group, again using WPA but obviously a different key.

ETC.......

If unauthorized users accessed the WEP portion, the only thing they would have access to is the internet.

--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"




PetePuma
How many lumps do you want
Premium,MVM
join:2002-06-13
Arlington, VA

reply to LiquidEyes
Your mistake is that you're hanging the 2nd router off the first router's LAN port. They are not separate networks, one is "inside" the second.

To do what you want to do, you need either 3 routers or a router that provides for two independent subnets on the LAN side.


stevech0

join:2006-09-17
San Diego, CA


assuming you don't try to double-NAT (ill-advised), and assuming you have an Internet service provider that gives you the normal single IP address (public side), you can have ONE router. O-N-E.

You can have as many access points as you'd like. Each can run WEP or WPA or nothing, independently. And each can have whatever SSID you like.

You can use a wireless router to emulate an access point, if it is configured correctly; that's discussed in the FAQs. In this case, it is an access point, NOT a router. The WAN port goes unused.



PetePuma
How many lumps do you want
Premium,MVM
join:2002-06-13
Arlington, VA

said by stevech0:

assuming you don't try to double-NAT (ill-advised)
I think this is overblown. Double NAT isn't a problem 99% of the time, especially if you control all routers in the chain.

If I were the OP, I'd also be considering running something like M0n0wall with multiple NICs and setting up a true DMZ for the WEP wireless access.
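The design the thread converges on (the OP's "separate subnets with explicit allow/disallow rules at the one crossing point", Anav's "internet/gateway access only" group for the WEP users, and PetePuma's multi-NIC router with a true DMZ) is easiest to see as an actual ruleset. The following is an added example, not configuration posted by anyone in the thread and not specific to M0n0wall or any ZyXEL/Netgear product: it is an nftables ruleset for a Linux router with three interfaces, and the interface names and subnets are assumptions chosen for illustration. Each zone is its own interface and its own subnet on a single router, so packets only cross between zones where the forward chain says so.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the original thread). Assumed layout:
#   wan0   = ADSL / upstream side (one public IP, masqueraded)
#   lan0   = trusted group: WPA2 wireless + wired, 192.168.10.0/24
#   guest0 = untrusted group: the WEP / gaming clients, 192.168.20.0/24
# The WEP zone is treated as hostile: a WEP key can be recovered by anyone
# in radio range, so the only thing that zone is ever allowed to reach is
# the internet and the router services it needs to get online.

flush ruleset

define WAN   = "wan0"
define LAN   = "lan0"
define GUEST = "guest0"

table inet isolate {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Trusted zone may manage the router itself.
        iifname $LAN accept
        # Untrusted zone gets only DHCP, DNS and ping to the router;
        # the admin interface is not reachable from it.
        iifname $GUEST udp dport { 67, 53 } accept
        iifname $GUEST tcp dport 53 accept
        iifname $GUEST icmp type echo-request accept
        # Anything else arriving from guest0 or wan0 hits the policy drop.
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # Replies to connections a zone was allowed to open come back.
        ct state established,related accept
        ct state invalid drop
        # Both zones may reach the internet ...
        iifname $LAN   oifname $WAN accept
        iifname $GUEST oifname $WAN accept
        # ... and the trusted zone may open connections into the guest
        # zone (e.g. to look after a games box). There is deliberately
        # no guest0 -> lan0 accept rule: log those attempts and drop them.
        iifname $LAN   oifname $GUEST accept
        iifname $GUEST oifname $LAN log prefix "guest->lan blocked: " drop
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Single public address: everything leaving wan0 is masqueraded.
        oifname $WAN masquerade
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset`; then, from a guest-zone host, check that pinging a trusted-zone address fails while the internet still works, and watch the kernel log for the `guest->lan blocked:` prefix. Two caveats a practitioner would add: this is layer-3 isolation only, so two WEP clients on the same SSID can still see each other unless the access point itself offers the per-ESSID client isolation Anav describes (setting b); and the ruleset presumes a device whose LAN ports or VLANs are separately routed interfaces, which is exactly why a second consumer router hung off the first router's LAN port (one network "inside" the other, as PetePuma puts it) does not give you this.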

© 1999-2012 dslreports.com.