Network Gurus - help please!

[JamesMio]

Very quick background, I 'used' to know a bit about this stuff but it's been what feels like a hundred years since I had to use it and am now frustratingly rusty. Bear with me, presume I don't know and I'll hopefully pick it up again as I go along!

So, I'm doing a bit of tidying up of a hotel network and spotted a fairly big potential flaw in that their public WiFi is on the same network/subnet as their internal PC's / printers etc.

It's a small place, so there's no server or domain, all just individual PC's sharing a printer and an internet connection.

Current set up is:

ADSL modem / router
-into a 16 port switch
--all wired PC's connect via this, along with 3 x WiFi access points dotted around the place.

We've just taken delivery of a new ADSL modem/router as the old one is OLD and a bit flakey.

My question is - is there a way of setting this up (as is, without shelling out on new equipment) to keep the public & internal stuff seperate?

I was thinking along the lines of putting all the WiFi points through the old router, different subnet perhaps and seeing if I could route that out to the internet via the new router, but I couldn't remember if it was possible, or even how I'd actually go about it if it was.

Any pointers dudes and dudettes? Much appreciated as always.

Cheers
JM

[jambo]

OK, Your router is going to be the key to this. You need at least 3 zones.
"Internet"
"Internal"
"DMZ"
I've done something similar in the past using a linux distribution "ipcop" on an old PC with a few network cards in it, but this was a few years back. You may be able to use the new router as follows:

LAN connections -> Switch -> Router LAN interface
Wifi points -> Router DMZ ports
Internet/ADSL connection -> Router Internet interface

if the router doesn't have enough interfaces, or isn't able to configure interfaces like this then you can get a 2nd cheap switch to give you:

LAN connections -> Switch1 -> Router LAN interface
Wifi points -> Switch2 -> Router DMZ port
Internet/ADSL connection -> Router Internet interface

Then you only need 2 LAN ports and the ADSL link.

The main change in doing this is that wifi connections wouldn't be able to access LAN equipment, that's good, but make sure they're not relying on this functionality (ipads opening LAN spreadsheets or similar).

Jambo

[flymo]

thinking outside the box a little, is there any reason why those hotel devices need to be separated? Are there shared resources that guests shouldn't have access to (servers, printers etc) Are the hotel client devices secured with client firewalls etc?

The reason I ask is that we are currently equipping a number of our large business offices (circa 2000 users at a site) with what we call Agile network, essentially an industrial scale broadband connection with no firewall between us and the internet, just like in a hotel. We are doing this on the basis that our internal network should not be considered any safer than a public network and that clients should therefor be configured as self defending. After all they roam in and out of our corporate network anyway.

One other consideration might be in limiting the ability of guest computers to consume network/internet bandwidth degrading the experience to the business users.

[JamesMio]

Few good pointers here, thanks chaps.

The router is this:

http://www.netgear.co.uk/home/produc...g/dgn1000.aspx

As far as splitting goes, there is currently zero security between shared files on internal PC's and the public WiFi network. Anything really private or important isn't kept in shared folders, but still - it still makes me a little twitchy.

Given the above is our router, and we do have a couple of basic switches here that I can use, is it likely I could go down this route?

Quote:

if the router doesn't have enough interfaces, or isn't able to configure interfaces like this then you can get a 2nd cheap switch to give you:

LAN connections -> Switch1 -> Router LAN interface
Wifi points -> Switch2 -> Router DMZ port
Internet/ADSL connection -> Router Internet interface

Then you only need 2 LAN ports and the ADSL link.

Cheers again guys, much appreciated

[Nobbylad]

We're doing the exact same thing.

[jambo]

From the quick start type guide on that I'm not sure it knows how to zone the ports as anything other than all green, so you may need something else to deal with the security zoning if you want to split the LAN into multiple zones.

Perhaps a PC with 3 network interfaces and a distro such as smoothwall or IPcop. As others have stated you may be better just making sure the PCs are secure if there are not many of them.

Jambo

[Bibio]

2 x wifi routers 1xcable and 1xADSL.

use ADSL for gateway to internet and guests on one IP address scheme then the cable one for internal on another IP address scheme but point the gatway to the ADSL for internet access. then secure the cable one.

set ADSL router to broadcast and the cable not to broadcast then set client machines on private network with network login details.

make sure that remote access is set to off on both routers and don't use DMZ.

[JamesMio]

Thanks Bibs - Just to make sure I've got this right in my head... See by IP address scheme, are you meaning subnets..?

e.g.

Set Router 1 (say the main ADSL one) to something like:

192.168.1.X and give all the WiFi Access Points an address in the same range (192.168.1.y / 192.168.1.z etc).?

Then, set up Router 2 with an IP address of say, 192.168.2.x and assign the wired PC's / printers with IP's in that range (192.168.2.y etc).

Then point Router 2's gateway setting at Router 1's IP address...?

That's actually very similar to how I'd pictured it might have been possible, but wasn't sure how to actually do it. That's a big help - cheers!

[Bibio]

yes

to my knowledge the access points have to have different ip addresses unles they are relay so if not relay then 192.168.2.***, 192.168.3.*** etc.etc this is for the ip addressing server so you don't get collision. if they are set to relay then you have to configure them to get addressing from the ADSL router. but i could be wrong as it's a while since i have done networking.

if the private network is wired only then don't bother giving login for the nodes.

BTW using another ADSL router for the private network is a PINA so you need either a switch or a Cable router. this would then plug into wifi router 1's port 1 which will act as though its a cable head end for the cable router.

[Bibio]

ooohhh and James network addresses and a subnet are different a subnet is there to dictate how many nodes you can get on that network. so a subnet is not a network