
Multiple isolated networks

Bob.

As time goes on, I seem to be taking in more and more friends/neighbors/friends of friends computers for repair/system cleanup. It's amazing how many people have no concept of "safe computing".

Given that most of these systems are virus and malware ridden, I generally don't connect them to my network until I've straightened them out. This can be inconvenient.

I guess what I'd like to do is to have an isolated "guest network" that I can connect these machines to that would give these machines wired and wireless internet access without risking my own machines.

I would also like to be able to connect one of my machines to this 'guest network' with utilities and such on it to diagnose, cleanup and 'repair' the outside machines.


What is the best way to accomplish these goals securely for both my network and the outside machines?

I'm not quite sure where to start. I know some routers have guest networks, but I'm not sure if this would meet my purposes?

I have only one IP address and am a residential account at the moment. If things get too big, I will likely look into a commercial account.

Thanks for your suggestions.

Bob
 
If you want a more permanent solution, get a switch that supports VLANs. Then you can specify which ports can communicate with each other (i.e. you could designate a port that is on its own VLAN, give it internet access, but prevent it communicating with anything else).

edit: Like a Cisco RV220w for instance...it also allows up to 4 different SSIDs on its wireless network, so you can accomplish the same with wireless clients.
 
Thanks Jack and crielly. I think both are great solutions and can be used together to heighten the level of security. Exactly what I was hoping for. Thanks again, Bob
 

Since I have an additional WRT54G router, I've decided to use this method, but have a question or two.

My existing network incorporates a WRT54GL v1.1, a Netgear GS108 8-port Gigabit switch and a WAP54G v3.1 wireless access point. Wireless is shut off on the WRT54GL and the WAP54G is plugged into one of the normal ports. The Netgear switch is plugged into a normal port as well and accommodates my wired systems.

My other router is a WRT54GS v7.

What I really need is to isolate my existing wired and wireless network from a guest wired and wireless network.

I'm assuming that I can leave the wireless enabled on the front (guest) router and still maintain that isolation from my existing network (both for my existing wired and wireless)?

Is there any configuration necessary beyond what your guide states (other than leaving the wireless on and the necessary wireless settings, i.e., mode, SSID, channel, enabling the wireless security, etc.)?

Could there be any issues with this?

Would it be advisable to disconnect my existing WAP when connecting outside systems to the front wireless network?

I hope this isn't too convoluted. 🙂

Thanks,
Bob
 
As long as you configure the two wireless networks with different WPA2 encryption passwords (and keep the second one for yourself), it would maintain the isolation.



😎
 
Thanks for your solutions, Gus & John. I've made note and will look into these. For now, I'm using this method. Seems secure and requires no real investment of cash or time.
 
A suggestion on connecting one of your computers to the "guest" network for utilities and diagnostics. Get a flash drive with a read/write lock switch like the FlashBlu. http://kanguru.com/storage-accessories/flash-blu2.shtml

This way you just load up the flash drive with utilities you need and lock the switch into read only mode. That way nothing can jump onto the flash drive and you don't have to have a computer on the "guest" network.
 
> A suggestion on connecting one of your computers to the "guest" network for utilities and diagnostics. Get a flash drive with a read/write lock switch like the FlashBlu. http://kanguru.com/storage-accessories/flash-blu2.shtml
>
> This way you just load up the flash drive with utilities you need and lock the switch into read only mode. That way nothing can jump onto the flash drive and you don't have to have a computer on the "guest" network.

This, or run it as a virtual machine that only has access to that LAN.

I've used this configuration to isolate a system from others. It does require having a second NIC on the host machine and requires configuring it so the Virtual box only sees the "guest" LAN and the host box only sees the private one, but it works great and using "snapshots" with Virtual Machines can be really useful for rolling back weird infections and configs.
 
Thanks for the additional info, stlcardinals and SecurityTheatre. I'll definitely keep those and any other suggestions in mind!
 
Jack, In your guide, you state:

"Configure the WAN port of the second Router to a static IP that is of the IP range of the first Router. I.e. 192.168.1.x".

On the WRT54G, where would I enter this? On the Setup/Basic Setup page, I changed the Automatic Configuration - DHCP to Static IP, but am unsure of which field to change. I tried Internet IP address and I tried Gateway, but I wound up resetting it to default because I could no longer access the router after that.
 
You choose Static IP for the WAN port and enter an IP that is in the subnet of the first Router and outside the first Router's DHCP range.

In the Gateway and DNS fields you enter the core IP of the first Router (the core IP is the IP that you put into the browser to connect to its menus).

If the first Router has IP reservation, you can use Dynamic IP (Automatic DHCP) on the WAN port of the second Router and reserve the IP that it fetches on the first Router, so it always gets the same IP.


😎
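The rules Jack gives above (second router's WAN address inside the first router's subnet, outside its DHCP pool, not the gateway itself, and the second router's own LAN on a different subnet so routing does not break) are easy to get wrong by hand. The script below is an added example, not code from this thread; it checks a planned double-router layout against those rules before anything is plugged in. The addresses in it are constructed for illustration and the function name `check_plan` is my own.

```python
"""Sanity-check a two-router "guest network" plan (added example).

Layout assumed: router 1 faces the internet; router 2's WAN port plugs into a
LAN port of router 1 with a static IP; router 2's own LAN is the guest network.
"""
from ipaddress import ip_address, ip_network


def check_plan(r1_lan, r1_gateway, r1_dhcp, r2_wan_ip, r2_lan):
    """Return a list of problems with the plan; an empty list means it is OK.

    r1_lan     - router 1 LAN subnet, e.g. "192.168.1.0/24"
    r1_gateway - router 1 "core" IP, the one you browse to, e.g. "192.168.1.1"
    r1_dhcp    - (first, last) address of router 1's DHCP pool
    r2_wan_ip  - static IP you intend to give router 2's WAN port
    r2_lan     - subnet router 2 will hand out on its own (guest) LAN
    """
    problems = []
    net1 = ip_network(r1_lan, strict=False)
    net2 = ip_network(r2_lan, strict=False)
    gw = ip_address(r1_gateway)
    wan = ip_address(r2_wan_ip)
    lo, hi = ip_address(r1_dhcp[0]), ip_address(r1_dhcp[1])

    # The gateway you type into router 2 must itself be an address on router 1's LAN.
    if gw not in net1:
        problems.append(f"gateway {gw} is not inside router 1 subnet {net1}")

    # Router 2's WAN address must live inside router 1's subnet ...
    if wan not in net1:
        problems.append(f"WAN IP {wan} is not inside router 1 subnet {net1}")
    # ... but must not collide with the gateway, the DHCP pool, or reserved addresses.
    if wan == gw:
        problems.append(f"WAN IP {wan} is router 1's own address")
    if lo <= wan <= hi:
        problems.append(f"WAN IP {wan} is inside router 1 DHCP pool {lo}-{hi}")
    if wan in (net1.network_address, net1.broadcast_address):
        problems.append(f"WAN IP {wan} is the network or broadcast address")

    # The classic failure: both routers keep their factory 192.168.1.0/24.
    # Overlapping subnets on either side of router 2 leave it unable to route,
    # which matches the "could no longer access the router" symptom.
    if net1.overlaps(net2):
        problems.append(f"guest LAN {net2} overlaps router 1 subnet {net1}")
    return problems


if __name__ == "__main__":
    # Constructed values: router 1 on 192.168.1.0/24 handing out .100-.149,
    # router 2 WAN at 192.168.1.2, guest LAN on 192.168.7.0/24.
    for issue in check_plan("192.168.1.0/24", "192.168.1.1",
                            ("192.168.1.100", "192.168.1.149"),
                            "192.168.1.2", "192.168.7.0/24"):
        print("problem:", issue)
```

Run it once with your own numbers; an empty result means the static WAN address and the two subnets fit Jack's rules, and each line it prints names the field on the second router's Setup page that needs changing.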
 
I never could get this working, mainly, I think, because there was a problem with the WRT54GS router working properly. Whenever I would select static IP for the WAN port, it would revert back to auto in just a few seconds. Although the GS would work alone, I never did try to use it as the front router in this setup simply because if one setting was problematic, how many others? And there is no firmware upgrade for that version (7).

So I wound up flashing DD-WRT to the 54GL and used the VLAN capability (thanks for that suggestion, John!).

Realistically, this is probably a better setup for me anyway, and it eliminates one router from the mix. Also, it presents so many more options.

Thanks to all for your advice, and for hanging in there with my questions, Jack 🙂.

Consider this one resolved!
 
Just wanted to update. There was an issue with the WRT54GS router (now trash-canned).
I picked up another WRT54GL. Combining the DD-WRT VLAN capability and additional routers works great.

The VLAN IP is 192.168.5.1. I assigned the 2nd router to 192.168.7.1 and left DHCP enabled. Works like a charm and gives me a 2nd wireless network in a small space (the 2 wireless networks are on different channels).


Thanks to all for the help 🙂.
 
VLANs are the best way, with a trunk port going to the firewall/router. You can then open up certain ports in the firewall if you want certain things to be accessible (ex: a local web server with utility downloads). You can also make the firewall do DHCP for each VLAN if you want. (I use pfSense, it's pretty nice.)
 
> Just wanted to update. There was an issue with the WRT54GS router (now trash-canned).
> I picked up another WRT54GL. Combining the DD-WRT VLAN capability and additional routers works great.
>
> The VLAN IP is 192.168.5.1. I assigned the 2nd router to 192.168.7.1 and left DHCP enabled. Works like a charm and gives me a 2nd wireless network in a small space (the 2 wireless networks are on different channels).
>
> Thanks to all for the help 🙂.

Make sure they are on non-overlapping channels as well. For 2.4 GHz it's 1, 6, 11.
 
> VLANs are the best way, with a trunk port going to the firewall/router. You can then open up certain ports in the firewall if you want certain things to be accessible (ex: a local web server with utility downloads). You can also make the firewall do DHCP for each VLAN if you want. (I use pfSense, it's pretty nice.)

That's a little above my head at the time, but definitely something to research 🙂. I'll be googling those terms. Thanks for your remarks.
 