TechSoup.org The place for nonprofits, charities, and libraries

Setting Up a Separate Wireless Network


  • I'm running SBS 2003 Premium. We have 4 other buildings in our small complex, 3 of which are used as sleeping/living quarters for researchers. I'd like to let them use our internet access to surf the internet, do email, etc. in their off-time, but am worried about security, etc. I presently have the wireless extension as part of the network, and all are users in some form of the LAN. What's a better way to do this? A separate wireless network with a router?

    ====================================== Michael J. Webb Administrative Assistant/IT Administrator Platte River Whooping Crane Maintenance Trust, Inc. 6611 W. Whooping Crane Dr. Wood River, NE 68883 Office (308) 384-4633 x104 FAX (308) 384-7209 email Mike_Webb -at- WhoopingCrane.org www.whoopingcrane.org ======================================

  • Most of the wireless routers that I have seen have the option to segregate wireless devices from the LAN -- effectively what is called a "DMZ" (or a "screened subnet" in other circles):

                Internet
                   |
                   |
                [router]
                 /    \
                /      \
               /        \
            Work      Wireless
            LAN       Network


    Thus, the router can then control which of the 3 prongs can access any of the others. Normally, you would make it so that the work LAN cannot see or be seen by the wireless network, but both can access the Internet. (And, naturally, the Internet cannot access either the LAN or wireless unless necessary.)
  • Great idea, but I use DHCP from my server vice the router to handle IPs. How would I split this so that the DHCP is only for the "public" side from the router, while letting the server handle DHCP?


  • Sorry, I'm not quite sure what you mean. Do you want DHCP to be only on the LAN, only for wireless, or for both?
  • http://www.ipcop.org/

    If you have an old PC lying around, maybe IPCop would work for you. I've tested it, and it works great. But I don't need it for my current setups, so I don't use it. Good luck.

    -Mark
  • Does your business use the wireless too, in addition to your desire to give it to the residents?

    I think what you're looking at is two routers. Get a new one with range extension for your residents. Set this to channel 11, give it its own WPA/PSK security and SSID. Put this in the network "before" your current router. So:

    Internet --> Resident Router --> Current Router (move to channel 1, new SSID)

    Then, your residents can't get to your office network, but can still use your Internet for off-hours browsing from their rooms. Make sense? As long as they are on different subnets and use different SSIDs, you should be OK with DHCP giving the right addresses for the right network.

    You could set up the new resident router to have a "DMZ" and put in the IP of the current router. If you do this, you'd need to give the current router a static IP address on the resident router's subnet. Doing this will preserve any port forwarding you have set up on your current router.

    Why channel 11 and 1? You are dealing with residents; sounds like they might have wireless phones (no, not cellular, wireless). Might even have 2.4 GHz wireless phones. Take a look at this article I wrote about why wireless routers might be "broken" and you'll see why it's important to use the extreme ranges of channels in this setup.

    Chris Shipley
    Nutmeg Consulting

  • [to MirrorShades]
    I'd like to have both; my DHCP server to handle the LAN and DHCP from the router for the dormitory residents ONLY.
    I don't know how to do this.


  • [to mwasi]
    Good idea. I don't have the extra PC, but I'll tuck this away for future reference.


  • [to shipley.c]
    Thanks for the great input. I will look into this. I've also sent in an email to the router's tech support to ask for their help on setting up a DMZ, with the setting I've described in previous posts in this thread.
    Didn't know that about wireless phones and wireless APs.


  • In my opinion, you should buy a switch that supports wireless Virtual LAN (VLAN) to separate your company network. From there, you can create different LANs. This is the way that most companies and universities use for security purposes. That means users only surf the Internet without accessing company network resources.
  • Good idea. I'll check it out.


  • "I'd like to have both; my DHCP server to handle the LAN and DHCP from the router for the dormitory residents ONLY.
    I don't know how to do this."

    This is going to be dependent on your hardware. DHCP by the server on the LAN should be straightforward; just make sure that your router isn't passing the DHCP requests into your wireless zone (you can control this either via filters or by an option along the lines of "DHCP pass-through" -- again, it will depend on your router).

    Some routers may be able to do DHCP in a DMZ. In particular, I can speak with experience that IPCop functioning as a router/firewall can do this. (I know you said you didn't have an extra PC for it, though.)

    Check the manual for your router -- there is usually some way to control the wireless network separately from the LAN.
  • Thanks.


  • What's wrong with just letting the WRouter handle the DHCP?
  • I agree that the router could be the DHCP server for the wireless net if the wireless router was given a separate segment of IP addresses from the business LAN and the DHCP scope is within this new segment. Just make sure that DHCP requests are not forwarded between the nets.
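
As an added example (not code from any poster in this thread), the sketch below checks an address plan against the conditions raised above: the resident segment is separate from the business LAN, each DHCP scope stays inside its own segment, and the office router's static address sits on the resident subnet. All addresses and names are constructed, and keeping the static address out of the DHCP pool is an added assumption; it does not check whether DHCP requests are forwarded between the nets, which is a router setting.

```python
import ipaddress

def check_plan(lan_net, lan_pool, guest_net, guest_pool, uplink_ip=None):
    """Return a list of problems in a two-segment address plan; [] means OK.

    *_pool is a (first, last) DHCP range. uplink_ip is the static address the
    office router would hold on the resident (guest) subnet in the two-router
    layout; the name is hypothetical.
    """
    lan = ipaddress.ip_network(lan_net)
    guest = ipaddress.ip_network(guest_net)
    problems = []
    if lan.overlaps(guest):
        problems.append("LAN and guest subnets overlap")
    pools = {}
    for name, net, (first, last) in (("LAN", lan, lan_pool),
                                     ("guest", guest, guest_pool)):
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        pools[name] = (lo, hi)
        if lo > hi:
            problems.append(f"{name} DHCP pool is reversed")
        elif lo not in net or hi not in net:
            problems.append(f"{name} DHCP pool is not inside {net}")
    if uplink_ip is not None:
        addr = ipaddress.ip_address(uplink_ip)
        lo, hi = pools["guest"]
        edges = (guest.network_address, guest.broadcast_address)
        if addr not in guest or addr in edges:
            problems.append("uplink address is not a usable host on the guest subnet")
        elif lo <= addr <= hi:
            # Assumption added here: a static address should not be leasable.
            problems.append("uplink address sits inside the guest DHCP pool")
    return problems

# Constructed sample plans (addresses are illustrative, not from the thread).
GOOD = dict(lan_net="192.168.16.0/24", lan_pool=("192.168.16.50", "192.168.16.150"),
            guest_net="192.168.50.0/24", guest_pool=("192.168.50.100", "192.168.50.199"),
            uplink_ip="192.168.50.2")
BAD = dict(GOOD, guest_net="192.168.16.128/25", uplink_ip="192.168.50.150")

if __name__ == "__main__":
    for label, plan in (("good", GOOD), ("bad", BAD)):
        print(label, check_plan(**plan) or "OK")
```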