Separating Wired and Wireless Networks

Hi all

OK so this is maybe a bit OT for the group, but here goes.

I've never been a fan of wireless, so cabled the house up with Cat 5 to a number of rooms. There are clearly now numerous devices that will only connect wirelessly and I am under pressure to add a WAP.

I've inherited a Netgear DG834G wireless router, our existing network uses the wired version of this device. I have set up the wireless router as a WAP OK, but wondered if it is possible to configure it as a DHCP server with a different address range to the wired router.

Not sure how much security this would add, but I'm inclined to do as much as possible to separate the wireless network from certain wired devices. The SSID of the WAP is hidden and MAC address filtering on that router is in place.

Anyone setup a separate wired and wireless network?

TIA

Phil

Reply to
thescullster

On Thursday 01 August 2013 09:10 thescullster wrote in uk.d-i-y:

I did have mine on separate routed networks with a firewall in between. But it was more trouble than it was worth - particularly if I plugged my laptop in and the IP changed and locked up all my ssh sessions.

In the end I merged them (WIFI in bridged mode).

In theory you can still stick a bridging firewall between then or make use of whatever firewalling is in the WIFI AP - but having a flat IP space seems to be less hassle - at least with my usage patterns.

Reply to
Tim Watts

IIRC, the DG834G is an ADSL router, so it has 4 LAN ports and the WAN side is via the ADSL modem, therefore unless you can obtain different firmware that will allow you to change one of the LAN ports to a WAN port, you can't do what you are thinking with this router...

To separate into two completely separate networks you either need a "Cable" wireless router that has a WAN Ethernet port. You would then configure the WAN Ethernet port with an IP address in the range of your current wired LAN and connect it to that, then configure the LAN of the wireless router to a new range. While this will work most of the time, it causes a double NAT, which can cause issues, especially with things like VPN connections.

To do it properly, you either need an enterprise level firewall that can manage all this in one box, like a SonicWall, or you need three "home" routers, and multiple public IP addresses from your ISP.

The three routers way is where you have the primary router connecting to your broadband, and then the two other routers connect to this, each getting a different public IP address from the primary router, the networks are then as separate as yours and mine are now.

Reply to
Toby

Personally I wouldn't bother with NATs/firewalls internally. I have my LAN and WLANs (two of them) on different subnets, and each wireless router has its own DHCP server (it is authoritative for its own subnet), but I have it all routed rather than NATted to make it easy, and don't bother with firewalls internally. But then I'm in the sticks at low risk of drive by hacking.

As an example, of why I want it set up this way - I have a print server set up on one of my wireless networks - to be able to access it from the other requires either routed network (or bridged) or some manual NAT configuration (which just isn't worth the hassle).

Personally I favour the Linksys WRT54g series of APs - they're simple and they just work. I also have some new fangled 802.11n TP-Link AP and it's total crap - just can't hold a connection - I recently replaced it with another wrt54g off ebay.

Reply to
Piers

Whichever route you go, make sure to use WPA rather than WEP encryption. WEP is very easy to crack, WPA much less so...

WPA2 if it offers you the option...

Reply to
tony sayer

No need. The DG834 supports a "wireless isolation" option if you want. Turn that on, and wireless clients won't be able to communicate with each other, or with devices on the wired section of the LAN.

This may do what you want, but may also prove a bit restrictive.

Yup, however if you want more flexibility, then having a more sophisticated router helps. Something like a Vigor 2830 will let you configure up to 4 SSIDs on the same WAP, and each can have different levels of access - and can be allocated to separate VLANs as well. So you can have things like guest wifi that can see the internet - perhaps with upload and download rate limits in place, and no access to LAN machines, and then a more privileged wifi that can see other machines and has no limit etc.

(note that MAC address filtering does not really offer security as such - since someone wanting access can simply sniff the MAC addresses that are talking then clone one later. Hiding the SSID is also a fairly feeble security measure in this day and age)

Reply to
John Rumm

Yes, but I have a "dumb" access point plugged into a dedicated interface on my Smoothwall. The wireless network is on a separate IP address range from the wired network. The Smoothwall provides DHCP services and routing from the wireless network to the wired and the Internet.

Reply to
Huge

If you want your wired and wireless devices to share the same internet connection, they all really need to be in the same subnet. You could use separate ranges within that if you were to allocate fixed addresses to all the wired devices, and use DHCP to allocate a restricted non-overlapping range of addresses for the wireless devices. If you then used a software firewall (e.g. Zone Alarm) on each wired device, you could define your 'home network' as just being the address range used by the wired devices. They could then see each other, but the wireless devices wouldn't be able to see them.

Reply to
Roger Mills

On Thursday 01 August 2013 12:28 Roger Mills wrote in uk.d-i-y:

Why?

Reply to
Tim Watts

Not.

Reply to
Huge

Set one up a long while back, but not recently. So I am well out of date :-)

Back in the day you needed three things to create the setup you seem to want - the classic De Militarised Zone or DMZ.

(1) Internet facing (firewall) router - any old NAT router will do. This connects to the outside world and to the internal DMZ.

(2) House router with all your current cabled devices - this connects on one side to the DMZ and on the other side to the house LAN.

(3) Wireless router - connects to the DMZ on one side and wireless devices on the other.

The idea is that all your routers will not take incoming calls from the WAN side, only call out from the LAN side.

So any wireless devices can call into the DMZ then out through the firewall router to the Internet, but cannot call into the DMZ and then into the house LAN router.

Same applies to calling from the house LAN to a wireless device.

Each router can run its own subnet and be a DHCP server for that subnet. The nice thing about NAT is that it takes a single IP address on the WAN side and maps all the different LAN IP addresses to and from that.

So in theory you can have a row of NAT routers all onto the same LAN each with only one IP address, or you can cascade the NAT routers in a tree structure.

Each router runs its own environment and shouldn't be dependent on any other device apart from the one providing its WAN IP address.

Cheers

Dave R

Reply to
David.WE.Roberts
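The three-router DMZ layout Dave describes above, as an added example that is not part of the original post: a small Python model of NAT routers that let LAN hosts call out and accept only replies on the WAN side. The topology, the 10.0.0.0/24 DMZ and every host address are constructed for the example, not values from the thread.

```python
import ipaddress


class NatRouter:
    """A home NAT router as Dave describes it: LAN hosts may open flows
    outwards, and the WAN side accepts only replies to those flows.
    Anything unsolicited arriving at the WAN interface is dropped."""

    def __init__(self, name: str, lan_net: str, wan_ip: str):
        self.name = name
        self.lan = ipaddress.ip_network(lan_net)
        self.wan_ip = ipaddress.ip_address(wan_ip)
        self.flows = {}  # remote address -> LAN host that opened the flow

    def outbound(self, src, dst):
        """LAN host src opens a flow to dst; returns the translated source."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src not in self.lan:
            raise ValueError(f"{src} is not on {self.name}'s LAN")
        self.flows[dst] = src
        return self.wan_ip

    def inbound(self, src, dst):
        """Packet at the WAN side: deliver to the LAN host that opened a
        flow to src, or None (dropped) if there is no such flow."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dst != self.wan_ip or src not in self.flows:
            return None
        return self.flows[src]


# Constructed topology (all addresses are assumptions, not from the thread):
# the DMZ 10.0.0.0/24 sits between the firewall router and the two inner routers.
DMZ = ipaddress.ip_network("10.0.0.0/24")
FIREWALL = NatRouter("firewall", "10.0.0.0/24", "203.0.113.5")
HOUSE = NatRouter("house", "192.168.1.0/24", "10.0.0.2")
WIRELESS = NatRouter("wireless", "192.168.2.0/24", "10.0.0.3")
INNER = [HOUSE, WIRELESS]


def send(src: str, dst: str) -> str:
    """Trace a packet from a LAN host behind an inner router.
    Returns 'internet', the LAN host it reached, or 'dropped'."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    origin = next(r for r in INNER if src_ip in r.lan)
    dmz_src = origin.outbound(src_ip, dst_ip)  # NATted onto the DMZ
    if dst_ip in DMZ:
        # Aimed at a sibling router's WAN interface: only replies get in.
        target = next((r for r in INNER if r.wan_ip == dst_ip), None)
        host = target.inbound(dmz_src, dst_ip) if target else None
        return str(host) if host else "dropped"
    if any(dst_ip in r.lan for r in INNER):
        # A sibling LAN's private addresses are not routable from the DMZ.
        return "dropped"
    FIREWALL.outbound(dmz_src, dst_ip)  # NATted again onto the public IP
    return "internet"


def reply(remote: str) -> str:
    """Trace a packet from the internet back through both NAT layers."""
    dmz_host = FIREWALL.inbound(remote, FIREWALL.wan_ip)
    if dmz_host is None:
        return "dropped"
    target = next((r for r in INNER if r.wan_ip == dmz_host), None)
    host = target.inbound(remote, dmz_host) if target else None
    return str(host) if host else "dropped"


if __name__ == "__main__":
    print("wireless -> internet:", send("192.168.2.20", "198.51.100.7"))
    print("internet reply      :", reply("198.51.100.7"))
    print("wireless -> house   :", send("192.168.2.20", "192.168.1.10"))
    print("wireless -> house rtr:", send("192.168.2.20", "10.0.0.2"))
    print("house -> wireless   :", send("192.168.1.10", "192.168.2.20"))
```

The model only tracks flows by remote address, which is enough to show the point Dave makes: a wireless client reaches the internet through two layers of NAT and gets its replies back, but cannot get into the house router (no matching flow) or address the house LAN directly, and the same holds in the other direction.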

Because they need to be able to see the same gateway (usually the router's LAN address).

I suppose there might be some scope for mucking about with subnet masks so that not all devices see the same subnet 'width'.

Reply to
Roger Mills

+1 it ain't worth the hassle

Reply to
The Natural Philosopher

another 1

I tried it for a while with a spare router, but in the end it was more trouble than it was worth. Complexity can be the enemy of security, and IMO it's better (in an ordinary domestic environment) to keep things simple. So, one flat network, and save your energy for securing the wireless network.

Reply to
Mike Barnes

As others have suggested, I'm not sure that you have fully grasped how subnets and IP address ranges work.

Or conversely, you are expressing yourself in a way that is not clear.

I assume you know that a physical LAN (set of wires) can support several logical LANs (IP subnets).

So for example one physical Ethernet network could support 192.168.0.0, 192.168.1.0, 192.168.2.0.

As long as the router can support multiple logical LANs then there is no requirement for all your local devices to share the same subnet.

Alternatively you can put some of them behind a NAT router on a different subnet.

In the OP's case it is highly desirable that they do not share the same subnet, and if possible they use different NAT routers.

However many modern wireless routers can support multiple subnets - this just doesn't give physical separation which is always a good idea.

Old style routers (business routers) would support a number of logical LANs on a single physical LAN and route between them or block as required.

Cheers

Dave R

Reply to
David.WE.Roberts

I'm not aware that ordinary domestic routers *can* support multiple logical LANs, hence my reference to mucking about with subnet masks.

In the example you give, if you use the 'default' subnet mask of 255.255.255.0, all devices on the 168.0 subnet can see each other but can't see anything on the 168.1 or 168.2 subnets.

However, if you were to change the mask to 255.255.252.0 the 3 subnets would merge into one, and everything would be able to see everything. But in that case, you'd no longer achieve the desired isolation!

Reply to
Roger Mills
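An added example, not code from any of the posters, covering two of Roger's points: the subnet-mask comparison just above (the three 192.168.x.0 ranges Dave mentioned stay apart under 255.255.255.0 and merge under 255.255.252.0), and his earlier suggestion of fixed wired addresses plus a restricted wireless DHCP pool inside one subnet with a host firewall trusting only the wired range. The host addresses and both ranges are constructed for the example.

```python
import ipaddress

# Constructed sample hosts: one in each of the three /24 ranges from the
# thread. None of these addresses come from the original posts.
HOSTS = {
    "wired-pc": "192.168.0.10",
    "wireless-1": "192.168.1.20",
    "wireless-2": "192.168.2.30",
}


def same_subnet(addr_a: str, addr_b: str, netmask: str) -> bool:
    """True if both addresses land in the same network under this mask,
    i.e. they can talk directly without going through a router."""
    net_a = ipaddress.ip_network(f"{addr_a}/{netmask}", strict=False)
    net_b = ipaddress.ip_network(f"{addr_b}/{netmask}", strict=False)
    return net_a == net_b


def reachable_pairs(hosts: dict, netmask: str) -> set:
    """Every pair of named hosts that sees each other directly under the mask."""
    names = sorted(hosts)
    return {
        (a, b)
        for a in names
        for b in names
        if a < b and same_subnet(hosts[a], hosts[b], netmask)
    }


# Roger's single-subnet variant: wired boxes on fixed addresses, wireless
# clients leased from a non-overlapping DHCP pool, and a host firewall on
# each wired box that trusts only the wired range. Both ranges are
# assumptions for the example, not values from the thread.
WIRED_RANGE = ("192.168.0.10", "192.168.0.49")
WIRELESS_POOL = ("192.168.0.100", "192.168.0.149")


def in_range(addr: str, low: str, high: str) -> bool:
    """Inclusive check of an address against a dotted-quad range."""
    a = ipaddress.ip_address(addr)
    return ipaddress.ip_address(low) <= a <= ipaddress.ip_address(high)


def wired_host_firewall_allows(src: str) -> bool:
    """Decision a wired box's software firewall makes for an inbound
    connection: accept only sources inside the wired range. This trusts
    the address alone; it is a policy boundary, not a separate network."""
    return in_range(src, *WIRED_RANGE)


if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.252.0"):
        print(mask, sorted(reachable_pairs(HOSTS, mask)))
    for src in ("192.168.0.20", "192.168.0.120"):
        print(src, "allowed" if wired_host_firewall_allows(src) else "blocked")
```

Under the /24 mask no pair is directly reachable, so the isolation Roger wants exists only while the router refuses to route between the ranges; under /22 all three pairs appear, which is exactly the "everything sees everything" outcome he warns about. The per-host firewall variant keeps one subnet and relies on address ranges being honoured, which is why he frames it as something wired devices enforce for themselves rather than as network separation.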


On Thursday 01 August 2013 22:34 Roger Mills wrote in uk.d-i-y:

A half decent one can - eg some of the Drayteks.

Reply to
Tim Watts

In article , Tim Watts scribeth thus

Yes they do .. as long as you can work out how to configure them;)..

Good units otherwise, bit pricey 'tho...

Reply to
tony sayer

[snip].

OK, well, I have to confess that I loathe Netgear WiFi. It always seems flaky and unreliable. The last Netgear WiFi router that I owned went back for a refund because it dropped the link to any device after a few minutes of use.

What you want to do can be done, but not AFAIK using that Netgear router which is an all in one design with DNS and DHCP shared between LAN and WiFi.

With a separate wireless access point you have two main options, to use the WAP as a router or as a bridge. I think the Netgear that you have only supports bridge mode and all WiFi clients must be in the same address range as the LAN.

With a separate WAP you can configure it as a router with its own DHCP and DNS. All your WiFi clients can then be on a separate subnet and you route to your existing LAN using NTP. This protects your WiFi clients from your LAN to an extent but does not protect your LAN from the WiFi clients.

Having tried lots of these things I strongly recommend Apple's Airport Express. They cost about the same as the competition, are really well made and provide two setup modes. A basic chimp mode that lets any idiot get it working and an advanced user admin interface that is vastly superior to the Netgear tat.

It will also support network printing and you can use it as a media streaming box for your hifi. It has an optical and analogue output.

I would stay with or revert to your non-wifi router and run to Apple or PC World or browse eBay to buy an airport express. Then set up the airport express in router mode.

Reply to
Steve Firth
