#264495 10/07/09 05:20 AM
Joined: Oct 2005
Posts: 4,685
Likes: 4
Member
OP Offline
I have a customer who has a boardroom which they rent out. They would like to provide wireless internet access in the boardroom while keeping renters off the office network.

They are using a Linksys 4 port wireless router. I saw nothing in the setup of the router to separate the wired ports from the wireless.

Any suggestions?


Marv CCNA, CTUB
TeleMarv Services (Retired)
Providing telecommunication solutions in Ottawa Canada since 1990
#264496 10/07/09 06:01 AM
Joined: Feb 2006
Posts: 826
Member
Offline
You could lock out the wired ports.

Siemon LockIT
Panduit BlockOut

#264497 10/07/09 06:18 AM
Joined: Oct 2005
Posts: 4,685
Likes: 4
Member
OP Offline
I'm not sure what you mean, Clinton. They are using the wired ports. I didn't see any way of "disconnecting" the wired from the wireless.

I just read this. Would this work?
Get a 2nd wired router with DHCP enabled but in a different subnet and move all of the wired computers to it.

Keep the modem connected to the wireless.

Connect a LAN port from the wireless to the WAN port of the new wired. This would give the WAN port of the wired router an IP off the wireless.

The wireless and wired would now have different LAN subnets.

Question: would I get internet access across to the wired side?


Marv CCNA, CTUB
TeleMarv Services (Retired)
Providing telecommunication solutions in Ottawa Canada since 1990
#264498 10/07/09 07:25 AM
Joined: Oct 2007
Posts: 289
sph Offline
Member
Marv, could you post the model name?
Generally Linksys routers are low end, and they bridge the wireless and wired LAN segments by default.
I don't think there's a way to unlink them easily. What you propose will not work. The DHCP server (the wireless router) has to be on the same LAN segment as the host device. The one somewhat complicated way is to add a static route between the two routers from say net 192.168.1.x to net 192.168.2.x. Then pass only the WAN traffic to the 2nd router.

#264499 10/07/09 07:35 AM
Joined: Mar 2005
Posts: 588
Moderator-Mobil Phones, Computers
Offline
Marv, that second router solution will work. You will basically have two routers each with its own DHCP server. The second router's WAN port would plug into a switch port on the first router. You don't have to add any static routes but you do have to make sure the routers are on different subnets. Leave the second router's WAN type as DHCP.

#264500 10/07/09 07:46 AM
Joined: Oct 2007
Posts: 289
sph Offline
Member
tito, I still don't see how the 2nd router (the wired one) would NOT have access to the wireless segment with the dhcp setup. Aren't they supposed to be entirely separate? I'm sure the renters wouldn't want the machines behind the wired router to be able to browse their network?

#264501 10/07/09 07:47 AM
Joined: Feb 2006
Posts: 826
Member
Offline
Sorry Marv, I misunderstood.

Just to clarify, and correct me if I'm wrong: The router has PCs wired which are on their network, and they want separate wireless access for renters in the boardroom.

If that's the case, I don't see a problem with your 2 router solution. You can chain two routers together using different LAN subnets, they will both have internet access, and hosts on Router A cannot access hosts on router B. This is essentially the same as the dentist office post.

#264502 10/07/09 08:21 AM
Joined: Mar 2005
Posts: 588
Moderator-Mobil Phones, Computers
Offline
SPH, the customer's concern is securing their own network and not the public side; had the customer requested two independent networks, then another solution would have been offered. I based my opinion off the initial post which said the customer needed to secure their own network. Whenever someone is using a public network, the responsibility is on them to secure their computers and typically not that of the network owner’s.

#264503 10/07/09 05:00 PM
Joined: Oct 2005
Posts: 4,685
Likes: 4
Member
OP Offline
That is exactly correct.
I want to secure the wired side from the wireless in the boardroom. I don't care if the wired side will or will not be able to see the renter's wireless. It's up to the renter to software firewall their laptop when connected in the boardroom.

Thanks everyone, I will propose the two router scenario.

Clinton, it is an off the shelf Linksys wireless router with 4 wired ports.


Marv CCNA, CTUB
TeleMarv Services (Retired)
Providing telecommunication solutions in Ottawa Canada since 1990
#264504 10/09/09 02:52 AM
Joined: Oct 2007
Posts: 289
sph Offline
Member
Well, I think this is the wrong setup. In a "public" network you (as the renter) don't expect a foreign router (the wired one in this case) to be a part of your LAN. The renter has a reasonable expectation that the provider of public access will not contaminate the renter's internal side, as opposed to safeguarding the external (WAN) side which is the renter's responsibility. As a business decision, it sucks. Certainly, if I was a renter this would be a deal-breaker.
Then there's the legal aspect: what happens if a virus or intrusion attacks the renter's machines from the wired router's LAN? You can scream all you want about how the renter should have also protected their LAN side, which is not really their responsibility anyway. The fact remains, you can be legitimately held responsible for any damages.
Technically, the setup proposed is a de facto static route, only not stated explicitly. Furthermore, there's no need to give the wired router a dhcp address. Give it a static address from the wireless router LAN range. At least that way you can easily administer the wired router from its WAN port. But this is still wrong, because the wired router is still able to route to the wireless segment. As I said previously, I would only allow traffic to/from the wireless router's WAN port to pass through to the wired one.

#264505 10/09/09 03:15 AM
Joined: Oct 2007
Posts: 289
sph Offline
Member
I should also add, if this is a business setup people should get the appropriate hardware. Risking your reputation and potential customers because you have $$$$$$$ worth of business info pass through a $60 router just doesn't make sense.

#264506 10/09/09 08:07 AM
Joined: Mar 2005
Posts: 588
Moderator-Mobil Phones, Computers
Offline
Oooops. laugh

SPH, I don’t see how you figure that the renter can be held responsible? By renting internet access the customer is acting as an ISP of sorts. So you think that it is the ISP's responsibility to protect the renter's network from attack? This logic would make Cox, ATT, Verizon, and every other ISP in the world responsible for keeping viruses and other malicious sorts out of the customer's computers. With most public internet access there is some sort of disclaimer making the user aware that this is an unsecure public network and the owner is not responsible for any damages. Technically, the routers are using dynamic routes and not static routes. If he were to add a route entry in the route tables then that would be a static route. Lastly you criticize this setup for security reasons but then you add that he should open the wired router up for administration from the WAN side? This is definitely a bad idea here. Because this is a business they require an expensive router? I'm not following the logic here. Not every business needs a full featured expensive router to conduct their business. There are tons of different ways to configure this and tons of money that can be spent doing it. The two router solution is quick, simple, and easy. The customer would have a standard Terms of Usage disclaimer and away we go.

#264507 10/09/09 09:21 AM
Joined: Oct 2005
Posts: 4,685
Likes: 4
Member
OP Offline
sph, your logic is unsound.

When I walk into a WiFi zone like Starbucks, I have no idea who else is on the subnet. It is up to me to secure my connection, not the other way around. A disclaimer posted on the wall would suffice since the WiFi in the board room is not restricted to the room and could be accessed by anyone near enough to the transceiver. I doubt your logic would not hold water in a court of law. It would be like saying if I accessed my neighbor's wireless connection because he was too stupid to secure it, I could sue him if I downloaded a virus.

Also the need for an expensive sophisticated router for a 4 person office is bull-hockey. Many businesses run on "consumer grade" routers and switches without any issue of reliability. The weakest link I have ever seen is the public connection.


Marv CCNA, CTUB
TeleMarv Services (Retired)
Providing telecommunication solutions in Ottawa Canada since 1990
#264508 10/10/09 02:50 AM
Joined: Sep 2006
Posts: 149
Member
Offline
Quote
Also the need for an expensive sophisticated router for a 4 person office is bull-hockey. Many businesses run on "consumer grade" routers and switches without any issue of reliability.
The el-cheapo router couldn't do what you wanted it to do. Wonder why?

By the way, a used Cisco is hardly expensive, but it is sophisticated. Worse yet, it has no web interface.

#264509 10/10/09 02:52 AM
Joined: Sep 2006
Posts: 149
Member
Offline
A dual-router is a kludge, by the way. It works, but it's a kludge, and every CG that sees it will know that a TG set it up.

#264510 10/10/09 04:43 AM
Joined: Oct 2007
Posts: 289
sph Offline
Member
I just think that the hardware should suit the task.
Low end home routers were not designed to provide public access, period. It's not the right tool for the job.
Secondly, the size of the business is secondary. The quality of the hardware should be proportional to the value you attach to the information handled by the device. Are you accepting/making payments to customers electronically? Do you do online banking for your business? Do you send/receive sensitive or important emails? Is public access a sales tool for your product? Imo, in these and other cases a "home" setup won't do. Just because you have law enforcement in your town doesn't mean it's wise to leave the front door unlocked.
We're not talking of spending $1000+ on a Cisco router. For $200-$300 you CAN get a router that can do these 2 things:

1. Keep the wired and wireless segments separate. Usually by having a pre-configured firewall between the two. Wireless devices with the proper credentials can bypass the firewall through a VPN connection to the wired segment.
2. Disallow station-to-station access. That is, different wireless devices on the same WLAN cannot talk to each other unless you expressly allow it.

In all public access setups I was involved with, the above 2 rules are no-brainers. I would be very surprised if ANY public access scheme (including your favorite Starbucks) does things differently. In addition, you have the usual disclaimers that warn about the inherent increased relative insecurity of any wireless access.
But it is important to know what can stand up to these disclaimers and what the customer expects.

This is the proposed setup:

1. Wireless router is connected to the outside world. It gets a WAN (external) IP from the ISP. This connection is by definition insecure, and the usual disclaimers apply.

2. Wireless router has a LAN (internal) IP of say, 192.168.1.1. With DHCP on, it hands out 192.168.1.x addresses to all connected devices. This connection is considered secure relative to the WAN. For this reason communications inside the LAN are not scrutinized the way WAN (especially INCOMING WAN) communications are - nor are they normally expected to. For the wireless part, the usual disclaimers relating to the inherent general shortcomings of WIRELESS COMMUNICATIONS apply. Keep this in mind.

3. There is also a wired router that gets its WAN (external) IP address from the wireless router. Let's say it ends up with WAN IP 192.168.1.100. The wired router may or may not consider the connection insecure depending on the setup. For low end devices the usual default is: consider all INCOMING WAN communications insecure, but place no restrictions on all OUTGOING WAN communications. This router is NOT part of the wireless segment, but it IS part of the overall internal LAN of the wireless router (192.168.1.x, which includes the wireless segment). Disclaimers relating to internet access or wireless communications DO NOT APPLY to this device. Or maybe you want to go to court and find out the hard way.

4. The wired router has a LAN (internal) IP of say, 192.168.2.1. The devices connected to it, have addresses in that range. Don't forget there's no restrictions to outgoing communications originating from this LAN. For these devices the internet IS the wired router's WAN IP address: 192.168.1.100. That's where the world starts for them, smack in the middle of the wireless router's LAN. What a nice back door to that LAN, which normally does not expect attacks from the inside.

tito, I think you mix up dynamic ADDRESSES with dynamic ROUTES. The route between these 2 routers is not dynamic. There's no discovery, no changes in the MAC address table, and the wireless just hands out a known (to it) IP address to the port. Actually, being a port-to-port route with zero hops it is as static as a static route can get.
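
The reachability argument in this thread (guests on the wireless router's 192.168.1.x LAN, office PCs behind a second router on 192.168.2.x) can be checked with a small model. This is an added example, not code from any poster; the host addresses, the `NatRouter` class and its egress-filter option are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed addresses: subnets follow the thread, host addresses are made up.
OUTER_LAN = "192.168.1.0/24"     # wireless router LAN (guests); inner WAN is .100
INNER_LAN = "192.168.2.0/24"     # wired router LAN (office PCs)
GATEWAY = "192.168.1.1"          # wireless router, also the DNS relay
GUEST, OFFICE_PC, INTERNET = "192.168.1.50", "192.168.2.10", "203.0.113.7"


@dataclass
class NatRouter:
    """Home NAT router: drops unsolicited WAN->LAN, forwards LAN->WAN."""
    lan: str
    # Assumed hardening feature; many consumer routers do not offer it.
    egress_deny: list = field(default_factory=list)    # blocked destinations
    egress_allow: list = field(default_factory=list)   # exceptions, checked first

    def on_lan(self, ip):
        return ip_address(ip) in ip_network(self.lan)

    def forwards_out(self, dst):
        d = ip_address(dst)
        if any(d in ip_network(n) for n in self.egress_allow):
            return True
        return not any(d in ip_network(n) for n in self.egress_deny)


def can_initiate(src, dst, outer, inner):
    """True if src can open a NEW connection to dst (replies are not modelled)."""
    if inner.on_lan(dst):
        # Same switch is fine; anything else is unsolicited WAN->LAN traffic.
        return inner.on_lan(src)
    if inner.on_lan(src):
        # Office host: NATed to the inner WAN address, which sits on the
        # outer LAN, so guests are one hop away unless egress is filtered.
        if not inner.forwards_out(dst):
            return False
        return outer.on_lan(dst) or outer.forwards_out(dst)
    if outer.on_lan(src):
        return outer.on_lan(dst) or outer.forwards_out(dst)
    return False  # source on the Internet: stopped by the outer router's NAT


def reachability(hardened=False):
    """Connection matrix for the default and the egress-filtered inner router."""
    outer, inner = NatRouter(OUTER_LAN), NatRouter(INNER_LAN)
    if hardened:
        inner.egress_deny = [OUTER_LAN]
        inner.egress_allow = [GATEWAY + "/32"]
    flows = {
        "guest->office": (GUEST, OFFICE_PC),
        "office->guest": (OFFICE_PC, GUEST),
        "office->gateway": (OFFICE_PC, GATEWAY),
        "office->internet": (OFFICE_PC, INTERNET),
        "guest->internet": (GUEST, INTERNET),
    }
    return {name: can_initiate(s, d, outer, inner) for name, (s, d) in flows.items()}


if __name__ == "__main__":
    for mode in (False, True):
        print("hardened" if mode else "default ", reachability(mode))
```

With default settings the office is shielded from guests but can still open connections to them; the egress filter closes that direction while keeping Internet and gateway access.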

#264511 10/10/09 04:52 AM
Joined: Nov 2004
Posts: 290
TDS Offline
Member
this should work
https://www.guestgate.com/us/en/

add an access point off of this in meeting area
can be configured to allow those connected to see each others' computers but not the host net
or by default dhcp give each computer its own separate ip
also page of terms of use & password access

for about 250.00

#264512 10/10/09 09:17 AM
Joined: Sep 2006
Posts: 149
Member
Offline
Cisco 871W should do what is needed here. Not terribly expensive either--about $350.

#264513 10/10/09 04:24 PM
Joined: Apr 2001
Posts: 1,390
Member
Offline
Netgear DIR655 has exactly what you are looking for; a wireless guest zone which is completely segmented from the host zone, both wired and wireless.

#264514 10/11/09 12:18 AM
Joined: Aug 2002
Posts: 2,608
Moderator-ESI, Shoretel
***
Offline
Quote
Originally posted by brianl703:
A dual-router is a kludge, by the way. It works, but it's a kludge, and every CG that sees it will know that a TG set it up.
About time we got them back!!

#264515 10/11/09 12:31 AM
Joined: Aug 2002
Posts: 2,608
Moderator-ESI, Shoretel
***
Offline
A simpler (and safer) option would be to get another public ip address, put a switch between the router and modem and then feed the wireless access point off the switch.

Most cable companies allow 3 dynamic ip's per account or you can get a block of 5 if you use statics.

#264516 10/11/09 02:30 AM
Joined: Sep 2006
Posts: 149
Member
Offline
Quote
Originally posted by upstateny:
About time we got them back!!
I think it's best if people stick with doing what they know how to do, instead of doing a shoddy job. Someone who expected to be able to separate the wired and wireless ports on a Linksys router is someone who does not have the experience to be doing what they are trying to do.

As to your suggestion about a 2nd IP address, that will most likely have a monthly recurring cost associated with it which will, over time, exceed that of using a better router. (I don't know of any ISP that gives you a 2nd IP for free).

Quote
Most cable companies allow 3 dynamic ip's per account or you can get a block of 5 if you use statics.
Why would you think this is cable? Probably isn't, most commercial districts are not yet wired for cable.

#264517 10/12/09 12:59 AM
Joined: Aug 2002
Posts: 2,608
Moderator-ESI, Shoretel
***
Offline
Quote
Originally posted by brianl703:
Quote
Originally posted by upstateny:
About time we got them back!!
I think it's best if people stick with doing what they know how to do, instead of doing a shoddy job. Someone who expected to be able to separate the wired and wireless ports on a Linksys router is someone who does not have the experience to be doing what they are trying to do.

As to your suggestion about a 2nd IP address, that will most likely have a monthly recurring cost associated with it which will, over time, exceed that of using a better router. (I don't know of any ISP that gives you a 2nd IP for free).

Quote
Most cable companies allow 3 dynamic ip's per account or you can get a block of 5 if you use statics.
Why would you think this is cable? Probably isn't, most commercial districts are not yet wired for cable.
My first comment was a joke....sorry you mistook it for a serious comment.

I have no idea whether cable is available....and in my area the entire commercial district is covered by the local cable company...who gives 3 dynamic addresses with the purchase of internet access.

Not sure who your customers deal with for ISP's but I rarely see any extra charge for additional static addresses in my area...you just need to explain why you need them.

I wasn't telling him to do it...just suggesting a possibility that would properly address the issues associated with sharing one internet connection.

#264518 10/12/09 08:35 AM
Joined: Sep 2006
Posts: 149
Member
Offline
Quote
and in my area the entire commercial district is covered by the local cable company
The local cable company here has been doing a better job of getting their services extended to commercial areas as of the last few years, but there are still many commercial areas that they haven't wired. They focused their efforts on residential areas first.


Quote
Not sure who your customers deal with for ISP's
Comcast is the major cable ISP in the area. They charge for extra IPs.

Verizon does not even offer additional IPs on their DSL service, from what I've been told. They do on their FIOS business service, but that has even poorer availability in commercial areas than Comcast does.

Quote
I wasn't telling him to do it...just suggesting a possibility that would properly address the issues associated with sharing one internet connection.
It would, if that option is available.

#264519 10/15/09 12:55 PM
Joined: Apr 2001
Posts: 1,390
Member
Offline
Quote
Originally posted by rustynails:
Netgear DIR655 has exactly what you are looking for; a wireless guest zone which is completely segmented from the host zone, both wired and wireless.
Check that ...DLink not Netgear

#264520 10/19/09 03:31 AM
Joined: Oct 2007
Posts: 289
sph Offline
Member
For the past 2 years I've been using this at home:

home router

I wouldn't recommend it for public access, but for a small network that wants to provide occasional guest wireless access, it's ok. The drawbacks: it has a 5 concurrent-user licence only (fine for me @ home as there's almost never more than 3 of us simultaneously online) - you can upgrade to 15 max.
You need an annual subscription (less than half the purchase price) for updates to the gateway firewall, intrusion detection, antivirus, antispam and reporting (all services are monitored by CheckPoint). Also, access slows noticeably when you set the built-in antivirus to check ftp transfers.
And it's kind of dated compared to the newest home routers.
But there's no home router that beats it in security.

Sundance Communications is not affiliated with any of the above manufacturers. Sundance Phone System Forums - VOIP & Cloud Phone Help
©Copyright Sundance Communications 1998-2024