Creating separate networks with current router

Hi, is it possible to create distinct networks (2..3) using a single
router and IP connection?

We currenty have a wireless LAN working and plan on renting some rooms
to students who want to hook up to the web. Because the foreseeable
stay will be short, we do not want to add an additional ADSL line.

To preserve security, I thought of adding dedicated LAN networks and
assign them to each student. Would that work? Is there a simple
work-around?

TIA for any suggestions, Mark

msch-prv@bluewin.ch hath wroth:

>Hi, is it possible to create distinct networks (2..3) using a single
>router and IP connection?

Yes, but don't bother. You have bigger problems.

>We currenty have a wireless LAN working and plan on renting some rooms
>to students who want to hook up to the web. Because the foreseeable
>stay will be short, we do not want to add an additional ADSL line.
>
>To preserve security, I thought of adding dedicated LAN networks and
>assign them to each student. Would that work? Is there a simple
>work-around?
>
>TIA for any suggestions, Mark

This is a very common problem that has been solved many time by
everything from coffee shop wireless networks to schools. The basic
problem is that 802.11 wireless is bridging, not routeing. Therefore,
the wireless really knows nothing about IP addresses and dividing a
network by subnets. It can divide a network using VLAN's, but that
becomes an administrative problem.

The basic requirement is to isolate each connection. It's sometimes
called "AP isolation" or more correctly "client isolation". This
prevents any packets from going between clients. Everything goes to
or from the internet.

The way the local college does it may be a bit of overkill.
http://resnet.ucsc.edu
Users are assigned an IP address via a DHCP server. The MAC address
of their router or PC/Mac is stored in a RADIUS authentication
database. Individual users must also authenticate with the RADIUS
server to get past the router. Most residents have cheap routers,
with the MAC address of the router setup as registered hardware. They
can do whatever they want behind their own router.

I'm not sure what you mean by a "short stay". If that's only a few
days, then I would look into a commercial (or home made) wireless
hotspot system.
http://wireless.wikia.com/wiki/Wi-Fi...etup_a_hotspot
If it's more like several months of the skool year, then something
more like the previously mentioned university system would be more
appropriate.

--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

> Hi, is it possible to create distinct networks (2..3) using a single
> router and IP connection?
>
> We currenty have a wireless LAN working and plan on renting some rooms
> to students who want to hook up to the web. Because the foreseeable
> stay will be short, we do not want to add an additional ADSL line.
>
> To preserve security, I thought of adding dedicated LAN networks and
> assign them to each student. Would that work? Is there a simple
> work-around?

If you're going to ask questions about a router, at least say what MODEL
router!

Some routers like a Linksys WRT54GS can load a 3rd party firmware. Those
firmware often include the ability to setup virtual LAN (vlan)
configurations, along with iptable routing restrictions. Then you'd also
have to setup the necessary DHCP or other static address info. But bear in
mind this is targeted toward the WIRED ports on the switch, not wireless.
It might be possible to perform more fine-grained control over multiple
client machines over the single wireless link but it'd be a bit complicated
to manage. You could also put separate wifi access points on the wired
ports. This would be "better" but would also present some wifi
configuration issues like overlapping channels and coverage. But putting
them on their own WPA-secured access point, separate from your other one,
and then setting up a VLAN controlling that access point's connection would
probably handle it. Not for the unexperienced but not impossible either,
provided you've got the right equipment.

Thanks for your answers.

We have a small XP-home based LAN. I was looking for something simpler
along the lines of changing the firewall or perhaps adding an
additional router to segregate one network from the other. Would that
make sense?

TIA, Mark

On Sun, 3 Sep 2006 12:51:41 -0400, "Bill Kearney" <wkearney99@hotmail.com>
wrote:
:
: > Hi, is it possible to create distinct networks (2..3) using a single
: > router and IP connection?
: >
: > We currenty have a wireless LAN working and plan on renting some rooms
: > to students who want to hook up to the web. Because the foreseeable
: > stay will be short, we do not want to add an additional ADSL line.
: >
: > To preserve security, I thought of adding dedicated LAN networks and
: > assign them to each student. Would that work? Is there a simple
: > work-around?
:
: If you're going to ask questions about a router, at least say what MODEL
: router!
:
: Some routers like a Linksys WRT54GS can load a 3rd party firmware. Those
: firmware often include the ability to setup virtual LAN (vlan)
: configurations, along with iptable routing restrictions. Then you'd also
: have to setup the necessary DHCP or other static address info. But bear in
: mind this is targeted toward the WIRED ports on the switch, not wireless.
: It might be possible to perform more fine-grained control over multiple
: client machines over the single wireless link but it'd be a bit complicated
: to manage. You could also put separate wifi access points on the wired
: ports. This would be "better" but would also present some wifi
: configuration issues like overlapping channels and coverage. But putting
: them on their own WPA-secured access point, separate from your other one,
: and then setting up a VLAN controlling that access point's connection would
: probably handle it. Not for the unexperienced but not impossible either,
: provided you've got the right equipment.

The (relatively) new Linksys WRT54GP handles up to eight wireless VLANs. You
can, for example, assign a separate WPA passphrase to each SSID. I've deployed
four of these routers so far and found them to work well. The only tricky part
is setting up the trunk for the wireless VLANs. I guess you'll need a managed
switch, and that could run into some money. (Sorry to be vague, but our
network engineer handled the trunk setup for me.)

You can read about the WRT54GP on the Linksys Web site. Oddly (IMO), what they
emphasize is the router's native POE capability, not the VLANs.

Sorry, the router is Prestige 660HW-61 ZyXel (I live in Switzerland, so
I don't know if there is something similar in the US)

Robert Coe <bob@1776.COM> wrote:

> You can read about the WRT54GP on the Linksys Web site.

Do you have a URL? The web site's search engine doesn't know about it.

On Sun, 03 Sep 2006 22:22:09 GMT, neillmassello@earthlink.net (Neill Massello)
wrote:
: Robert Coe <bob@1776.COM> wrote:
:
: > You can read about the WRT54GP on the Linksys Web site.
:
: Do you have a URL? The web site's search engine doesn't know about it.

I'm sorry; I misspoke. It's an access point, not a router. So I guess the
model number is WAP54GP. That shouldn't make it any less usable for the
purpose under discussion.