  #1 (permalink)  
Old 10-29-2008, 06:43 PM
Tanel Kagan
Guest
 
Posts: n/a
Default New user on Wired/Wireless setup

Hello group,

I essentially have a wired business network with about 8 PCs on it, spread
over 2 workgroups.

We use a fairly basic router that also has a wireless function on it. We
don't use this function but it's there as a sort of "Plan B" in case we have
a problem with our cables.

Another occupier in our building has asked if they can access the internet
via our network. I don't mind in principle but this user is unlikely to be
here very long and we don't want to go to the trouble and expense of running
new cables etc. I thought therefore it might be possible to allow access
using the wireless connection. I obviously don't want this user to be able
to access any of our business data.

What I need to know is whether there is a way to set up the other user's
connection so that they can access the internet, but without allowing them
to see any of the other machines on our network or access any of our data.
Is this possible, or once connected will they have access to everything?

As things stand every PC can see the data on every other PC, since that
suits our way of working, would we have to change this on all the PCs and
set specific permissions, excluding the new user, or is there a way for the
new user to access the internet without becoming part of our network at all?

Regards,

Tanel.





Reply With Quote
  #2 (permalink)  
Old 10-29-2008, 08:27 PM
Mark McIntyre
Guest
 
Posts: n/a
Default Re: New user on Wired/Wireless setup

Tanel Kagan wrote:
> What I need to know is whether there is a way to set up the other user's
> connection so that they can access the internet, but without allowing them
> to see any of the other machines on our network or access any of our data.
> Is this possible, or once connected will they have access to everything?


The way you have it configured, yes they'll have access to everything.
But you can trivially test - just bring your own wireless laptop in and
connect to your network. What do you see?

> As things stand every PC can see the data on every other PC,


All the data? You mean the entire contents of c:\ or do you have some
specific area e.g. c:\data which is shared out? If the former, you have a
massively insecure config which is ripe for hacking.

By the way - is your wireless currently disabled or merely unused? If
it's active then someone could sit in a nearby building and hack you.
What wireless security are you using?

> since that
> suits our way of working, would we have to change this on all the PCs and
> set specific permissions,


You'd need to configure all your PCs differently. You need to configure
all the shares with user-level security and set up usernames on all the
PCs which are then permissioned to read these shares. Note:

>excluding the new user, or is there a way for the
> new user to access the internet without becoming part of our network at all?


The alternative is to use something called double-NAT. You don't want to
go there, it's complicated.

Reply With Quote
  #3 (permalink)  
Old 10-29-2008, 11:59 PM
Char Jackson
Guest
 
Posts: n/a
Default Re: New user on Wired/Wireless setup

On Wed, 29 Oct 2008 19:27:11 +0000, Mark McIntyre
<markmcintyre@TROUSERSspamcop.net> wrote:

[...]
>
>The alternative is to use something called double-NAT. You don't want to
>go there, it's complicated.


I have not yet run into a situation where double NAT was complicated.
Granted, it's a relatively uncommon configuration in SOHO and
residential situations, but only because it's not generally necessary,
not because it's complicated. If the circumstances call for it, by all
means use it.


Reply With Quote
  #4 (permalink)  
Old 10-31-2008, 03:04 PM
Jeff Liebermann
Guest
 
Posts: n/a
Default Re: New user on Wired/Wireless setup

On Wed, 29 Oct 2008 17:43:49 -0000, "Tanel Kagan"
<tanelkagan@(nospamatall).hotmail.com> wrote:

>We use a fairly basic router that also has a wireless function on it.


Maker and model of your router please?
DSL, cable, satellite, fiber, T1, or two tin cans and a string?

>What I need to know is whether there is a way to set up the other user's
>connection so that they can access the internet, but without allowing them
>to see any of the other machines on our network or access any of our data.


This is the classic coffee shop problem. The idea is to give coffee
shop visitors access to the internet, without also giving them access
to the cash register, office computah, etc.

If you just hang another wireless access point on your existing
network, the neighbors will have access to everything.

The easy way to do this is to use two IP addresses from your ISP. Many
ISP's will sell you a 2nd IP address for a reasonable price. Your
modem can possibly bridge multiple IP's. That would go to a cheap 4
port ethernet switch. From there, two separate routers. One would be
your existing unspecified "fairly basic" router, while the other would
go to a 2nd router, which would go to the neighbors. I've been doing
that in my palatial office complex, with 5 businesses sharing a single
DSL account using 5ea static IP's:
<http://www.LearnByDestroying.com/crud/5IP.txt>

Many not-so-basic wireless routers have provisions for multiple
SSID's, each with their own configuration. They generally include a
method of isolating the wired LAN from at least one wireless network.
In effect, it's two or more wireless AP's in one box. The default and
only route for the "guest" wireless zone points to the ISP's gateway
IP and on to the internet. For example, Sonicwall has their "wireless
guest service" and Security Zones:
<http://www.sonicwall.com/downloads/Security_Zones_in_SonicOS_2.0_Enhanced.pdf>

Another way is to use a router with 3 or more ports. One for the WAN
interface, and one LAN port each for you and your neighbor. Each has
their own subnet with IP tables set up so that no packets go between
the two LAN ports. It's fairly easy with a PC based router, where
multiple ethernet cards can easily be added. One of these ethernet
cards can be an internal PCI wireless card, so the amount of added
hardware is minimal. I used to do this using Freesco, which can
handle 10 ethernet cards on a floppy or CF card boot:
<http://www.freesco.org>
<http://freescofaq.hopto.org/faq/index.html>
<http://freesco.sourceforge.net>
<http://bakskuru.se/fredrik/freesco/afib/afib_01.html#Network>

There are also ways to do this using double NAT and VPN tunnels.
Double NAT can get messy if you have to do port forwarding (for VoIP
for example). VPN tunnels are probably more complicated than you want
to deal with.


--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

Reply With Quote
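
The three-port router option from the post above (one subnet per LAN port, with no packets passing between the two), written out for a Linux PC router. This is an added example, not part of the thread: the interface names (eth0 for WAN, eth1 for the office LAN, wlan0 for the guest side) and the script name are assumptions, and the audit function is a heuristic text check, not a full rule evaluator.

```shell
#!/bin/sh
# Added example (not from the thread). Interface names are assumptions.

# Print an iptables-restore ruleset for a router with one WAN interface and
# two LAN interfaces that must never exchange packets.
guest_isolation_rules() {
    wan=$1 lan=$2 guest=$3
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The router itself: office LAN may manage it, guests get DHCP and DNS only.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -j ACCEPT
-A INPUT -i $guest -p udp --dport 67 -j ACCEPT
-A INPUT -i $guest -p udp --dport 53 -j ACCEPT
-A INPUT -i $guest -p tcp --dport 53 -j ACCEPT
# No packets between the two LAN ports, in either direction.
-A FORWARD -i $guest -o $lan -j DROP
-A FORWARD -i $lan -o $guest -j DROP
# Either side may open connections to the internet; replies are let back in.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i $guest -o $wan -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
EOF
}

# Heuristic audit of a ruleset on stdin (iptables-save format): FORWARD must
# default to DROP, and every rule that accepts new connections must leave via
# the WAN interface.
audit_isolation() {
    wan=$1
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
    ! printf '%s\n' "$rules" | grep -- '^-A FORWARD .*-j ACCEPT' |
        grep -v -- '--ctstate ESTABLISHED,RELATED' |
        grep -qv -- "-o $wan "
}

# Usage: sh guest-fw.sh print eth0 eth1 wlan0 | iptables-restore
if [ "${1:-}" = print ]; then guest_isolation_rules "$2" "$3" "$4"; fi
```

Piping `iptables-save` into `audit_isolation eth0` after later changes is a quick way to notice a forwarding rule that quietly reconnects the two sides.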
  #5 (permalink)  
Old 11-03-2008, 11:42 AM
Bill Kearney
Guest
 
Posts: n/a
Default Re: New user on Wired/Wireless setup

> is there a way for the new user to access the internet without becoming
> part of our network at all?


With a basic router? No. With one that supports access control lists, yes
but with a fair amount of technical knowledge (aka configuring it).



Reply With Quote
  #6 (permalink)  
Old 11-06-2008, 05:00 PM
Tanel Kagan
Guest
 
Posts: n/a
Default Re: New user on Wired/Wireless setup

> Maker and model of your router please?
> DSL, cable, satellite, fiber, T1, or two tin cans and a string?


It's a 3com "OfficeConnect ADSL wireless firewall router". I think the
model number is 3CRWDR100A-72. I'm not actually sure how "basic" it is, but
it didn't cost much and it looks fairly simple in terms of connections etc.
As you may have guessed, I'm not an IT expert!

>>What I need to know is whether there is a way to set up the other user's
>>connection so that they can access the internet, but without allowing them
>>to see any of the other machines on our network or access any of our data.

>
> This is the classic coffee shop problem. The idea is to give coffee
> shop visitors access to the internet, without also giving them access
> to the cash register, office computah, etc.


Yes. A very good way of putting it!

> If you just hang another wireless access point on your existing
> network, the neighbors will have access to everything.
>
> The easy way to do this is to use two IP addresses from your ISP. Many
> ISP's will sell you a 2nd IP address for a reasonable price. Your
> modem can possibly bridge multiple IP's. That would go to a cheap 4
> port ethernet switch. From there, two separate routers. One would be
> your existing unspecified "fairly basic" router, while the other would
> go to a 2nd router, which would go to the neighbors. I've been doing
> that in my palatial office complex, with 5 businesses sharing a single
> DSL account using 5ea static IP's:
> <http://www.LearnByDestroying.com/crud/5IP.txt>
>
> Many not-so-basic wireless routers have provisions for multiple
> SSID's, each with their own configuration. They generally include a
> method of isolating the wired LAN from at least one wireless network.
> In effect, it's two or more wireless AP's in one box. The default and
> only route for the "guest" wireless zone points to the ISP's gateway
> IP and on to the internet. For example, Sonicwall has their "wireless
> guest service" and Security Zones:
> <http://www.sonicwall.com/downloads/Security_Zones_in_SonicOS_2.0_Enhanced.pdf>
>
> Another way is to use a router with 3 or more ports. One for the WAN
> interface, and one LAN port each for you and your neighbor. Each has
> their own subnet with IP tables set up so that no packets go between
> the two LAN ports. It's fairly easy with a PC based router, where
> multiple ethernet cards can easily be added. One of these ethernet
> cards can be an internal PCI wireless card, so the amount of added
> hardware is minimal. I used to do this using Freesco, which can
> handle 10 ethernet cards on a floppy or CF card boot:
> <http://www.freesco.org>
> <http://freescofaq.hopto.org/faq/index.html>
> <http://freesco.sourceforge.net>
> <http://bakskuru.se/fredrik/freesco/afib/afib_01.html#Network>
>
> There are also ways to do this using double NAT and VPN tunnels.
> Double NAT can get messy if you have to do port forwarding (for VoIP
> for example). VPN tunnels are probably more complicated than you want
> to deal with.


A wealth of information there Jeff. Much of it beyond my immediate
knowledge, but it certainly gives me a starting point, from which I can do a
bit more research and see which option is best.

Many thanks for your time.

Tanel.

> --
> Jeff Liebermann jeffl@cruzio.com
> 150 Felker St #D http://www.LearnByDestroying.com
> Santa Cruz CA 95060 http://802.11junk.com
> Skype: JeffLiebermann AE6KS 831-336-2558




Reply With Quote
  #7 (permalink)  
Old 11-06-2008, 05:01 PM
Tanel Kagan
Guest
 
Posts: n/a
Default Re: New user on Wired/Wireless setup

>> is there a way for the new user to access the internet without becoming
>> part of our network at all?

>
> With a basic router? No. With one that supports access control lists,
> yes but with a fair amount of technical knowledge (aka configuring it).


Thanks Bill.

Tanel.



Reply With Quote
  #8 (permalink)  
Old 11-10-2008, 05:43 PM
Jeff Liebermann
Guest
 
Posts: n/a
Default Re: New user on Wired/Wireless setup

On Thu, 6 Nov 2008 17:00:18 -0000, "Tanel Kagan"
<tanelkagan@(nospamatall).hotmail.com> wrote:

>> Maker and model of your router please?
>> DSL, cable, satellite, fiber, T1, or two tin cans and a string?

>
>It's a 3com "OfficeConnect ADSL wireless firewall router". I think the
>model number is 3CRWDR100A-72.


<http://www.3com.com/products/en_US/detail.jsp?tab=features&pathtype=purchase&sku=3CRWDR100A-72>

Hint: If you ask such questions, try to include:
1. What problem are you trying to solve?
2. What do you have to work with? (hardware, software, makers,
models, versions, location, environment, user count, etc)
3. What have you done so far, and what happened? (only for
troubleshooting type questions).

>I'm not actually sure how "basic" it is, but
>it didn't cost much and it looks fairly simple in terms of connections etc.


It looks fairly basic. I'm not a big fan of all-in-one
DSL/router/wireless boxes. I like to have the DSL modem separate. One
reason is that you cannot use the trick of having the ISP deliver
multiple IP addresses, through the DSL modem, and then connect two or
more routers to the single DSL modem as in:
<http://www.LearnByDestroying.com/crud/5IP.txt>
You have to have access to the connection between the DSL modem and
the router for this to work.

I sometimes like to have the wireless access point section separate
from the router. That's because the wireless wants to live up high in
the room, for best wireless coverage, while the router wants to live
low on the floor, behind someone's desk, amid the tangle of CAT5
cables, wall warts, power strips, etc. It's difficult to reconcile
the requirements for neatness and wireless coverage unless you use
separate boxes.

>As you may have guessed, I'm not an IT expert!


IT experts are easy to recognize. They never guess.

--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

Reply With Quote
  #9 (permalink)  
Old 11-11-2008, 04:41 PM
seaweedsl
Guest
 
Posts: n/a
Default Re: New user on Wired/Wireless setup

Perhaps you can have your guest user provide his own wireless router
and then put it on a different subnet.

I'm not sure how that goes, just throwing this out there as an idea
that the other folks might be able to comment on.

Basic idea is run two subnets off the same internet connection. Keeps
them isolated, I believe.

Steve

Reply With Quote
  #10 (permalink)  
Old 11-11-2008, 10:02 PM
Jeff Liebermann
Guest
 
Posts: n/a
Default Re: New user on Wired/Wireless setup

On Tue, 11 Nov 2008 08:41:51 -0800 (PST), seaweedsl
<seaweedsteve@gmail.com> wrote:

>Perhaps you can have your guest user provide his own wireless router
>and then put it on a different subnet.
>Basic idea is run two subnets off the same internet connection. Keeps
>them isolated, I believe.


Nope. With two routers in the system, they would need to share the
same WAN IP address. That won't work. That's why one of my
suggestions involved having the ISP supply two or more routable IP
addresses, so that two or more routers can be used.

It also won't work if you try to do it with one router. In this case,
both sub-nets will be connected to the same ethernet switch. Everyone
will see each other's broadcasts. A proper subnet mask will limit a
user's visibility but all they have to do is tweak the subnet, and
everything is exposed.

It is possible to do this using VLAN's on a single router/switch. I
haven't tried this yet, but it looks very plausible:
<http://www.dd-wrt.com/wiki/index.php/VLan_Configuration>
<http://www.geek-pages.com/articles/latest/dd-wrt_-_setting_up_a_separate/isolated_vlan_on_port_4_with_dhcp.html>
(Yeah, I know. Why didn't I think of this before...)



--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 jeffl@comix.santa-cruz.ca.us
# http://802.11junk.com jeffl@cruzio.com
# http://www.LearnByDestroying.com AE6KS

Reply With Quote
  #11 (permalink)  
Old 11-12-2008, 06:35 PM
seaweedsl
Guest
 
Posts: n/a
Default Re: New user on Wired/Wireless setup

On Nov 11, 4:02 pm, Jeff Liebermann <je...@cruzio.com> wrote:
>
> It also won't work if you try to do it with one router. In this case,
> both sub-nets will be connected to the same ethernet switch. Everyone
> will see each other's broadcasts. A proper subnet mask will limit a
> user's visibility but all they have to do is tweak the subnet, and
> everything is exposed.
>



OK. Now I know. Thanks Jeff

Reply With Quote