On Aug 15, 9:32 pm, Joe Mickelson <i...@not-here.com> wrote:
> Is it ok to put an access point behind a firewall as opposed to before
> it (on the outside)?
>
> If my users want to connect to the network, they have to authenticate
> and get authorization which I'm guessing a router would route the Auth
> & Auth requests to a Radius server on a dmz, but then it seems like
> they wouldn't have all the normal protection of entering through the
> firewall as a normal user would.
>
> So where should the wifi normally be on a small LAN, inside, or
> outside, DMZ of a LAN? Pros/cons?

Largely, it's a question of what you want to protect. A firewall
protects your users' PCs from attacks from the outside, if properly
configured, notwithstanding attacks from compromised hosts inside.
(Personal firewalls are a Good Thing.)

Your local "normal" users should, in fact, be _behind_ the firewall,
to provide max protection and control "bots" connectivity with outside.

An AP behind the firewall can be an entry path for intruders, unless
you secure it as you mention with WPA and in your case a Radius
server.

A major issue is what you wish wirelessly-connected users to be
able to access internally. E.g. having clients access Windows
network shares via NAT router is a no-go in my experience with
two different NAT routers, wired and wireless. Unless maybe you
have them share the _same_ virtual LAN. ("Wireless routers" are
typically AP, bridge, and router.)

What I mean by that is to not have the AP serve as a router for them
but as a connection to its bridged network ports. The AP would have
an IP in the same range as the servers, and issue IPs in that same
range via DHCP. The router's WAN port would be unused. Care
would be required in configuring AP's range of IPs to issue,
obviously among other IP parms.
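
The addressing care mentioned at the end of the reply above, as an added example that is not part of the original post: a check that a bridged AP's own IP and its DHCP pool sit in the servers' range without colliding with fixed addresses. The function name, labels and all addresses are constructed for illustration.

```python
import ipaddress

def check_bridged_ap_plan(lan_cidr, ap_ip, pool_start, pool_end, static_hosts):
    """Return a list of problems with a bridged-AP addressing plan ([] = OK).

    Hypothetical helper: static_hosts maps a label to a fixed IP (servers,
    the firewall's inside interface) that the AP's DHCP must never hand out.
    """
    net = ipaddress.ip_network(lan_cidr)
    ap = ipaddress.ip_address(ap_ip)
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    unusable = {net.network_address, net.broadcast_address}
    problems = []

    if start > end:
        return ["DHCP pool start is above pool end"]
    # The AP bridges rather than routes, so its own address must be a
    # usable host in the same range as the servers.
    if ap not in net or ap in unusable:
        problems.append(f"AP address {ap} is not a usable host in {net}")
    # Both ends of the pool must be usable hosts in that same range.
    for label, edge in (("start", start), ("end", end)):
        if edge not in net or edge in unusable:
            problems.append(f"pool {label} {edge} is not a usable host in {net}")
    # The pool must not hand out the AP's address or any fixed address.
    if start <= ap <= end:
        problems.append(f"pool contains the AP address {ap}")
    for name, ip in sorted(static_hosts.items()):
        addr = ipaddress.ip_address(ip)
        if start <= addr <= end:
            problems.append(f"pool contains static host {name} ({addr})")
    return problems

# Constructed sample plan (all addresses are made up for illustration).
STATIC = {"fileserver": "192.168.10.10", "printer": "192.168.10.11",
          "firewall-inside": "192.168.10.1"}

if __name__ == "__main__":
    good = check_bridged_ap_plan("192.168.10.0/24", "192.168.10.2",
                                 "192.168.10.100", "192.168.10.150", STATIC)
    bad = check_bridged_ap_plan("192.168.10.0/24", "192.168.1.1",
                                "192.168.10.5", "192.168.10.50", STATIC)
    print("good plan:", good or "OK")
    for p in bad:
        print("bad plan:", p)
```

The second plan fails twice over: the AP was left on an address outside the servers' range, and its pool would lease addresses already held by fixed hosts.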