Separating wired and wireless clients on the same network?
Hello all...
I would like to set up a network with both wired and wireless clients.
That much I can do with ease. However, I'd like to keep anything on
the wireless network from communicating with anything on the wired
network. Both networks should be able to see the Internet (WAN) and
use it.
I have some Buffalo routers running DD-WRT v23 SP2 that I'd like to
use for this. I thought that "AP isolation" might do this, but from
what I've read it isn't what I am looking for.
Re: Separating wired and wireless clients on the same network?
On Apr 19, 12:30 pm, wm_wa...@hotmail.com wrote:
> Hello all...
>
> I would like to set up a network with both wired and wireless clients.
> That much I can do with ease. However, I'd like to keep anything on
> the wireless network from communicating with anything on the wired
> network. Both networks should be able to see the Internet (WAN) and
> use it.
>
> I have some Buffalo routers running DD-WRT v23 SP2 that I'd like to
> use for this. I thought that "AP isolation" might do this, but from
> what I've read it isn't what I am looking for.
>
> How can I go about doing this?
>
> William
Maybe, if such a router supports "vlan"s at its switch. Linksys' wired
h/w router supports up to 4 VLANs at its 4 switch ports.
You could then hook the WAP to one of the ports, and a cable from the Ethernet
switch to another. The router would disable communication between the
two groups of hosts; seems being on the same IP subnet is no problem?
It'd be interesting to see if this exists in a WAP router, an affordable
one.
Re: Separating wired and wireless clients on the same network?
<wm_walsh@hotmail.com> wrote in message
news:1177000229.403143.272460@n76g2000hsh.googlegroups.com...
> Hello all...
>
> I would like to set up a network with both wired and wireless clients.
> That much I can do with ease. However, I'd like to keep anything on
> the wireless network from communicating with anything on the wired
> network. Both networks should be able to see the Internet (WAN) and
> use it.
you need 2 networks / LANs isolated from each other - whether 1 of them is
wireless is just a detail...
get a wireless router and plug it into your Internet feed.
get a cable router (one with an Ethernet WAN port) - plug that into the LAN
on the wireless router.
wired devices go thru 2 routers and 2 sets of address translation, but can
still get to the internet.
wireless devices cannot get thru the WAN port of the cable router.
done.
>
> I have some Buffalo routers running DD-WRT v23 SP2 that I'd like to
> use for this. I thought that "AP isolation" might do this, but from
> what I've read it isn't what I am looking for.
>
> How can I go about doing this?
>
> William
>
--
Regards
Re: Separating wired and wireless clients on the same network?
On Fri, 20 Apr 2007 23:01:01 GMT, "stephen" <stephen_hope@xyzworld.com>
wrote in <NCbWh.5865$J64.700@newsfe3-gui.ntli.net>:
><wm_walsh@hotmail.com> wrote in message
>news:1177000229.403143.272460@n76g2000hsh.googlegroups.com...
>>
>> I would like to set up a network with both wired and wireless clients.
>> That much I can do with ease. However, I'd like to keep anything on
>> the wireless network from communicating with anything on the wired
>> network. Both networks should be able to see the Internet (WAN) and
>> use it.
>
>you need 2 networks / LANs isolated from each other - whether 1 of them is
>wireless is just a detail...
<quibble> Two isolated subnets. </quibble>
>get a wireless router and plug it into your Internet feed.
>
>get a cable router (one with an Ethernet WAN port) - plug that into the LAN
>on the wireless router.
>
>wired devices go thru 2 routers and 2 sets of address translation, but can
>still get to the internet.
True, but that's "double NAT", which generally works, but can cause
problems with some (older) network apps, so better to avoid that if
possible.
>wireless devices cannot get thru the WAN port of the cable router.
>
>done.
Only if you make assumptions that aren't necessarily true; i.e., that
the wired router won't open an inbound hole if a client on the wired LAN
makes an outbound connection to a client on the wireless LAN. To ensure
that kind of thing can't happen you need more sophistication than is
present in most low-end wired routers.
Better to setup wireless-to-wired isolation in a single wireless router,
as featured in some wireless routers (e.g., SonicWALL), and also doable
with DD-WRT firmware, which the OP already has, by means of VLAN.
Google "dd-wrt vlan isolation".
>> I have some Buffalo routers running DD-WRT v23 SP2 that I'd like to
>> use for this. I thought that "AP isolation" might do this, but from
>> what I've read it isn't what I am looking for.
>>
>> How can I go about doing this?
--
Best regards,
John Navas
FAQ for Wireless Internet: <http://Wireless.wikia.com>
FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>
Re: Separating wired and wireless clients on the same network?
"John Navas" <spamfilter1@navasgroup.com> wrote in message
news:mjki23h75sasa5lorbq0vm6ghkr5url58t@4ax.com...
> On Fri, 20 Apr 2007 23:01:01 GMT, "stephen" <stephen_hope@xyzworld.com>
> wrote in <NCbWh.5865$J64.700@newsfe3-gui.ntli.net>:
>
> ><wm_walsh@hotmail.com> wrote in message
> >news:1177000229.403143.272460@n76g2000hsh.googlegroups.com...
> >>
> >> I would like to set up a network with both wired and wireless clients.
> >> That much I can do with ease. However, I'd like to keep anything on
> >> the wireless network from communicating with anything on the wired
> >> network. Both networks should be able to see the Internet (WAN) and
> >> use it.
> >
> >you need 2 networks / LANs isolated from each other - whether 1 of them is
> >wireless is just a detail...
>
> <quibble> Two isolated subnets. </quibble>
>
> >get a wireless router and plug it into your Internet feed.
> >
> >get a cable router (one with an Ethernet WAN port) - plug that into the LAN
> >on the wireless router.
> >
> >wired devices go thru 2 routers and 2 sets of address translation, but can
> >still get to the internet.
>
> True, but that's "double NAT", which generally works, but can cause
> problems with some (older) network apps, so better to avoid that if
> possible.
I ran double NAT for a long time, and I didn't manage to find any apps that
worked with 1 NAT but not 2.
The 1st router provided a URL checker, and the 2nd acted as wireless LAN
box.
more to the point, "double NAT" exists in many places anyway, since a big
chunk of Internet servers live behind firewalls / load balancers using
NAT....
>
> >wireless devices cannot get thru the WAN port of the cable router.
> >
> >done.
>
> Only if you make assumptions that aren't necessarily true; i.e., that
> the wired router won't open an inbound hole if a client on the wired LAN
> makes an outbound connection to a client on the wireless LAN. To ensure
> that kind of thing can't happen you need more sophistication than is
> present in most low-end wired routers.
that's pretty much always true.... if you break the security model it doesn't
do you much good.
but this is as good as a single router for insulation from the internet.
the insulation between the 2 wired and wireless groups isn't as good, since
wired devices can kick off connections to wireless devices.
>
> Better to setup wireless-to-wired isolation in a single wireless router,
> as featured in some wireless routers (e.g., SonicWALL), and also doable
> with DD-WRT firmware, which the OP already has, by means of VLAN.
> Google "dd-wrt vlan isolation".
I don't know my way around that firmware....
FWIW vlan separation has its security shortcomings - but probably not an
issue unless you trunk it on to another switch and an attacker knows how to
jump between tags, or join the 2 vlans together in some way.
>
> >> I have some Buffalo routers running DD-WRT v23 SP2 that I'd like to
> >> use for this. I thought that "AP isolation" might do this, but from
> >> what I've read it isn't what I am looking for.
> >>
> >> How can I go about doing this?
>
> --
> Best regards,
> John Navas
> FAQ for Wireless Internet: <http://Wireless.wikia.com>
> FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
> Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
> Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>
--
Regards
Re: Separating wired and wireless clients on the same network?
On Sat, 21 Apr 2007 13:24:08 GMT, "stephen" <stephen_hope@xyzworld.com>
wrote in <YfoWh.1747$C75.1269@newsfe2-gui.ntli.net>:
>"John Navas" <spamfilter1@navasgroup.com> wrote in message
>news:mjki23h75sasa5lorbq0vm6ghkr5url58t@4ax.com...
>> True, but that's "double NAT", which generally works, but can cause
>> problems with some (older) network apps, so better to avoid that if
>> possible.
>more to the point, "double NAT" exists in many places anyway, since a big
>chunk of Internet servers live behind firewalls / load balancers using
>NAT....
In general, firewalls and load balancers don't use NAT. Double NAT is
actually relatively rare.
>> Only if you make assumptions that aren't necessarily true; i.e., that
>> the wired router won't open an inbound hole if a client on the wired LAN
>> makes an outbound connection to a client on the wireless LAN. To ensure
>> that kind of thing can't happen you need more sophistication than is
>> present in most low-end wired routers.
>
>that's pretty much always true.... if you break the security model it doesn't
>do you much good.
This method isn't a security model.
>but this is as good as a single router for insulation from the internet.
>
>the insulation between the 2 wired and wireless groups isn't as good, since
>wired devices can kick off connections to wireless devices.
And that's the point.
>> Better to setup wireless-to-wired isolation in a single wireless router,
>> as featured in some wireless routers (e.g., SonicWALL), and also doable
>> with DD-WRT firmware, which the OP already has, by means of VLAN.
>> Google "dd-wrt vlan isolation".
>
>I don't know my way around that firmware....
>
>FWIW vlan separation has its security shortcomings - but probably not an
>issue unless you trunk it on to another switch and an attacker knows how to
>jump between tags, or join the 2 vlans together in some way.
True, which is why I originally recommended a wireless router with a
real wireless-to-wired isolation feature.
--
Best regards,
John Navas
FAQ for Wireless Internet: <http://Wireless.wikia.com>
FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>
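
The two designs argued over in this thread, as an added example that is not part of any poster's message: a toy connection-tracking model comparing the cascaded-router setup with a single router that keeps wired and wireless on separate segments. The class and zone names are constructed for illustration, address rewriting is not modelled (only the stateful "inside may open, outside may only reply" behaviour), and the segmented router is assumed to drop all forwarding between the two segments.

```python
# Added illustration; zone names and classes are constructed, not DD-WRT config.
WIRED, WIRELESS, INTERNET = "wired", "wireless", "internet"

class StatefulEdge:
    """One NAT boundary: the inside may open flows, the outside may only reply."""
    def __init__(self, inside):
        self.inside = set(inside)
        self.flows = set()              # connection-tracking table

    def forward(self, src, dst, flow):
        if (src in self.inside) == (dst in self.inside):
            return True                 # both on one side: box is not in the path
        if src in self.inside:
            self.flows.add(flow)        # outbound packet creates state
            return True
        return flow in self.flows       # inbound: only replies to tracked flows

class CascadedRouters:
    """Wired router's WAN port plugged into the wireless router's LAN."""
    def __init__(self):
        self.outer = StatefulEdge({WIRED, WIRELESS})    # wireless router
        self.inner = StatefulEdge({WIRED})              # wired router

    def packet(self, src, dst, flow):
        return self.outer.forward(src, dst, flow) and self.inner.forward(src, dst, flow)

class SegmentedRouter:
    """One router, wired and wireless on separate segments (the VLAN approach)."""
    def __init__(self):
        self.edge = StatefulEdge({WIRED, WIRELESS})

    def packet(self, src, dst, flow):
        if {src, dst} == {WIRED, WIRELESS}:
            return False                # inter-segment forwarding dropped both ways
        return self.edge.forward(src, dst, flow)

def can_connect(net, src, dst):
    """A connection works only if the request and its reply are both delivered."""
    flow = (src, dst)
    return net.packet(src, dst, flow) and net.packet(dst, src, flow)

def audit(net):
    pairs = [(WIRED, INTERNET), (WIRELESS, INTERNET),
             (WIRELESS, WIRED), (WIRED, WIRELESS)]
    return {f"{s}->{d}": can_connect(net, s, d) for s, d in pairs}

if __name__ == "__main__":
    for net in (CascadedRouters(), SegmentedRouter()):
        print(type(net).__name__, audit(net))
```

In the cascaded model the wired-to-wireless connection succeeds while wireless-to-wired does not, which is the one-way isolation the posters disagree about; the segmented model blocks both directions and leaves Internet access intact.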