You Gotta Keep 'em Separated
May 19, 2011 1:55 PM
How do I create a public wifi network that is separate from our corporate network while using the same internet connection?
I would like to provide wireless internet access for our public visitors in the near future but I'm having a bit of trouble figuring out how to separate the public wifi from the corporate network. My problem: I would like to run both networks through the same internet connection.
My current network setup is a cable internet connection going into a router running Endian UTM (a linux based firewall/anti-virus/spam filter distribution). Workstations and our wireless routers (linksys WRT54Gs running DD-WRT) connecting to our main router through unmanaged switches.
If I separate the traffic at the wireless router then I still have a security risk by allowing public wifi traffic to flow over the corporate network. If I try to separate the traffic physically then I'll need to do a whole bunch more wiring and add a second router and switch to my network.
From what I understand the best way forward on this front is to have separate wireless routers for the public and private wireless networks and then segregate these devices via VLANs on the Endian device. If I go this route then I believe I would need to purchase managed switches for the network rather than use the unmanaged ones I have right now. Is that correct?
Is there any better way to do this?
Best answer: If you connect the public wireless *outside* your internal NAT circle, like directly into the cablemodem, you won't have any box that's able to route the 192.168.*.* traffic back into the private network.
So, if the Endian router is handling NAT for your internal network, if the 'public wireless' is on the internal side of the Endian router, the 192.168.*.* addresses will talk to each other, because the Endian router has one of those addresses, too, and knows how to route them.
On the "internet" end of the Endian router, all it knows is the internet IP address - it can't route 192.168.*.* addresses, so those addresses don't get routed to the internal network. Which is why NAT is part of the security there, and since the public wireless is outside your firewall at that point, it also avoids malicious attacks from your public network to the internal network.
You could also add to the security by making the public wireless assign 10.10.*.* addresses, which further prevents errant traffic from being routed internally.
posted by AzraelBrown at 2:05 PM on May 19, 2011 [1 favorite]
I'm doing this exact thing right now for a major retail company that shall remain nameless.
If you understand the concept of vlans well enough, and understand how to create virtual router interfaces that can do Dot 1Q encapsulation, you could buy a managed switch (D-Link actually makes a really darn good one) to get you started down your road to completion.
Without a managed switch I don't see how you could easily do it.
That being said, here is the basis of how to solve the problem:
Wireless AP:
SSID: Guest_Wireless is setup on VLAN 2
SSID: Corp_Wireless is setup on VLAN 3
Trunk your wireless AP to your managed switch. I'll be using Cisco terms, but the D-Link or other switch would probably call that "tagged". So you have a port that has VLANs 2 and 3 tagged on the same port. That will allow the switch to pass packets destined for both VLANs.
Switch:
Your switch will most likely use "tagged" and "untagged" ports. Untagged ports are access ports for PCs; tagged ports are for network devices and other equipment that provides a "tagged" packet to the switch.
You will want to create "tagged" ports for your AP and router uplinks. Make sure you tag all the VLANs you will use. I imagine you would have VLANs 1, 2 and 3. VLAN 1 would be your PC VLAN. VLAN 2 is guest wireless and VLAN 3 is Corp_Wireless.
Router:
You will need to create virtual VLAN interfaces that sit on your internal interface. On Cisco gear these are called sub-interfaces, and you have to tell them which "dot1q" tag they will look out for. On each sub-interface, or whatever it will be called on your router, you will need to carve out your subnet on that interface.
You will need to create ACLs (Access Control Lists) on your router that disallow the Guest Wireless network from connecting to your corporate network.
There are a million more details, but this is the most basic gist of how you do it. I wish I could tell you exactly how to do it with your router, but I'm a Cisco guy and the terms are not exactly interchangeable between platforms.
MeMail me if you have any questions.
posted by roboton666 at 4:12 PM on May 19, 2011 [2 favorites]
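The sub-interface and ACL recipe from the answer above, written out as Linux commands, as an added example that is not part of the thread and not Endian's own configuration; Endian UTM is Linux-based, so `ip` and `iptables` are the nearest analogue to Cisco sub-interfaces and ACLs. The interface names (eth0 toward the cable modem, eth1 as the tagged uplink to the switch), VLAN ids 2 and 3 and the subnets are assumptions. The INPUT rules are the extra check worth having: guests get DHCP and DNS from the firewall but cannot reach its admin interface.

```shell
#!/bin/sh
# Added example (not from the thread or from Endian): roboton666's recipe as Linux
# commands. Interface names, VLAN ids and subnets are assumptions; adjust to your box.
WAN_IF="${WAN_IF:-eth0}"   # assumed interface facing the cable modem
LAN_IF="${LAN_IF:-eth1}"   # assumed internal interface, trunked (tagged) to the switch
PC_NET="192.168.1.0/24"    # VLAN 1, untagged, assumed already configured on $LAN_IF
GUEST_VLAN=2; GUEST_NET="10.10.2.0/24";  GUEST_GW="10.10.2.1/24"
CORP_VLAN=3;  CORP_NET="192.168.3.0/24"; CORP_GW="192.168.3.1/24"

# Print every command; only execute it when DRY_RUN=0 (needs root on the firewall).
run() { echo "$*"; if [ "${DRY_RUN:-1}" = 0 ]; then "$@"; fi; }

# One 802.1Q sub-interface per VLAN, each carrying its own subnet (the "sub-interface").
add_vlan() {  # $1 = VLAN id, $2 = gateway address/prefix for that VLAN
  run ip link add link "$LAN_IF" name "$LAN_IF.$1" type vlan id "$1"
  run ip addr add "$2" dev "$LAN_IF.$1"
  run ip link set "$LAN_IF.$1" up
}
make_vlan_ifaces() { add_vlan "$GUEST_VLAN" "$GUEST_GW"; add_vlan "$CORP_VLAN" "$CORP_GW"; }

# The guest ACL. Rule order matters: drops toward the internal subnets sit above the
# accept toward the internet, and anything else from the guest VLAN is dropped.
guest_acl() {
  g="$LAN_IF.$GUEST_VLAN"
  run iptables -A FORWARD -o "$g" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -i "$g" -d "$PC_NET" -j DROP
  run iptables -A FORWARD -i "$g" -d "$CORP_NET" -j DROP
  run iptables -A FORWARD -i "$g" -o "$WAN_IF" -j ACCEPT
  run iptables -A FORWARD -i "$g" -j DROP
  # Guests may talk to the firewall itself only for DHCP and DNS, never its admin UI.
  run iptables -A INPUT -i "$g" -p udp --dport 67 -j ACCEPT
  run iptables -A INPUT -i "$g" -p udp --dport 53 -j ACCEPT
  run iptables -A INPUT -i "$g" -j DROP
  # Guests share the same public IP as the corporate side, but get their own NAT rule.
  run iptables -t nat -A POSTROUTING -s "$GUEST_NET" -o "$WAN_IF" -j MASQUERADE
}

# With DRY_RUN unset this only prints the plan; DRY_RUN=0 applies it.
make_vlan_ifaces
guest_acl
```

Run it once without DRY_RUN to review the rule order, then with DRY_RUN=0 as root to apply; a host on VLAN 2 should then reach the internet but get no reply from 192.168.1.0/24 or 192.168.3.0/24.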
posted by rmd1023 at 2:04 PM on May 19, 2011