Using two routers for security without double NAT

apara0

join:2005-07-03
La Crescenta, CA

reply to janderso1
Re: Using two routers for security without double

Will this setup prevent wireless users from seeing the wired lan thereby creating a firewall between those users accessing the wireless lan and those connected with a wire? I also would like to be able to see the wireless users without them seeing me. Will this work in this fashion?

Thanks.
-AP_


janderso1
Jim
Premium,MVM
join:2000-04-15
Saint Petersburg, FL
With this setup the wireless users can’t see anything on the wired LAN. The wireless users will only be accessible if the route add is done on the wireless PC.
--
Jim Anderson

apara0

join:2005-07-03
La Crescenta, CA

Jim,

So if on the wireless PC a route add is done, will wired users be able to see the wireless users and vice versa?

Is there a way to make it so that wired users always see wireless users but wireless users cannot see wired users?

I really want to isolate my wireless users from my wired lan. In case there is a break into the wireless network, I don't want them to be able to break into my wired lan.

Thanks.
-AP_


janderso1
Jim
Premium,MVM
join:2000-04-15
Saint Petersburg, FL

The route add tells the wireless PC to use the alternate gateway to reply to a request from the wired PC. The wireless PCs are still blocked from initiating a request to the wired segment by the firewall in R2. In my case I forwarded port 515 to the IP address of my print server on the wired segment to allow wireless PCs to print to it.
--
Jim Anderson

apara0

join:2005-07-03
La Crescenta, CA

With the NAT disabled in R2, 192.168.8.0 addresses reach R1 and then use R1's NAT to go out to the internet?

So there is still a firewall even with NAT disabled? I always thought that NAT was the firewall in most routers. I guess the SPI firewall is separate from NAT and still does not allow arbitrary traffic INTO the router?

Thanks.
-AP_


janderso1
Jim
Premium,MVM
join:2000-04-15
Saint Petersburg, FL

Yes, R1 must do NAT for both subnets (not all routers will do this, the ones I mentioned will). On the Zyxel routers you can enable/disable NAT and the SPI firewall separately. You may be able to do this with some of the Linksys routers.
--
Jim Anderson

seezar
Premium
join:2001-07-01
Rochester, NY
·ViaTalk


You could always get a soekris box (net4801) for about $275, www.soekris.com/, which has a WAN port and 2 LAN ports and then run M0n0wall on it, m0n0.ch/wall/. I have my wired LAN on one LAN interface and my wireless on the other. Then configure each interface for 2 different subnets and a firewall rule on the wired LAN to block all traffic from the wireless LAN. That way the wireless network is behind NAT but can't get to my wired LAN but I can access the wireless network via the wired.


dnoyeB
Ferrous Phallus

join:2000-10-09
Southfield, MI
It's not clear to me how this avoids double NAT. It seems like both routers are on separate subnets!?


janderso1
Jim
Premium,MVM
join:2000-04-15
Saint Petersburg, FL

When you disable NAT on R2 (the Zyxel) it acts as a pure router. When a PC on the R2 LAN accesses the Internet its real 192.168.8.x address is passed to R1 by R2. R1 then replaces the 192.168.8.x with its WAN IP address (which is why R1 must be able to do NAT for more than one subnet).
--
Jim Anderson
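
The behaviour described in this thread, as an added example that is not part of the original posts: a small Python model of R2 forwarding with NAT off while its stateful (SPI) filter still blocks wireless-initiated traffic, and of R1 translating the 192.168.8.x source once. The wireless subnet 192.168.1.0/24, the WAN address, and the print server address are assumptions (only 192.168.8.x and port 515 come from the thread), and SPI is simplified to tracking address/port tuples.

```python
import ipaddress

WIRED = ipaddress.ip_network("192.168.8.0/24")     # R2 LAN, from the thread
WIRELESS = ipaddress.ip_network("192.168.1.0/24")  # assumed R1 LAN (not in the thread)
R1_WAN_IP = "203.0.113.10"                         # constructed documentation address
PRINT_SERVER = ("192.168.8.50", 515)               # assumed host; port 515 is from the thread


class R2Firewall:
    """R2 with NAT off: packets pass unmodified, but flow state is still tracked."""

    def __init__(self, allowed_inbound):
        self.allowed_inbound = set(allowed_inbound)  # (dst_ip, dst_port) exceptions
        self.flows = set()                           # flows opened from the wired side

    def forward(self, src, sport, dst, dport):
        inside_src = ipaddress.ip_address(src) in WIRED
        inside_dst = ipaddress.ip_address(dst) in WIRED
        if inside_src and not inside_dst:
            # Outbound from the wired LAN: remember it so the reply is let back in.
            self.flows.add((src, sport, dst, dport))
            return "forward"
        if inside_dst and not inside_src:
            if (dst, dport, src, sport) in self.flows:
                return "forward"   # reply to a wired-initiated flow
            if (dst, dport) in self.allowed_inbound:
                return "forward"   # explicit exception, e.g. the print server
            return "drop"          # unsolicited request from the wireless side
        return "local"             # both ends on one segment: never crosses R2


def r1_nat_source(src):
    """R1 must translate sources from BOTH private subnets to its WAN address."""
    addr = ipaddress.ip_address(src)
    return R1_WAN_IP if (addr in WIRED or addr in WIRELESS) else src


def outbound_path(r2, src, sport, dst, dport):
    """Source address as seen at the PC, after R2, and after R1."""
    hops = [src]
    if r2.forward(src, sport, dst, dport) == "forward":
        hops.append(src)                 # R2 routes only: address unchanged
        hops.append(r1_nat_source(src))  # single translation, done by R1
    return hops


if __name__ == "__main__":
    r2 = R2Firewall([PRINT_SERVER])
    print(outbound_path(r2, "192.168.8.20", 50000, "198.51.100.7", 443))
    print(r2.forward("192.168.1.30", 40000, "192.168.8.20", 80))
```
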
© 1999-2009 dslreports.com