
On our current network, we have a wireless router and a gigabit 16-port switch. If a machine connects to the wireless network, it has access to all of the local machines on the network. This can be a security risk, as it is a PC repair shop and we leave machines still connected to the network.

What I would like to do is, using a separate wireless router (in this case the Netgear WGT624), set up an internet-only wireless network and then possibly disable the wireless network on the main wireless router.

I have set up a Windows Server 2008 R2 machine which runs DNS and DHCP along with AD, SharePoint Services, MDT and WDS. Active Directory is only really used for MDT.

How would I go about, or how would you recommend I set it up in this way?

3 Answers

2

You can just place the NAT routers in series, one behind the other. The first NAT closest to the Internet connection can be the wireless with access to only the Internet. The second NAT can contain the wired network and its wireless capabilities can be disabled as well.

This configuration will protect the wired network from the wireless network. Just ensure that both NAT networks are not on conflicting IP plans.

user48838
1

You have a few possibilities.

One, you can get a wireless access point that can be configured to specifically block wireless clients from seeing each other. Expensive; you have options from houses like Cisco that are as flexible as putty and as complicated as space shuttles to do this. But once you get them set up you should be good to go. This gets you a setup like you see at Starbucks/B&N/etc.

Two, set up a firewall system that your protected systems sit behind. On the other side is a switch with your public wireless AP, and have a block of your IP reserved such that your firewall blocks all incoming traffic from that IP block. Cheap, not all that elegant, and requires documentation for maintainers. But you implied you're running a small business so it's possible you could get away with this arrangement.

Three, shop around for a SOHO router that specifically blocks out wireless from wired. This has the disadvantages of A) blocking your own wireless from seeing the wired side and B) any SOHO router, in my experience, tends to go flaky after a year or two, so it can get to be a pain in the arse to keep buying a similar unit as backup for the first unit's failure and you need the specific feature set (I eventually bought a separate wireless AP and a switch that was just a switch so I could reduce problems on my home network.)

For a small shop, I'd probably go with the firewall solution. It gives flexibility, and if you're a small shop that likes having the techs learn things from good projects, it gives experience in configuring such a machine and learning a little about routing and blocking rules, as well as information on how your network works. It also takes a little planning in how you want to carve up your network block and arrange to have things handed out (since if you're blocking traffic in, and possibly out, of your protected network to the block of unsafe systems, you'll need a way to hand out IPs to the unsafe systems that is separate from your internal DHCP server, essentially creating two networks that coexist in your overall allocation block.)

Bart Silverstrim
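To make the firewall option above concrete, here is an added example (not from the question or any answer) that models the address plan and the blocking policy: the guest AP sits on its own subnet, may reach the Internet, and is dropped when it tries to reach the wired LAN. The subnets are constructed placeholders, and the rendered nftables chain is one way to express that policy on a Linux firewall; a commercial box would use its own syntax.

```python
"""Guest-wireless isolation: address-plan check plus forward-chain policy.

The two subnets are constructed examples, not the asker's real network.
"""
import ipaddress

WIRED_LAN = "192.168.1.0/24"    # constructed: protected wired shop LAN
GUEST_WLAN = "192.168.50.0/24"  # constructed: internet-only guest Wi-Fi


def check_plan(lan, guest):
    """Fail fast if the two networks overlap (the 'conflicting IP plan' case)."""
    lan, guest = ipaddress.ip_network(lan), ipaddress.ip_network(guest)
    if lan.overlaps(guest):
        raise ValueError(f"{lan} overlaps {guest}: pick disjoint subnets")
    return True


def decide(src, dst, lan=WIRED_LAN, guest=GUEST_WLAN):
    """Return 'accept' or 'drop' for a NEW forwarded connection src -> dst.

    Guest hosts may only talk to the Internet; anything they send toward the
    wired LAN is dropped. Wired hosts are unrestricted (techs may need to reach
    the AP). Return traffic for accepted flows is left to connection tracking.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    lan, guest = ipaddress.ip_network(lan), ipaddress.ip_network(guest)
    if s in guest:
        return "drop" if d in lan else "accept"
    if s in lan:
        return "accept"
    return "drop"  # traffic from an unknown source network: default deny


def nft_ruleset(lan=WIRED_LAN, guest=GUEST_WLAN):
    """Render the same policy as an nftables 'forward' chain (text only)."""
    check_plan(lan, guest)
    return "\n".join([
        "table inet shop {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        f"    ip saddr {guest} ip daddr {lan} drop",
        f"    ip saddr {guest} accept",
        f"    ip saddr {lan} accept",
        "  }",
        "}",
    ])
```

Guest-to-guest isolation on the same wireless segment never crosses this forward chain, so that part still needs the AP's own client-isolation feature from option one.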
0

I would do this by putting in a real firewall, something like a relatively cheap SonicWALL. If you don't want to buy one new, you can get a TZ190 on eBay for around $125. Then you can create a DMZ, and put a wireless access point on that DMZ.

KCotreau
Comment: Would something like a software version like monowall do this? Also, could it run in a virtual machine on the Windows Server? – Jun 04 '11 at 13:04