-1

I work in a company where we have an Ethernet and Wi-Fi network. We would like to create a network where our customers could access our network but don't have access to our computer network.

This access would be internet only, nothing more. The customers will not see our computers and the files that we share in our network.

I have two routers, how can I do this?

A Cisco Linksys Wireless-N Broadband Router WRT160N V3 and a Netgear Wireless G Router WGR614 v9. As for firewalls, there are only the Windows firewalls on each computer by default.

Valter Silva
  • 2
    There are lots of ways to accomplish what you are asking. You need to be specific on what router models, firewall models, etc. you have. That will determine how easy it will be to set up policies, ACLs, authentication, etc. – TheCleaner Jun 12 '12 at 15:37
  • Do your routers support VLANs? (http://en.wikipedia.org/wiki/IEEE_802.1Q) – Hennes Jun 12 '12 at 15:40
  • @Hennes unfortunately my routers don't support VLANs. – Valter Silva Jun 13 '12 at 15:10
  • So far I see no evidence that you have even looked for the manuals for the equipment you have, so -1. – dunxd Jun 14 '12 at 12:30

2 Answers

4

You can separate the networks yourself on the Cisco/Linksys router. I did this myself on almost the exact same model for a friend's office. You should consult the documentation for exact details on how (I don't remember offhand, most of it was just through the WebGUI), but here's the general idea:

  1. Create 2 VLANs on the Cisco router. One is going to be for your internal network, and the other is for the customer network.
  2. Create 2 SSIDs, again one for internal computers and one for customer access. Assign these to the VLANs you created above.
  3. Configure an access list to deny access between the customer network and the internal network.
  4. (Optional) Configure ports on the router to be for the internal or client VLAN as needed
  5. (Optional) Enable client isolation for the customer wi-fi network. This makes it so that they cannot communicate with each other, only access the Internet.

At the end, you should have two networks, say 192.168.100.0 for internal computers and 192.168.200.0 for visiting customers. The customers will be able to get on and see Facebook, but NOT ping or otherwise access the 192.168.100.0 network. Your internal network should continue to function normally.

Hyppy
  • Why not put the client VLAN in a DMZ? This way you're sure they won't access the rest of the network. BTW your method is simple but still great ;) – Anarko_Bizounours Jun 12 '12 at 15:57
  • Good method, but I don't think possible with the equipment specified. – dunxd Jun 12 '12 at 16:03
  • 1
    @Anarko_Bizounours - the customer network is effectively a DMZ in this setup. A DMZ is just a network which is configured to be separate from the secure network. Routers with DMZ functionality have just made achieving that common requirement easier - there are lots of ways to reach the same ends. – dunxd Jun 12 '12 at 16:06
  • Corollary: If you use port-based VLANs on switches to split switches into two physical switches with separate uplinks, you need switches that manage their CAM table per-VLAN and are well configurable when it comes to STP. – rackandboneman Jun 12 '12 at 18:19
  • Unfortunately, as you guys said, my routers don't have VLAN functionality. How could I do this with these routers? How do I separate two networks with these routers? – Valter Silva Jun 13 '12 at 15:08
  • @Anarko_Bizounours my router supports only DMZ functionality, how can I separate them from the other network? – Valter Silva Jun 14 '12 at 11:31
  • 1
    Have you read the documentation of the router you say supports DMZ? Start there. – dunxd Jun 14 '12 at 12:29
  • Yeah, it does. I will read it. – Valter Silva Jun 14 '12 at 15:47
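
A way to sanity-check the access list from step 3 of the answer above before relying on it, as an added example that is not part of the original answer or its comments. It models the rules as an ordered list and confirms that guest addresses cannot reach the internal subnet while Internet traffic still passes; the /24 masks, first-match evaluation with an implicit deny, and the 203.0.113.10 test destination are assumptions.

```python
import ipaddress

# Subnets named in the answer; the /24 masks are an assumption.
INTERNAL = ipaddress.ip_network("192.168.100.0/24")
GUEST = ipaddress.ip_network("192.168.200.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Ordered rules for traffic arriving from the guest VLAN: (action, source, destination).
GUEST_ACL = [
    ("deny", GUEST, INTERNAL),   # step 3: block customer -> internal
    ("permit", GUEST, ANY),      # everything else may go out to the Internet
]
# Constructed mistake: same rules in the wrong order, so the deny is never reached.
MISORDERED_ACL = list(reversed(GUEST_ACL))


def evaluate(acl, src, dst):
    """Return the action of the first matching rule; no match means deny (assumed)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action
    return "deny"


def shadowed_rules(acl):
    """Indexes of rules that can never match because an earlier rule covers them."""
    hits = []
    for i, (_, src_net, dst_net) in enumerate(acl):
        for _, prev_src, prev_dst in acl[:i]:
            if src_net.subnet_of(prev_src) and dst_net.subnet_of(prev_dst):
                hits.append(i)
                break
    return hits


def guest_isolated(acl):
    """True when no internal address is reachable from a guest host and Internet still works."""
    guest = str(GUEST[10])  # constructed sample client, 192.168.200.10
    blocked = all(evaluate(acl, guest, str(host)) == "deny" for host in INTERNAL)
    # 203.0.113.10 is a documentation address standing in for an Internet host.
    return blocked and evaluate(acl, guest, "203.0.113.10") == "permit"


if __name__ == "__main__":
    for name, acl in (("correct", GUEST_ACL), ("misordered", MISORDERED_ACL)):
        print(name, "isolated:", guest_isolated(acl), "shadowed:", shadowed_rules(acl))
```

The misordered list shows why rule order matters: a broad permit placed first makes the deny unreachable, and the customer network can then reach internal hosts.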
1

Out of the box, I don't believe you can do this with either of your routers - both of these are consumer grade and don't have any support for DMZ or VLANs. You might be able to flash one of the routers to use different firmware with this functionality, but I would not risk this in a commercial environment - get it wrong and you risk your customers' credit card details being leaked and going out of business from the shame.

Invest in a router that supports VLANs or has a DMZ port. My experience is with Cisco ASA 5505 which will do this, and give you a pretty robust firewall and a VPN allowing your staff remote access all in the same box. They cost about £250 - $400. There may be simpler and cheaper options out there - the ASA isn't that hard though - @Hyppy describes what you need to do.

dunxd