What's new

Add Wireless AP to my LAN, but prevent Wireless Clients from Accessing any LAN resources?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

DTS

Regular Contributor
I have a wired LAN. Currently there is no wireless access to it. If I add a wireless access device to let mobile devices have access to the Internet. how can I ensure that any device connected to the wireless access device cannot access any resources on my LAN? They should be routed straight to the Internet only.

I assume the wireless access device will be a router. If so, I assume it will be an Asus device running Merlin firmware because I want to work with something I am familiar with and that I like.

I know I could connect the wireless router's WAN port directly to my ISP -- i.e., put the wireless router outside of my LAN. (That's actually what I presently do.) However, I have RJ45 jacks everywhere and someone with physical access to my property could move this device and connect it inside my LAN -- maybe innocently. So my question is really starting from the point of assuming this has happened. I further assume they will not factory reset and/or reconfigure the device. I just want to address the situation where the device is innocently moved to connect it inside the LAN. I want to be confident that if this happens, clients connected via that device will not have any access to my LAN resources.

What are my best options for accomplishing this?
 
Put the wireless router in front of your main (LAN) router. In other words, put your LAN router in a double NAT setup.
 
nothing to stop someone from bringing in their own AP and plugging it in ?
don't know Merlin or Asus well, but can you use the wired router's firewall to block or drop all packets from the mac addresses of the wireless router on the lan side ?
Another alternative might be to whitelist all of your wired devices and drop packets from any other device not on the mac address whitelist ? Doesn't stop spoofing, but then you would be dealing with someone with intent, not a casual user.
Maybe you need a level 3 managed switch at the head in termination of all of the lan cables running VLANs to keep guest wireless packets blocked from your wired clients ? The router and APs would need to support VLANs. That puts you in the SMB class equipment. There are several options previously discussed in the forums.
 

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top