Have To Reintroduce Wireless - How ?

[drsox]

I quit wireless some years ago and went to Gigabit wired ethernet, but now with a purchase of an iPhone I have to let Wireless back in.
How can I allow the iPhone to connect out but not allow it (or any other wireless client) to access the Gigabit LAN ?

I read somewhere about connecting 2 routers together to provide nested security. Would this work here ?

My WAN connection is through a Wireless capable (but disabled) Router/ADSLModem (Router 1).
If I make this an Access Point again and put another Router (Router 2) between the LAN and Router 1, how would I connect and configure them ?

At the moment everthing is on a 192.168.X.X network. DHCP and WINS is provided by a RAID NAS (Infrant Ready NAS+) with Router 1 providing DNS and Gateway.

Thanks

 

[YeOldeStonecat]

You could take a second wireless router...make sure the LAN IP is something other than whatever your current network is..such as 192.168.1.xxx
So..for example..make the second wireless router 192.168.2.xxx is your primary router is 192.168.1.xxx.

Connect the WAN port of your second wireless router to a LAN port of your primary router, WAN interface set to obtain auto. Plug a PC into a LAN port of your second wireless router and configure your security and wireless settings from there. So that way, the iPhone and wireless clients will be double NAT'd, won't really easily see your primary network unless they go hunting for it via IP address.

Or...better...does your gigabit switch support port based VLANs? That would be ideal.

 

[drsox]

Second Router

Thanks.

That's the sort of config I remember reading about, but I couldn't remember the details.

My switches are just dumb switches (Linksys EG005W and EG008W) so a second router is the way to go. I have another router but it is a Router/ADSL modem so no WAN port.

What level of security spec should I look for ? As it's been a few years I used to use a US Robotics 8054 and 5465 with this bunch of stuff (copy from the USR website)

Quote """

# Wi-Fi Protected Access (WPA) and WPA2/802.11i
# 802.1x Authentication
# 64/128-bit WEP encryption
# Stateful Packet Inspection (SPI) firewall to prevent network intrusions
# Support for VPN pass through (PPTP, IPSec and L2TP)
# MAC address authentication and SSID disable

""" Unquote

If I use WPA2 in your config and a good password, I guess that's good enough. I live in a quiet, low crime area but no guarantee against gung-ho teens I guess.

 

[drsox]

Second Router

I also have an old Laptop that has to run WinXp (all my other PCs run Ubuntu), so I can treat that as another item to connect to Router 2.
Seems to be clicking into place OK.

 

[YeOldeStonecat]

What level of security spec should I look for ? As it's been a few years I used to use a US Robotics 8054 and 5465 with this bunch of stuff (copy from the USR website)in a quiet, low crime area but no guarantee against gung-ho teens I guess.

Security for home? WPA or WPA2, change default admin password on router, create a unique SSID....sit back and enjoy.

 

[drsox]

Security

Security for home? WPA or WPA2, change default admin password on router, create a unique SSID....sit back and enjoy.

Yep, that's what I used to do PLUS hide the SSID and do MAC id limiting.

 

[YeOldeStonecat]

I don't bother with those for home use. If a neighboring kid wants to explore cracking nearby wireless..there are passive sniffers out there which can snag the MAC address in seconds..and he can spoof that. And many wireless utilities that can see wireless networks even with the SSID broadcast turned off. Those are two of the easiest parts of early wireless security to blow past. Cracking WEP actually takes a bit of work...cracking WPA and higher..significant work.

 

[thiggins]

I read somewhere about connecting 2 routers together to provide nested security.

How To: One Internet connection - Two Private LANs

Also, the D-Link DAP-1522 has WLAN partitioning, both STA to STA and STA to wired LAN.
Screenshot.

 

[scotty]

I don't bother with those for home use. If a neighboring kid wants to explore cracking nearby wireless..there are passive sniffers out there which can snag the MAC address in seconds..and he can spoof that. And many wireless utilities that can see wireless networks even with the SSID broadcast turned off. Those are two of the easiest parts of early wireless security to blow past. Cracking WEP actually takes a bit of work...cracking WPA and higher..significant work.

I haven't been reading my Crackers Monthly lately - assuming a strong pre-shared key, can WPA/WPA2 actually be cracked any reasonable methods? Most of what I've read out there says you have to go to pretty extreme lengths just to try to crack WPA with a weak password.

 

[drsox]

That's the reference I was looking for

How To: One Internet connection - Two Private LANs

Also, the D-Link DAP-1522 has WLAN partitioning, both STA to STA and STA to wired LAN.
Screenshot.

That's the reference I was looking for. I knew I had seen it somewhere. Thanks. I'll post again when I have all the bits to try it out.

Regards

 

[YeOldeStonecat]

I haven't been reading my Crackers Monthly lately - assuming a strong pre-shared key, can WPA/WPA2 actually be cracked any reasonable methods? Most of what I've read out there says you have to go to pretty extreme lengths just to try to crack WPA with a weak password.

Tims main site had an article on it a few months ago...
http://www.smallnetbuilder.com/content/view/30278/98/

I'm not up on cracking methods for WEP either....if you dig back a while on his main site I think he had an article on cracking WEP also.....which you'll often read it can be done in a matter of minutes now....but I do think there's a bit of effort involved.

Many articles writtin on cracking wireless, or cracking PPTP VPN connections, or even one about cracking a Remote Desktop Connection session...but you'll find those are often done with a bit of effort in a lab environment.

I think, unless you're setting up a business environment which requires rock solid security...for the home environment..there's a balance between wearing a tin hat...putting in practical security..and just sitting back and enjoying your setup.