I'm no Cisco-Certified Network guy.  So, take it with a grain of salt.

> Is running on different subnets sufficient to keep my main network
> secure?

Is the WiFi network going to be open to the public?  If so, keep
the router firmware up to date in order to make it difficult to hack
into the router from the LAN side.

> Both networks will be operating on the same set of network wires.

With the SOHO router/NAT devices, you are not doing VLAN trunking,
so you are not carrying two networks in the wires at the same time.
For certain portions, you are carrying traffic from both networks
in the same wires.  That part of the network should be isolated
from the WiFi network.

> 2) The existing router (Netgear FVS114) does not have a DMZ port.
> It does let me specify a DMZ computer by IP address, but that will
> be on the same subnet as the rest of the LAN.

My understanding of the DMZ is that the NAT (router) will patch
through all ports from WAN side to this one host in the DMZ.  I
don't think that will help you with this network.

> 3) I don't want to replace the existing router because it handles
> the VPN and I don't want to redo all that work. I'm thinking I
> should add a second router between the existing router and the
> WAN. Then connect my APs and the old router to the new router's
> insecure LAN? Anyone see any problems with this?
>
>       New      subnet/24       Old      subnet/24         192.168.1.xxx
>  WAN->Router->(10.10.10.xxx)-+-Router->(192.168.1.xxx)--+->LAN
>                              |                          |
>                              |                          |
>                              |                          | 10.10.10.xxx
>                              +--------------------------+->WiFi AP#1
>                                                         |
>                                                         +->WiFi AP#2
>                                                         |
>                                                         +->WiFi AP#3
>                                                         |
>                                                        etc.

(BTW, the above is an ASCII picture; use a fixed-width font to
see it properly.  Gmail web interface shows me nonsense.)

If a bad guy were to get on the WiFi network, he can flood the MAC
address table for the switch in the "New Router" and make the
switch part (LAN side) behave like a dumb hub.  At that point
it will send all packets to all ports, including the one connected
to the WiFi network.  Now, your internal traffic is on the WiFi
as well.

So, to prevent that, I think, you should plug the WAN port of the
"New Router" to a switch port on the 192.168.1/24 subnet.  Using the
NAT on that router, make a 10.10.10/24 subnet for the WiFi.  A bad
guy on the WiFi side can't flood "New Router" and gain access to all
traffic from the WAN side of that router.

What is the connection (drawn above) from the 192.168.1.xxx LAN to the
10.10.10.xxx WiFi AP#1 (vertical line) for?  That makes no sense to me.


> Does it make sense to plug both the in and out ports of the old router
> into ports on the same switch?

"in and out ports" ?  Do you mean the WAN port and the LAN port into
the same switch?  That won't work.


*************************************************************************
**  List info, subscription management, list rules, archives, privacy  **
**  policy, calmness, a member map, and more at http://www.cguys.org/  **
*************************************************************************
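As an added illustration (not part of the original post or its author's words), here is a toy model of the learning-switch behaviour the reply describes: a switch whose MAC table has a small fixed capacity, a LAN-to-LAN frame that stays on its own ports while the table is healthy, the same frame flooded out every port (the WiFi port included) once the table has been saturated with bogus source addresses arriving on the WiFi port, and a simple check that flags a port presenting an unreasonable number of source MACs. The port names, MAC addresses and table size are all constructed for the example; real switches hold thousands of entries, but the mechanism is the same.

```python
"""Toy learning-switch model: MAC table overflow turns unicast into flooding.

Added example, not code from the original mailing-list post. Ports, MAC
addresses and the table capacity are constructed values.
"""
from collections import OrderedDict

CAM_CAPACITY = 8  # constructed: real switches hold thousands of entries


class LearningSwitch:
    """Minimal Ethernet switch: learn source MAC -> port, forward by destination."""

    def __init__(self, ports, capacity=CAM_CAPACITY):
        self.ports = list(ports)
        self.capacity = capacity
        self.cam = OrderedDict()          # mac -> port, oldest entry first
        self.seen_per_port = {p: set() for p in self.ports}  # for the detector

    def _learn(self, mac, port):
        self.seen_per_port[port].add(mac)
        if mac in self.cam:
            self.cam.move_to_end(mac)     # refresh an existing entry
            self.cam[mac] = port
            return
        if len(self.cam) >= self.capacity:
            # Table full: evict the oldest entry. A flood of bogus sources
            # therefore pushes the real LAN hosts out of the table.
            self.cam.popitem(last=False)
        self.cam[mac] = port

    def forward(self, in_port, src, dst):
        """Return the list of ports the frame is delivered to."""
        self._learn(src, in_port)
        out = self.cam.get(dst)
        if out is None:
            # Unknown destination: behave like a hub and flood every other port.
            return [p for p in self.ports if p != in_port]
        return [out] if out != in_port else []


def suspicious_ports(switch, max_macs_per_port=4):
    """Flag ports that have presented more distinct source MACs than plausible.

    A single WiFi AP uplink legitimately shows a handful of client MACs;
    hundreds of short-lived sources on one port is the signature of table
    saturation. The threshold is a constructed value for the toy model.
    """
    return [p for p, macs in switch.seen_per_port.items()
            if len(macs) > max_macs_per_port]


def run_scenario():
    """Healthy table first, then saturation from the WiFi port; return what happened."""
    sw = LearningSwitch(ports=["lan1", "lan2", "wifi"], capacity=CAM_CAPACITY)
    host_a, host_b = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"  # constructed LAN hosts

    # Normal operation: after one exchange both hosts are learned, so the
    # next unicast frame from A to B goes to lan2 only and never touches wifi.
    sw.forward("lan1", host_a, host_b)
    sw.forward("lan2", host_b, host_a)
    before = sw.forward("lan1", host_a, host_b)

    # Saturation: the wifi port presents more distinct source MACs than the
    # table can hold, evicting A and B. (Constructed locally-administered MACs.)
    for i in range(CAM_CAPACITY * 2):
        bogus = "02:00:00:00:00:%02x" % i
        sw.forward("wifi", bogus, "ff:ff:ff:ff:ff:ff")

    # Same A->B frame as before: B is unknown again, so it is flooded to wifi too.
    after = sw.forward("lan1", host_a, host_b)
    return {"before": before, "after": after, "flagged": suspicious_ports(sw)}


if __name__ == "__main__":
    result = run_scenario()
    print("A->B delivered to (healthy table):  ", result["before"])
    print("A->B delivered to (saturated table):", result["after"])
    print("ports flagged by the detector:      ", result["flagged"])
```

The model is why the reply's topology advice matters: in the original drawing the LAN hosts and the WiFi APs share the "New Router" switch, so once that table is saturated the LAN's own unicast traffic is copied out to the WiFi port. Moving the WiFi behind a router whose WAN port is just one host on the 192.168.1/24 switch means the WiFi side can only saturate its own switch, and the LAN-side switch never learns the bogus addresses at all.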
