Yes, option 2 or 3 requires one additional (2 total) routable IP address.
 
Frank


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, September 08, 2004 6:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [SOCALWUG] Firewall separating wireless vs internal users


Thanks, Frank, for the detailed ideas.  I'm going to have to study them more.

There are currently 10 PCs in the local office network with one DSL line and wired router.

Of course I didn't mention the obvious simplest:  order another DSL line and put a wireless router on it for use by guests/visitors.

It looks like the alternative 2 or 3 both require more than one IP address, or am I wrong there?

John

At 09:27 PM 9/7/2004, you wrote:

How about:
 
                                 ==>Firewall==>switch==>internal PC's and servers
WAN (Internet)==Switch
                                 ==>Wireless Router~~>Wireless PC's
 
Then just abandon WEP, WPA, etc. and use the Firewall's VPN Client capability.
 
The Firewall and Wireless Router would each have their own routable IP addresses (2 static IP addresses total). This would create complete separation between wired and wireless networks.
 
 
or:
 
 
                                 ==>Firewall==>switch==>internal PC's and servers
WAN (Internet)==Switch
                                 ==>NoCat==>Access Point~~>Wireless PC's
 
As an option, you could swap out NoCat for an IP3, Nomadix or other "walled garden" device. Then you could provide guest access for visitors to the office. Continue to use the Firewall VPN Client for encrypted access to the internal network.
 
A 3rd option:
 
                                 ==>Firewall==>switch==>internal PC's and servers
WAN (Internet)==Switch
                                 ==>IP3==>vlan switch==>vlan Access Points~~>Wireless PC's
                                                                          ~~ Public SSID vlan==>Visitor/Guest wireless users
                                                                          ~~ Private SSID vlan==>Employee only wireless users
 
VLAN the wireless network to separate the Visitor/Guest wireless users from the Employee only wireless users. The 2nd and 3rd options are what I have been deploying for "smaller" businesses that have 2-7 Access Points and 7-20 users. I'm finding many smaller environments that now want features of the larger enterprises. This is a way to handle both security and guest access without breaking the bank. For the firewall, I find the PIX VPN client to be excellent with the UDP tunneling option configured. APs that support VLANs like Strix (http://www.strixsystems.com), Cisco and a few others.
 

Frank Keeney, Tel: 626-676-4761
Pasadena Networks, LLC
http://www.pasadena.net http://www.wlanparts.com

Co-Founder, Southern California Wireless User Group:
http://www.socalwug.org

