Eric Foy wrote:
> Gentlemen:
>
> I have three LANs at three physical locations, which I have bridged together using Linksys WAP11s. This configuration gives me high speed internet access through a single uplink at one of the locations. I have the APs running in bridge mode with 128-bit WEP enabled. I now have the following question: How can I structure my network to have several "virtual LANs" which would allow all users access to the internet portal, but denying users of one "virtual LAN" any knowledge of the existence of nodes (computers) in another "virtual LAN". Is this possible? The only thing I can think of is setting up different workgroups (this is all Winbloze stuff) or NT domains, but I don't know any of the security issues about those features. Something about subnet masks also comes to mind, but those things are still somewhat of a mystery to me. Any advice here would be GREATLY appreciated.
Make the WAP11 bridges their own backbone network (eg. 192.168.10.0/24) and run a crossover cable from each WAP11's ethernet to an ethernet port of a PC with two LAN cards. The other LAN card in the PC is connected to the hub/switch of the local vlan at this location and the PC is set up to route or 'ip forward'... We'll call those PCs 'routers' from now on...

You set up the vlan side of each router as a unique network inside your domain (eg. 192.168.20.0/24, 192.168.30.0/24, etc...). The vlan side IP address of each router is set up as the default gateway for the machines on its vlan, and the backbone side IP address of the router with the internet connection on its vlan is the default gateway for all the other routers... This will isolate these networks from most 'normal' users...

If you need a higher level of security, just add port level controls of the ip forwarding done by each of the 'routers' to prevent unauthorized probing of the other networks (eg. only allowing ip forwarding on ports 21, 80 and 443 lets most small-scale sites work fine and dramatically reduces any intra-office hanky panky, though the ftp part will likely cause you grief one way or another)...

--
general wireless list, a bawug thing <http://www.bawug.org/>
[un]subscribe: http://lists.bawug.org/mailman/listinfo/wireless
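As an added example that is not part of the post or the list archive, here is the port-level forwarding control the reply describes, written for one of the two-NIC 'router' PCs under the assumption that it runs Linux with iptables. The interface names, the OTHER_VLANS list and the dry-run switch are assumptions; the address ranges and the ports 21, 80 and 443 are the ones the reply gives.

```shell
#!/bin/sh
# Added example: forwarding policy for one two-NIC 'router' PC from the reply above.
# Assumes the router runs Linux with iptables (the post does not say what OS it runs).
# Interface names, the OTHER_VLANS list and the dry-run switch are assumptions;
# the networks and the port list (21, 80, 443) are the ones the post gives.

IPT="${IPT:-iptables}"               # set IPT="echo iptables" to print rules instead of applying
BACKBONE_IF="${BACKBONE_IF:-eth0}"   # assumed: NIC cabled to this site's WAP11
VLAN_IF="${VLAN_IF:-eth1}"           # assumed: NIC on the local vlan hub/switch
VLAN_NET="${VLAN_NET:-192.168.20.0/24}"          # this site's vlan
OTHER_VLANS="${OTHER_VLANS:-192.168.30.0/24}"    # the other sites' vlans, space-separated
ALLOWED_TCP_PORTS="21 80 443"

apply_forward_policy() {
    # Default deny for everything the router would forward; each allow below is explicit.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD

    # Return traffic for connections the local vlan opened. The ftp 'grief' the post
    # mentions is the data connection: the ftp conntrack helper lets RELATED cover it.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Local vlan may not reach the other sites' vlans at all. These DROPs must come
    # before the port allows, because the other vlans are also reached via $BACKBONE_IF.
    for net in $OTHER_VLANS; do
        $IPT -A FORWARD -i "$VLAN_IF" -s "$VLAN_NET" -d "$net" -j DROP
    done

    # Local vlan may open only the listed TCP services toward the uplink.
    # (DNS is not in the post's list; clients need a resolver on the local vlan or UDP 53 here.)
    for port in $ALLOWED_TCP_PORTS; do
        $IPT -A FORWARD -i "$VLAN_IF" -o "$BACKBONE_IF" -s "$VLAN_NET" \
            -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Anything else, including probes from other sites into this vlan, hits the DROP policy.
}

enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

case "${1:-}" in
    apply)   enable_forwarding; apply_forward_policy ;;
    dry-run) IPT="echo iptables" apply_forward_policy ;;
esac
```

Run it with `dry-run` first to read the generated rules; the same script, with its own VLAN_NET and OTHER_VLANS values, goes on each site's router.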
