
Thread: Network Division - Secure and Open

  1. #1
    CaptainDon
    Guest

    Network Division - Secure and Open

    Our church has a secure wired & wireless network with seven nodes. When a group rents one of our rooms we want to allow them Internet access but not access to our secure machines and folders. Can someone explain to me the technique to set up this kind of arrangement? Thanks.

  2. #2
    Junior Member
    Join Date
    Nov 2007
    Posts
    23
    Are all the machines connected to one central router as a single network?

    I guess it should work to place all the machines that you want secured on their own private subnet within the main network.

  3. #3
    CaptainDon
    Guest
    All the machines are on one network connected via two downstream switches. Is it just a matter of setting up a subnet or should we consider a VLAN for the guests?

  4. #4
    Moderator YeOldeStonecat's Avatar
    Join Date
    Jan 2001
    Location
    Somewhere along the shoreline in New England
    Posts
    50,920
    I'd do it with port based VLANs on a managed switch.
    I take it these guest rooms have a network jack? Or are you looking at wireless..such as a second SSID for guests? Or both?
    MORNING WOOD Lumber Company
    Guinness for Strength!!!

  5. #5
    CaptainDon
    Guest
    Actually we were thinking of wireless if possible as most of the rooms do not have wall jacks and they would be difficult to put in. If we stick to wireless only what is involved in setting up another SSID? Thanks for your input. :-)

  6. #6
    Moderator YeOldeStonecat's Avatar
    Join Date
    Jan 2001
    Location
    Somewhere along the shoreline in New England
    Posts
    50,920
    Several approaches....some I'd prefer over others, but all depending on a budget.

    First..what is your primary router, and any models of switches..access points...basically, what's a list of all the hardware you have now?
    And budget?
    And what sized area...how far away is this guest room from the area you currently probably have your broadband modem and router?

    I'll be on and off throughout the weekend..but due to holiday weekend and getting some errands 'n shopping and visiting there may be 1/2 a day between posts..so I'm not ignoring you if you don't see quick replies.
    MORNING WOOD Lumber Company
    Guinness for Strength!!!

  7. #7
    CaptainDon
    Guest
    I know it is Thanksgiving in the USA so probably you are enjoying yourself! :-)

    The main service modem is a SpeedStream 6520 connected to a DSL service ISP. ( http://service.sympatico.ca/index.cf...ontent_id=5379 ) Two computers are directly connected to the router and the other two ports are connected to two D-Link DSS-5+ unmanaged five port switches. The remainder of the computers and network printers are connected to these switches.

    Since this is an old church (1854/1891) it would be difficult to use Cat 5e to jacks with all the stone walls. The maximum distance we would like the wireless service is probably around fifty feet. Our budget would be something under $500 as we are not sure this would increase our rentals yet. Thanks,

  8. #8
    Moderator YeOldeStonecat's Avatar
    Join Date
    Jan 2001
    Location
    Somewhere along the shoreline in New England
    Posts
    50,920
    K so the 6520 is a combo modem/wireless router.

    A few different approaches.

    ***Down and dirty inexpensive method...purchase another wireless router, set its WAN to obtain auto/DHCP client, make sure its LAN IP range is not the same as your primary network. Uplink its WAN interface to a LAN port on your network. With the 6520 at 192.168.2.xxx.....this shouldn't be a problem as most home grade routers are 192.168.1.xxx or 192.168.0.xxx. Or change it to something quite different, like 10.1.1.1. Set up a different SSID for this "guest" wireless with a different security key. And secure the web admin password for the router.

    Clients of this guest network will not be able to browse network places and find your office network. Someone who is network savvy could possibly poke around via IP and find resources on your network..as you can browse by IP address with this method. But it would take quite a bit of hit or miss. And there's a slight chance of a worm hopping over to your network. You can't see guests' computers...the one way firewall of this guest router prevents that.

    ***Method 2.....my preferred method. Purchase 2x wireless routers and a managed switch. (easily doable with your budget) Disable the built-in wireless of the 5120. Set up one of the wireless routers as an access point on your network, not in router mode, but reconfigured as an access point (pretty easy..we can cross this bridge later if you select this path).

    Set the managed switch's web admin IP address to match the IP range of your existing network...say, 192.168.2.2. Change its web admin password.

    Uplink your 6520 to port 1 of this managed switch. So port 1 of this switch is the port leading to the router..so it's the port for internet access.

    Plug your office computers into ports...say...2-12 of the managed switch. Make ports 2 - 12 members of VLAN 1. Add port 1 as a member too. The wireless router that you reconfigured as an access point will have one of its LAN ports uplinked to one of the ports 2-12.

    Now..take the 2nd wireless router...for the guest, reconfigure it as an access point..and plug it into port 13. Make port 13 VLAN2. Add port 1 as a member of this VLAN also. This wireless router has its own unique SSID and security key...different from your office wireless.

    Computers which are members of VLAN 1 cannot see computers which are members of VLAN 2..and vice versa.

    A basic managed switch like the Linksys/Cisco SRW224G4...can be found in the low 200 range..even a hair under 200...just to give you an example of price. Certainly other brands too..the feature to look for that I'm using here is "port based VLANs"...find any brand managed switch that supports this and you're all set.

    For a church network, content filtering would be of importance. OpenDNS is a DNS service which offers free content filtering, as well as helps protect you by blocking known malware sites. Easy to implement into your DHCP service..such as your router.
    MORNING WOOD Lumber Company
    Guinness for Strength!!!
