New user on Wired/Wireless setup - Connectivity


Thread: New user on Wired/Wireless setup

  1. New user on Wired/Wireless setup

    Hello group,

    I essentially have a wired business network with about 8 PCs on it, spread
    over 2 workgroups.

    We use a fairly basic router that also has a wireless function on it. We
    don't use this function but it's there as a sort of "Plan B" in case we have
    a problem with our cables.

    Another occupier in our building, has asked if they can access the internet
    via our network. I don't mind in principle but this user is unlikely to be
    here very long and we don't want to go to the trouble and expense of running
    new cables etc. I thought therefore it might be possible to allow access
    using the wireless connection. I obviously don't want this user to be able
    to access any of our business data.

    What I need to know is whether there is a way to set up the other user's
    connection so that they can access the internet, but without allowing them
    to see any of the other machines on our network or access any of our data.
    Is this possible, or once connected will they have access to everything?

    As things stand every PC can see the data on every other PC, since that
    suits our way of working, would we have to change this on all the PCs and
    set specific permissions, excluding the new user, or is there a way for the
    new user to access the internet without becoming part of our network at all?

    Regards,

    Tanel.





  2. Re: New user on Wired/Wireless setup

    Tanel Kagan wrote:
    > What I need to know is whether there is a way to set up the other user's
    > connection so that they can access the internet, but without allowing them
    > to see any of the other machines on our network or access any of our data.
    > Is this possible, or once connected will they have access to everything?


    The way you have it configured, yes they'll have access to everything.
    But you can trivially test - just bring your own wireless laptop in and
    connect to your network. What do you see?

    > As things stand every PC can see the data on every other PC,


    All the data? You mean the entire contents of c:\ or do you have some
    specific area eg c:\data which is shared out? If the former, you have a
    massively insecure config which is ripe for hacking.

    By the way - is your wireless currently disabled or merely unused? If
    it's active then someone could sit in a nearby building and hack you.
    What wireless security are you using?

    > since that
    > suits our way of working, would we have to change this on all the PCs and
    > set specific permissions,


    You'd need to configure all your PCs differently. You need to configure
    all the shares with user-level security and set up usernames on all the
    PCs which are then permissioned to read these shares. Note:

    >excluding the new user, or is there a way for the
    > new user to access the internet without becoming part of our network at all?


    The alternative is to use something called double-nat. You don't want to
    go there, it's complicated.

  3. Re: New user on Wired/Wireless setup

    On Wed, 29 Oct 2008 19:27:11 +0000, Mark McIntyre
    wrote:

    [...]
    >
    >The alternative is to use something called double-nat. You don't want to
    >go there, it's complicated.


    I have not yet run into a situation where double NAT was complicated.
    Granted, it's a relatively uncommon configuration in SOHO and
    residential situations, but only because it's not generally necessary,
    not because it's complicated. If the circumstances call for it, by all
    means use it.


  4. Re: New user on Wired/Wireless setup

    On Wed, 29 Oct 2008 17:43:49 -0000, "Tanel Kagan"
    wrote:

    >We use a fairly basic router that also has a wireless function on it.


    Maker and model of your router please?
    DSL, cable, satellite, fiber, T1, or two tin cans and a string?

    >What I need to know is whether there is a way to set up the other user's
    >connection so that they can access the internet, but without allowing them
    >to see any of the other machines on our network or access any of our data.


    This is the classic coffee shop problem. The idea is to give coffee
    shop visitors access to the internet, without also giving them access
    to the cash register, office computah, etc.

    If you just hang another wireless access point on your existing
    network, the neighbors will have access to everything.

    The easy way to do this is to use two IP addresses from your ISP. Many
    ISP's will sell you a 2nd IP address for a reasonable price. Your
    modem can possibly bridge multiple IP's. That would go to a cheap 4
    port ethernet switch. From there, two separate routers. One would be
    your existing unspecified "fairly basic" router, while the other would
    go to a 2nd router, which would go to the neighbors. I've been doing
    that in my palatial office complex, with 5 businesses sharing a single
    DSL account using 5ea static IP's:


    Many not-so-basic wireless routers have provisions for multiple
    SSID's, each with their own configuration. They generally include a
    method of isolating the wired LAN from at least one wireless network.
    In effect, it's two or more wireless AP's in one box. The default and
    only route for the "guest" wireless zone points to the ISP's gateway
    IP and on to the internet. For example, Sonicwall has their "wireless
    guest service" and Security Zones:


    Another way is to use a router with 3 or more ports. One for the WAN
    interface, and one LAN port each for you and your neighbor. Each has
    their own subnet with IP tables set up so that no packets go between
    the two LAN ports. It's fairly easy with a PC based router, where
    multiple ethernet cards can easily be added. One of these ethernet
    cards can be an internal PCI wireless card, so the amount of added
    hardware is minimal. I used to do this using Freesco, which can
    handle 10 ethernet cards on a floppy or CF card boot:





    There are also ways to do this using double NAT and VPN tunnels.
    Double NAT can get messy if you have to do port forwarding (for VoIP
    for example). VPN tunnels are probably more complicated than you want
    to deal with.


    --
    Jeff Liebermann jeffl@cruzio.com
    150 Felker St #D http://www.LearnByDestroying.com
    Santa Cruz CA 95060 http://802.11junk.com
    Skype: JeffLiebermann AE6KS 831-336-2558
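
The three-port router approach from post 4 (one subnet per LAN port, no packets between the two LAN ports), shown as an added example that is not part of the original thread or any poster's own configuration. It assumes a Linux PC router using iptables; the interface names and subnets are hypothetical.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for a three-port Linux router.
# Interface names and subnets are assumptions, not values from the thread.
WAN_IF="${WAN_IF:-eth0}"        # to the DSL modem / ISP
OFFICE_IF="${OFFICE_IF:-eth1}"  # business LAN
GUEST_IF="${GUEST_IF:-eth2}"    # neighbour's port or wireless card
OFFICE_NET="${OFFICE_NET:-192.168.10.0/24}"
GUEST_NET="${GUEST_NET:-192.168.20.0/24}"

guest_isolation_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Router itself: office may manage it; guests get only DHCP and DNS
# (assumes the router serves DHCP/DNS to the guest subnet).
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $OFFICE_IF -s $OFFICE_NET -j ACCEPT
-A INPUT -i $GUEST_IF -p udp --dport 67 -j ACCEPT
-A INPUT -i $GUEST_IF -s $GUEST_NET -p udp --dport 53 -j ACCEPT
-A INPUT -i $GUEST_IF -s $GUEST_NET -p tcp --dport 53 -j ACCEPT
# No packets between the two LAN ports, in either direction.
-A FORWARD -i $GUEST_IF -o $OFFICE_IF -j DROP
-A FORWARD -i $OFFICE_IF -o $GUEST_IF -j DROP
# Each LAN may reach the internet only, and only from its own subnet.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $OFFICE_IF -o $WAN_IF -s $OFFICE_NET -j ACCEPT
-A FORWARD -i $GUEST_IF -o $WAN_IF -s $GUEST_NET -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Review the output, then load it as root: sh guest-rules.sh --print | iptables-restore
if [ "${1:-}" = "--print" ]; then
    guest_isolation_rules
fi
```

IP forwarding has to be enabled separately on the router (`net.ipv4.ip_forward=1`). Because the FORWARD policy is already DROP, the two explicit inter-LAN DROP rules mainly document intent and keep the separation in place if a broader ACCEPT is added later below them.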

  5. Re: New user on Wired/Wireless setup

    > is there a way for the new user to access the internet without becoming
    > part of our network at all?


    With a basic router? No. With one that supports access control lists, yes
    but with a fair amount of technical knowledge (aka configuring it).



  6. Re: New user on Wired/Wireless setup

    > Maker and model of your router please?
    > DSL, cable, satellite, fiber, T1, or two tin cans and a string?


    It's a 3com "OfficeConnect ADSL wireless firewall router". I think the
    model number is 3CRWDR100A-72. I'm not actually sure how "basic" it is, but
    it didn't cost much and it looks fairly simple in terms of connections etc.
    As you may have guessed, I'm not an IT expert!

    >>What I need to know is whether there is a way to set up the other user's
    >>connection so that they can access the internet, but without allowing them
    >>to see any of the other machines on our network or access any of our data.

    >
    > This is the classic coffee shop problem. The idea is to give coffee
    > shop visitors access to the internet, without also giving them access
    > to the cash register, office computah, etc.


    Yes. A very good way of putting it!

    > If you just hang another wireless access point on your existing
    > network, the neighbors will have access to everything.
    >
    > The easy way to do this is to use two IP addresses from your ISP. Many
    > ISP's will sell you a 2nd IP address for a reasonable price. Your
    > modem can possibly bridge multiple IP's. That would go to a cheap 4
    > port ethernet switch. From there, two separate routers. One would be
    > your existing unspecified "fairly basic" router, while the other would
    > go to a 2nd router, which would go to the neighbors. I've been doing
    > that in my palatial office complex, with 5 businesses sharing a single
    > DSL account using 5ea static IP's:
    >
    >
    > Many not-so-basic wireless routers have provisions for multiple
    > SSID's, each with their own configuration. They generally include a
    > method of isolating the wired LAN from at least one wireless network.
    > In effect, it's two or more wireless AP's in one box. The default and
    > only route for the "guest" wireless zone points to the ISP's gateway
    > IP and on to the internet. For example, Sonicwall has their "wireless
    > guest service" and Security Zones:
    >
    >
    > Another way is to use a router with 3 or more ports. One for the WAN
    > interface, and one LAN port each for you and your neighbor. Each has
    > their own subnet with IP tables set up so that no packets go between
    > the two LAN ports. It's fairly easy with a PC based router, where
    > multiple ethernet cards can easily be added. One of these ethernet
    > cards can be an internal PCI wireless card, so the amount of added
    > hardware is minimal. I used to do this using Freesco, which can
    > handle 10 ethernet cards on a floppy or CF card boot:
    >
    >
    >
    >
    >
    > There are also ways to do this using double NAT and VPN tunnels.
    > Double NAT can get messy if you have to do port forwarding (for VoIP
    > for example). VPN tunnels are probably more complicated than you want
    > to deal with.


    A wealth of information there Jeff. Much of it beyond my immediate
    knowledge, but it certainly gives me a starting point, from which I can do a
    bit more research and see which option is best.

    Many thanks for your time.

    Tanel.

    > --
    > Jeff Liebermann jeffl@cruzio.com
    > 150 Felker St #D http://www.LearnByDestroying.com
    > Santa Cruz CA 95060 http://802.11junk.com
    > Skype: JeffLiebermann AE6KS 831-336-2558




  7. Re: New user on Wired/Wireless setup

    >> is there a way for the new user to access the internet without becoming
    >> part of our network at all?

    >
    > With a basic router? No. With one that supports access control lists,
    > yes but with a fair amount of technical knowledge (aka configuring it).


    Thanks Bill.

    Tanel.



  8. Re: New user on Wired/Wireless setup

    On Thu, 6 Nov 2008 17:00:18 -0000, "Tanel Kagan"
    wrote:

    >> Maker and model of your router please?
    >> DSL, cable, satellite, fiber, T1, or two tin cans and a string?

    >
    >It's a 3com "OfficeConnect ADSL wireless firewall router". I think the
    >model number is 3CRWDR100A-72.




    Hint: If you ask such questions, try to include:
    1. What problem are you trying to solve?
    2. What do you have to work with? (hardware, software, makers,
    models, versions, location, environment, user count, etc)
    3. What have you done so far, and what happened? (only for
    troubleshooting type questions).

    >I'm not actually sure how "basic" it is, but
    >it didn't cost much and it looks fairly simple in terms of connections etc.


    It looks fairly basic. I'm not a big fan of all-in-one
    DSL/router/wireless boxes. I like to have the DSL modem separate. One
    reason is that you cannot use the trick of having the ISP deliver
    multiple IP addresses, through the DSL modem, and then connect two or
    more routers to the single DSL modem as in:

    You have to have access to the connection between the DSL modem and
    the router for this to work.

    I sometimes like to have the wireless access point section separate
    from the router. That's because the wireless wants to live up high in
    the room, for best wireless coverage, while the router wants to live
    low on the floor, behind someone's desk, amid the tangle of CAT5
    cables, wall warts, power strips, etc. It's difficult to reconcile
    the requirements for neatness and wireless coverage unless you use
    separate boxes.

    >As you may have guessed, I'm not an IT expert!


    IT experts are easy to recognize. They never guess.

    --
    Jeff Liebermann jeffl@cruzio.com
    150 Felker St #D http://www.LearnByDestroying.com
    Santa Cruz CA 95060 http://802.11junk.com
    Skype: JeffLiebermann AE6KS 831-336-2558
