Hi to all the members

I'm loosing myself in a glass of water :-)

So thank you for any support.

I have got one ADSL router with WIFI capability.

At the moment, I can only take advantage of the password protection (there are windows PCs in the wired network) on the workstations.

In my mind it comes that the solution should be something like: WIFI guests should get one DHCP address that is on one IP range different than the wired one.
To achieve this, if needed, I can set fixed IPs on the wired workstations (they are not so many).

But next I'm wondering about, which could be the smartest setup? because I suppose, the router IP must be in the wired IP range.

Could the router IP be something like 192.168.1.1 and its DHCP server, being 192.168.0.100 to .0.200 ?
But next? How it would be achieved to allow WiFi guests to browse the internet? Setting something up in the router's NAT or ROUTING?
Or is it needed to (maybe) setup one linux VM on the server (there is one VirtualBox running) and use it for this need?

Thank you for any hint, I'm not so strong with these setups and this confuses me a bit.

Cor.

Depends on your router.

I can configure the DCHP wirless addresses to be greater than .200 and the hardwired to be .100 and below (or the other way round)as part of my router settings, so I also reserve some for static IPs on printers and NAS between .100 and .199 this overlapping of ranges would allow you to have separate and shared access on submets

I think you need to understand subnets and masks a bit better, I suggest

www.bradreese.com/how-to-subnet-a-network.pdf

as a good introduction and see if you can set up such a scheme on your router and then use masks on your devices to provide access. It's a bit difficult to help more with more info (type of router, number of wireless and wired devices etc)

Your router may have a couple features that will help. 1) wireless connections are isolated. 2) Have two APs. One for the LAN, another for guests.

@ Uaebuntu and jschiwal

thank you for your kind replies

unfortunately, I can find only the Italian version of this router' user guide.

There are the available settings.

The best I can figure out, should be to setup the DHCP to serve let's say, the addresses from .100 to .150 and next, to setup the routing or the NAT (sorry, here I'm not so strong), to allow those 50 IPs, the internet access only.

What is your opinion?

As said above the issue is that WiFi clients are /will be ONLY considered foreign guests, so they should be able to browse the internet only, while they should be DENIED to browse the LANs (intranet) resources.

Thank you


EDITED: sorry, seen right now on the F.M. (R.T.F.M :-) ). This router (see the user guide, PDF page 50, chapter 4.4.5) allows to setup VLANs: could this feature being the solution?

Yes.

cool... but how?

I see on the manual (sorry at the moment that router is up and running installed in another location, so I will be able to do some tests only the next week) that I can assign the 4 RJ45 ports to VLAN 1 and i.e. the WiFi "NIC" to VLAN 2.

But next?

Do you suppose that the router will manage to allow the internet access to WiFi clients without allowing "them" to browse the RJ45 resources? Or is it supposed to have a second element, i.e. one soho firewall box to place between the adsl router and that office hub/switch?

Thank you for any suggestion and for your kind replies

Cor

Reading may help understanding what it is and how it works: Network virtualization -> Virtual LAN -> Tagging.


After reading (and maybe search for "Linux VLAN HOWTO" to get a feel for how you would do things manually) you should conclude your router takes care of all things VLAN for you w/o the need for any extra hardware.

*BTW have a look at this vulnerability that recently surfaced. While this shouldn't scare you (yours isn't the TP-Link TL-WR841N after all) it should serve as a warning that you should secure the device as much as possible (no management access from outside the LAN, no default passwords, strongest wireless encryption possible, guard against connecting unauthorized devices or isolate them in a different VLAN) and remain vigilant. For example if the device comes with remote syslog capabilities then you could send them to your server and parse logs there for anomalies.

1 members found this post helpful.

Dear unSpawn, thank you so much for your answers and hints.

It will be interesting to test this and how it works; this issue also allowed me to dive a bit in the VLANs argument, though and so thank you for your links too.

To make the things a bit tricky I would ask you the last curiosity:
let's say that one day in the future would araise the need to allow some LAN/Office users/employees to connect their notebooks to the LAN in WiFi mode. If it will happen, at that point, I suppose some extra device/s will be needed, isn't it? Basically for the fact that two different WiFi accesses were needed, or not?

Thank you

Cor

Depends. Modern Wireless routers often allow for several, separate wireless networks. Search for "Multiple SSIDs Settings".

Hi unSpawn! Unfortunately, according with the manual, this model has got only one SSID.

Anyway, I'd like to better understand what you mean, as example, what about VLANs? Do you mean that certain routers, providing multiple SSIDs are also providing VLANs for SSIDs? Or what?

Thank you for your hints

Cor

OK, so be it.


Did you search the 'net for like "Linux VLAN HOWTO" or "Linux 802.1q tagging"?


A Wireless router will provide one SSID. It may allow you to configure multiple SSIDs, a wired-only "port-based" VLAN or wired-only, separate wired and wireless or hybrid "virtual port" VLANs. It depends on the routers feature set (or if it runs Linux: if you're able to configure it anyway). And if a router doesn't provide all the features you want then additional hardware may help. For example you could have your access point just forward traffic to another machine which takes care of authentication, DHCP and routing.

I've read that some routers allow to load an "open" linux firmware.

Do you have some links?

Thank you so much for all the infos.

It's time you start searching the 'net: http://www.dd-wrt.com/wiki/index.php...evices#TP-Link and http://www.techinfodepot.info/index....TD-W8961ND_2.0 Note the latter concerns a V2 but it gives you firmware names to search for.