LinuxQuestions.org
Old 08-20-2008, 01:47 AM   #1
netboy_541
Member
 
Registered: Jul 2003
Location: Hamilton, OH
Distribution: Redhat 9, SuSE 10.1 & 10.2, Kubuntu
Posts: 173

Rep: Reputation: 30
a solution for two separate lans to use one wan


Hello Everyone.

I'm trying to figure out a solution that will make my tenants' lives a bit easier, and at the same time, I don't want to put my network out in the open.

Here's my "idea"...


I have one outbound internet connection.
I currently have it tied to my router, and about 10 devices are attached to it. (printers, servers, vmware servers, machines)
Since I'm such a nice guy, I am going to be sharing my internet with some of my tenants.
Of course, this will be filtered content, and they are aware that porn and the like is forbidden.

I do NOT want them to be able to connect to my lan infrastructure.
I have another AP, and want to have them connect to it. It's a router/firewall all in one. Plug it in, configure it, allow access, done.

I do not want them to be able to access MY lan at all, and would like a way to be able to throttle their bandwidth usage. The router I have does not allow for bandwidth restrictions.

I'm thinking I might be able to pull this off with some sort of a VMware solution, but I don't know.

I really really really need to be able to throttle the bandwidth coming from that network segment, but I'm not really sure what will do the job. I'm willing to purchase a hardware device, if it will let me throttle the wireless. I don't want to spend a bunch of money tho.

Hopefully this makes some sense....

I guess the easiest way to describe it is I'm building two separate networks, on two different subnets, but they use the same gateway to the internet. I just don't want anyone to be able to look at my side of the network.


Thanks for any ideas in advance...
 
Old 08-20-2008, 02:00 AM   #2
rocket357
Member
 
Registered: Mar 2007
Location: 127.0.0.1
Distribution: OpenBSD-CURRENT
Posts: 485
Blog Entries: 187

Rep: Reputation: 74
Quote:
Originally Posted by netboy_541
need to be able to throttle the bandwidth coming from that network segment, <snip> I just don't want anyone to be able to look at my side of the network.
That could be done relatively easily with OpenBSD's pf.

http://cvs.openbsd.org/faq/pf/filter.html for restricting access to your lan
http://cvs.openbsd.org/faq/pf/queueing.html for bandwidth throttling
 
Old 08-20-2008, 02:06 AM   #3
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
You don't want them to be able to view your network because... they'll find your pr0n?

Ahh, but seriously... This is a very typical network deployment. All you need is a flexible firewall with 3 network interfaces. You plug one interface into your Internet-connected device (cable modem, DSL router, etc), and each of the other two interfaces plugs into a separate switch. You could attach a wireless AP to either switch and configure them with separate SSIDs, separate authentication keys, etc...

The key is that the firewall in the middle allows you to write rules such that no connection from interface B is allowed to go to interface C (assuming B is your guests, and C is your LAN). You can also configure separate QoS rules on each interface.

What allows you to do this? Well there are plenty of pre-built Linux and BSD OSs out there that are dedicated firewalls, or you could build your own solution from scratch by installing your favorite OS and writing the firewall rules by hand. The firewall OS could be installed "on bare metal", or on a VM, but either way you're going to want a box with 3 NICs in it. Most motherboards come with one built-in, so you'd install two more as expansion cards. Typically the built-in card has the lowest performance, so you'd use that for your Internet link since that's limited to the bandwidth of your cable/DSL connection anyway. Use the two "good" cards for your LAN connections.
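
The three-interface layout described in the post above, sketched for a hand-built Linux firewall with iptables and tc. This is an added example, not part of any post in this thread; the interface names (eth0 WAN, eth1 guests, eth2 LAN) and the rates are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): guest/LAN isolation plus a guest
# bandwidth cap on a three-NIC Linux firewall. Interface names and rates
# are assumptions; adjust before use.

# Emit the rule set as text so it can be reviewed before it is applied.
# usage: fw_rules WAN_IF GUEST_IF LAN_IF GUEST_DOWN_RATE GUEST_UP_RATE
fw_rules() {
    wan=$1 guest=$2 lan=$3 down=$4 up=$5
    cat <<EOF
# Route between interfaces; drop anything not explicitly allowed.
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -F FORWARD
# Guests never reach the LAN. Listed first so no later ACCEPT can shadow it.
iptables -A FORWARD -i $guest -o $lan -j DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -j ACCEPT
iptables -A FORWARD -i $guest -o $wan -j ACCEPT
# Both networks share the single Internet link through NAT.
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
# Cap guest download: shape what the firewall sends out of the guest NIC.
tc qdisc replace dev $guest root tbf rate $down burst 32kb latency 400ms
# Cap guest upload: police what arrives on the guest NIC.
tc qdisc del dev $guest ingress 2>/dev/null || true
tc qdisc add dev $guest handle ffff: ingress
tc filter add dev $guest parent ffff: protocol ip prio 1 u32 match ip src 0.0.0.0/0 police rate $up burst 32k drop flowid :1
EOF
}

# Dry run by default: print the commands. APPLY=1 (as root) executes them.
# eth0/eth1/eth2 and the rates below are placeholder assumptions.
if [ "${APPLY:-0}" = 1 ]; then
    fw_rules eth0 eth1 eth2 4mbit 1mbit | sh -e
else
    fw_rules eth0 eth1 eth2 4mbit 1mbit
fi
```

The FORWARD chain only covers traffic routed through the box; services running on the firewall itself are governed by the INPUT chain and need their own rules for the guest interface.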
 
Old 08-20-2008, 05:59 AM   #4
netboy_541
Member
 
Registered: Jul 2003
Location: Hamilton, OH
Distribution: Redhat 9, SuSE 10.1 & 10.2, Kubuntu
Posts: 173

Original Poster
Rep: Reputation: 30
Well, I have business related stuff on my array, and I just don't want some jackass trying to sniff out my lan. I don't possess a single piece of porn on any of my machines. I happen to have a girlfriend. And a child. lol.


Anyway, I figured that would be the way to go about it. I have a stack of dual Compaq Netelligent lan cards, some old machines laying around too, so it sounds like I'll be pulling one of those out of the box and putting it to work.


Thanks guys!
 
Old 08-20-2008, 06:48 AM   #5
pinniped
Senior Member
 
Registered: May 2008
Location: planet earth
Distribution: Debian
Posts: 1,732

Rep: Reputation: 50
Have fun.

Did you check out the IPCop project to see if they have all the right toys for you?

http://www.ipcop.org/

They're the first firewalling distro that I'd heard of (back in 2001 I think) - of course it doesn't mean they are the first or even the best, but my buddies all swear by them.
 
  

