LinuxQuestions.org, Linux - Networking forum
#1, 08-27-2004, 03:08 PM
MatthewSabin (LQ Newbie; registered Mar 2003; Middletown, CT, USA; Distribution: Mandrake, Xandros and Undead; 10 posts)
bridging, routing and tunnels -- oh my!


I've got a LAN/WAN for employees in all three of our offices and a LAN for contractors and visitors in one of our offices -- they don't presently touch.

The employee LAN/WAN routes to our parent company for firewalled access to/from the internet and each other.

The guest LAN (in building 2) has a DSL router for internet access, and I "trust" visitors not to hack/spy on each other.

I want to put in a wireless access point for users in building 1.

Visitors and employees could connect to the AP, and I'd sort them out -- bridging employees to the LAN/WAN as if they were wired, and routing visitors to a tunnel interface in building 1 which would carry them to building 2 for routing over the DSL.

My plan is to build a box with two NICs and a tunnel with bridging and routing running.

My DHCP server for that subnet is set to issue "employee net" IP addresses to known MAC addresses and "visitor net" IP addresses to unknown MAC addresses.

Right now a machine with a MAC address matching my DHCP table will get an "employee" address and bridges fine.

I'm not entirely sure how to go about setting up the tunnel (encryption not required) and routing.

Any advice? Or better suggestions?

The bridge/router/tunnel PC is a PIII running Debian/sarge

--Matthew
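Added example, not the poster's own configuration: the tunnel and routing part of the plan above, for the Debian box in building 1 and the router next to the DSL line in building 2. It uses `brctl` for the bridge, `ip tunnel` for an unencrypted GRE tunnel over the employee WAN (encryption is not required in the post), a source-based policy-routing rule so that anything from the visitor subnet leaves through the tunnel, and `iptables` so that routed visitor traffic can go nowhere else. Every interface name, address and table number is assumed; the script prints the commands by default (`DRY_RUN=1`) so they can be reviewed before running them as root with `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example for this thread, not the original poster's configuration.
# Addresses, interface names and the table number are constructed:
#   eth0 - wired employee LAN in building 1      eth1 - port the AP plugs into
#   br0  - bridge of eth0 + eth1, so employee-addressed wireless clients sit on
#          the employee LAN as if they were wired
#   gre1 - unencrypted GRE tunnel over the employee WAN to the building-2 router
EMP_B1=10.1.0.2            # bridge box's employee-WAN address (building 1)
EMP_B2=10.2.0.2            # building-2 router's employee-WAN address
VISITOR_NET=192.168.200.0/24
VISITOR_GW=192.168.200.1   # default gateway the DHCP server hands to visitors
TUN_B1=172.16.99.1         # tunnel endpoint addresses (/30)
TUN_B2=172.16.99.2
DSL_IF=ppp0                # DSL uplink on the building-2 router
VTABLE=100                 # policy-routing table used for visitor traffic

DRY_RUN=${DRY_RUN:-1}      # 1 = print the commands, 0 = execute them (as root)
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Building 1: the bridge/router/tunnel box
building1_setup() {
    run brctl addbr br0
    run brctl addif br0 eth0
    run brctl addif br0 eth1
    run ip link set eth0 up
    run ip link set eth1 up
    run ip link set br0 up
    run ip addr add "$EMP_B1/24" dev br0
    run ip addr add "$VISITOR_GW/24" dev br0     # the box is the visitors' gateway
    run ip tunnel add gre1 mode gre local "$EMP_B1" remote "$EMP_B2" ttl 64
    run ip addr add "$TUN_B1/30" dev gre1
    run ip link set gre1 up
    run sysctl -w net.ipv4.ip_forward=1
    # Source-based policy routing: anything from the visitor net leaves via the tunnel
    run ip rule add from "$VISITOR_NET" lookup "$VTABLE"
    run ip route add default via "$TUN_B2" dev gre1 table "$VTABLE"
    # Routed visitor traffic may only enter the tunnel; replies may only come back from it.
    # Bridged employee frames (in and out on br0) are seen here only when
    # bridge-netfilter is active, and are left to the bridge.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i br0 -o br0 -j ACCEPT
    run iptables -A FORWARD -s "$VISITOR_NET" -o gre1 -j ACCEPT
    run iptables -A FORWARD -i gre1 -d "$VISITOR_NET" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Building 2: the router next to the DSL line
building2_setup() {
    run ip tunnel add gre1 mode gre local "$EMP_B2" remote "$EMP_B1" ttl 64
    run ip addr add "$TUN_B2/30" dev gre1
    run ip link set gre1 up
    run sysctl -w net.ipv4.ip_forward=1
    run ip route add "$VISITOR_NET" via "$TUN_B1" dev gre1
    # Visitors reach the internet only through the DSL, NATed to its address
    run iptables -A FORWARD -i gre1 -s "$VISITOR_NET" -o "$DSL_IF" -j ACCEPT
    run iptables -A FORWARD -i "$DSL_IF" -o gre1 -d "$VISITOR_NET" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$VISITOR_NET" -o "$DSL_IF" -j MASQUERADE
}

if [ $# -gt 0 ]; then
    case "$1" in
        building1) building1_setup ;;
        building2) building2_setup ;;
        *) echo "usage: $0 building1|building2" >&2; exit 2 ;;
    esac
fi
```

The bridge side is the part to watch. Because eth0 and eth1 share one broadcast domain, a client that ignores DHCP and picks an employee-net address of its own is on the employee LAN regardless of the routing rules above; the policy routing only governs clients that accept a visitor-net address. Some per-port filtering on the bridge (or separate access points, as suggested in the next reply) is therefore needed in addition to the tunnel and routing.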
#2, 08-27-2004, 04:07 PM
Dark_Helmet (Senior Member; registered Jan 2003; 2,786 posts)
Here's a different solution (though I have not tried it myself). Rather than go through the complication of setting up a machine to do all that, just buy two wireless access points. Connect one to your employee network, and enable WEP. Connect the other to the visitor network, and either disable WEP or use a different key/channel/SSID.

Using the different WEPs ought to force the wireless NICs to use the appropriate network. It also provides a minimal amount of security. Your visitors won't be able to set up a wireless packet sniffer and monitor your employee wireless traffic. You didn't explicitly state it, but it sounds like you were relying on the Debian box to do encryption for you. In my opinion, that's overlooking the immediate threat of visitor eavesdropping.

Since you are "trusting" the visitors not to spy on each other, then WEP for their network could be disabled. However, one of your employees could turn around and disable WEP on their NIC, and they could packet sniff on your visitors. I'd make sure your visitors understand they should not be transferring sensitive data without encrypting it on their own. WEP for the visitor network would be weak at best (because every visitor and your employees know the key and could packet sniff), but it would provide some minimal protection for your visitors from random, third-party eavesdroppers.

Cycling the WEP keys for your employee network is also a decent security measure. It would prevent visitors from gaining access to the employee network for an extended period of time, although you risk annoying your employees if you change them too often.

Adding a firewall immediately after the employee access point would be a nice complement. It could be programmed to drop packets from unrecognized MACs similar to what you mentioned before, but without the complication of routing. This way, even if a visitor does get the WEP, they can't access the employee network directly. They could still packet sniff, but that's it.
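The per-MAC filter described in this reply, as an added example that is neither Dark_Helmet's nor the poster's configuration: it takes the `hardware ethernet` entries the DHCP server already holds for known employee machines and turns them into `ebtables` accept rules on the bridge port facing the employee access point, followed by a logged drop for every other source address. The port name, the MACs and the dhcpd.conf fragment are constructed; the script only prints the rules, so they can be reviewed before being fed to a shell as root.

```shell
#!/bin/sh
# Added example for this thread, not Dark_Helmet's or the poster's configuration.
# Builds the per-MAC filter on the bridge port facing the employee AP from the
# "hardware ethernet" entries the DHCP server already keeps for known machines.
# The interface name, the MACs and the dhcpd.conf fragment are constructed.
AP_PORT=eth1   # bridge port the employee access point is plugged into

# Constructed sample of the known-client entries in dhcpd.conf
SAMPLE_DHCPD_CONF='
host emp-laptop-1 { hardware ethernet 00:0a:95:9d:68:16; fixed-address 10.1.0.50; }
host emp-desktop-2 {
    hardware ethernet 00:0D:60:1A:2B:3C;
    fixed-address 10.1.0.51;
}
'

# Print one MAC per line from the dhcpd.conf text on stdin, normalised to lower case
known_macs() {
    sed -n 's/.*hardware ethernet[[:space:]]*\([0-9A-Fa-f:]\{17\}\)[[:space:]]*;.*/\1/p' \
        | tr '[:upper:]' '[:lower:]'
}

# Emit ebtables rules for the AP port: accept frames from known MACs, log and drop the rest.
# ebtables is used because bridged (not routed) frames bypass the iptables FORWARD chain
# unless bridge-netfilter is enabled.
mac_allowlist_rules() {
    port=$1
    known_macs | while read -r mac; do
        printf 'ebtables -A FORWARD -i %s -s %s -j ACCEPT\n' "$port" "$mac"
    done
    # The log prefix makes unknown clients on the employee AP visible in syslog
    printf 'ebtables -A FORWARD -i %s --log-prefix "unknown-mac: " -j DROP\n' "$port"
}

# With a path to dhcpd.conf as the argument, print the rules for that file;
# without one, demonstrate on the constructed sample.
if [ $# -gt 0 ]; then
    mac_allowlist_rules "$AP_PORT" < "$1"
else
    printf '%s\n' "$SAMPLE_DHCPD_CONF" | mac_allowlist_rules "$AP_PORT"
fi
```

Treat the list as a convenience control rather than as authentication: the rule only checks an address the client presents, so it complements the encryption on the employee AP and the firewall behind it instead of replacing either, and it has to be regenerated whenever the DHCP table changes.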