Old 17-01-2006, 02:31   #1
Guest 22808
Trusted User
 
Windows Server query (limiting network access)

Is this scenario possible?

Currently have a company network with a Windows 2003 server acting as domain controller. Users all have log-in names/passwords, and internet-only access is available by just plugging e.g. a laptop into a spare network port with no configuration or log-on required (would have to join domain to get network shares).

Have added a wireless access point to extend network to a group of PCs located outside the network cabled area (although this group only needs web access).

Would like to share our wireless connection/internet with our neighbours (being friendly sorts), however obvious security concern.

I understand WAP would need to run without WEP/WPA encryption or MAC-filtering to allow public access. However, surely that will mean someone could log-on to our network if they guessed the domain name and a valid username+password.

Is there a way around this, i.e. allow standard web connections but block 'computer network' access?
(Having a completely separate ADSL connection just for the public wouldn't be feasible)

I think the solution may lie with authentication, am I right there?

Any assistance/thoughts from you brainy bunch?

Last edited by adam.mt; 17-01-2006 at 13:23.
Old 17-01-2006, 03:04   #2
Kryten
Administrator
 
Sounds like you need a firewall in the middle there! Can the WAP block anything but HTTP/HTTPS ports or is it purely a WAP and not a firewall? You could put a cheap hardware firewall in place. I think some routers also allow service filtering by MAC but not sure how well that works as have never tried it.
Old 17-01-2006, 13:22   #3
Guest 22808
Trusted User
 
Standard WAP (NetGear WG602 I think), doesn't seem to be any firewall like settings on there, though does have MAC filtering (that wouldn't allow public access though!).

Any Windows Server experts? Is it not possible to block network access through its settings to any PC unless on a 'whitelist' or similar?
Old 17-01-2006, 13:41   #4
Anthony.S
XBL - AnthonyS UK
 
Why not put the AP on a separate segment with a route to the gateway only? Most APs have a bridging mode these days.
Old 17-01-2006, 23:23   #5
Guest 22808
Trusted User
 
Thanks Anthony, could you explain in idiot terms please! (I'm on a learn-it-myself process here for Win Server and networking beyond the basics).
Old 18-01-2006, 08:48   #6
Guest 27098
tered User
 
Quote:
Originally Posted by adam.mt
Thanks Anthony, could you explain in idiot terms please! (I'm on a learn-it-myself process here for Win Server and networking beyond the basics).
If you have something like ISA server then you can add another nic adapter and put your access point on there.

I'm not sure I would want to share the access point with an (untrusted) 3rd party and not being particularly familiar with the latest access-point developments unsure as to if you can do this securely.

Best bet is another nic on your firewall and they plug-in their own access point.

Last edited by FunkyD; 18-01-2006 at 08:48.
Old 18-01-2006, 09:20   #7
Anthony.S
XBL - AnthonyS UK
 
OK. Let's say you have a PC on 192.168.1.1 with a netmask of 255.255.255.0. The first three octets of the netmask determine the network address and so your PC on 192.168.1.1 will only be able to communicate directly with other PCs with the same network address i.e. 192.168.1.2 etc. If you want to communicate with other networks your PC needs to know how to get to them. This is known as a route and can be added either manually on the PC or by using a router (either software or hardware).
So if all your current clients are on 192.168.1.x create a separate wireless LAN on 192.168.2.x using the AP and create a route on your router from WLAN <-> WAN but not WLAN <-> LAN. Hopefully this makes some sense and your hardware is capable of this.
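The addressing and routing rule from the post above, worked through as an added example (not code from the thread or from any router vendor). The rule list, its first-match ordering and the sample host addresses are assumptions made for illustration; it shows which traffic the router ever gets to filter and how rule order decides whether guests stay isolated.

```python
import ipaddress

# Addressing assumed from the post: wired LAN on 192.168.1.x, guest WLAN on 192.168.2.x.
LAN = ipaddress.ip_network("192.168.1.0/24")
WLAN = ipaddress.ip_network("192.168.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Hypothetical router forwarding rules, first match wins: (source, destination, action).
POLICY = [
    (WLAN, LAN, "drop"),     # guests never reach the company network
    (LAN, WLAN, "drop"),     # and the company network never reaches guests
    (WLAN, ANY, "forward"),  # WLAN <-> WAN
    (LAN, ANY, "forward"),   # LAN <-> WAN
]

def network_of(ip, netmask="255.255.255.0"):
    """Network address a host belongs to under the given netmask."""
    return ipaddress.ip_interface(f"{ip}/{netmask}").network

def same_network(a, b, netmask="255.255.255.0"):
    """Hosts talk directly only if the netmask gives both the same network address."""
    return network_of(a, netmask) == network_of(b, netmask)

def decide(src, dst, policy=POLICY):
    """Return 'direct', 'forward' or 'drop' for a packet from src to dst."""
    if same_network(src, dst):
        return "direct"  # same segment: the router and its rules are never consulted
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, action in policy:
        if s in src_net and d in dst_net:
            return action
    return "drop"  # default deny for anything the rules do not cover

def guest_isolated(policy=POLICY):
    """Spot-check one constructed host pair in each direction between WLAN and LAN."""
    guest, staff = str(WLAN[10]), str(LAN[10])  # constructed sample hosts
    return decide(guest, staff, policy) == "drop" and decide(staff, guest, policy) == "drop"

if __name__ == "__main__":
    print(decide("192.168.2.10", "203.0.113.5"))   # guest to an internet host
    print(decide("192.168.2.10", "192.168.1.1"))   # guest to a company PC
    print(decide("192.168.2.10", "192.168.2.11"))  # guest to another guest
    print(guest_isolated(list(reversed(POLICY))))  # same rules, allow-any listed first
```

Traffic between two guests on 192.168.2.x comes back as `direct`: it never crosses the router, so the routing rule separates guests from the company LAN but not from each other.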
Old 18-01-2006, 10:00   #8
Guest 20598
gotta be innit to winnnit
 
Loco

it's best to give them internet access via another network from your router/firewall level. in a nutshell they use your internet connection but are not on your company network.
a SonicWALL TZ170W would be ideal as the wireless lan is on a separate network to the wired.

you can also have your own guys use the wireless if they wanted to and then use VPN to connect back to your office network.

i hope that helps.

btw sonicwalls are not your average netgear router price.
Old 18-01-2006, 11:09   #9
Guest 22808
Trusted User
 
minstap - thanks for that, the SonicWALL you indicate would seem to be fine and I guess I could use existing NetGear home APs to just extend wireless range? Would you just plug the SonicWALL into any point on the wired LAN (like existing AP) and then it provides wireless access but with the controls which budget (home) APs lack, i.e. allow internet access but deny company network access?

Anthony's solution would seem to be less expensive (and easier) though.

Anthony - understand the separate segment bit fine, not sure on the router. Right, I'd need to plug the AP into a router (or replace with a wireless router). Then enable DHCP on this router with a different segment address, so wireless bit is kept separate. Now how do I physically connect this router to our internet connection? Just connect from company LAN to WAN port on router, yes?

Thanks again for all the help.

Last edited by adam.mt; 18-01-2006 at 11:24.
Old 18-01-2006, 11:35   #10
Anthony.S
XBL - AnthonyS UK
 
How is your internet access set up?
Old 18-01-2006, 11:49   #11
Guest 22808
Trusted User
 
Draytek ADSL router into a racked 48-port switch to which each networked PC is connected. Think, but not sure, server is just connected into this as 'another PC'. Although, I do know server connects with a gigabit connection whereas rest of switch's ports are 100mb.
Old 18-01-2006, 12:19   #12
Anthony.S
XBL - AnthonyS UK
 
Ooh a Draytek, they have some nice features. You may be able to use one of the ports on the router itself to connect the AP to and then configure that port as a VLAN. I have a 2600G and can see options for 2nd LAN IP and DHCP. Not used it like this myself but draytek tech support are pretty good.
Old 18-01-2006, 13:58   #13
Guest 22808
Trusted User
 
Thanks, looking at the Draytek site it could be a 2600G (or similar older model) which would mean could configure VLAN (http://www.draytek.co.uk/support/kb_vigor_vlan.html shows how).

Great solution, thanks bud. Will take a look when I'm back in work tomorrow and post back here.

(Just wondering, was I right on the setup of a wireless router plugged into the network; or is this not what you meant?)

Last edited by adam.mt; 18-01-2006 at 14:01.
Old 19-01-2006, 09:54   #14
Anthony.S
XBL - AnthonyS UK
 
That solution looks exactly what you were after.
Glad you had the foresight to spend the extra on a Draytek.

On your suggestion regarding the wireless router, I think a cable wifi router would have done the trick as the WAN port is usually an RJ45 connector on these as opposed to an RJ11 on dsl equipment.
Old 20-01-2006, 18:47   #15
Guest 22808
Trusted User
 
Draytek is a "2600Plus" so should have VLAN support.

Wireless router - yeah I know it would need to be a cable router, just checking how you would connect it.

Full story: Actually need to add wireless to two buildings.

main building - have found wireless AP fitted on one floor doesn't reach the other, so will place open connection on ground floor wired into VLAN on Draytek thereby giving internet access for all; and WAP (not thru VLAN) with encryption enabled on upper floor giving full internet and server/network access to core employees (who will have encryption key).

neighbouring building - got a feeling only one network port is wired through from the main building's server network. This building houses a group of 4 Macs that need internet access through wireless (which can be shared with neighbouring public), and 3 PCs connected via a switch (internet access only) and 1 PC requiring server/network access.
Still need to check no. of ports wired through, hopefully is 2 so one port to network PC, and 1 port (via VLAN) with switch and WAP to other PCs and Macs. However, if it is just the one port then will have to look at replacing WAP with wireless router in the manner you originally suggested Anthony.

Thanks for the assistance.