public wireless with Internet access only

Pants

I'm trying to get my virtual wireless network (SSID is "public") so that it ONLY has access to the Internet, and not the router, for security. Is this possible? It's just an experiment...btw

I've got a Linksys e3000 with Tomato 1.28 installed. The e3000 is sitting in the 2Wire DMZplus zone...So the e3000 is getting the Internet Public address assigned to it.

VLAN 1 on the e3000 is 192.168.2.1/24

VLAN 2 on the e3000 is 192.168.3.1/24

Modem is at 192.168.1.254/24

Primary (private) wifi is bridged to 192.168.2.1 interface

public virtual wifi is bridged to 192.168.3.1 interface, currently
 
Well I thought of one way of doing this. I could just disable wireless access to the router GUI altogether, or add an "access restriction".
 
Not a big Tomato user, but for most routers you would go to the administration settings and under Web Access you disable the wifi access.

Not sure if that's what you did.
 
I helped out my church yesterday with a problem they had and one guy there mentioned that the person who set up the network made it so the "public" wifi only has access to the Internet and nothing else, and added that the primary router is on a "different network" than the public wifi, so I can't access it from the public wifi.

I'm just trying to imagine how they did this.

I'm not sure what he meant when he said the router is on a "different" network than the public wifi. I can't ask him to clarify because I don't think he really knows what he's saying.

So far all I can come up with is that the public and private wifi are on separate vlans, which is easy enough to understand, but maybe for access restriction they just blocked all wireless access and made it so only wired clients can get into the router configuration GUI.
 
It sounds like maybe the first person activated the Guest Wireless option on the router, which would allow the public to access the Internet but not the local network.
 
I think you're right. I only saw the primary router in the closet, which is a Linksys WRT54G router, and it had a Netgear non-managed switch plugged into it. The router probably has an upgraded firmware on it like OpenWrt or something because there are a total of four wireless access points in the building and each of them has virtual wireless options and each a WAN port and built-in four-port switch, according to the network diagram I have. The firmware used on the router probably supports the "guest" wireless option. My Tomato firmware does not.. :( I'll try to find out what router firmware is being used.
 
There's also (from what I read a little while ago), a "captive portal" option for accomplishing the "guest" set up. The Tomato firmware does support this feature.
 
Regarding your PMs...looks like you got it sorted.

For disallowing administration from wireless, on the left menu...look for Administration. Once on that page, notice a checkbox for "Allow Wireless Access" to the web admin page. Check on or off as desired.

To keep "guests" on the wireless network from being able to find stuff on the main network, what you'd do is set up a second SSID for the guests. And in the wireless settings for this SSID, enable "AP Isolation", which is what other brands more commonly call "Client Isolation". Each wireless client is put in their own VLAN, they cannot access anything else on the network...wireless or wired.
 
in the wireless settings for this SSID, enable "AP Isolation" which is what other brands more commonly call "Client Isolation". Each wireless client is put in their own VLAN, they cannot access anything else on the network...wireless or wired.

Ah!! Thanks

I can't find where it allows enabling of AP isolation for only the "guest" SSID. It looks like it only allows me to set AP isolation for the entire 2.4 band or 5 band. But if the "guest" SSID is bridged to a VLAN different than the private network, shouldn't that be sufficient for keeping guests out of the private network? I guess if you want your guests to be able to access each other then you would leave AP isolation off?

If isolation is enabled, does the "guest" ap have to be bridged to a regular network, so that the dhcp server on that network can give them IP addresses? How do the clients get IP addresses if each client is on a separate vlan?
 
Well, regarding my question above about how wireless clients in AP-isolated networks get IP addresses, it looks like even though the clients are on their own "vlan", they still rely on IP addressing from the network that the SSID is bridged to. So the isolated clients are part of a normal vlan, but they each have another separate vlan...So, a vlan within the vlan? :confused:

In experimenting with AP isolation, I found that wireless clients can't even ping each other, let alone access the workgroup at a higher level in the OSI model... Pretty neat :) I AM able to access the SBS 2008 server on the workgroup which is connected through WIRED network, however, even though AP isolation is enabled.
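
One way to get the "Internet only" behaviour asked for in the first post at the firewall, as an added example that is not from any post in this thread: a script for the router's firewall script box that leaves guests DHCP and DNS on the router and drops their traffic to the router's services, the private LAN and the modem. The bridge names `br0`/`br1` and the `IPT` dry-run variable are assumptions; the subnets are the ones listed in the first post.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: br0 = private LAN
# bridge, br1 = bridge carrying the "public" SSID. Subnets are the ones
# given in the first post.
GUEST_IF="br1"
PRIVATE_NET="192.168.2.0/24"   # VLAN 1, private wired + wifi
MODEM_NET="192.168.1.0/24"     # 2Wire modem side (192.168.1.254)

# Command that receives each rule. The default only prints the rules
# (dry run); run with IPT=iptables on the router to apply them.
IPT="${IPT:-echo iptables}"

guest_isolation_rules() {
    # INPUT = packets addressed to the router itself, on any of its IPs
    # (192.168.3.1, 192.168.2.1 or the WAN address). Guests keep DHCP
    # and DNS; the web GUI, SSH and everything else is dropped.
    $IPT -I INPUT 1 -i "$GUEST_IF" -p udp --dport 67 -j ACCEPT
    $IPT -I INPUT 2 -i "$GUEST_IF" -p udp --dport 53 -j ACCEPT
    $IPT -I INPUT 3 -i "$GUEST_IF" -p tcp --dport 53 -j ACCEPT
    $IPT -I INPUT 4 -i "$GUEST_IF" -j DROP

    # FORWARD = packets routed through the router. Block guest traffic
    # to the private subnet (wired hosts included) and to the modem's
    # management subnet; other forwarded traffic is left to the
    # existing rules.
    $IPT -I FORWARD 1 -i "$GUEST_IF" -d "$PRIVATE_NET" -j DROP
    $IPT -I FORWARD 2 -i "$GUEST_IF" -d "$MODEM_NET" -j DROP
}

guest_isolation_rules
```

These rules only see routed traffic, so they depend on the guest SSID sitting on its own bridge and subnet, as in the first post's layout.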
 