If you still think wireless security is useless because you have nothing to hide ...

pete_c...not sure I completely understand.

Are you saying I can stick with a single static IP address for the WAN, leave the wired router connected to the DSL modem like it is today, then connect the wireless router to the wired router (also like I have it today)? So all devices connected to the wired router will have 192.168.1.nnn private IP addresses. All wireless devices will have 192.168.2.nnn private IP addresses. Then I set up rules to allow the wireless LAN devices to get to the internet thru the wired router, and to the printer on the wired router? If so, are the rules set up in the wireless router or the wired router? I haven't done much with routing rules in the past.

If the above is what you are suggesting...what does that configuration buy me over one using the switch between the DSL modem and two routers (one wired, one wireless), and the routers using different static WAN IP addresses and different private IP addresses behind them?

My wired router's private IP address is 192.168.1.1. The wireless router is 192.168.1.2. Do I change the wireless router to 192.168.2.1?

On a positive note, I did get WPA2 set up and working on the wireless side.

I do plan on using SSL VPN for my personal wireless devices to get into my wired network. For the company's VPN access, I don't have any choice but Cisco's VPN client. It's interesting how many companies still use it. For a long time, Cisco said they would not ever provide support for Windows 64-bit machines for their VPN client and that 64-bit users had to use their AnyConnect VPN client. I guess a lot of their major customers complained because now they have support for Windows 64-bit in the old client.

Thanks,
Ira
 
Are you saying I can stick with a single static IP address for the WAN,
yes
leave the wired router connected to the DSL modem like it is today,
yes
then connect the wireless router to the wired router (also like I have it today)?
on a different network; ideally physically isolated network.
So all devices connected to the wired router will have 192.168.1.nnn private IP addresses. All wireless devices will have 192.168.2.nnn private IP addresses.
yes

Then I set up rules to allow the wireless LAN devices to get to the internet thru the wired router, and to the printer on the wired router?
yes

If so, are the rules set up in the wireless router or the wired router? I haven't done much with routing rules in the past.

The rules are set up on the wired router/firewall. You can utilize the firewall on your wireless router too if you choose to.

Here's a simple drawing.
 

Attachment: pic-1.jpg
I do plan on using SSL VPN for my personal wireless devices to get into my wired network. For the company's VPN access, I don't have any choice but Cisco's VPN client. It's interesting how many companies still use it. For a long time, Cisco said they would not ever provide support for Windows 64-bit machines for their VPN client and that 64-bit users had to use their AnyConnect VPN client. I guess a lot of their major customers complained because now they have support for Windows 64-bit in the old client.

You don't need to utilize SSL VPN on the wireless network if the wireless network is in its own DMZ. (or autonomous network behind a separate rule set firewall)

You can get by using the firewall that's built into the AP, but it would be a PITA. It's easier if you set up the rules on one box with a separate NIC for the wireless AP.

The "stuff" with Nortel / Cisco VPN was mostly a cost cutting effort (my auditing) and monthly spends into the millions for over 100K clients. Just the Cisco HW (routers and switches) maintenance contract was over 1 million a year.

Here are some more basic drawings.
 

Attachments: BasicDMZ-Wireless.jpg, Basic with added router.jpg, DoubleNAT.jpg
More questions (sorry)...

I'm familiar with Smoothwall in name only, so I did a little research. In your diagrams, is it correct to say that each of the lines going into and coming out of the Smoothwall device is a separate NIC?

I would rather go with COTS appliances for all of this, rather than building a Smoothwall box. Are there any COTS appliances that can do the same thing as Smoothwall (and don't cost thousands of $$$), or at least as much as what I'm trying to do? Or, is the COTS solution a switch between the DSL modem and several routers to provide the isolated networks?

Thanks,
Ira
 
that each of the lines going into and coming out of the Smoothwall device is a separate NIC?

yes. Smoothwall is free. I used a small footprint case, Epia 1G, three NICs booting off a CF card on the current SW box.
 
You might be able to get by using an older Cisco SOHO / Cisco Pix firewall setup. Personally with the SOHO series I found it easier to utilize the command line to set it up versus the kind of cryptic picture/gui interface years ago. Today it's probably better.

The older Westell combo provided the ability to bridge / have multiple WAN IP's. I am not sure how it works though when a commercial appliance doesn't have a sub anymore, and whether you have to re-subscribe it at a cost (like, for instance, a "Barracuda" firewall).
 
I have ATT DSL with 5 static ip addresses as well. I am doing exactly this. The modem is strictly being a modem, then a switch behind it attaches 3 secured wired routers and a fourth public (unsecured) wifi router each with its own static WAN. It has run this way for maybe 8 years and we have had no incidents. I doubt that I have ever been a "target".

Lou,

I got my new wireless router in today so I decided to play around with the type of setup you have (I think). My Speedstream 5360 is just a DSL modem (no router functions), so it is always in bridge mode.

I connected an unmanaged switch to the DSL modem's WAN output. I then connected my wired router to the switch. All of that worked fine. The router got the same WAN IP address as before, and everything on the private network behind the router worked fine. The WAN address ends in "22", and the LAN address is 192.168.1.1. Also, the wired router is set up to get its WAN IP address/gateway/etc. dynamically from the ISP, but it always gets the "22" IP address.

My next step was to connect the new wireless router to a port on the switch. I set the LAN side of the wireless router to 192.168.2.1. The wireless router was also set to get its WAN IP address/gateway/etc. dynamically from the ISP. For some reason, I couldn't get it to connect to the WAN. No good messages in the log. Just that it was starting, then it failed, repeated every minute or so.

Trying different things, I disconnected the wired router, which resulted in the wireless router establishing a connection and getting the IP address that was used for the wired router, which makes sense. Next I tried the option to specify the wireless router's WAN IP address. I used the same info for the IP address/gateway/subnet mask as what was previously obtained dynamically. I rebooted it and it connected with the specified IP address. So I know that the router is set up correctly as long as it is the only router being used and it is set up to use IP address "22".

Next, I tried changing the last octet in the static IP address to 21, and tried again. This time, the router log said something like "the peer rejected the IP address". I did a "whois" on my static IP addresses -- nnn.nnn.nnn.22 down to nnn.nnn.nnn.18 -- and they are all assigned to me.

Any idea why the ISP (AT&T) won't dynamically assign another IP address to the wireless router when the wired router is already connected? I may be using the wrong subnet mask when trying to use a specified IP address other than "22". When I'm connected, the router's WAN status screen shows a subnet of 255.255.255.255, so that's what I was using when I specified one of the other static IP addresses in my block.

How are your routers' WAN connections set up? Dynamic from the ISP or static? If static, what is your subnet mask, and what IP addresses are you using from your block?

Another question, in case I ever get this to work...I assume you have things set up so a machine on Router A can talk to a machine on Router B. When this happens, what route does the data take? Does it go router A -> switch -> Router B, or Router A -> switch -> DSL modem -> ISP -> DSL modem -> switch -> Router B? If it has to go all the way back to the ISP, that's gonna be bad for accessing a NAS box on the wired network from a laptop on the wireless network.

Thanks,
Ira
 
Sounds like you only get one.

In this case, replace the switch with another router (not-wireless). Then run each router into that router. Then you will be able to do what I think you are trying to do.

--Dan
 
Sounds like you only get one.

In this case, replace the switch with another router (not-wireless). Then run each router into that router. Then you will be able to do what I think you are trying to do.

--Dan

Yep, they'll assign you another one if you pay for it. He said he has 5 statically assigned IP's, you have 1 IP. So you need to NAT that to put more than one device on that connection, that's what your router does (or the Smoothwall in the drawings above). So you need a router (that does NAT) or firewall attached to your modem, not a switch.
 
I think you mentioned that you were paying for statically assigned public IP's.

You have to look for your records or call your ISP to get your IP's.

You also have to see if the Firmware on your modem passes multiple statically assigned public IP's. 10 years ago or so the firmware was different on the DSL modems.

Attach a switch to the ethernet port on the modem. From the switch plug in one or more routers/firewalls and configure the WAN side of each with a statically assigned public IP.

Easiest way is to configure the WAN side of your router/firewall with the statically (not DHCP) assigned IP to see if it works still. Then add another router/firewall and give it the second statically assigned IP that you paid for.

If all you have is one dynamically assigned public IP then you have to NAT to the internal private IPs and split it up with more than one router/FW.

ISP==One (1) Dynamic DHCP IP==> Modem ==>

Modem ==> 1 WAN IP router==>NATed==> multiple private IP's off autonomous networks.


ISP (with multiple public static IP's) ==>modem==>
Switch==>
Router/FW #1 with static public IP #1 NAT'd to an autonomous network
Router/FW #2 with static public IP #2 NAT'd to an autonomous network
Router/FW #3 with static public IP #3 NAT'd to an autonomous network
 
I think you mentioned that you were paying for statically assigned public IP's.

Good catch pete. I was not thinking about that (most people don't have all those addresses). I thought he also said he wanted to reduce his bill. If that's the case, he could NAT specific ports to specific routers in the 2 router setup (1 external IP).

--Dan
 
Ira,

I have ATT DSL business service with 5 static IP addresses. They provided a Netopia Cayman Series 3000 broadband Gateway. This unit has a built in 4 port switch. I have it in bridge mode. I haven't logged into the unit in years but I think it can serve as a router if you want. If it were serving as a router, everyone would have to share the same WAN address, which is doable but much more complicated keeping the networks independent. With 5 static addresses it lets the three of us sharing the network be able to completely ignore the others when setting up our networks (provided no one tries to use the wrong IP address, which my partner's annoying tech support lady kept doing despite me telling her multiple times which was her IP address). Behind that I have 4 routers plugged in. Two are hardware based VPN routers running my office network and the other is my partner's network. A third is going to a non-VPN but secured network and the fourth is going to an unsecured wifi network that is open to the public. All 4 routers are set up with one of the 5 addresses ATT provided me (one is unused).

This setup only works when you have static IP addresses. I am pretty sure that ATT will not give you multiple addresses if you are on a dynamic plan. I think what will happen is that each router will try to grab the IP address from the other router and you will get conflicts and lose connectivity.

It would seem from reading your post that you have a dynamic address. You would need to pay a few extra bucks to get the static address to do what I have done. I do know that it is possible to have a router log onto ATT and then have routers behind that router each creating their own network, but this I have never done and thus I don't know all of the settings. It is definitely more complex than what I have done.

Lou

Edit: I refer to the Netopia as a switch, but this may be the wrong terminology. Perhaps someone could comment who knows more detail. Since the Netopia does not have an ethernet port on the WAN side but rather the WAN side is its built in modem going to a phone line, it is different than a conventional switch. Exactly how the data is being negotiated I do not know, but from a functional standpoint, it is like having 4 modems bridged to one port each.
 
Thanks everyone for the replies.

The most important thing first...I have the AT&T "High Speed Internet Pro S" plan, which is one of their Business Services plans (even though this is at my home), which includes five static IP addresses. My WAN IP address has never changed.

My previous post might have been a little confusing when I said that the router was configured to get the WAN address dynamically from the ISP. However, I can also specify the WAN IP address I get dynamically in the router's WAN configuration as the static WAN IP address, reboot it, and it will connect. It only fails when I try to use one of the "other" static IP addresses (which gives me the "peer refused IP address" error message in the router log), or if I try to connect two routers to the DSL modem (via the unmanaged switch "in the middle"), with both routers trying to get their IP addresses dynamically. In the latter case, the first router connects and the second router fails, and the log for the router that failed to connect doesn't have any useful messages -- only that it keeps trying to connect but fails.

The other odd thing is that "whois" shows five public IP addresses (nnn.nnn.nnn.18 thru nnn.nnn.nnn.22) belonging to me, but I can only use "22".

pete_c...I have tried the exact configuration you have shown in your last post (although I'm not sure what you mean by "NAT'd to an autonomous network", unless you mean different LAN IP addresses). I have tried...

ISP -> Speedstream 5360 DSL modem -> unmanaged switch -> two routers/firewalls -> laptops (wired, one to each router)

The two firewalls have NAT on, DHCP enabled, and different LAN IP addresses (e.g., 192.168.1.1 and 192.168.2.1). I connected a laptop (configured to get a DHCP LAN IP address) to each router, and got the expected DHCP-assigned IP address from both.

Lou...it sounds like your networks really are separate, i.e., there isn't much traffic between them. In my case, I will be having a lot of shared traffic between the two LANs. Mostly it will be laptops connected via wireless to my wireless router (my wireless LAN) needing to get to NAS boxes on the wired LAN. So I still have the question regarding data flow between my two private LANs. Can routing rules be set up to go from my wireless private LAN to my separate wired private LAN without going thru the DSL modem or ISP? If I use a SSL VPN connection on my laptop connected to my wireless LAN to get into my wired LAN, will all traffic be going back thru the ISP?

It sounds like there are (at least) three possible problems here...1) My ISP (AT&T) has something configured incorrectly which is keeping me from using the other four static WAN IP addresses that I've been paying for these last ten years, and/or 2) My ten year old Speedstream DSL modem is keeping this from working, and/or 3) I really don't have a static IP plan even though my bill says I do and I've been getting the same WAN IP address for years.

Thanks,
Ira
 
I did a quick read on your modem and it should function as depicted; switch; multiple routers.

Here:

Modem

Sometime in the late 1990's / early 2000's I had a lab set up (at work) and needed a separate external access to the internet with multiple public IP's.

I think I had some issues with the DSL modem provided by AT&T at the time so asked AT&T for something that worked easier and faster.

I needed to set my testing up fast and didn't want to horse around much. They gave me a Westell combo modem I believe and I was able to configure it quickly.

only fails when I try to use one of the "other" static IP addresses (which gives me the "peer refused IP address" error message in the router log),

I would open a "service" ticket with AT&T. They might have allocated your IP's to someone else.

BTW - another story - a few years back I helped a person (who was one of two folks working at an AT&T CO) set up their internet in an AT&T CO. It so happened that he asked for internet access and was given a PC and a modem. He had the keys to all of the cages in the CO and I was able to tap into one of many ISP provider setups and get him an IP in a couple of minutes.
 