How do I segregate wifi from LAN?

September 21, 2010 at 09:53:10
Hello and thanks for reading,

I need to provide Internet wifi access to our visitors in the office while keeping our network safe.

We have one Cisco 3560. I've created one VLAN for VoIP and assigned several ports to it; to these ports I attached the VoIP phones and also one SOHO wifi router. The VoIP is using the attached router, but I also want to use the wifi router for the wireless connections (mostly people with smartphones and visitors with their laptops). I don't want them to gain access to our LAN. All the other ports are in the default VLAN.

DHCP is active in the Wifi router but I can't connect to the Internet using my laptop. The laptop takes the switch default gateway instead of the router. I don't know if I can add a default gateway to the VLAN...

We recently added a server (SBS2008) to the office, it provides DHCP to the clients. When I switch on the server, then the wifi clients get the switch default gateway, but the DHCP server is now the SBS, and I can connect to the Internet BUT using the other ISP.

The diagram is simple like this:

Router for the LAN
switch 3560 -------- WIFI Router (for VoIP and wireless clients)

I'm using the same subnet for both VLANs.

I can't get it working :-( Any help would be great !





September 21, 2010 at 10:08:01
Diagram should look like this;

Router for the LAN
   |              |
Firewall       WIFI Router
   |
switch 3560 -------- (for VoIP)

Wifi router is off the main router. This way your company is protected behind the firewall. You don't need a router for the VoIP, just use VLANs.


September 22, 2010 at 00:51:22
Thank you very much wanderer!

The problem I have is that our firewall only has one WAN port; I can't connect the wifi router to the WAN port as I'm using it for the LAN router.

I wanted to use one ISP for the LAN, and the other (wireless) for the VoIP and the occasional wireless users.

I could put the wifi router and the VoIP devices in a different subnet, will this solve the problem?

Thanks again



September 22, 2010 at 08:08:19
Sorry but I will try to clarify. The wifi router does not connect to the firewall. It connects to the internet router. If the internet router doesn't have enough lan ports then put a small switch in between the internet router and the firewall. Connect the wifi router to the switch as well as the firewall.

You want your wifi BEFORE your firewall. In effect you are creating a DMZ for the wifi.

Can you put the wifi and voip in a different subnet?

No matter where you locate it the wifi will be in a different lan subnet than the corp network or it can't route.

The problem is that once past the wan port they are on YOUR CORP NETWORK before they hit the internet. Behind the firewall means you have negated what the firewall is doing for you. You breached your corp lan security.

You MUST put the wifi router BEFORE the firewall and not between the firewall and the internet.


September 22, 2010 at 15:16:36
Thank you very much wanderer,

No, the wifi router does not connect to the firewall. I have only one WAN port in the firewall (but it has 3 LAN ports, and also a DMZ port). I plugged the wifi router into the main switch but in a different VLAN (from one of the LAN ports of the wifi router to one of the ports of the 3560 switch).

The internet router does have more ports but I can't manage it, NAT is off, so I use the firewall for NAT.

Can I use one of the firewall's extra LAN ports for this configuration (i.e. the DMZ port)? Something like this:

WAN       LAN1      LAN2     LAN3      DMZ (firewall ports in this line)
               |                               wifi router

Yes, I can put the VoIP devices and the wifi router in a different subnet. I wanted to use VoIP with a different ISP because we only have 2 Mbps/2 Mbps and quite a lot of Internet traffic. As the extra ADSL is more than enough for the VoIP, I want to use it for wifi connections (mostly visitors with their laptops).

Thank you so much,



September 22, 2010 at 15:31:30
Putting the wifi in a DMZ would be just fine. Doing VLANs properly so the wifi has no access to the other VLANs is just fine.

But you speak about another ISP provider?

Then all of this is a moot point. You would not run it through your network/firewall at all. You would connect it to the new service's modem.

We call this a security air gap. No connection between your VoIP/wifi LAN and your business LAN.

I was working on the thought you only had one internet service.
There is no security better than an air gap.

Best of luck.


September 23, 2010 at 06:27:28
Thanks wanderer,

Yes, we have two ISP providers, two different Internet connections.

Yes separating everything would be the best, but the problem is that all the VoIP phones are powered by the 3560 switch (PoE).

If I connect everything as you proposed before:

WAN       LAN1      LAN2     LAN3      DMZ (firewall ports in this line)
               |                               wifi router

I could add a static route for the VoIP subnet and put the wifi router as next hop?



September 23, 2010 at 07:28:04
Yes separating everything would be the best, but the problem is that all the VoIP phones are powered by the 3560 switch (PoE).

Just an FYI: if you find it necessary to plug a VoIP phone into a non-PoE switch, you can power it with an injector. You can buy inexpensive injectors singly, or an injector device that allows you to plug many PoE devices in at one time.

I've got a bunch of injectors that came with wireless access points, and I use those whenever I find it necessary (and I have) to plug a VoIP phone into a non-PoE switch. I plug the injector in in the wiring closet and, in most cases, leave it sitting on the switch in question.

It matters not how straight the gate,
How charged with punishments the scroll,
I am the master of my fate;
I am the captain of my soul.

***William Henley***


September 23, 2010 at 07:51:17
Thanks for the information Curt, this is a great solution for me.

So I can buy one power injector and use an old switch to plug in all my 12 VoIP phones? This would be great.

EDIT: Ok, I understand now, I need one power injector per device... As I have a dozen devices, it will be cheaper to buy a new PoE switch.



September 23, 2010 at 08:11:04
judaster, how are you expecting to connect the second ISP to your firewall when you list it as having only one WAN port?

You can run VoIP phones with your present switch, which is just fine. It is your wanting to combine wifi guest access with phone access which is the problem.

No ip route is going to make your inside network secure from the wifi guests, but a VLAN will.

If it were me I would put the wifi on the new ISP and get a PoE switch to run the VoIP phones off the wifi router.

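The VLAN approach the last two replies describe, written out as an added example for the 3560 (this is editor-supplied illustration, not configuration posted by anyone in the thread). VLAN numbers, subnets and port numbers are assumptions: VLAN 10 is the corporate LAN behind the firewall, VLAN 20 carries the VoIP phones and the SOHO wifi router whose WAN side goes to the second ISP. The key point is that VLAN 20 is Layer 2 only on the switch: there is no SVI for it, so no ip route on the 3560 can carry guest traffic into VLAN 10, and the wifi router's own LAN address (assumed 192.168.20.1, running DHCP) is the only gateway guests and phones can learn. The two VLANs must use different subnets; with the same subnet on both, any device that does see both (a router, an SVI) cannot tell them apart.

```cisco
! Added example: Catalyst 3560, guest wifi + VoIP isolated from the corporate LAN.
! VLAN IDs, addresses and port numbers below are assumed, not from the thread.
!
vlan 10
 name CORP
!
vlan 20
 name GUEST-VOIP
!
! Corporate VLAN. The switch keeps a management address here and points at the
! firewall's inside address (assumed 192.168.10.1). "ip routing" is left OFF:
! the switch forwards at Layer 2 only and routes for nobody.
interface Vlan10
 ip address 192.168.10.2 255.255.255.0
!
ip default-gateway 192.168.10.1
!
! Deliberately NO "interface Vlan20": the 3560 has no Layer-3 foot in the
! guest/VoIP VLAN, so there is nothing for an ip route to attach to.
! DHCP broadcasts from the SBS stay in VLAN 10; guests only ever see the
! wifi router's DHCP and gateway.
!
interface FastEthernet0/1
 description SOHO wifi router, LAN port (its WAN port goes to ISP 2)
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
interface range FastEthernet0/2 - 13
 description VoIP phones (PoE), same VLAN as the wifi router
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
interface range FastEthernet0/14 - 24
 description corporate hosts and SBS2008
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! Defence in depth, only relevant if someone later turns on "ip routing" and
! adds an SVI in VLAN 20: an inbound ACL on that SVI that refuses anything
! aimed at the corporate subnet. Defining the list now is harmless.
ip access-list extended GUEST-IN
 deny   ip any 192.168.10.0 0.0.0.255
 permit ip any any
!
! interface Vlan20
!  ip address 192.168.20.2 255.255.255.0
!  ip access-group GUEST-IN in
```

To check the result on the switch: `show vlan brief` should list the wifi router port and the phone ports under VLAN 20 and everything else under VLAN 10, and `show ip interface brief` should show Vlan10 as the only SVI. From a laptop on the guest wifi, confirm it receives a 192.168.20.x lease with the wifi router as gateway and that it cannot reach any 192.168.10.x address; if it can, a port is in the wrong VLAN or the wifi router's LAN side has been cabled into VLAN 10.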
