Subnetting for Security

Netgear rangemax dual ban... / Wndr3300
April 23, 2009 at 05:42:25
Specs: Win XP Pro
We have a coffee shop that we want to have access to
wireless internet, but we don't want those accessing the
wireless to have access to our business LAN. Will
placing a wireless router in the coffee shop and putting it
on a subnet give us what we want?

April 23, 2009 at 06:08:14
I think what you mean is that you want to put it on a different subnet than the business LAN & add a routing table so both subnets can use the same internet connection. That's a good idea.

How do you know when a politician is lying? His mouth is moving.

April 23, 2009 at 06:08:25
Need to describe your setup a bit more, how would the wireless be connected to the LAN.....?

Is the LAN wireless, is there only one internet connection....?

I assume you will have 1 internet connection and you have a wired LAN and then you want the wireless cafe as well, both feeding off this 1 internet connection.

A vlan should work here.

So you could go,

Internet connection--> router --> switch---> then connect the LAN PCs to the switch on some vlan and then connect an access point to the switch (for the wireless cafe side of things) on another vlan and tag both through to the gateway router.

April 23, 2009 at 07:26:12

We are using an AdTran Netvanta 3200 router for the WAN
connected to an unmanaged 24 port Netgear switch and then to
a Netgear wireless router that I would like to be on the subnet.
The wireless router needs to have internet access without
having access to the LAN (the other part of the network).

I am new to subnetting, and routing tables. How would I set this
up? Do you still need more info?

April 23, 2009 at 08:51:44
Sorry but given your setup I would not consider subnetting as any form of security.

What would be secure would be to replace the unmanaged switch with one that is managed and VLAN capable.

You would place your lan in one vlan and the customer access in another. This would separate the networks with no way for a customer to gain access to your lan while still providing internet access for both.

April 23, 2009 at 10:21:44
We don't have the money available for a managed switch right
now. Are there any other alternatives?

April 23, 2009 at 10:39:31
How important is your data?

If you want cheap, don't buy anything except a used wireless router off of craigslist. Set it up like this diagram

Set the windows firewall/3rd party firewall on your pcs to block all traffic except for your pcs host names. Everyone will be in the same subnet but the software firewalls will block access.

Or better yet replace your present router with a linksys wrvs4400n which supports vlans

April 23, 2009 at 13:12:00
Remove your business lan from the internet. That is the only way to be secure. It is easy and cheap too. Just pull the plug.

"Best Practices", Event viewer, host file, perfmon, antivirus, anti-spyware, Live CD's, backups, are in my top 10

April 23, 2009 at 13:19:10
:-) that doesn't work with POS systems that use debit/credit cards. Businesses require internet access these days and that requirement is expanding.

April 23, 2009 at 14:28:27
While it's nice to have the higher-end hardware, for instances like this I'll use my cheap physical hardware model...

I'm assuming right now you've got the switch plugged in directly to the Ethernet port on the Adtran (not really familiar with this device). In this case, I'll assume it is already doing NAT. I'll also assume that the Adtran NATs to 192.168.1.x

You'll need to buy 2 cheap wireless routers of your choice, and possibly 1 new switch depending how many devices you have on the business side

Wire and configure as follows (all subnet masks are

                 (LAN 192.168.1.x)
                 Switch 4-port (or more)
                 /                    \
                /                      \
Cheap Wireless Router      Cheap Wireless Router
(Business Side)            (Wireless Coffee Shop)
(Set WAN     (Set WAN
(Set LAN 192.168.2.x)      (Set LAN 192.168.3.x)
    (DHCP On)                  (DHCP On)
(If needed for more PC's)

Configured in this way, the Business side devices will be on the 192.168.2.x subnet, and the coffee shop side will be on the 192.168.3.x subnet, but both will access the Adtran on 192.168.1.x subnet.

And yes I realize it is double NAT'ing, but this is a cheap and easy real world solution I use for clients that can barely rub together 2 nickels, and it protects their networks.

April 23, 2009 at 17:28:15
If a customer is connected to the net and your business is connected they are then both connected. No amount of vlan or smart switch would change that.

You should get an Untangle, monowall, or some other type of managed computer/device to protect your system if you don't want to buy more equipment.

Pre-made virtual machines at vmware even, you don't need to buy a computer.

"Best Practices", Event viewer, host file, perfmon, antivirus, anti-spyware, Live CD's, backups, are in my top 10

April 24, 2009 at 07:57:11
"If a customer is connected to the net and your business is connected they are then both connected. No amount of vlan or smart switch would change that."

I have to disagree. Their only "connection" when using vlans is the internet and not each other. You can't even hack it like you could just using subnetting.

meathead9999's suggestion, though good, can still be hacked via the public net to the private net. Usually cheap routers only do NAT and don't have a firewall that will allow you to deny all IP from the public net.

Now if you could put a deny on the private router for the public net it would be as secure as a vlan imo.

Only problem I see is the complexity of such a setup for a small business owner not skilled in the IT trade. Replacing the present router with a vlan capable one is easy to install/maintain and only a couple of hundred bucks.
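The two-router design above and the follow-up point that a NAT-only consumer router has no deny rule for the public side can be checked with a small first-match ACL model. This is an added example, not code from any poster; the subnets come from the thread (192.168.1.x shared segment, 192.168.2.x business, 192.168.3.x coffee shop) and the sample addresses and the 203.0.113.5 internet host are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Addressing from the thread's two-router layout (constructed topology).
ADTRAN_LAN = ipaddress.ip_network("192.168.1.0/24")    # shared segment behind the Adtran
BUSINESS_LAN = ipaddress.ip_network("192.168.2.0/24")  # LAN side of the business router
COFFEE_LAN = ipaddress.ip_network("192.168.3.0/24")    # LAN side of the coffee-shop router
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def evaluate(rules, src_ip, dst_ip, default="allow"):
    """First-match evaluation, the way a router forwarding ACL is processed."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return rule.action
    return default


# Policy A: a cheap NAT-only router with no firewall, as described in the
# thread: there is nothing to match, so every forwarded flow is allowed.
NAT_ONLY = []

# Policy B: the "deny on the private router for the public net" idea. The
# business router drops anything from the coffee-shop subnet or the shared
# 192.168.1.x segment aimed at its LAN, then lets its own LAN out to the internet.
DENY_PUBLIC = [
    Rule("deny", COFFEE_LAN, BUSINESS_LAN),
    Rule("deny", ADTRAN_LAN, BUSINESS_LAN),
    Rule("allow", BUSINESS_LAN, ANY),
]


def audit(rules):
    """Evaluate the flows the thread cares about; returns {flow_name: action}."""
    flows = {
        "coffee->business": ("192.168.3.25", "192.168.2.10"),
        "shared->business": ("192.168.1.50", "192.168.2.10"),
        "business->internet": ("192.168.2.10", "203.0.113.5"),
        "coffee->internet": ("192.168.3.25", "203.0.113.5"),
    }
    return {name: evaluate(rules, s, d) for name, (s, d) in flows.items()}
```

The model covers only the forwarding policy; it does not represent NAT state or the business router's own management interface on its 192.168.1.x WAN side, which stays reachable from the coffee-shop subnet unless the router blocks it.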

April 27, 2009 at 05:57:39
I like your idea. Here is our existing setup:
T1 into frame relay to Adtran NetVanta3200 Router then to
24 port Netgear Prosafe switch. From the switch all business
LAN computers are connected either via direct CAT 6 or
wirelessly via 2 AP's in the main building. Also connected to
the 24port switch is the Netgear WNDR3300 RangeMax Dual
Band Wireless-N router for the coffee shop. This is the router
that should not be able to see or connect to the rest of the
LAN, just the internet. Is this possible using your idea?
Thanks for your time.
