two routers second firewall

Linksys Wrt54gl wireless router
October 19, 2009 at 11:28:57
Specs: Windows XP
If one cascades a wired gateway (router/firewall/dhcp/nat) with a wireless (dhcp/firewall disabled), would a intruding wireless client be inside the firewall of the wired gateway? Could one turn on the firewall of the wireless gateway to protect against intruding wireless clients? In other words, is the wireless gateway firewall only running between the WAN and LAN or between all ports?

See More: two routers second firewall

Report •

October 19, 2009 at 11:38:47
Very convoluted question.

Ask yourself what a legit wireless client would see/experience concerning the firewall. It would be the same if someone hacked your wireless encryption and gained wireless access to your network.

Report •

October 19, 2009 at 13:33:02
Sorry for the confusing question. Restating:
1. Does the gateway firewall protect the LAN switch ports from the WAN only or also between LAN ports?
2. Does the wireless access point client connection route through the firewall and then to the LAN or WAN or directly to the LAN? (ie the WAN is firewalled between the LAN. Q1)
3. Does it matter? Rogue hacker gets onto the wireless AP. Does a firewall help at that point?

Report •

October 19, 2009 at 13:42:40
Yes, the built in Firewall of a Wireless Router/Gateway applies only to the WAN ports and not the LAN ports and the Wireless Bridge that connects the Radio to the LAN.

You can setup a hardware firewall between your WAP and the LAN but this would be a configuration nightmare. What is the WAP used for? Is it only to provide internet access to the users or does it need access to the domain? Do you have a managed Switch if so then you could setup a VLAN to give the WAP access to only the Internet not the LAN?.

If you need to give access to the LAN and want to secure your WAP then I recommend using a combination of WPA2 WiFi encryption, Hide your SSID, MAC Filtering and Setup the Access Times on the WAP to only work during business hours.

That being said, these items can be defeated through...

MAC Filtering - MAC Spoofing
Hidden SSID - Net Stumbler
WPA2 - Cain and ARP injection. (But a really long password like 32 characters will make it almost impossible)

I used a 32 character random password for my WAPs because once you setup a profile you only need to enter the password once and with a Flash Football it makes it easy.

Report •

Related Solutions

October 19, 2009 at 13:48:45
More detail...
The assumption being that the dhcp is turned off and the wireless gateway is connected to the wired through the LAN not the WAN. Is the Wireless AP protected only with ssid disable, mac list, and wpa2 or could one somehow use the firewall and NAT with both gateways on the same network? The idea here would be to thwart a rogue wireless client.

The more I describe it the more it sounds like wireless security only. Maybe I'm over thinking it.

Report •

October 19, 2009 at 13:54:04
This would only apply if your WAP is truely a gateway to the WAN. Do you have any thing hooked into the WAN port? I was under the assumption you had another Edge Router that connected your LAN to the WAN. Is this a home network?

I guess the answer is yes if what you are describing is a hacker piggybacking your WiFi to do bad things to other networks. The problem is once they are on the inside most firewalls allow every thing through to the outside. You may have to invest in something that has an outgoing fire wall too like a Sonic Wall or Cisco ATA.

Report •

October 19, 2009 at 15:44:57
internet to modem to wired gateway wan
wired gateway lan to wireless gateway lan
wireless client to wireless ap in wireless gateway

wireless client will be inside the network due to wireless gateway firewall located only between WAN and LAN with wireless client presumed to be part of LAN

I guess even if the wireless client connected to the WAN side or outside firewall it wouldn't matter since the dhcp would need to be inside so it could only connect with a static i/p to the wan side. Like ap only (no gateway) wired to the wan of the wireless gateway. Then it would be firewalled but due to firewall and NAT it wouldn't be part of the LAN?

Report •

October 19, 2009 at 15:55:29
It can be if you configure it properly. This is why I said it would be a configuration nightmare. You would have to poke so many holes into it to allow you trusted system through that it defeat the purpose.

If this is a home network I would simply not worry about it and setup Software Firewalls on your Workstations to prevent an intruder on your WAP from getting into them. My favorit is Comodo.

But you can use what ever you want. If you want to catch some one using your WiFi then you will need sniffer like Wireshark to check for packets that are not yours.

Report •

Ask Question