Separate public wireless from private LAN

  • Separate public wireless from private LAN

    Hi,
    We have a remote office (coffee shop) which is connected via an IPsec VPN to our main office. The VPN is used to set prices, log tills, etc. back to the main office. We also have a PC at the premises that the manager uses to input other data into our back-office system. That's our private network.
    Now they want to have public wireless access. I realise that I could segment the network and give the tills and PC static IPs which would be within a range that could enter the IPsec tunnel.
    The router could then lease IPs above that range, in the second segment. This would prevent public access to the private IPsec tunnel.
    However, if a user came along and set their wireless client to an address within the private range, they could, in effect, enter the IPsec tunnel.
    How do we prevent this from occurring?
    Our coffee shop router is a cheap Linksys AG41 (ADSL) which VPNs to a Draytek 2950.
    Is there any way to prevent this?

  • #2
    Re: Separate public wireless from private LAN

    One of my clients has to give access to wireless Internet for members of the press on match days. I have set up a separate ADSL broadband and wireless router for that purpose. It is not joined to the network at all.

    You also need to check PCI compliance, so personally, I would do the above but that's just my suggestion.

    I didn't want to take any chances.



    • #3
      Re: Separate public wireless from private LAN

      If only they would; it would be easy.
      So I'm left with 1 x ADSL connection and a wireless access point to purchase.
      We do have Colubris access points at the main office which allow us to have public and private networks together via 802.1Q VLANs.
      I'm just wondering whether these would work remotely?



      • #4
        Re: Separate public wireless from private LAN

        Originally posted by louis-m:
        If only they would; it would be easy.
        So I'm left with 1 x ADSL connection and a wireless access point to purchase.
        We do have Colubris access points at the main office which allow us to have public and private networks together via 802.1Q VLANs.
        I'm just wondering whether these would work remotely?
        If it's a standard VPN, I would think that it would work just fine. My first reaction when reading your initial post was to simply VLAN a public WAP off from the rest of the office. I do that at one place I work at. If you could deploy a public VLAN WAP to the remote office, then it should appear to be on the same network as everything else over the VPN. For instance, can you ping or RDP into the manager's computer as you would be able to if the computer was in your building? If so, I'd say use the Colubris WAPs.

        EDIT: How physically distant is the coffee shop from your office? Just curious to know how arduous it would be to experiment with setting up the WAP in the coffee shop.
        Wesley David
        LinkedIn | Careers 2.0
        -------------------------------
        Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
        Vendor Neutral Certifications: CWNA
        Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
        Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/



        • #5
          Re: Separate public wireless from private LAN

          Hi Nonapeptide,
          The shop is about 2 miles away from the office. The Colubris units we have in the main office (CN3200 & CN320) work great. We have a public access area which uses HTML authentication and onboard DHCP for public use. We then have another 2 virtual wireless networks with different VLAN egresses (9 & 10) which go to the corporate networks and obtain their IPs from the network DHCP servers.

          I'm unsure whether this would work over IPsec. The Colubris units are capable of transmitting data over IPsec and use this for remote management traffic, RADIUS, etc. Only one way to tell, I guess?



          • #6
            Re: Separate public wireless from private LAN

            From my understanding of your scenario, IPsec really wouldn't come into play in your plans. If the WAP is physically plugged into a switch in the coffee shop then its traffic will go over the VPN on an as-needed basis just as if it was on the main-office LAN. The VPN tunnel endpoints take care of the routing and IPsec work. Can you ping or remote desktop into devices in the coffee shop from the main office?

            Example: The Colubris WAP would be installed in the coffee shop and given the public wireless VLAN. The VPN tunnel provided by the Linksys and Draytek makes the head-office and coffee shop networks appear to be one unit, so WAP communication would proceed as normal just as if you had placed the WAP in the head office with the other two. The remote WAP does not need to worry about IPsec or RADIUS. Just deploy as normal.

            Can someone point out if my understanding is deficient?
            Wesley David



            • #7
              Re: Separate public wireless from private LAN

              Hi Nonapeptide,
              Perhaps I haven't made myself clear on what I'm after. For example:

              main office is 192.168.1.0/24
              coffee shop is 192.168.2.0/24

              The VPN is working fine, and the statically set tills and PC can access the back office at the main office.
              I need to stop any public access from accessing the IPsec tunnel. I could, in effect, walk in there, log onto the WAP and access a server in the main office. Even if I segment the coffee shop network, I could still change the IP on my laptop and it will access the tunnel and therefore the company network.
              I'm unsure as to whether 802.1Q VLANs would work in this scenario?
              e.g. SSID 1 > Internet, SSID 2 > VLAN 9, SSID 3 > VLAN 10

              It's actually a bit of a pain, as roaming managers want to just walk in there and log on the same way they do at the main office.
              So we have:
              1. wireless public access
              2. wireless private access
              3. wired private access
              Last edited by louis-m; 16th February 2009, 23:35.



              • #8
                Re: Separate public wireless from private LAN

                Methinks there is indeed some miscommunication going on, but for the life of me I can't figure out where.

                Originally posted by louis-m:
                The VPN is working fine, and the statically set tills and PC can access the back office at the main office.
                Good. Lovely.

                Originally posted by louis-m:
                I need to stop any public access from accessing the IPsec tunnel.
                Okay, but that restriction isn't necessary if you want to prevent the public from being able to "see" your internal networked devices (servers, switches, etc.). VLANs can take care of that.

                Originally posted by louis-m:
                I could, in effect, walk in there, log onto the WAP and access a server in the main office.
                Not if it was segmented into a private VLAN away from the office nodes... which I assumed (perhaps wrongly?) that your public wireless network at the main office already was.

                Originally posted by louis-m:
                Even if I segment the coffee shop network, I could still change the IP on my laptop and it will access the tunnel and therefore the company network.
                I'm perplexed by this. VLANs would take care of this whole situation... and I thought VLANs were the primary means of segmenting your public wireless traffic from private traffic. Just add a WAP at the coffee shop that has a wireless network on the proper VLAN and it will be separated from the internal LAN.

                Originally posted by louis-m:
                I'm unsure as to whether 802.1Q VLANs would work in this scenario?
                That's actually what I thought the plan was from the beginning. That might be the main misunderstanding.

                My thought was this: If there is a public wireless VLAN at the main office that only has access to and from the Internet, then deploying a WAP that uses that public wireless VLAN in the coffee shop would indeed tunnel traffic through the VPN, but would not in any way have access to servers or other devices. I'd just deploy one of your WAPs with the same configuration as the office WAPs (it would have both internal and public SSIDs). That way, remote managers would be able to log onto the network as normal at the coffee shop, and public wireless users would have Internet access and nothing more.

                Or... perhaps I'm still not understanding the situation. I think I'll sit back and let others field this question, and maybe something I've overlooked will be revealed.
                Wesley David

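The disagreement in #7 and #8 comes down to where the isolation decision is made. Below is an added example (not code from any poster, and not the syntax of the Linksys AG41 or Draytek 2950) that models the two policies side by side using the thread's addressing (main office 192.168.1.0/24, coffee shop 192.168.2.0/24): an address-only gate, which is what the original post describes being bypassed by a guest who statically assigns a private-range IP, and a VLAN-aware gate, where the 802.1Q tag that the AP applies per SSID is also required before traffic may enter the tunnel. The VLAN ids (10 and 99), the guest subnet 192.168.3.0/24, the interface names and the iptables rendering are assumptions made for illustration; they also assume the gateway is VLAN-capable (or the public SSID lands on a separate physical interface) and that the AP does not honour client-supplied VLAN tags.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Addressing from the thread: main office 192.168.1.0/24, coffee shop
# 192.168.2.0/24. The VLAN ids and the guest subnet below are assumptions
# made for this example; they are not from the original posts.
MAIN_OFFICE = ip_network("192.168.1.0/24")
SHOP_PRIVATE = ip_network("192.168.2.0/24")
SHOP_GUEST = ip_network("192.168.3.0/24")   # assumed guest DHCP range
PRIVATE_VLAN = 10   # assumed: wired tills, manager PC, private SSID
PUBLIC_VLAN = 99    # assumed: public SSID


@dataclass(frozen=True)
class Packet:
    ingress_vlan: int   # 802.1Q tag applied by the AP/switch, not chosen by the client
    src: str
    dst: str


def tunnel_by_address(pkt: Packet) -> bool:
    """Address-only policy: the IPsec traffic selector is the only gate.
    Anything sourced from the private range and bound for the main office is
    encrypted and forwarded, so a guest who statically assigns a 192.168.2.x
    address walks straight into the tunnel (the original post's concern)."""
    return ip_address(pkt.src) in SHOP_PRIVATE and ip_address(pkt.dst) in MAIN_OFFICE


def tunnel_by_vlan(pkt: Packet) -> bool:
    """VLAN-aware policy: the gateway additionally requires that the frame
    arrived on the private VLAN. Because the tag is set per SSID/port by the
    AP or switch, a client cannot pick it by editing its own IP settings."""
    return pkt.ingress_vlan == PRIVATE_VLAN and tunnel_by_address(pkt)


def evaluate(pkts, policy):
    """Return one verdict (True = allowed into the tunnel) per packet."""
    return [policy(p) for p in pkts]


def forward_rules(wan_if: str = "ppp0", lan_if: str = "eth0") -> "list[str]":
    """Generic Linux netfilter FORWARD rules for a VLAN-capable gateway
    (hypothetical interface names). Only the private VLAN sub-interface may
    reach the main office; the guest VLAN is limited to the WAN link, whatever
    source address the client has given itself."""
    priv = f"{lan_if}.{PRIVATE_VLAN}"
    pub = f"{lan_if}.{PUBLIC_VLAN}"
    return [
        # Private VLAN: tills, PC and private SSID may talk to the main office.
        f"iptables -A FORWARD -i {priv} -s {SHOP_PRIVATE} -d {MAIN_OFFICE} -j ACCEPT",
        # Guest VLAN: nothing towards the office or the shop's private LAN.
        f"iptables -A FORWARD -i {pub} -d {MAIN_OFFICE} -j DROP",
        f"iptables -A FORWARD -i {pub} -d {SHOP_PRIVATE} -j DROP",
        # Guest VLAN: Internet only.
        f"iptables -A FORWARD -i {pub} -o {wan_if} -j ACCEPT",
        # Everything not matched above is dropped.
        "iptables -P FORWARD DROP",
    ]


# Constructed traffic: a till, an ordinary guest, and a guest on the public
# SSID who has manually configured a private-range address.
TILL = Packet(PRIVATE_VLAN, "192.168.2.20", "192.168.1.5")
GUEST = Packet(PUBLIC_VLAN, "192.168.3.50", "192.168.1.5")
ROGUE = Packet(PUBLIC_VLAN, "192.168.2.77", "192.168.1.5")
SAMPLE = [TILL, GUEST, ROGUE]

if __name__ == "__main__":
    print("address-only:", evaluate(SAMPLE, tunnel_by_address))  # ROGUE gets in
    print("vlan-aware:  ", evaluate(SAMPLE, tunnel_by_vlan))     # ROGUE is dropped
    print("\n".join(forward_rules()))
```

The point the model makes is that a source-address check can always be satisfied by a client that controls its own IP stack, while an ingress-VLAN check cannot, provided the tag is applied upstream of the client. The iptables lines are only a rendering of that policy; on the Linksys/Draytek pair in the thread the equivalent would be the firewall and tunnel-selector settings of those devices, and whether the AG41 can see VLAN tags at all is something the thread does not establish.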
