Wireless/Wired Router Solutions for 2 Networks?
DaveTheBrave asks: "I'm currently running a home based business on an el cheapo Netgear wireless router off a broadband cable modem connection. I'm looking to upgrade to something better with more flexibility. My in-laws recently sold their home and will be moving into my home temporarily while they are building another. They have a home based business and my mother-in-law is also notorious for attracting viruses, adware and other nasty stuff on her PC (which I have to routinely clean - hence my need for a better network solution). What is the best/easiest solution to segment and keep separate my network from theirs (both wired and wireless) off of one incoming cable modem? I'm looking for something around or less than $500."
Depending on how long it takes for the in-laws' new home to be built, perhaps just getting a second cable modem would be the solution. Where I live, a year's worth of broadband would be about $450.
One cheap PC. Three NICs: one to cable modem, one to each of the two subnets you want. Install OpenBSD, config, voila...
Trolling is a art,
would be to hook up two more routers to the current router -- pointing the two NEW routers to the OLD router as their WAN "gateway". Then on the LAN side of the two NEW routers, make each a separate network segment (i.e., 10.0.0.0/24 and 10.0.1.0/24 or something).
Wireless-wired routers are pretty cheap. You should be able to do it for under $200. Not "elegant", but do-able.
"my mother-in-law is also notorious for attracting viruses, adware and other nasty stuff on her PC" Dude, your mother-in-law attracts viruses... mine attracts good quality porn. I love cleaning that up (and secretly copying it to my machine :)
You can get two Linksys WRT54Gs for about US$120. Configure one as a router and keep your in-laws in the wireless segment. Configure the other one as a bridge to be your firewalled network zone. If absolutely necessary, you can give them access to the wired segment in the outermost router and still keep them out of the innermost, trusted network. ;-)
If you have some spare time, reflash the WRTs with OpenWRT for extra flexibility. While you're at it, you might want to score a few extra points with your in-laws by migrating their PCs to Linux, or at least installing Ad-Aware and Spybot S&D.
-- I'm happy, happy that it isn't true.
Firewall Firewall Firewall!!!
Firewall your system, and/or deny her IP in the hosts.deny file or the Windows equivalent, if there is one.
Pretty sure there are some good firewalls that are a lot less than $500, no hardware needed.
A couple off the top of my head
ZoneAlarm
BlackIce
-- Brought to you by Carl's JR
I was thinking along the same lines, but using a dedicated distro like http://www.clarckconnect.com/
One cable modem, two subnets, no routing between them...
Clarkconnect comes free, with a range of possible upgrades like auto snort updates, security checking, and auto updates for the registered version.
Advantages: web-page configuration with quite good help and easy set-up...
You can implement Mailscanner+SpamAssassin on the cheap.
The "intrusion prevention" updates part comes with a (small) price, and altogether the licence for a home office is around $200...
Also, setting up is "secure by default" (you want a port opened, you do it...) and you are up and running after maybe 10-15 minutes config...
enjoy 8)
It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
http://www.clarkconnect.com/
This one works...
When I see what I can do when sober, I'm thinking I could start hitting the bottle and at least enjoy my errors 8p
"Use the Preview Button! Check those URLs!"
Sorry again
This thing's a pretty versatile device for under $100. Load OpenWRT on it and you'll have a capable Linux machine/distro suitable for small-network routing and firewalling with iptables, vconfig and brcfg. The built-in Ethernet switch (http://wiki.openwrt.org/OpenWrtDocs/Configuration#EthernetSwitch) is 802.1q VLAN capable and configurable at the per-port level, so you can split the network in two and still have the 'router' connected to both and handling Internet traffic with some modifications to the startup scripts and dnsmasq config. Sounds like a fun project, in any case.
Or directly bargain. "OK, I'm spending 2 hours disinfecting your computer, so how about buying Chinese for everyone for dinner?" (That's about $40.00)
If she's that bad either she will learn to be more careful, or at least you will have a break in between fixes.
...Cisco PIX501 :)
Switch to Firefox/Thunderbird. Put MS Anti-Spyware beta on the desktop and Norton or some other AV program, Spybot, and turn on TeaTimer.
Should make her relatively safe.
Shadus
You already have a cheapo Netgear router, which I imagine can do NAT. So buy one of the new Netgear gaming routers that allow you to do bandwidth limiting, and set that up as your primary router, hanging off the modem. Plug your in-laws into this directly. Then take your old cheapo and plug it into the new router and hide all your machines behind it. That gives you access (through 2 layers of NAT) to the net, and protects you from your in-laws' virii, as well as allowing you to guarantee a reasonable slice of bandwidth from the gaming router to your cheapo router, so that even in the case of your in-laws' machines saturating the internet connection with virus traffic, you still have sufficient bandwidth to finish your CounterStrike game before going into the other room and forcing them to unplug from the network while you clean their boxen.
Get another cable modem, and just keep them completely separate.
If you're willing to spend $500, you can fund that set up for almost a year.
You can get the Linksys WRT54G/GS and then install other Linux firmware (one example that I use is: http://www.sveasoft.com/ ) and it will give you a tremendous amount of power and control in a $40-70 box. You can route/have VLANs/have firewalls/etc. with it.
kiwi
(note, make sure not to get the v4 hardware of the wrt54g, as it does not run the firmware.)
Replace the Netgear with a crummy PC or Soekris device using m0n0wall
Does anyone know of any (wifi or not) routers (4+ ports) that don't have to be reset every week or so. I'm _so_ beyond tired of all this cheap (as in quality) Linksys/Netgear/Belkin crap I could just about scream.
As a bit of follow-up info to posts suggesting that you invest in a Linksys WRT54G or GS in order to run custom firmware, be aware that the current version of the WRT54G, the v5.0, has half the RAM and flash capacity of previous models. This makes it impossible to flash most custom firmware such as OpenWRT or DD-WRT.
The current version of the WRT54GS, v4.0, is reported to also have half the capacity of previous GS models, which leaves it with as much as older WRT54G models. This means you can get an off-the-shelf GS with the open-source firmware capabilities of old WRT54G models if you're willing to pay $20 more.
Linksys is also supposed to be releasing the WRT54GL, which many have speculated is a relabeled WRT54G v4.0 for $10 more. However, last I checked it was only available in Europe (and by checking I mean both searching the 'net and talking to Linksys support, who ended up referring me to a wholesaler after being unable to find a North American retailer who had them in stock).
Arguing about vi versus Emacs is like arguing whether it's better to make fire by rubbing sticks or banging rocks.
I have the setup you have described at home, and for similar reasons. I work at home quite a bit and have a home office specifically for my work. However, I keep my play machines and work machines absolutely segmented to protect my customers from me doing something stupid on one of my personal machines. (I haven't as yet gotten anything, but how do I know the next CD I buy won't have something worse than what Sony was spewing . . . but I prefer to be paranoid when it comes to my customers' security). In any case, for ~300 dollars you can purchase:
Soekris 4801 SBC computer with case and power supply.
You will need to purchase a Compact flash card for the OS.
Monowall will only cost you time.
You can attempt to get a wireless card working on the 4801; however, I didn't want to futz with antennae and soldering, so I use a separate WAP for each network. The 4801 has 3 interfaces by default (you can add more with the PCI slot), but 3 is enough for what you want: an uplink to your cable modem, and two separate network segments.
Monowall will let you completely firewall the two interfaces from each other and still use the same uplink or you can allow limited traffic between them (I allow ssh between my segments).
Now, you can do the same thing with any computer and Monowall; the Soekris is just a one-stop shop that's tiny, doesn't eat much power and will get the job done... I personally like it.
Check eBay for Soekris 4801s; there's usually one that shows up every week or two from some nerd that wanted to play with it but decided they wanted something else for their project (or a new toy), for $300.
Run the OpenWRT Linux distribution on a Linksys WRT54GS router (make sure you do not get a ver 5 box). This will allow you to partition the network however you want. Linux CLI skills are a definite must. That will give you all the capabilities of a $1000 or so name-brand wireless router.
Styrofoam IS biodegradable, you're just impatient!
What I would do is get a cheap Pentium crap box, stick three NICs in it, and OpenBSD. One NIC goes to the cable modem, the other two go to the wireless routers. Just ignore the WAN port; use them as switches that have wireless built in.
Each router(being used as a fancy wireless ready switch, and nothing more), lives on its own subnet, and you can use firewall rules to dictate access rights between the two of them.
This gives you two separate network segments, on different layer 2 broadcast domains, and a strong traffic cop to enforce your rules between them.
Besides, OpenBSD kicks ass.
--Nuintari
slashdot : where an opinion can be wrong.
(I) Like a bridge over doubled routers
it will carry me (bits) home.
Seriously, here's what I would do:
Cable feeds switch.
Switch feeds two NAT/firewall routers, one for your network and one for the family.
To mitigate viruses, configure the family router to block all incoming ports and all outgoing ports except the ones they absolutely need, e.g. http, https, and maybe passive-ftp. LEAVE OUTGOING MAIL-POP3 and -SMTP BLOCKED and teach them to use webmail.
Configure your NAT router as you see fit.
Some cable modems come with more than one LAN-side port and can act as a switch or hub if they sense they have more than one IP address assigned.
Most cable operators will sell you a 5-pack of IP addresses for so-many-dollars-a-month.
If the IP addresses are too expensive, do as another person suggested and put a 2nd-tier NAT router above the two "LAN" routers in place of the switch. The real benefits to the switch are:
1) both LANs can host inbound traffic on the same port
2) if the other LAN gets 0wned and people block its IP, your LAN is less likely to be blacklisted.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
If I had $500 to blow
For Your Connection:
  Cable Modem (shared) -> Router (shared) -> Hardware Firewall (not shared) -> Wireless Router (not shared) -> Your Software Firewall on your computer (not shared)
For your parents:
  Cable Modem (shared) -> Router (shared) -> Hardware Firewall (not shared) -> Their Software Firewall on their computer (not shared)
For the hardware firewall I've used these and liked them: http://www.trendnet.com/products/TW100-BRV304.htm
For the software firewall (on windows) I'm a big fan of an old version of Kerio Personal Firewall (version 2.15)
http://www.dachboden-wg.de/dlm/download.php?id=2
Under $300, no problem.
Around $500? You can get a NetScreen 5gt for less than $500, and they have an Untrust/Work/Home mode. However, for around $600 (search Froogle), you can pick up the 5gt wireless: 802.11g built in, up to 4 different SSIDs at one time, and you can drop each SSID into a different zone.
Plus, both of these allow you to license inline virus scanning and their Deep Inspection engine (which can thwart other attacks or strange activity). Crazy IPSec throughput, easy configuration through a CLI or a GUI, and too many other things to list that would make any self-respecting geek drool.
Need Free Juniper/NetScreen Support? JuniperForum
Connect your router's WAN port to a regular port of the main router. Use a different IP address range. If the parent router (with DHCP or non-DHCP) has an IP of 192.168.1.1, use your router to assign IPs in the range 10.10.1.xxx or 172.16.255.xxx.
You have both VLANs with access to the net, but no access to each other.
I think that's what you were asking for.
The cool thing about all of this is that you just configure the routers/base stations and then the machines do the rest themselves wherever you plug them in (for Macs at least, Avahi needs a bit more work, and is still masked with Gentoo 2005.1). Then, when people start moving stuff around, it still configures itself. No more discussions about where the printer goes...just unplug the damn thing and move it where you want it.
Beautiful. Another thing that Apple has done right, Microsoft doesn't get and Linux needs to work on more.
Safe@Office - a wired and wireless security appliance, with DMZ/VLAN capabilities, secure wireless (separated from the LAN, which can be good for you!) as well as additional services like anti-virus and such. Also has remote access capabilities and runs on Check Point firewall - if security is important to you. Check it out on http://www.safeatoffice.com/ If you get mixed up, try speaking to one of the representatives in a chat - they are quite helpful. They're a tad expensive, but it may save you having to manage two appliances or worse, two modems.
My router (Linksys WRT54G) has a function where it can put each client into a virtual network.
Coupled with bandwidth throttling, each client is completely unable to affect any other client.
I'm not sure if netgear has this functionality or not, but the WRT54G is a pretty cheap router.
See OpenWRT and get one of the many $50-80 boxes that it can run on. You can separate your network into as many as you want that way.
They have a home based business and my mother-in-law is also notorious for attracting viruses, adware and other nasty stuff on her PC
Is there a WiFi equipped coffee shop nearby? "Hi mom, let me show you to your office..."
If you've got an extra computer with a couple of NICs, heck even a sub-$500 computer would do, check out Astaro Security Linux. You can get a home use license for free, and for around $60 you can upgrade it to include web filtering from Cobion, SpamAssassin-based anti-spam, and Kaspersky AV for Web/Email - all in a nice neat package. I use the full-blown version with intrusion protection to protect our company's network and, short of Checkpoint, it's probably the best out there. You name it, it's got it - stateful packet inspection, VLAN support, DHCP, VPN, etc.
You've got your in-laws about to move in with you, and you think your computer network is the biggest problem???
Seriously, I'd grab a junker PC from somewhere and turn it into a dedicated firewall/router. Have one LAN card connect to your broadband, one to your gear and a third to your in-laws' gear. If you want to play games as well, have a 4th LAN card connecting to your gaming stuff - you want to keep that separate if possible.
Once you've got that working, with all LAN cards on distinct subnets, you can think about the following:
- if you open up the firewall appropriately, you can connect from your subnet to the in-laws' subnet, but not back the other way. Might be handy if you need to constantly fix their PC/s, but make sure they can't connect back to your subnet or you could be in trouble
- bandwidth throttling. If your in-laws' PCs are going to be spewing junk to the world courtesy of malware, you might want to throttle back how much bandwidth their systems get
- reporting. As per the previous point, you might want to regularly check how much traffic is being generated from the in-laws' subnet, and use it as a "nasty stuff" warning system
- port blocking and content checking. You might want to only allow specific ports (e.g. 80, 443, 25) to connect out from the in-laws' network, and block/alert when other connections are attempted
- spam filtering. If you suck down all their traffic onto your own mail server, clean it using e.g. SpamAssassin, and only then let the in-laws see it, you might save yourself a world of hurt later on. If nothing else, allowing only your mail server to connect outwards on port 25 (i.e. disallowing outgoing port 25 connections from other systems) might let you restrict the systems in your house from being used as spam relays
On another tack, now you've got all the opportunities in the world to convert the in-laws to Linux (or Macs), and the wonders of virus- and spam-free computing! After the 957th bout of Windows viruses here, I'm about to forcefully convert my kids to Linux on the grounds that I don't have the time to continually fix their PCs and they're not interested in learning how to do it themselves.
Good luck - it sounds like a potentially ugly situation
Your network
IP Address 192.168.2.x
Subnet Mask 255.255.255.0
Default Gateway (router) 192.168.1.1
Second Network
IP Address 192.168.3.x
Subnet Mask 255.255.255.0
Default Gateway (router) 192.168.1.1
Router Settings
IP Address 192.168.1.1
Subnet Mask 255.255.0.0
I think this would divide your network into two subnets with both subnets allowed to talk to the router, or am I nuts?
Ed Almos
The more corrupt the state, the more numerous the laws. - Tacitus, 56-120 A.D.
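As an added example (not code from any post in this thread), here is the three-NIC firewall box from the junker-PC post, written as an iptables ruleset, together with the gateway-in-subnet check that the addressing plan just above needs; the interface names, the 10.0.x.0/24 subnets, the firewall being .1 on each segment and the mail relay address are all assumed.

```shell
#!/bin/sh
# Added example: three-NIC Linux firewall/router for two household segments.
# Assumed (not from the thread): interface names, subnets, the firewall's
# own address being .1 on each segment, and the address of the mail relay.
WAN=eth0              # to the cable modem
MINE=eth1             # your segment
INLAWS=eth2           # in-laws' segment
MINE_NET=10.0.0.0/24
INLAWS_NET=10.0.1.0/24
MAILHOST=10.0.0.25    # the only host allowed to send SMTP outbound (assumed)
IPT=${IPT:-"echo iptables"}   # dry run prints the rules; IPT=iptables applies them (root)

# Dotted quad -> integer, POSIX sh only.
ip2int() {
  set -- $(echo "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net IP CIDR: succeed when IP lies inside the CIDR block.
in_net() {
  _bits=${2#*/}
  _mask=$(( (4294967295 << (32 - _bits)) & 4294967295 ))
  [ $(( $(ip2int "$1") & _mask )) -eq $(( $(ip2int "${2%/*}") & _mask )) ]
}

# check_plan CIDR GATEWAY: a host can only use a default gateway that sits on
# its own subnet, so a plan like 192.168.2.x/24 with gateway 192.168.1.1 fails.
check_plan() {
  in_net "$2" "$1" && return 0
  echo "gateway $2 is not inside $1: hosts there cannot reach it" >&2
  return 1
}

fw_rules() {
  check_plan "$MINE_NET" "${MINE_NET%.*}.1" || return 1
  check_plan "$INLAWS_NET" "${INLAWS_NET%.*}.1" || return 1
  $IPT -P FORWARD DROP                                  # nothing crosses by default
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Outbound SMTP only from the relay, so no box in the house becomes a spam source.
  $IPT -A FORWARD -o "$WAN" -p tcp --dport 25 -s "$MAILHOST" -j ACCEPT
  $IPT -A FORWARD -o "$WAN" -p tcp --dport 25 -j DROP
  # Your segment may reach the Internet and the in-laws' segment (to fix their
  # PCs); their segment may never initiate a connection into yours.
  $IPT -A FORWARD -i "$MINE" -s "$MINE_NET" -j ACCEPT
  $IPT -A FORWARD -i "$INLAWS" -d "$MINE_NET" -j DROP
  # In-laws' segment: web only; anything else is logged, which doubles as the
  # "nasty stuff" warning system suggested above.
  $IPT -A FORWARD -i "$INLAWS" -o "$WAN" -p tcp -m multiport --dports 80,443 -j ACCEPT
  $IPT -A FORWARD -i "$INLAWS" -j LOG --log-prefix "inlaws-blocked: "
  $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE    # one public IP for both
}

if [ "${1:-}" = "apply" ]; then fw_rules; fi
```

Run it with no arguments to see the rules printed, or as `IPT=iptables sh fw.sh apply` as root to load them; the dry run strips the quotes around the log prefix, so quote it again if you paste rules by hand.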
Short of getting them their own modem, use ipcop and setup 2 subnets.
It won't be perfect, since a lot of viruses don't care about subnets, but it's the next best thing if you can't swing a 2nd connection.
---- Booth was a patriot ----
I work with a school district. Most of the schools are part of a wired WAN, but there were a couple that were out of range of the SHDSL gear we were using. One had a cable internet connection, and we used a VPN to connect to it. (A linux box was doing NAT and running Squid/squidguard, in addition to the VPN.)
Someone in management decided that they wanted to switch from Cable to the local telco monopoly's brand of DSL. So we order the DSL, and I go switch it over - pretty simple, just move the ethernet cable from the cablemodem to the DSL box, and restart the DHCP client (the VPN will pick up the change just fine.)
Two days later, my pager goes off - the school is offline. So I go out there, and it turns out I can't ping the default gateway - I call the telco, and they go through their "reinstall your TCP/IP stack" script - lo and behold, restarting the DHCP client and all is fine.. the machine now has a new IP address (odd that the DHCP lease was valid when I restarted it - it should have been given the same address.)
Two days later (almost exactly 48 hours), the same thing happens! I go out there, and do the same song and dance - get a new IP address, and all is fine. The telco still blames Linux, despite the fact that this same box had been running for over *TWO YEARS* on the cable network without a single service call.
Two days later, my pager goes off *again*. This time, I decide to hook it back up to the cable (which isn't due to be removed for another week or so.) I leave it right up until the cable guy goes to pick up the modem. It runs perfectly, I never heard a peep out of it.
Two days after I switch it back over to the DSL, it goes down *AGAIN*. At this point, it's blatantly obvious that it's the telco - so a quick cronjob to kill the DHCP client every day, then restart it, and this problem never recurs.
About a year later, I was talking to someone who works for the Telco, and he tells me that they deliberately kill connections that have been up for 48 hours, because they think it will stop people from running servers (regardless of the fact that dyndns will counter that.) The helpdesk people are told "if resetting the client machine fixes a problem, then that means that the problem was with the client's computer."
Maybe your ISP is doing something similarly braindead.