Allow internet but not to join Lan

TOMOROGOOD Jul 19th, 08, 11:52 PM #1 (permalink)
Have 2 PCs (XP Home and XP Pro) connected by cable to a Linksys WRT54G for simple file sharing in DHCP mode. So far so good, but when I turn on wireless access for guests to access the internet, all the shared folders on the 2 PCs become accessible.

How to allow internet access and at the same time block the sharing of folders? Advice appreciated.

 
DragonFire Jul 20th, 08, 07:24 AM #2 (permalink)
Hmm the obvious way would be to set a password on shared drives.

DF
Unix Guru Ian B.:
They said it wasn't possible, but I've just proved them wrong...
#
# uptime

1:10pm up 1000 days, 2:51, 2 users, load average: 0.27, 0.35, 0.27

Views expressed are my own and are not representative of that of VR-Zone.
 
TOMOROGOOD Jul 20th, 08, 08:29 AM #3 (permalink)
Morning DF, thanks. Besides using password, can the method below work?

A) Using different subnets :-

* wired PCs ip as 192.x.x.3/8 n 192.x.x.4/8, then
* wireless PC 192.x.x.3/21

B) Using different ip like:-

* wired PCs ip as 192.x.x.3/8 n 192.x.x.4/8, then
* wireless PC 192.x.y.3/8

If workable, then in router must I use non-DHCP mode?
If used DHCP, will above ip setting have effect so that the wireless PC will not be in same net as the 2 PCs?

Thanks in advance
 
Dreamslacker Jul 20th, 08, 09:06 AM #4 (permalink)
Erm... It's going to be complex as to how you handle the ACLs and routing between the computers if you want to do VLSM. You will most probably need more than 1 router.
An Idle Mind Walks in Dark Places

SLS-ing.com - techies on the prowl!
 
p|sangp|sang Jul 20th, 08, 10:03 AM #5 (permalink)
You can try looking for an option "isolate wlan from lan", but I only know this option exists for ddwrt.

Civilization is over, It's time to Elect The Dead.
 
DragonFire Jul 20th, 08, 07:00 PM #6 (permalink)
Quote:
Originally Posted by TOMOROGOOD View Post
Morning DF, thanks. Besides using password, can the method below work?

A) Using different subnets :-

* wired PCs ip as 192.x.x.3/8 n 192.x.x.4/8, then
* wireless PC 192.x.x.3/21

B) Using different ip like:-

* wired PCs ip as 192.x.x.3/8 n 192.x.x.4/8, then
* wireless PC 192.x.y.3/8

If workable, then in router must I use non-DHCP mode?
If used DHCP, will above ip setting have effect so that the wireless PC will not be in same net as the 2 PCs?

Thanks in advance

Dreamslacker's right. It will be complicated. Feeling brave?

The idea is to create a DMZ of sorts for the wireless LAN. The upstream router will require a firewall feature to deny all access to regular NETBIOS ports from the DMZ, effectively isolating file and print services whilst allowing regular http traffic. (Best is deny all and allow http/https only)

It will work like this.

Broadband modem
|
|
Router/firewall
-WAN DHCP
-LAN subnet 192.168.1.0/24
-LAN DHCP scope from 192.168.1.50-100
-Local IP 192.168.1.1
-Static route. 192.168.255.0 255.255.255.0 via 192.168.1.2
-Access Control List. DENY TCP/UDP (see portlist) for 192.168.2.0/24
-portlist: 135,137-139, 445,515,593,1433-1434
|
|
Wireless router
-WAN Static 192.168.1.2
-LAN subnet 192.168.255.0/24
-LAN DHCP scope from 192.168.255.50-100
-Local IP 192.168.255.1
-Static route. 192.168.1.0 255.255.255.0 via 192.168.255.1

===
That's it. "Simple" isn't it?
A year ago I was planning to set something up like this as a public access WLAN. With a sniffer running in that LAN (evil laughter)

DF
 
Last edited by DragonFire; Jul 20th, 08 at 07:03 PM..
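
The port-filtering idea in post #6, as an added example (editor's sketch, not DragonFire's code or any router's firmware): it expands the post's portlist and evaluates constructed sample flows against a deny-list rule and against the "deny all and allow http/https only" variant. The flow addresses are constructed, and the rule source is a parameter because the diagram's ACL line names 192.168.2.0/24 while the wireless router's LAN is 192.168.255.0/24; a rule only matches when it names the subnet the guests actually sit in.

```python
import ipaddress

PORTLIST = "135,137-139, 445,515,593,1433-1434"  # as written in the post

def parse_portlist(text):
    """Expand a '135,137-139' style list into a set of port numbers."""
    ports = set()
    for item in text.split(","):
        lo, _, hi = item.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def make_acl(source, ports, mode):
    """mode='denylist': drop listed ports from source, permit the rest.
    mode='allowlist': permit only listed ports from source, drop the rest.
    Traffic from outside `source` is not matched by the rule at all."""
    net = ipaddress.ip_network(source)
    def decide(src, dport):
        if ipaddress.ip_address(src) not in net:
            return "permit"
        listed = dport in ports
        if mode == "denylist":
            return "deny" if listed else "permit"
        return "permit" if listed else "deny"
    return decide

# Constructed sample flows: (guest source, destination, destination port).
FLOWS = [
    ("192.168.255.60", "192.168.1.50", 445),   # SMB to a wired PC
    ("192.168.255.60", "192.168.1.50", 139),   # NetBIOS session service
    ("192.168.255.60", "203.0.113.10", 443),   # HTTPS to the internet
    ("192.168.255.60", "192.168.1.50", 3389),  # a port the list omits
]

def evaluate(acl):
    """Decision for each constructed flow, in FLOWS order."""
    return [acl(src, dport) for src, _dst, dport in FLOWS]

if __name__ == "__main__":
    ports = parse_portlist(PORTLIST)
    policies = {
        "denylist on 192.168.255.0/24": make_acl("192.168.255.0/24", ports, "denylist"),
        "denylist on 192.168.2.0/24": make_acl("192.168.2.0/24", ports, "denylist"),
        "allowlist on 192.168.255.0/24": make_acl("192.168.255.0/24", {80, 443}, "allowlist"),
    }
    for name, acl in policies.items():
        print(f"{name:32} {evaluate(acl)}")
```

The sketch does not model DNS, which guests still need when only http/https is permitted.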
DragonFire Jul 20th, 08, 07:06 PM #7 (permalink)
I have another suggestion. If your router firewall allows blocking traffic to/from specific IPs you can just enter the portlist I put down in the last post for the guest IP.

This works only on IT noobs tho. Easily bypassed just by switching IPs.

DF
 
TOMOROGOOD Jul 20th, 08, 08:17 PM #8 (permalink)
DF - Thanks for the details. Will try out your method; but now trying to understand your explanation. Does it involve 2 routers?
 
DragonFire Jul 20th, 08, 08:45 PM #9 (permalink)
Yes 2 routers needed. One for wired lan and one for wireless.

DF
 
TOMOROGOOD Jul 24th, 08, 08:49 AM #10 (permalink)
OK folks, finally solved - just dunno how effective it will be as I have not done much experimenting. Didn't have 2 routers, so using the 2 subnets method as follows:-

* 2 wired PCs ip 192.168.1.15 and 16; subnet mask 255.255.x.0 where x is not 255

* wireless PC ip 192.168.1.23; subnet mask 255.255.255.0 using the default subnet mask.

* on Linksys wireless router:
1 - select automatic configuration DHCP for the "Internet connection type" portion; but Disable DHCP server on the "Network Setup" tab.

2 - Wireless MAC filter - Enable, then select Permit Only and fill in the MAC address of the wireless device.

3 - Access Restrictions tab - -> Enable the allow internet access.

Tried for 2 days, so far so good - wireless PC can go internet but is out of the local net of the 2 wired PCs.
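
A check a practitioner would run on the addressing in posts #3 and #10, as an added example (editor's sketch, not part of the thread): it computes whether each host treats the other as on-link, which is what decides whether traffic goes straight to the peer or through a router that could filter it. It assumes wired and wireless clients share one layer-2 segment; the `192.168.255.60` guest and the /8 pair are constructed values for contrast.

```python
import ipaddress

def network_of(ip, mask):
    """Address AND mask, the way a host's IP stack derives its network."""
    return int(ipaddress.IPv4Address(ip)) & int(ipaddress.IPv4Address(mask))

def sends_directly(src_ip, src_mask, dst_ip):
    """True if src treats dst as on-link: it ARPs for dst and never
    hands the packet to a router that could filter it."""
    return network_of(src_ip, src_mask) == network_of(dst_ip, src_mask)

def mutually_on_link(a, b):
    """a and b are (ip, mask) pairs; both directions must be on-link."""
    return sends_directly(a[0], a[1], b[0]) and sends_directly(b[0], b[1], a[0])

# Contiguous values for x in 255.255.x.0 other than 255 (post #10).
X_VALUES = (0, 128, 192, 224, 240, 248, 252, 254)
GUEST = ("192.168.1.23", "255.255.255.0")           # wireless PC, post #10
ROUTED_GUEST = ("192.168.255.60", "255.255.255.0")  # constructed: separate subnet

def masks_that_separate():
    """Values of x for which the guest and a wired PC are NOT mutually on-link."""
    separated = []
    for x in X_VALUES:
        mask = f"255.255.{x}.0"
        wired = [("192.168.1.15", mask), ("192.168.1.16", mask)]
        if not all(mutually_on_link(pc, GUEST) for pc in wired):
            separated.append(x)
    return separated

if __name__ == "__main__":
    # Post #10: same 192.168.1.x range, only the masks differ.
    print("x values that separate guest from wired PCs:", masks_that_separate())
    # Post #3 option B with constructed octets: a /8 mask spans both addresses.
    print("192.168.1.3/8 <-> 192.168.2.3/8 on-link:",
          mutually_on_link(("192.168.1.3", "255.0.0.0"), ("192.168.2.3", "255.0.0.0")))
    # A guest in its own /24 must go through a router to reach the wired PC.
    print("192.168.1.15/24 <-> 192.168.255.60/24 on-link:",
          mutually_on_link(("192.168.1.15", "255.255.255.0"), ROUTED_GUEST))
```

An empty list from `masks_that_separate()` means no choice of x puts the wireless PC on a different network from the wired PCs, so the mask alone cannot be relied on to keep guests away from the shares.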
 