Hi,

I'm a developer by trade but I've done some networking in the past (mostly buying and creating machine specifications, but also a bit of firewall management and AD policies). In a previous company I was even Manager of the Systems department (developers and IT guys).

Anyway, I've recently joined a small (6 person) company and so it is up to everyone to do what they can. Currently we have a wired Windows AD network with a 2003 SBE server as the domain controller.

We all have smartphones that the company pays the bill for, and because we spend time out on site they are all configured to read off of our Exchange server. Trouble is that they are running up big bills with the 3G data. So one of our directors (my boss) wants me to see if I can set up a secure wireless network to give the smartphones internet access when they are in the office so that they won't use their 3G to get data. It is only to provide Internet access, not direct access to our network, and as such if we can have it as a separate network but sharing our internet connection that would be great.

There is a wireless DSL router coming in from our ISP (which seems to have been reconfigured as a bridge) with four ports in the back, connected to a Zyxel firewall which is in turn connected to our network. The firewall settings on the ISP side are configured to let it log on to the ISP domain with our ISP user account and to automatically obtain IP and gateway settings, i.e. no fixed IP... My boss tells me that the techies from the ISP set this up in order to let us use our firewall??? and doesn't want me to touch the ISP router or the firewall if I can help it.

We also have a TP-Link wireless access point / router / bridge with a single ethernet port. I tried setting up the wireless settings for it and could get my phone to connect securely to it. I then connected it into the back of our ISP DSL router, but when I tried loading Google as a test page on my phone, it dropped the WiFi and switched to 3G as it couldn't connect to the Internet. I also see on the TP-Link wireless point that in order for it to use the DHCP service on it for the wireless devices, it must have a fixed IP.

I don't want to put the wireless into our network if I can help it, for security, so I was thinking: if I get a router, can I put it into the ISP wireless router port and configure it the same way as our firewall is, i.e. automatically obtain IP address etc. and log in as an ISP user, and then use it as a gateway for the separate wireless network with their own internal IP addresses?

ISP Router ----- New Router --------------------- Wireless Access point
    |            (Auto IP, 192.168.1.1)           (192.168.1.2, DHCP enabled)
    |
    +----------- Firewall ----------------------- Network
                 (Auto IP, 192.168.*)             (192.168.*, completely separate network)


Sorry I was trying to do out a diagram of the proposed set up but it got a bit mangled...

Really what I want to do is set up two separate networks with a shared internet link.

There are several ways to accomplish this. The simplest is to have a router that has the ability to create two internal VLANs. So you could have two private subnets and allow this router to route between the subnets and the internet. You would plug the wireless access point into one VLAN. This would keep the wireless and your corporate LAN traffic separate. On the router, you would create the appropriate ACLs to allow/block traffic between the two VLANs.

If you want to accomplish this with more than one router, that can be done as well. However, aside from plugging the routers together, they would also have to share their routing information. Otherwise, you will not be able to get traffic flowing (between the two private subnets and the internet) from the various subnets you establish on your network.

With regard to...

automatically obtain IP address etc and log in as an ISP user and then use it as a gateway for the separate wireless network with their own internal IP addresses?

I do not see how you are going to accomplish this. I am not aware of any ISP Internet plan that allows you to log into their network twice from two different clients to establish a separate connection. Of course, if you contact your ISP, they would be more than happy to drop another DSL connection for your wireless network at an additional charge.

If the requirement is to keep the corporate LAN and wireless network separate, the best option is a router that can establish more than one VLAN (many of these consumer-based routers cannot be configured in this manner). If the router has a built-in firewall, even better, so you can restrict traffic between the two VLANs. This is the cleanest and simplest design.

Hi,

Yes, it is the setup of the ISP router that keeps confusing me. At present, it has the DSL phone line going into it and then our firewall connected into one of its 4 ethernet ports. It has a wireless capability but seems to have been configured, either by the ISP or someone else in the past, as a bridge?? i.e. it does not have the wireless enabled and the firewall seems to be logging into the ISP with the ISP account.

So basically what I should be doing then is putting a router behind the firewall to split the network into two separate VLANs, one for the wireless and one for the wired, that do not communicate / share data with each other.

I was looking at the HP V100 5 port router, part no. JE454B. It has a firewall and claims to allow multiple users to share a single Internet connection.

I took a quick look at the specs... the phrase "user share an internet connection" just means that the users on the private side of the router can all access the internet. They mention up to 253 users. This is because the router provides one private VLAN /24 subnet (253 IPs for users, 1 IP for the private side of the router as the gateway address).

If you have the DSL connection plugged into a firewall with 4 ports, I would tend to think that firewall/Internet router product does have the capability of logging into your ISP (PPPoE client). However, those devices can also be configured as bridges, hence why you have another Internet router plugged into that "firewall".

I think adding additional routers behind your internet router will only complicate your design. I would recommend that you first figure out what the capabilities of your firewall/internet router are. If there is no real reason why you have it in bridge mode, I would reconfigure that so that your firewall/router logs into your ISP. Then, since these are single VLAN routers, you could just plug two routers (you have one already) into that firewall, and configure each one with a different private subnet. Enable NAT on each internet router, and on the firewall do not allow traffic to pass between the two ports; only allow the traffic to go out to the internet. Enabling NAT on the two routers will remove the requirement of having to configure routing tables between the firewall/router and the other two internet routers.

It sounds like you really need someone that has experience with this to assist you, only because, based on your initial posting, it sounds like your boss is concerned about the config and doesn't want it to be touched.

You could theoretically leave the design as is and buy an additional two routers that plug into your internet router, and configure NAT on all of the routers. There will be double NAT'ing on the way out and it's an unnecessary design, but you can make it work.

Hi,
Sorry for taking a while to reply; I've been busy with other things.

Maybe I didn't make this too clear on my initial postings.

Our ISP router, which seems to be configured as a bridge, has 4 ports.

Our existing firewall has two ports (one into the ISP router, one into our network switch to connect to our LAN). It is set as our LAN gateway on our Windows 2003 Small Business Server domain controller.

I wanted to take the second router and plug it into one of the three spare ports on the ISP router to create a separate private network that would share the ISP connection through their router. It would not be plugged into our LAN switch and would be outside of our existing firewall; the router I found earlier appears to have its own built-in firewall.

I thought if I configured the new router with the same ISP details as are on our firewall, that because they are going through the same router they could share the ISP account (is this not the case?)

I could then put our wireless router into the new second private network behind the new router, which would be the wireless router's gateway server, and I would set the wireless router to have a static IP in this network and enable its built-in DHCP service for connecting devices.

Thus our wireless network would share the ISP, but traffic from our wireless network would be treated by our existing firewall as external traffic, and connected devices would require a VPN and associated security rights to access our LAN network.

The Wireless network really just has to provide internet access but not direct access to our LAN Network.

I suppose it all hinges on what I can and cannot do with the ISP router-cum-bridge.

If I get stuck, I do have access to more expertise for a price, but at that point we have to decide whether it is worth the bother....

I thought if I configured the new router with the same ISP details as are on our firewall, that because they are going through the same router they could share the ISP account (is this not the case?)

I don't think they will allow you to log in from more than one client device. You can always try... I would not suggest this design in any case.

I could then put our wireless router into the new second private network behind the new router, which would be the wireless router's gateway server, and I would set the wireless router to have a static IP in this network and enable its built-in DHCP service for connecting devices.

Got it! Yep, this could be done.

I suppose it all hinges on what I can and cannot do with the ISP router-cum-bridge.

Correct. If you reconfigure your internet router, remove the "bridge" mode and turn routing on, you can get this design to work. The problem here is the bridge.

REFER BACK to my last statement in the previous post...

You could theoretically leave the design as is and buy an additional two routers that plug into your internet router, and configure NAT on all of the routers. There will be double NAT'ing on the way out and it's an unnecessary design, but you can make it work.

If you reconfigure your internet router from bridge to routing, you can plug your firewall into one port and a new second router into another port. Now, if you get this far, the last step is to either:

1) configure both routers (firewall and new router) behind your internet router to NAT, OR
2) update the routing tables on all three routers (internet router, firewall, and new router).

Either option will work for a network of this size. It's probably easier to go with #1 and allow for the double NAT on the way out of your network. Packets will make their way back to the clients on the return trip based on the NAT tables rather than routing tables. Enabling NAT (which is the default on these consumer-based routers) will save you the time of setting up the routing tables on all three routers. I can clarify this in more detail if you need help with that.
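As an added illustration (not from the thread or from any of the products named in it), here is a small Python model of option #1: the ISP router back in routing mode, with the firewall and the new wireless router each doing NAT behind it. All addresses are constructed; 203.0.113.10 is a documentation-range placeholder for the public IP. It shows why the ISP router needs no routes for the two inner subnets, and how a "downstream segments may only talk to the internet" rule keeps the WiFi side off the wired LAN.

```python
import ipaddress

class NatRouter:
    """Toy model of a consumer router doing source NAT (PAT) on its WAN port.
    Constructed for this thread: addresses and the public IP are placeholders."""

    def __init__(self, name, lan_net, wan_ip):
        self.name = name
        self.lan_net = ipaddress.ip_network(lan_net)
        self.wan_ip = wan_ip
        self.nat = {}            # (wan_ip, wan_port) -> (inner_ip, inner_port)
        self.next_port = 40000

    def outbound(self, src_ip, src_port):
        # Rewrite the inner source address to this router's WAN address and record it.
        if ipaddress.ip_address(src_ip) not in self.lan_net:
            raise ValueError(f"{self.name}: no route for {src_ip}")
        key = (self.wan_ip, self.next_port)
        self.nat[key] = (src_ip, src_port)
        self.next_port += 1
        return key

    def inbound(self, dst_ip, dst_port):
        # The reply is delivered by NAT-table lookup, not by a route to the inner subnet.
        return self.nat[(dst_ip, dst_port)]

def round_trip(chain, src_ip, src_port):
    """Send out through each router in order (inner router first), then return the reply."""
    addr = (src_ip, src_port)
    for r in chain:
        addr = r.outbound(*addr)
    public = addr
    for r in reversed(chain):
        addr = r.inbound(*addr)
    return public, addr

# Constructed topology: ISP router in routing mode, two NAT routers hanging off its LAN ports.
isp = NatRouter("isp-router", "192.168.0.0/24", "203.0.113.10")
office = NatRouter("office-firewall", "192.168.1.0/24", "192.168.0.2")
wifi = NatRouter("wifi-router", "192.168.2.0/24", "192.168.0.3")
DOWNSTREAM = {office.wan_ip, wifi.wan_ip}

def phone_reaches_internet():
    return round_trip([wifi, isp], "192.168.2.50", 51000)

def knows_subnet(router, ip):
    # Without NAT on the inner routers, the ISP router would need routes for their subnets.
    return ipaddress.ip_address(ip) in router.lan_net

def isp_forwards(src_ip, dst_ip):
    # Policy on the ISP router: the two downstream segments may only talk to the internet.
    return not (src_ip in DOWNSTREAM and dst_ip in DOWNSTREAM)
```

A phone on 192.168.2.0/24 leaves as 203.0.113.10 and its reply unwinds through both NAT tables, while the ISP router itself has no idea 192.168.2.0/24 exists; option #2 is what you would need if you turned NAT off on the inner routers.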

Thanks,
It's good to know I'm at least heading in the right direction.... I'll see what we can do when the new router arrives.

Yes, again there are several ways to design this, but it can definitely be done using three routers.

Well, everything is up in the air just now as we are looking at switching ISP from DSL to a wireless provider.

Basically, our current ISP is the old national telco carrier and the performance is terrible, e.g. I have spent all day today applying Windows updates to a new Windows 2008 R2 server. They are blaming the local exchange and saying it is a previous generation that is not due for upgrade yet.

Given that if we switched to another ISP with DSL we would hit the same issue (as it would go through the same exchange), we have been looking at wireless (we looked at a fibre provider but there are no cables nearby).

So, there is no point in doing anything for the time being until we get our new provider and discuss with them...
