Where do I place my AP so it's not in my network?

The-One (Gawd), joined Sep 17, 2006, 882 messages
I feel like an idiot for asking this, but I just want to make sure. I'm setting up an AP for the first time. I want it outside of my network since I don't trust wireless and may allow people from the neighborhood to use it, but I don't want them inside my network. So how does one go about doing this?

Is it

Cable Modem---Switch---DGL-4100---Internal Network
...........................|
..........................AP

I don't currently own a switch, but is that how to do it?
I would plug the AP and router into the switch?
 
So you're saying I should use two routers, right?

Modem---Router---AP---DGL-4100---Internal Network
(each router by a different manufacturer)


Thanks for the info too.
Never heard of DMZ until now.
 
It would be more like:

Modem to the router, then one port of the router would be designated for the DMZ, and the AP would hook up to that port. Then the other ports would be part of the LAN, and you'd hook the switch into one of those ports.
 
Wouldn't using a DMZ host be less secure than just using

Cable Modem---Switch---DGL-4100---Internal Network
...........................|
..........................AP


?
 
> Wouldn't using a DMZ host be less secure than just using
>
> Cable Modem---Switch---DGL-4100---Internal Network
> ...........................|
> ..........................AP
>
> ?

You can't really put a switch after the modem unless you're getting more than one IP from your ISP. A switch after the modem is going to try and grab an IP for each device the switch is connected to.
 
> Wouldn't using a DMZ host be less secure than just using
>
> Cable Modem---Switch---DGL-4100---Internal Network
> ...........................|
> ..........................AP
>
> ?

For this to work, you need to be able to get multiple non-private IPs from your ISP. This almost always costs extra, and you don't want this.

To do what d3c1us is saying, your router would have to be a true router, not one of the standard home routers. Basically, it would have to support multiple LAN networks; a lot of basic home routers don't. But still, that's your best bet. You might be able to use another firmware that does support this functionality. Or if you have 2 routers, you could technically use that too, but it's a bit overkill.
 
I have a DGL-4100 router, which is just a basic cheap home router. So what can I do to keep this AP outside of my network? It sounds like I would have to buy a second router for a true DMZ or just allow it in my network. Hmm.

Berky: Are you saying I should buy a better router as my only real option? I know you obviously said that, but how much is a real router that will do this?

Also, thanks for the input, guys.
 
> I have a DGL-4100 router, which is just a basic cheap home router. So what can I do to keep this AP outside of my network? It sounds like I would have to buy a second router for a true DMZ or just allow it in my network. Hmm.
>
> Also, thanks for the input, guys.

Might you have an old PC laying around, or pick one up? Nothing too extensive; throw a *nix routing distro on it and do it from there. That's how I have it set up at my house, but I'm using Untangle, which is more than a router and more of a UTM, but it gets it done.

There are plenty of threads on this forum about which distros are out there and anything else you'll need. Just throwing it out there as an option.

Then the setup would be:

...............................................................(DMZ interface) AP
INTARWEBS -> Modem -> *nix router <
...............................................................(LAN interface) LAN -> Switch -> end users
 
> I have a DGL-4100 router, which is just a basic cheap home router. So what can I do to keep this AP outside of my network? It sounds like I would have to buy a second router for a true DMZ or just allow it in my network. Hmm.
>
> Berky: Are you saying I should buy a better router as my only real option? I know you obviously said that, but how much is a real router that will do this?
>
> Also, thanks for the input, guys.

Sure it does.

Advanced tab, Firewall Settings. Scroll down to DMZ Host, click the check box for "Enable DMZ", then select the IP of your access point and save your settings.

BTW, the 4100 is not a basic cheap home router; it's actually one of the best home routers out there.
 
> Sure it does.
>
> Advanced tab, Firewall Settings. Scroll down to DMZ Host, click the check box for "Enable DMZ", then select the IP of your access point and save your settings.
>
> BTW, the 4100 is not a basic cheap home router; it's actually one of the best home routers out there.

Exactly.

The DMZ (Demilitarized Zone) option provides you with an option to set a single computer on your network outside of the router. If you have a computer that cannot run Internet applications successfully from behind the router, then you can place the computer into the DMZ for unrestricted Internet access.

This is exactly what you want to do.

And, again, the DGL-4100 is not a basic cheap home router. It was one of the best routers at the time. Its older brother, the DGL-4500, is the best router out right now.
 
I don't know how it works on the 4100, but be careful with DMZs on SOHO/consumer gear. Many times the DMZ is simply opening all ports from the outside to that specific IP address and NOT isolating it from the current private network at all.

DMZ on more advanced routers like Smoothwall/Cisco gear/etc., though, is in regards to making a separate network with a separate IP scheme and total isolation from the standard private or green network except for what you allow through.
 
> I don't know how it works on the 4100, but be careful with DMZs on SOHO/consumer gear. Many times the DMZ is simply opening all ports from the outside to that specific IP address and NOT isolating it from the current private network at all.

That is exactly what it does. Here is the entry from the help file:

DMZ Host
DMZ means "Demilitarized Zone." If an application has trouble working from behind the router, you can expose one computer to the Internet and run the application on that computer.

When a LAN host is configured as a DMZ host, it becomes the destination for all incoming packets that do not match some other incoming session or rule. If any other ingress rule is in place, that will be used instead of sending packets to the DMZ host; so, an active session, virtual server, active port trigger, or port forwarding rule will take priority over sending a packet to the DMZ host. (The DMZ policy resembles a default port forwarding rule that forwards every port that is not specifically sent anywhere else.)

The router provides only limited firewall protection for the DMZ host. The router does not forward a TCP packet that does not match an active DMZ session, unless it is a connection establishment packet (SYN). Except for this limited protection, the DMZ host is effectively "outside the firewall". Anyone considering using a DMZ host should also consider running a firewall on that DMZ host system to provide additional protection.

Packets received by the DMZ host have their IP addresses translated from the WAN-side IP address of the router to the LAN-side IP address of the DMZ host. However, port numbers are not translated; so applications on the DMZ host can depend on specific port numbers.

The DMZ capability is just one of several means for allowing incoming requests that might appear unsolicited to the NAT. In general, the DMZ host should be used only if there are no other alternatives, because it is much more exposed to cyberattacks than any other system on the LAN. Thought should be given to using other configurations instead: a virtual server, a port forwarding rule, or a port trigger. Virtual servers open one port for incoming sessions bound for a specific application (and also allow port redirection and the use of ALGs). Port forwarding is rather like a selective DMZ, where incoming traffic targeted at one or more ports is forwarded to a specific LAN host (thereby not exposing as many ports as a DMZ host). Port triggering is a special form of port forwarding, which is activated by outgoing traffic, and for which ports are only forwarded while the trigger is active.

Few applications truly require the use of the DMZ host. Following are examples of when a DMZ host might be required:

A host needs to support several applications that might use overlapping ingress ports such that two port forwarding rules cannot be used because they would potentially be in conflict.
To handle incoming connections that use a protocol other than ICMP, TCP, UDP, and IGMP (also GRE and ESP, when these protocols are enabled by the PPTP and IPsec ALGs).
Enable DMZ
Note: Putting a computer in the DMZ may expose that computer to a variety of security risks. Use of this option is only recommended as a last resort.

DMZ IP Address
Specify the LAN IP address of the LAN computer that you want to have unrestricted Internet communication. If this computer obtains its address automatically using DHCP, then you may want to make a static reservation on the Basic → Network Settings page so that the IP address of the DMZ computer does not change.

The OP would be better off doing it the way he originally wanted to. My cable ISP gives me two IP addresses to use; maybe his does too.
 
> I don't know how it works on the 4100, but be careful with DMZs on SOHO/consumer gear. Many times the DMZ is simply opening all ports from the outside to that specific IP address and NOT isolating it from the current private network at all.
>
> DMZ on more advanced routers like Smoothwall/Cisco gear/etc., though, is in regards to making a separate network with a separate IP scheme and total isolation from the standard private or green network except for what you allow through.

QFT

DMZs on most SOHO routers are exactly as described here. The only thing they do is forward any incoming requests (that aren't set up manually for port forwarding) to that LAN host. All hosts in the LAN can still talk to each other.

To the OP: I don't know of any SOHO routers off-hand that will do multiple LANs natively, but I'm sure there are a few out there. However, I *think* that DD-WRT/Tomato have this functionality. That may be an option for you, but you may still have to buy a router that is supported by the firmware, and you have to be willing to install 3rd-party firmware on your router.
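The forwarding rules in the quoted D-Link help text and the isolation point Berky makes above (a "DMZ host" is still an ordinary LAN member, while a true DMZ is a separate subnet that only crosses the router under explicit policy), modelled in Python. This is an added example, not D-Link's firmware or anyone's code from the thread; the subnets, hosts, ports and policy tuples are constructed.

```python
# Model of the DGL-4100 "DMZ host" forwarding decision versus a true DMZ.
# Added example; subnets, host addresses and rules below are constructed.
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.0.0/24")       # constructed: router's single LAN
DMZ_NET = ip_network("192.168.99.0/24")  # constructed: separate DMZ subnet

class SohoRouter:
    """Consumer router: one LAN plus an optional 'DMZ host' default forward."""
    def __init__(self, dmz_host=None, port_forwards=None, sessions=None):
        self.dmz_host = dmz_host
        self.port_forwards = port_forwards or {}   # (proto, port) -> LAN host
        self.sessions = sessions or {}             # (proto, port) -> LAN host

    def inbound(self, proto, dst_port, syn=False):
        """LAN host an unsolicited WAN packet is sent to; None means dropped."""
        key = (proto, dst_port)
        if key in self.sessions:           # an active session always wins
            return self.sessions[key]
        if key in self.port_forwards:      # virtual server / forward / trigger
            return self.port_forwards[key]
        if self.dmz_host is None:          # no default rule: packet is dropped
            return None
        if proto == "tcp" and not syn:     # TCP reaches the DMZ host only as SYN
            return None
        return self.dmz_host               # everything else lands on the DMZ host

def can_reach(src, dst, policy=()):
    """LAN-side reachability. Hosts in the same subnet talk through the switch
    and the router never sees it; hosts in different subnets must cross the
    router and match an allow rule in policy, a sequence of (src_net, dst_net)."""
    src, dst = ip_address(src), ip_address(dst)
    if any(src in net and dst in net for net in (LAN, DMZ_NET)):
        return True
    return any(src in s and dst in d for s, d in policy)

# The AP configured as the DGL-4100 "DMZ host": exposed to the WAN by default
# and still a full LAN member that can reach the other LAN hosts directly.
soho = SohoRouter(dmz_host="192.168.0.50",
                  port_forwards={("tcp", 80): "192.168.0.10"})
assert soho.inbound("tcp", 80, syn=True) == "192.168.0.10"  # forward rule wins
assert soho.inbound("udp", 5060) == "192.168.0.50"          # default to DMZ host
assert soho.inbound("tcp", 22) is None                       # non-SYN, no session
assert can_reach("192.168.0.50", "192.168.0.10")             # AP reaches the LAN

# A true DMZ: the AP on its own subnet, with nothing allowed towards the LAN.
assert not can_reach("192.168.99.50", "192.168.0.10")
```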
 
Thanks for the input guys. It sounds like I will have to attain another IP address from my ISP or buy another router and build a real DMZ. What do you guys think about me buying a $50 router and putting the AP in that network and then using my DGL-4100 for my internal network?
 
Why even let neighbors use it? If they want internet, have them get their own. Set up wireless with WPA. If that router can be flashed, you can use DD-WRT and make a VLAN with just the wireless.
 
My wireless router has something called access point isolation, which means anyone connecting via wireless is treated as if they are in their own network. I've seen it on other routers and think it's a pretty standard feature that a lot of people probably don't know is there. See if you have it.

http://wireless.wikia.com/wiki/Wi-Fi#Wireless_Isolation
 