Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Routers (Linux?)

  • 02-07-2003 10:58am
    #1
    Registered Users, Registered Users 2 Posts: 2,393 ✭✭✭


    Hi all,

    This post may be slightly OT, but please bear with me. (Admins, feel free to move).

    We have a wireless link to a building 200 yards or so away, with WEP switched on. All is well, as the 3 or 4 PCs in that building are isolated from the buildings own network, and use our DNS, Gateway and DHCP settings. They are even joined to our domain, and have IP addresses in the same range as the rest of the PCs in our building.

    Now, I want to ensure that PCs in the remote building don't get used as a base to do undesireable things on our network. They are all W2K SP3 PCs and all sit in a reserved range of IPs that I set up on my DHCP server.

    What I want to do is have a router between the two sites that restricts data access from the outside site to the inside site to certain ports and protocols.

    Smoothwall would seem to be the choice here, (I am also looking at Freesco).

    Here come the questions (at last!).

    Will I have problems because all the PC's are on the same IP range and Subnet?

    Is there a way around this?

    Am I better off taking the remote PCs off the domain (I'd rather not) and giving them a seperate IP range, and using smoothwall or Freesco to restrict access?

    Suggestions welcome as always.

    "Google & Boards, helping clueless sysadmins since 1999."


Comments

  • Registered Users, Registered Users 2 Posts: 15,817 ✭✭✭✭po0k


    hmmm....I'm no expert but...

    you could setup a VLAN with your building's PCs on one, and the ones over the wireless link on the other, with the domain controller sitting in both, acting as the bridge for data?
    I've very little experience with using Domains at the moment (give me a week or two :)) but I would think that either the VLAN or your latter idea of assigning them to a seperate Ip range may be the way to go.
    Or does the WAP have any sort of router/firewall capabilities itself?
    Could have it like this:

    main switch <
    (eth0)smoothwall box(eth1)
    >WAP->>>>--next door's PC cluster
    and setup the smoothwal box for IP Masquerading, and block the ports you want?
    Dunno if that would allow PCs on the main switch side find PCs in next door.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,567 Mod ✭✭✭✭Capt'n Midnight


    so don't bother asking on IrishWan...
    unless you intend to route external IP traffic through your link etc.

    Basics:
    SSID is of couse off
    you are using highly directional anennas
    you are using H polarization
    MAC filtering ( in case anyone uses 00-DE-AD-00-BE-EF)
    Best to turn any properitary settings on the Devices (they are the same brand right ?)

    What RF devices ? - because if they do not have built in VPN's then you setup your own elsewhere. Windows has PPTP built in - it's very like RAS - use an IP instead of a phone number) so you can use this as an extra level - as is based on the users PW.

    Look at Zebedee / CIPE / Vtunnel as other IP encryption schemes.

    There is always SecureID or Cisco PIX if you have lots of money.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,567 Mod ✭✭✭✭Capt'n Midnight


    www.vbnets.com/tutorials/security.html

    Some of the devices also NAT and have PPP - so changing your RF gear might be a quick/cheap way to get some more security..

    Also could try 802.11g - security through obscurity...

    And YES you are better off putting the other PC's on a different subnet - less broadcast traffic


Advertisement