Allowing Visitor Internet access

External Since: Jul 14, 2006 Posts: 22

Cliff thanks for your input. I do want to put the wireless clients outside
my LAN and just provide them access to the internet as a Courtesy. Can I use
two wireless routers and have the 1st wireless router provide wireless
clients access to the internet only and have the second router act as a
gateway to my LAN? Most low cost wireless router haves some firewall
functionality in them right? When using two routers like this does one have
to be a wired only router?

Chad

"Cliff Galiher" wrote:

> Based on the info provided, I don't think you can implement Merv's
> suggestion "as-is." It is common practice to deploy a firewall device in
> front of SBS, but in your case it appears that your SBS box has your public
> IP address directly. This would imply that your internet connection device
> (cable/DSL modem) is acting strictly as an ethernet bridge. That really
> prevents you from segmenting your network as Merv suggested.
>
> From a security perspective, BTW, I'd recommend adding a firewall to your
> configuration. Then you can move forward. Otherwise you will have to look
> at doing a more complex deployment. One thing to keep in mind when making
> this decision, which you may not have realized, is that by deploying the
> access point outside of the LAN, you won't be able to have it serve dual
> duty as a guest AP and provide authenticated access to your SBS server.
>
> Again, IMO, from security perspective, this is a *good* thing. Wireless
> access points are inexpensive and I'd rather buy two than try to go through
> the effort and risk of having one perform two tasks and attempt to keep
> guests isolated. I just wanted to point it out as I've seen people go
> through the setup and then not get the results they expected.
>
> -Cliff
>
>
> "Chad" wrote in message
>
> > Merv thanks for the super quick response!
> >
> > I will have a static IP address provided from comcast so how will these IP
> > addresses be assigned?
> >
> > For example:
> > cable (static) 75.144.223.1 - Wireless router w/ dhcp
> > 192.168.1.1...2...3....etc - SBS external NIC 75.144.223.2 - SBS internal
> > NIC
> > (w/dhcp) 192.168.16.1
> >
> > All internal LAN computers 192.168.2....3....4 etc
> >
> > Thanks
> >
> > "Merv Porter [SBS-MVP]" wrote:
> >
> >> Hi Chad,
> >>
> >> Yes. With two NICS in the SBS server, the SBS LAN is isolated from the
> >> router LAN. You could then turn on the DHCP service on the router and it
> >> should not interfere with the SBS DHCP service. That would give your
> >> your
> >> wireless guests Internet access (only) by providing them an IP address in
> >> the same subnet as the LAN side of the router.
> >>
> >> Owen Williams wrote a great article on setting up an even more secure
> >> wireless network:
> >>
> >> Configuring Secure Wireless Network Access with MicrosoftÂ® WindowsÂ® Small
> >> Business Server 2003
> >> http://home.comcast.net/~clearviewtc/
> >>
> >> --
> >> Merv Porter [SBS-MVP]
> >> ============================
> >>
> >> "Chad" wrote in message
> >>
> >> > Is there a way to provide wifi access to visiting clients just using a
> >> > wireless router? For example cablemodem - wireless router - sbs2003
> >> > (2
> >> > nic
> >> > standard) - switch - internal lan. Thanks
> >> >
> >> > "Owen Williams" wrote:
> >> >
> >> >> Bibbob:
> >> >>
> >> >> Following up on my earlier post (to Merv's response), I am using a
> >> >> configuration like this at one client's site so that an SBS2003
> >> >> network
> >> >> and a Guest PC can share a DSL Internet connection:
> >> >>
> >> >> +-------+
> >> >> |DSL Mdm| 192.168.1.1
> >> >> +-------+
> >> >> |
> >> >> +-------+ 192.168.2.1
> >> >> | Router| DHCP Server Enabled -
> >> >> +-------+ Exclude 1st 10 IPs
> >> >> | |
> >> >> | +-------------+
> >> >> | |
> >> >> |192.168.2.2 |
> >> >> | [Ext. NIC] |DHCP IP
> >> >> +-------+ +-------+
> >> >> |SBS2003| |GuestPC|
> >> >> +-------+ +-------+
> >> >> | [Int. NIC]
> >> >> |192.168.16.1
> >> >> |
> >> >> +--------+
> >> >> | Switch |
> >> >> +--------+
> >> >> | | | |
> >> >> | | | |
> >> >> [Domain PCs]
> >> >>
> >> >> SBS2003 runs either the RRAS or ISA2004 firewall so Ext. NIC
> >> >> (192.168.2.2) is protected.
> >> >>
> >> >> "GuestPC" could be a Wireless Access Point with a STATIC address of,
> >> >> for
> >> >> example, 192.168.2.3 (which is used primarily for WAP administration).
> >> >> Then, guest PCs with wireless capabilities associate with the WAP and
> >> >> get an IP address from the (wired) Router.
> >> >>
> >> >> Since Wireless Routers are easier to find (and often less expensive)
> >> >> than WAPs, you can use one as a WAP provided you:
> >> >>
> >> >> - disable the DHCP server on the Wireless Router
> >> >> - connect an Ethernet cable from the (wired) Router to one of the
> >> >> switch
> >> >> jacks (there are most often 4) on the Wireless Router. Do NOT connect
> >> >> anything to the Wireless Router's "WAN" or "Internet" jack.
> >> >>
> >> >> -- Owen Williams
> >> >>
> >>
> >>
> >>
>

External Since: Jul 06, 2005 Posts: 625

There is only one "wireless" router in this example (unless you actually
have two devices on your network). The router has a WAN (public) side and a
LAN (private) side. In the router configuration, you forward incoming
traffic for your selected SBS services to the IP address of the SBS
"external" NIC. You turn on DHCP for the wireless router. If you only need
wireless Internet access (web browsing) for your guests, you do not need a
second wireless router. DMZ is not necessary.

For guests, you could use static IP address in the same subnet as the
wireless router's LAN, but this could be a nightmare to administer because
the onsite admin would probably have to have access to each guest's laptop
since guests may not know how to assign a static IP address to their laptop.
They would also have to disable or delete the static IP when they left your
premises. Probably best to keep guest access as automatically IP
assignment.

Does that answer your questions?

--
Merv Porter [SBS-MVP]
============================

"Chad" wrote in message

> Merv, in this example do I forward the ports from the 1st router or the
> second router or both? Do I turn on DHCP for the 1st wireless router to
> provide IP addresses for the wireless clients to access the internet and
> disable DHCP for the second wireless router?
>
> What about setting DMZ for the first router so all the ports are
> accessible?
> Can a wireless router support wireless clients without DHCP being enabled?
>
> Thanks for your input.
>
> Chad
>
>
>
> "Merv Porter [SBS-MVP]" wrote:
>
>> Hi Chad,
>>
>> See the diagram at:
>>
>> Two Nics, a static IP address, ISA, router
>> (the diagram works with or without ISA)
>> http://www.smallbizserver.net/Articles/tabid/266/articleType/ArticleVi...article
>>
>> The WAN side of your router will use the static IP address supplied by
>> your
>> ISP. The workstations will be 192.168.16.x.
>>
>> --------------------------------------------------------------
>> Internet
>> |
>> Router (WAN, static IP 75.144.223.1)
>> |
>> Router (LAN, static IP 192.168.1.1)
>> |
>> SBS (External NIC, static IP 192.168.1.2)
>> ||
>> SBS (Internal NIC, static IP 192.168.16.2)
>> |
>> Switch
>> | | | | | |
>> Workstations (dynamic IPs 192.168.16.x)
>> --------------------------------------------------------------
>>
>> In the router, forward the ports for the services you need to the
>> external
>> NIC IP address:
>>
>> SSL... 443
>> RWW... 4125
>> VPN... 1723 and GRE Protocol 47 (for PPTP VPN)
>> Mail Server... 25 (if you'll be hosting your own Exchange mail server)
>> RDP... 3389 (straight RDP session to SBS server)
>>
>> Once you get it physically set up, run CEICW to configure the SBS server
>> for
>> DHCP and other services:
>>
>> CEICW Walkthrough
>> http://www.sbs-rocks.com/sbs2k3/sbs2k3-n2.htm
>>
>>
>> --
>> Merv Porter [SBS-MVP]
>> ============================
>>
>> "Chad" wrote in message
>>
>> > Merv thanks for the super quick response!
>> >
>> > I will have a static IP address provided from comcast so how will these
>> > IP
>> > addresses be assigned?
>> >
>> > For example:
>> > cable (static) 75.144.223.1 - Wireless router w/ dhcp
>> > 192.168.1.1...2...3....etc - SBS external NIC 75.144.223.2 - SBS
>> > internal
>> > NIC
>> > (w/dhcp) 192.168.16.1
>> >
>> > All internal LAN computers 192.168.2....3....4 etc
>> >
>> > Thanks
>> >
>> > "Merv Porter [SBS-MVP]" wrote:
>> >
>> >> Hi Chad,
>> >>
>> >> Yes. With two NICS in the SBS server, the SBS LAN is isolated from
>> >> the
>> >> router LAN. You could then turn on the DHCP service on the router and
>> >> it
>> >> should not interfere with the SBS DHCP service. That would give your
>> >> your
>> >> wireless guests Internet access (only) by providing them an IP address
>> >> in
>> >> the same subnet as the LAN side of the router.
>> >>
>> >> Owen Williams wrote a great article on setting up an even more secure
>> >> wireless network:
>> >>
>> >> Configuring Secure Wireless Network Access with Microsoft® Windows®
>> >> Small
>> >> Business Server 2003
>> >> http://home.comcast.net/~clearviewtc/
>> >>
>> >> --
>> >> Merv Porter [SBS-MVP]
>> >> ============================
>> >>
>> >> "Chad" wrote in message
>> >>
>> >> > Is there a way to provide wifi access to visiting clients just using
>> >> > a
>> >> > wireless router? For example cablemodem - wireless router -
>> >> > sbs2003
>> >> > (2
>> >> > nic
>> >> > standard) - switch - internal lan. Thanks
>> >> >
>> >> > "Owen Williams" wrote:
>> >> >
>> >> >> Bibbob:
>> >> >>
>> >> >> Following up on my earlier post (to Merv's response), I am using a
>> >> >> configuration like this at one client's site so that an SBS2003
>> >> >> network
>> >> >> and a Guest PC can share a DSL Internet connection:
>> >> >>
>> >> >> +-------+
>> >> >> |DSL Mdm| 192.168.1.1
>> >> >> +-------+
>> >> >> |
>> >> >> +-------+ 192.168.2.1
>> >> >> | Router| DHCP Server Enabled -
>> >> >> +-------+ Exclude 1st 10 IPs
>> >> >> | |
>> >> >> | +-------------+
>> >> >> | |
>> >> >> |192.168.2.2 |
>> >> >> | [Ext. NIC] |DHCP IP
>> >> >> +-------+ +-------+
>> >> >> |SBS2003| |GuestPC|
>> >> >> +-------+ +-------+
>> >> >> | [Int. NIC]
>> >> >> |192.168.16.1
>> >> >> |
>> >> >> +--------+
>> >> >> | Switch |
>> >> >> +--------+
>> >> >> | | | |
>> >> >> | | | |
>> >> >> [Domain PCs]
>> >> >>
>> >> >> SBS2003 runs either the RRAS or ISA2004 firewall so Ext. NIC
>> >> >> (192.168.2.2) is protected.
>> >> >>
>> >> >> "GuestPC" could be a Wireless Access Point with a STATIC address
>> >> >> of,
>> >> >> for
>> >> >> example, 192.168.2.3 (which is used primarily for WAP
>> >> >> administration).
>> >> >> Then, guest PCs with wireless capabilities associate with the WAP
>> >> >> and
>> >> >> get an IP address from the (wired) Router.
>> >> >>
>> >> >> Since Wireless Routers are easier to find (and often less
>> >> >> expensive)
>> >> >> than WAPs, you can use one as a WAP provided you:
>> >> >>
>> >> >> - disable the DHCP server on the Wireless Router
>> >> >> - connect an Ethernet cable from the (wired) Router to one of the
>> >> >> switch
>> >> >> jacks (there are most often 4) on the Wireless Router. Do NOT
>> >> >> connect
>> >> >> anything to the Wireless Router's "WAN" or "Internet" jack.
>> >> >>
>> >> >> -- Owen Williams
>> >> >>
>> >>
>> >>
>> >>
>>
>>
>>