Koozali.org: home of the SME Server

Need to configure two connections from one SME server and ISP connection.

turtle2472

I found this thread but it recommended me not revive the thread but rather start a new one so here I am.

Here's what I'm looking to do:
                          Main network as currently configured being controlled by SME
ISP <-> SME Server 7.3 -<
                          WRT54G Unsecured WiFi hotspot with no access to Main network but access to the web

Is this doable? The idea is to create an open unsecured WiFi hotspot with only internet access.  This way my network is secured and the hotspot is open.  I wouldn't mind if I could VPN into the server from the WRT54G for certain occasions it would be convenient to me. :)

cactus

I found this thread but it recommended me not revive the thread but rather start a new one so here I am.

Here's what I'm looking to do:
                          Main network as currently configured being controlled by SME
ISP <-> SME Server 7.3 -<
                          WRT54G Unsecured WiFi hotspot with no access to Main network but access to the web

Is this doable? The idea is to create an open unsecured WiFi hotspot with only internet access.  This way my network is secured and the hotspot is open.  I wouldn't mind if I could VPN into the server from the WRT54G for certain occasions it would be convenient to me. :)
No, there is an NFR for it in the bug tracker, but at the moment SME Server only officially supports two network cards in server-gateway mode and does not allow for hotspot provisioning.

I believe the WRT54G has wired ports as well. Why not connect that to the ISP and connect your server to the WRT54G like this, since you do not need to access your LAN from the hotspot-provided addresses:

--- ISP --- WRT54G --- SME Server --- LAN
              |
           Hotspot
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

Jáder

Hi
AFAIR, by default this last config (SME as server-gateway connected to WRT54g and this one to internet) will give WiFi clients LAN IP addresses.

I know I saw somewhere a patch to create separate networks for WiFi and LAN ports... but that also implies changing firmware to something like dd-wrt. Are you ok with that?

Does anyone see another way to do this? Am I wrong?

Jáder
...

cactus

Hi
AFAIR, by default this last config (SME as server-gateway connected to WRT54g and this one to internet) will give WiFi clients LAN IP addresses.
No, you can have different IP ranges that cannot see each other.

Suppose the WRT54G is configured to hand out IP addresses in the range 192.168.x.y/255.255.255.0, you could assign either 10.0.a.b/255.255.255.0 to your SME Server in server-gateway mode or, if you really want to stick to 192.168 subnets, you could also choose 192.168.!x.y/255.255.255.0.

You will have to configure your WRT54G to forward certain requests to the IP number assigned to your server (e.g. 21 (ftp), 25 (smtp), 80 (http), 443 (https) to name a few common ports).

Your initial setup is very uncommon. Why do you want hotspot clients behind your gateway (in your LAN) if you do not want them to access the LAN at all?

turtle2472

I'd be fine reflashing the WRT54G to DD-WRT, but my reasoning for wanting to run the WRT54G through the server is ease to me.  I don't want to have to port forward everything and have yet another device giving IP addresses on the network.  I'd say it could be being lazy, but it's a lot to have to ensure all port forwarding is set right when I'm already adding a dynamic IP on top of this.

So I could put my WRT54G in front with it passing out 192.168.1.1 and have it assign SME an IP while port forwarding everything to it. Then have SME maintain its current IP set of 192.168.4.1+.  Then people on the hotspot that got my server's IP (say 192.168.1.5) would have to go through SME's defenses to get into the network?

cactus

I'd be fine reflashing the WRT54G to DD-WRT, but my reasoning for wanting to run the WRT54G through the server is ease to me.  I don't want to have to port forward everything and have yet another device giving IP addresses on the network.  I'd say it could be being lazy, but it's a lot to have to ensure all port forwarding is set right when I'm already adding a dynamic IP on top of this.
AFAIK there is no need to run custom firmware for my suggested setup, and closing down everything but web access for a certain range of IP numbers is a lot of work as well, as this is a non-standard setup and network layout.

So I could put my WRT54G in front with it passing out 192.168.1.1 and have it assign SME an IP while port forwarding everything to it. Then have SME maintain its current IP set of 192.168.4.1+.  Then people on the hotspot that got my server's IP (say 192.168.1.5) would have to go through SME's defenses to get into the network?
Correct.

mercyh

I think you are trying to do the same thing I do. Here is my layout. This is dependent on your ISP handing out more than 1 IP address per connection. (Either static or dynamic IPs will work but you need two.)

WAN Modem
  V
  V
  V
Switch>>>>>>>>Wireless router
  V
  V
  v
SME or other Firewall/Router for the LAN
  V
  V
LAN Switches
  V
  V
LAN Workstations and devices.

This puts the public hotspot on the WAN side of the firewall; any traffic coming from the hotspot looks like web traffic.

cactus

Switch>>>>>>>>Wireless route

....

This puts the public hotspot on the WAN side of the firewall; any traffic coming from the hotspot looks like web traffic.
The WRT54G has a built-in switch and therefore an extra switch should not be needed.

mercyh

Actually Cactus' suggestion is a good one and makes it so you can do it with only one IP address.

Plug the modem into the WAN port of the WRT54G. Turn DHCP on and let it control the hotspot. Plug your LAN router into any port on the WRT54G and assign a static IP address outside of the DHCP range. If you do not want to deal with multiple port forwards through several routers, just put the IP address of the LAN router/firewall into the DMZ on the WRT54G (this makes it the same as if it were directly connected to the internet).

turtle2472

You are geniuses!  Thanks for the suggestion.  I can't believe I didn't think of DMZ and the WRT54G.  This should work great.  I'll see about putting it into action and post back how it works out for me. :)

So my mapping will be:
ISP
\/
WRT54G (Public Access)
\/
SME
\/
Switches -> 802.11n (Private "n" only)
 |      \_________________
 \/                       \/
Wired Clients          802.11G (Private "g" only)
« Last Edit: May 27, 2008, 05:43:28 PM by turtle2472 »
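
A check of the address plan the thread settles on (hotspot subnet on the WRT54G, SME as its DMZ host with a static address outside the DHCP pool, a separate private LAN behind SME), added here as an example and not posted by any participant. The 192.168.1.x and 192.168.4.x ranges and the 192.168.1.5 address come from the posts above; the DHCP pool bounds and the function name are assumptions.

```python
import ipaddress

def check_plan(hotspot_net, dhcp_start, dhcp_end, sme_wan_ip, dmz_host, lan_net):
    """Return a list of problems with the address plan; empty means consistent."""
    hotspot = ipaddress.ip_network(hotspot_net)
    lan = ipaddress.ip_network(lan_net)
    start = ipaddress.ip_address(dhcp_start)
    end = ipaddress.ip_address(dhcp_end)
    sme = ipaddress.ip_address(sme_wan_ip)
    dmz = ipaddress.ip_address(dmz_host)
    problems = []

    # The hotspot side and the private LAN must be distinct ranges,
    # otherwise SME cannot route between them and isolation is lost.
    if hotspot.overlaps(lan):
        problems.append("hotspot and LAN subnets overlap")

    # The DHCP pool handed to hotspot clients must sit inside the hotspot subnet.
    if start not in hotspot or end not in hotspot or start > end:
        problems.append("DHCP pool is not a valid range inside the hotspot subnet")

    # SME's external address is static: on the hotspot subnet, outside the pool.
    if sme not in hotspot:
        problems.append("SME external IP is not in the hotspot subnet")
    elif sme in (hotspot.network_address, hotspot.broadcast_address):
        problems.append("SME external IP is a network/broadcast address")
    elif start <= sme <= end:
        problems.append("SME external IP is inside the DHCP pool")

    # The WRT54G DMZ entry must name SME's external address, or inbound
    # traffic goes to whichever hotspot client holds the DMZ address.
    if dmz != sme:
        problems.append("DMZ host does not point at the SME external IP")
    return problems

if __name__ == "__main__":
    # Constructed sample: pool .100-.149 is an assumed WRT54G DHCP setting.
    good = check_plan("192.168.1.0/24", "192.168.1.100", "192.168.1.149",
                      "192.168.1.5", "192.168.1.5", "192.168.4.0/24")
    bad = check_plan("192.168.1.0/24", "192.168.1.100", "192.168.1.149",
                     "192.168.1.120", "192.168.1.5", "192.168.1.0/24")
    print("good plan:", good or "no problems")
    print("bad plan:", bad)
```

With SME in the DMZ, every hotspot client can reach SME's external interface directly, so the services SME exposes on that interface are the boundary protecting the private LAN.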