
I have a configuration with two subnets. For this example I will call them 192.168.1.128/26 (128) and 192.168.1.64/26 (64). The 64 subnet contains all the internal devices that guests should not be able to access. The 128 subnet is basically the wireless broadcast subnet.

My problem is that I have two kinds of users that will be connecting to this (128) subnet. First are the guests that should have access only to the internet. Second, are the staff that should have access to the internet as well as the internal devices on the 64 subnet.

I am using basic Linksys routers and I can manage the routing between subnets just fine. My question is, how can I limit the users that get routed to the 64 subnet to the static list of "staff" users?

Joe

1 Answer


Generally you block or permit access using firewall rules (packet filtering). If you are using the stock firmware of a Linksys, I am not sure if this is possible; if you are using dd-wrt or something similar, then you can do it with iptables rules.

Since this is your guest wireless network, it would probably be very unwise to identify staff systems by the assigned IP address or MAC address, which pretty much rules out doing any kind of access control with firewall rules.

What you probably need to do is consider setting up a VPN on your staff wireless clients, which will permit staff to establish a VPN into the trusted network.

Another option might be to just set up an additional SSID/subnet just for your staff accounts and use a different level of wireless authentication. You might have no encryption/authentication on your guest SSID. On your staff SSID, you would use WPA2 with a strong pre-shared key, or ideally one of the enterprise authentications available under WPA.

Zoredache
  • The 2nd route - much simpler. Set up two SSIDs, or if you can't, then buy a 2nd wifi access point and do it that way. Then you actually have *three* subnets, and you can set up firewall rules as appropriate – Mark Henderson Feb 28 '12 at 19:29
  • I was hoping to avoid the need for multiple SSIDs, although I'm beginning to think that might be necessary. I think I'll give dd-wrt a shot before that...assuming I can. – Joe Feb 28 '12 at 19:36
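An added example (not from the question or the answer above) of what the firewall side of the separate-SSID option looks like on a dd-wrt style router: three subnets, a default-deny FORWARD chain, and an explicit allow only from the staff subnet to the internal 64 subnet. The guest (128) and internal (64) subnets come from the question; the staff subnet 192.168.1.192/26, the WAN interface name, and the `IPT` dry-run variable are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): iptables forwarding policy for
# the three-subnet layout the answer suggests. Guest (128) and internal (64)
# subnets are from the question; the staff subnet and interface names are
# assumptions for illustration.
GUEST_NET=192.168.1.128/26     # guest SSID, from the question
INTERNAL_NET=192.168.1.64/26   # internal devices, from the question
STAFF_NET=192.168.1.192/26     # assumed: third /26 for the staff SSID
WAN_IF=${WAN_IF:-vlan1}        # assumed WAN interface name
IPT=${IPT:-iptables}           # set IPT=echo to dry-run and review the rules

apply_rules() {
    # Default-deny for traffic routed between subnets; every allowed path is explicit.
    "$IPT" -P FORWARD DROP
    "$IPT" -F FORWARD
    # Replies to connections that were already permitted.
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Both wireless subnets may reach the internet, and nothing else by default.
    "$IPT" -A FORWARD -s "$GUEST_NET" -o "$WAN_IF" -j ACCEPT
    "$IPT" -A FORWARD -s "$STAFF_NET" -o "$WAN_IF" -j ACCEPT
    # Only the staff subnet may open connections to the internal devices.
    "$IPT" -A FORWARD -s "$STAFF_NET" -d "$INTERNAL_NET" -j ACCEPT
    # Guest attempts to reach the internal subnet are rate-limited-logged, then rejected,
    # so a misconfigured client or a probing guest shows up in the router log.
    "$IPT" -A FORWARD -s "$GUEST_NET" -d "$INTERNAL_NET" \
        -m limit --limit 5/min -j LOG --log-prefix "guest->internal: "
    "$IPT" -A FORWARD -s "$GUEST_NET" -d "$INTERNAL_NET" -j REJECT
}

# Usage: sh firewall.sh apply      (preview with: IPT=echo sh firewall.sh apply)
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

With `IPT=echo` the script prints the rules it would install instead of applying them, which is a convenient way to review the policy before saving it as the router's firewall script.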