Public and private wifi network security when private is upstream from public

2

Disclaimer: I'm pretty sure the terminology I'm using is mistaken, please advise what terms are more suitable/correct.

I have two questions, both about the same situation, right at the bottom.

Background

The most simplified view of my network is as follows:

Modem (fibre-optic) -> OfficeRouter -> PublicRouter

That is to say, the LAN cable from the modem goes to the WAN slot in my OfficeRouter, and the PublicRouter is connected to one of the LAN slots in my OfficeRouter.

Both OfficeRouter and PublicRouter broadcast their own SSIDs, called privatessid and publicssid. Additionally, up to a dozen PCs are connected to OfficeRouter via LAN (through switches).

Limitations

Physical placement constraints mean I cannot change the relative ordering of my routers.

Current networking setup

Each router runs its own DHCP service, so all clients connecting to OfficeRouter (via privatessid or LAN) get something on 192.168.0.* and all clients connecting via PublicRouter get something on 192.168.1.*.

Security question

How can I 'mask' or prevent access to machines connected to OfficeRouter from machines connected to PublicRouter? One of the byproducts of my unfortunate physical arrangement of routers is that all the office machines are directly accessible by anyone connected to publicssid.

Networking question

Is it possible to handle more than 255 connections to publicssid? Do I just have to change the subnet mask for that to work, or is there something I'm missing? The routers in question are fairly basic; are there practical considerations for handling that many connections at once?

Ng Oon-Ee

Posted 2016-11-21T06:43:34.217

Reputation: 165

1 If they are fairly basic (possibly consumer grade) most likely your public router's performance (at least for WiFi) is going to be horrible before you even reach those 255 clients. In addition you'd have to subtract 2 additional IPs from it (router itself and broadcast) besides the network ID, so it's only 253. By setting up rules on your "OfficeRouter" you could prevent that traffic. It does depend on the model which options are available or not for that. – Seth – 2016-11-21T06:48:38.493

Yes, I've noticed horrible performance even with the current settings. Not sure how I'd test where the bottleneck is though (probably just internal WLAN bandwidth?). Any example of what sort of 'rules' would be needed? Only allow 192.168.1.* source packets to anything except 192.168.0.*? – Ng Oon-Ee – 2016-11-21T07:01:08.263

Yep, those are the kind of rules you'd need, and yes, if you only have that one access point the number of WLAN clients is most likely the problem. – Seth – 2016-11-21T07:04:45.170

Also keep in mind that although it may be technically possible, IP-wise, to change your setup so it fits more than 255 clients, it will probably be a physical problem of the router itself: most consumer-grade routers can only handle between 30 and 50 clients, so make sure you look into the tech specs/datasheet for what it says there. – konqui – 2016-11-21T07:21:10.560

Answers

1

This is almost impossible to do on a consumer-grade router - you are, in effect, making your office network insecure by allowing guest access to traverse it - and worse, you are probably using NAT, which will further obfuscate and make tracking issues worse.

If you can use OpenWRT or another Linux variant you could set up separate VLANs for 2 of the interfaces on your office router: one for your office and one for the guest router. You would then need to set each up separately, and use firewalling to control the routing between the devices. You would need to use VLANs to ensure that traffic is always routed through the router (or use ebtables, which would be even messier). AFAIK this is not something you can do through the web interface, and it requires a lot of work at the command line (but it's doable; I've done something very similar).

davidgo

Posted 2016-11-21T06:43:34.217

Reputation: 49 152
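As an added example (not code from the question, the comments or davidgo's answer), the script below emits a `uci batch` file for OpenWrt that does what the answer describes: the switch port feeding PublicRouter is placed on its own VLAN, that VLAN becomes a `guest` firewall zone whose only forwarding rule points at `wan`, so guest traffic can reach the Internet but never the office LAN. Everything hardware-specific is an assumption: `switch0` with CPU port 0, PublicRouter on port 4, VLAN id 3, and the constructed address 192.168.2.1/24 for the guest VLAN (the office stays on 192.168.0.0/24 as in the question). The syntax is the swconfig-era one (`ifname`, `switch_vlan`) that matches OpenWrt releases of the question's time; DSA-based releases name switch ports differently. The two small helpers also cover the second question: a /23 has 510 usable addresses where a /24 has 254, which is what "changing the subnet mask" buys you, before the hardware limits the comments mention.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates a `uci batch` script that
# isolates a guest VLAN on an OpenWrt (swconfig-era) OfficeRouter.
# ASSUMPTIONS (adjust to your device): switch0, CPU port 0, PublicRouter on port 4,
# VLAN 3 unused, 192.168.2.0/24 free. These values are constructed for illustration.

GUEST_VLAN=3
GUEST_PORT=4
CPU_PORT=0
GUEST_ADDR=192.168.2.1
GUEST_PREFIX=24

# Usable host addresses in an IPv4 /PREFIX network: all addresses minus the
# network and broadcast addresses. Subtract one more for the router's own
# address to get what DHCP can actually hand out (/24 -> 254 usable, 253 leases).
usable_hosts() {
    prefix=$1
    [ "$prefix" -ge 1 ] && [ "$prefix" -le 30 ] || { echo 0; return 1; }
    echo $(( (1 << (32 - prefix)) - 2 ))
}

# Dotted-quad netmask for a prefix length, as /etc/config/network expects it.
prefix_to_netmask() {
    prefix=$1
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    echo "$(( (mask >> 24) & 255 )).$(( (mask >> 16) & 255 )).$(( (mask >> 8) & 255 )).$(( mask & 255 ))"
}

# Emit the uci batch. Design:
#  - switch_vlan: VLAN tagged only towards the CPU, untagged on the guest port,
#    so PublicRouter's WAN side lands on eth0.<VLAN> and nowhere else.
#  - zone 'guest': input REJECT (router itself unreachable except DHCP/DNS below),
#    forward REJECT (no guest-to-guest or guest-to-anything by default).
#  - exactly one forwarding entry, guest -> wan; there is deliberately no
#    guest -> lan entry, which is what keeps 192.168.0.0/24 out of reach.
guest_uci_batch() {
    cat <<EOF
add network switch_vlan
set network.@switch_vlan[-1].device='switch0'
set network.@switch_vlan[-1].vlan='$GUEST_VLAN'
set network.@switch_vlan[-1].ports='${CPU_PORT}t $GUEST_PORT'
set network.guest=interface
set network.guest.ifname='eth0.$GUEST_VLAN'
set network.guest.proto='static'
set network.guest.ipaddr='$GUEST_ADDR'
set network.guest.netmask='$(prefix_to_netmask "$GUEST_PREFIX")'
set dhcp.guest=dhcp
set dhcp.guest.interface='guest'
set dhcp.guest.start='100'
set dhcp.guest.limit='50'
set dhcp.guest.leasetime='1h'
set firewall.guest=zone
set firewall.guest.name='guest'
set firewall.guest.network='guest'
set firewall.guest.input='REJECT'
set firewall.guest.output='ACCEPT'
set firewall.guest.forward='REJECT'
set firewall.guest_fwd=forwarding
set firewall.guest_fwd.src='guest'
set firewall.guest_fwd.dest='wan'
set firewall.guest_dhcp=rule
set firewall.guest_dhcp.name='Allow-DHCP-Guest'
set firewall.guest_dhcp.src='guest'
set firewall.guest_dhcp.proto='udp'
set firewall.guest_dhcp.dest_port='67-68'
set firewall.guest_dhcp.target='ACCEPT'
set firewall.guest_dns=rule
set firewall.guest_dns.name='Allow-DNS-Guest'
set firewall.guest_dns.src='guest'
set firewall.guest_dns.proto='tcp udp'
set firewall.guest_dns.dest_port='53'
set firewall.guest_dns.target='ACCEPT'
commit
EOF
}

# Self-check before applying: refuse to emit a batch that forwards guest to lan.
guest_isolated() {
    ! guest_uci_batch | grep -q "guest_fwd.dest='lan'"
}

# Running the file directly prints the batch; apply it on the router with
#   sh guest-vlan.sh > guest.uci && uci batch < guest.uci
# then /etc/init.d/network restart && /etc/init.d/firewall restart
guest_isolated && guest_uci_batch
```

After applying, verify from a client of PublicRouter that 192.168.0.1 and the office PCs no longer answer while Internet hosts still do; PublicRouter's own NAT towards its 192.168.1.* clients is unchanged by this, and the per-client limits the comments describe still apply to that router's radio and DHCP pool.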