How to share my wireless internet access but not my files without using ANY security measure, just WAP. Network splitter?

1

1

What I'm trying to achieve here is to be able to give my student neighbor access to the internet using the wireless side of my DSL router, but I wouldn't like to have to set up encryption/privacy in any of my intranet wired XP/Ubuntu-based workstations or my NAS.

I think this should be easy to set up, but the solution has been eluding me for the last two weeks. I tried/intended to use firewall-based solutions like ipcop, pfsense and a few others, but it got too complicated very soon. Somehow, whenever the router gets the WAP TKIP key (which I provided him along with the SSID name), it automatically lets the user access my wired network and workgroup.

Of course, I took all my files offline and cleared the shared folders, but I still want to be able to share without having to disconnect my fileserver. I think two separate networks or some kind of "network splitter" prohibiting the traffic between my computers and the wireless network should do the job. Unfortunately, I don't see how to do it in an inexpensive way or spending just a little bit.

Yes, I know about fonera devices and wrtg54g linux-based devices. All I have is a switch, the router, a few PCI wireless NICs and a spare computer.

richmondlaptop

Posted 2009-12-27T07:12:49.450

Answers

5

The primary problem in this post is addressed by RFC 1925, "(7a) (corollary). Good, Fast, Cheap: Pick any two (you can't have all three)."

Although Sybreon has described the networking problem fairly well, the really cheap equipment most people have at home does not tend to have the flexibility to implement his suggested solutions. What you can do instead is use really cheap network routers and wireless routers, for example the older 802.11 G or even 802.11 B routers, to achieve a similar effect. Try the following configuration:

 Wifi Network|             Private network  
             |{subnet 3}       |
             |                 |{local network ports: subnet 2} 
       [wifi router]     [cheap router. Can also have Wifi]
       {WAN port}|          |{WAN Port}
                 |          |
                 |{subnet 1}|
        {dsl router's local network ports}
                 [dslrouter]
                     |{WAN port}
                     |
                     |  ISP provided network address
                     +
                  internet

As long as the router devices are actual routers, are performing NAT, and have some basic firewalling configured, both you and your neighbor are as safe from each other as you both are from random people on the internet.

In short, a NAT router with basic firewalling is precisely the "'network splitter' prohibiting the traffic between my computers and the wireless network" you requested.

pcapademic

Posted 2009-12-27T07:12:49.450

Reputation: 3 283

+1 for using subnets. I've never thought of that before. – Ian Boyd – 2010-07-30T20:36:19.667

If your DSL router does not have multiple ethernet ports (most probably won't), you can put your 'private' network hanging off of your 'wifi' network. This will put the three networks inline and should accomplish what you want: internet -> DSL Router -> Wifi Router -> private router – Peter – 2009-12-28T02:00:34.503

4

Let's start with a diagram. This is what I assume you want.

 neighbour---wifi---[dslrouter]---+---[switch]---local network
             WPA         |
                         +
                      internet

The reason why your neighbour can access your local network is because it typically exists in the same network segment as your local network. Most wifi routers will bridge the wireless network and the local network into one single network with the internet on an external network.

In order to keep your neighbour out, you have a few options (in decreasing order of difficulty and decreasing order of isolation):

  1. Port 4 - Some wireless routers will allow you to isolate the last router port into its own little physical segment. You can attach your local switch to this port and wire up your local network behind it. It will be isolated from the rest of the network (wireless and wired).
  2. Bridge - Some wireless routers allow you to break apart the wireless and wired networks or to unbridge them in such a way that they do not automatically exist in the same segment. That can help but only if you block traffic between the two unbridged parts in the router firewall.
  3. Virtual LAN - Some smart routers/switches allow you to create your own VLAN. Sometimes, even if they are dumb, you might still do it by enabling VLAN on all your own machines. So, you can effectively isolate your own machines in their own VLAN, which is sort of like having a physically disconnected LAN.
  4. IP Segment - The last method is also the easiest method, that is to just place your machines and your neighbour on different network IP segments, e.g. you are on 10.x.x.x and your neighbour is on 192.168.x.x, and then set up appropriate firewall rules on your router to block traffic between the two IP segments.

Regardless of what method you choose, you should still have your neighbour connect via an encrypted wireless network for his own safety and yours.

sybreon

Posted 2009-12-27T07:12:49.450

Reputation: 1 048

I highly disagree with the "encrypted wireless network" for safety. You should encrypt only sensitive data regardless of wires. As for using passwords on wireless, again, you should rather use them on your user. Setting up any of those so-called "wireless security methods" is lazy security work and mostly done just for appearances. Fonera is out there to prove that. – cregox – 2010-03-30T23:37:56.860

Another method of doing #2 is to use something like ddwrt which opens up a lot of options on the router. – Unfundednut – 2009-12-27T10:41:59.603
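
Option 4 from the answer above (separate IP segments plus firewall rules between them), as an added example that is not part of the original answers. It assumes the spare computer runs Linux with iptables and routes between three interfaces; the interface names and subnets in the usage comment are constructed, and the example goes slightly beyond the answer by also limiting what the guest segment can reach on the router itself.

```shell
#!/bin/sh
# Added example, not from the original answers. Prints an iptables-restore
# ruleset for a Linux box routing between a guest Wi-Fi segment, a private
# LAN and the uplink. Nothing is applied; the caller pipes it where needed.

emit_rules() {
    # usage: emit_rules GUEST_IF PRIVATE_IF WAN_IF GUEST_NET PRIVATE_NET
    [ "$#" -eq 5 ] || { echo "emit_rules: need 5 arguments" >&2; return 1; }
    guest_if=$1; private_if=$2; wan_if=$3; guest_net=$4; private_net=$5
    # Refuse a plan that puts both segments on the same prefix.
    [ "$guest_net" != "$private_net" ] || { echo "emit_rules: segments must differ" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Traffic addressed to the router itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $private_if -j ACCEPT
# Guests get DHCP and DNS from the router, not its admin services
-A INPUT -i $guest_if -p udp --dport 67 -j ACCEPT
-A INPUT -i $guest_if -p udp --dport 53 -j ACCEPT
-A INPUT -i $guest_if -p tcp --dport 53 -j ACCEPT
# Traffic routed through the box
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Drop guest packets with a source outside the guest segment (spoofing)
-A FORWARD -i $guest_if ! -s $guest_net -j DROP
# Guest to private LAN: explicit drop, placed before any accept
-A FORWARD -i $guest_if -d $private_net -j DROP
-A FORWARD -i $guest_if -o $wan_if -j ACCEPT
-A FORWARD -i $private_if -o $wan_if -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
# Both segments share the single uplink address
-A POSTROUTING -o $wan_if -j MASQUERADE
COMMIT
EOF
}

# Constructed sample values (hypothetical interfaces and subnets):
#   emit_rules wlan0 eth1 eth0 192.168.50.0/24 10.0.0.0/24 | iptables-restore --test
```

With the FORWARD policy set to DROP, the private LAN cannot open connections to the guest segment either; only replies to connections each side opened toward the uplink pass back in.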