A second subnet

Guest

Hi

I have to set up a new mobile classroom for users with laptops, who only need
access to the Internet.

The current setup of this company I believe is as follows:-

They are running Windows Server 2003 with 11 wireless PCs. They have a
D-Link DWL-2000AP connected for the wireless clients. I know that the default
ip address of the DWL-2000AP is set to 192.168.0.50.

What I don't know is whether the server or router is dishing out DHCP. I
ASSUME the server is set to static and the d-link is dishing out DHCP.

Anyway, the new mobile classroom needs to be put on a second subnet. I have
been given a Linksys WAP54G (wireless access point), which has a default ip
address of 192.168.1.254.

I need to connect the new laptop users to the current wireless printers, but
prevent them from accessing the current users' network resources. The new
users only need internet access.

I wondered which is the best way to set this up. I assume I can leave the
default ip settings in place for the new linksys AP. Would I be best to give
the new laptops dhcp or static ips?

Also, what is the best way to configure it so that they can take their
laptops home as well and access the internet?

So to recap:-

1) new users need only internet access at work but not access to the
existing network resources.
2) They need to be able to access the internet at home as well.

All help really appreciated,

Kind regards,
Jason
 
Doug Sherman [MVP]

You need some kind of router to accomplish this. Both the DLink and Linksys
devices are access points; they are not DHCP servers; and by themselves,
they cannot do what you want.

Doug Sherman
MCSE, MCSA, MCP+I, MVP
 
Guest

Many thanks for your reply, although a little vague.

Ok. I believe that the initial access point (the d-link), is connected to a
router. So can this router be configured to refuse the new users' laptops
access to the existing network resources, but still allow them access to the
internet, with the linksys installed?

Are you saying that if I install the 2nd access point (the linksys), that
the laptops have to be given static ips, but cannot be prevented access to
the network resources?

Forgive me but I say a little vague, because you didn't mention how to
configure or set up a 2nd router to allow me to accomplish what I have been
asked to do, that is, if I choose to install a 2nd router, which I believe is
what you mean.

I have yet to find any forums that have been able to answer this question,
as to whether I use a 2nd access point or a 2nd router, and how to configure
the appropriate device to prevent new users from accessing the existing users'
network.

I guess this question appears harder to answer than I assumed!

Many thanks
Jason
 
Doug Sherman [MVP]

"So can this router be configured to refuse the new users' laptops
access to the existing network resources, but still allow them access to the
internet, with the linksys installed?"

Depends on the feature set of the router - probably not.

"Are you saying that if I install the 2nd access point (the linksys), that
the laptops have to be given static ips, but cannot be prevented access to
the network resources?"

It doesn't matter. Unless you put the laptops on the same subnet as
existing machines they will not have access to anything except themselves
because the Linksys device is not a router.

"Forgive me but I say a little vague, because you didn't mention how to
configure or set up a 2nd router to allow me to accomplish what I have been
asked to do, that is, if I choose to install a 2nd router, which I believe is
what you mean."

You do not have a "2nd router" - you need to get one. Connect the router's
WAN/Internet port to a LAN port on your present router (this is not the
DWL-2000AP). Make sure the router's LAN settings are for a different
subnet. If you have a Windows domain, domain clients must point to the DC
for DNS. You can use the XP SP2 firewall to prevent access to existing
machines from the machines connecting through the new router.

Doug Sherman
MCSE, MCSA, MCP+I, MVP
 
Guest

Thanks Doug for your response, that seems a bit more straightforward.

Just a couple of other questions I need to confirm.

1) I gather I will have to disable DHCP on the 2nd router and give the
laptops a static ip.
2) I've never used the XP SP2 firewall to prevent client machines from
accessing an existing network. How is this configured?
3) Finally, with regards the linksys access point and your previous response:-

"It doesn't matter. Unless you put the laptops on the same subnet as
existing machines they will not have access to anything except themselves
because the Linksys device is not a router."

So basically, leaving the linksys default settings as they are will not give
the laptops access to the internet because the default gateway would be on
another subnet. In order to connect the laptops to the internet I would have
to put the linksys on the same subnet as the existing network?

If this is so, can I not just go ahead and do that, and configure the XP SP2
firewall settings on the laptops to prevent access to the existing network
resources?

Many thanks Doug for all your help

Jason
 
Doug Sherman [MVP]

In no particular order:

1. If you enable the SP2 firewall (don't do this if you are running third
party security software), you then configure an Exception for File and
Printer Sharing. You can change the scope of the exception to block/allow
only certain machines based upon IP address. This may not be practical if
everyone is on the same subnet and you use DHCP:

http://www.microsoft.com/technet/community/columns/cableguy/cg0204.mspx

2. You wouldn't have to disable DHCP on the second router as long as you
configure its LAN settings to be on a different subnet.

3. If the primary goal here is to isolate the existing network from the new
machines, a better way to do this would be to connect the existing machines
through the new router. Then new laptops could connect to the existing
router through an access point and they would have Internet access. You
would not need to worry about firewall settings on existing machines to
block access from the new laptops because by default the new router will not
allow this kind of connection. Note - although laptops could not access
existing machines, the laptops themselves could be accessed from existing
machines.

However, this will not work if the new laptops need to be joined to the
domain and/or access existing printers connected to the new router. Of
course, you could always leave the printers where they are.

Doug Sherman
MCSE, MCSA, MCP+I, MVP
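
Added example, not part of the original posts: a Python model of the scoped File and Printer Sharing exception from point 1, evaluated on an existing machine because that is where the inbound connection arrives. All addresses are constructed, and it assumes the second router performs NAT, so a classroom laptop shows up on the office subnet with the router's WAN address.

```python
import ipaddress

def parse_scope(scope, local_if):
    """Parse a custom scope list: hosts, addr/mask subnets, or LocalSubnet."""
    nets = []
    for item in (s.strip() for s in scope.split(",")):
        if not item:
            continue
        if item.lower() == "localsubnet":
            nets.append(local_if.network)
        else:
            # strict=False accepts a host address written with a mask
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets

def exception_allows(scope, local_if, source):
    """True if an inbound connection from `source` matches the exception scope."""
    src = ipaddress.ip_address(source)
    return any(src in net for net in parse_scope(scope, local_if))

def source_seen(laptop_ip, router_wan_ip, nat=True):
    """Address an existing machine sees for a laptop behind the second router."""
    return router_wan_ip if nat else laptop_ip

# Constructed addressing for the thread's layout (assumptions, not from the posts).
OFFICE_PC = ipaddress.ip_interface("192.168.0.10/255.255.255.0")
ROUTER_WAN = "192.168.0.200"   # second router's WAN port on the office LAN
LAPTOP = "192.168.1.101"       # classroom laptop behind the second router
PEERS = "192.168.0.11,192.168.0.12"  # office machines listed one by one

def audit():
    """Evaluate each scope choice against the source address the office PC sees."""
    natted = source_seen(LAPTOP, ROUTER_WAN)
    routed = source_seen(LAPTOP, ROUTER_WAN, nat=False)
    return {
        "localsubnet_admits_nat_laptop": exception_allows("LocalSubnet", OFFICE_PC, natted),
        "host_list_admits_nat_laptop": exception_allows(PEERS, OFFICE_PC, natted),
        "host_list_admits_office_peer": exception_allows(PEERS, OFFICE_PC, "192.168.0.11"),
        "localsubnet_admits_routed_laptop": exception_allows("LocalSubnet", OFFICE_PC, routed),
    }

if __name__ == "__main__":
    for check, result in audit().items():
        print(f"{check}: {result}")
```

A subnet-wide scope admits the NATed laptops because they arrive from an office-subnet address; a per-host list excludes them but only stays correct while the listed machines keep the same addresses, which is the DHCP caveat in point 1.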
 
Guest

Thanks Doug once again. Sorry for stringing this out.

I feel under the circumstances if you agree.

I would either prefer to keep the existing setup as it is and put the second
router on a different subnet (installing the router to a switch in the new
mobile classroom which is in a different part of the building), and have the
clients connect to the internet this way, but prevent access to the existing
network via XP SP2 as per your response:-

"You do not have a "2nd router" - you need to get one. Connect the router's
WAN/Internet port to a LAN port on your present router (this is not the
DWL-2000AP). Make sure the router's LAN settings are for a different subnet.
If you have a Windows domain, domain clients must point to the DC for DNS.
You can use the XP SP2 firewall to prevent access to existing machines from
the machines connecting through the new router."

OR

Install the second access point (linksys) on the same subnet and again use
the windows xp firewall security settings or a third party security software
on each laptop to prevent access to the existing resources.

Do you agree?

Just 2 more pointers really to recap:-

1) By installing the second access point rather than a router, and putting
it on a different subnet, this will NOT allow the laptops to access the
internet, as it is on a different subnet to the existing network?

2) Finally, forgive my vagueness here, if I install a second router instead
and enable DHCP on the router, how can I be sure that the new laptops will
get their DHCP settings from the new router, rather than from the existing
network?

Hope this makes sense.

Many, many thanks,
Jason
 
Doug Sherman [MVP]

I would either prefer to keep the existing setup as it is and put the second
router on a different subnet (installing the router to a switch in the new
mobile classroom which is in a different part of the building), and have the
clients connect to the internet this way, but prevent access to the existing
network via XP SP2 as per your response:-

"You do not have a "2nd router" - you need to get one. Connect the router's
WAN/Internet port to a LAN port on your present router (this is not the
DWL-2000AP). Make sure the router's LAN settings are for a different subnet.
If you have a Windows domain, domain clients must point to the DC for DNS.
You can use the XP SP2 firewall to prevent access to existing machines from
the machines connecting through the new router."

OR

Install the second access point (linksys) on the same subnet and again use
the windows xp firewall security settings or a third party security software
on each laptop to prevent access to the existing resources.

Do you agree?

- Yes

Just 2 more pointers really to recap:-

1) By installing the second access point rather than a router, and putting
it on a different subnet, this will NOT allow the laptops to access the
internet, as it is on a different subnet to the existing network?

- Yes. Another way of looking at it is that an access point must be the
same subnet, a router must provide a different subnet.

2) Finally, forgive my vagueness here, if I install a second router instead
and enable DHCP on the router, how can I be sure that the new laptops will
get their DHCP settings from the new router, rather than from the existing
network?

- Contact with a DHCP server is initiated by the client using broadcast
packets. These kinds of packets cannot cross a router. As long as the new
laptops connect to the new router, the only DHCP server they can get an
address from is the router itself. Once they have such an address they can
send directed packets through the router as long as they are on a different
subnet.

Doug Sherman
MCSE, MCSA, MCP+I, MVP
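
Added example, not part of the original posts: a Python sketch of the broadcast-domain reasoning in the reply above, showing which DHCP server a client's broadcast can reach. The topology and node names are constructed; "office-dhcp" is a hypothetical stand-in for whichever device serves DHCP on the existing network, which the thread never establishes.

```python
from collections import defaultdict

# Constructed topology. Switches and access points bridge their ports into one
# broadcast domain. A router does not: its WAN and LAN interfaces are separate
# nodes with no link between them, so a broadcast stops at the router.
BRIDGE_LINKS = [
    ("existing-router:lan", "office-switch"),
    ("office-dhcp", "office-switch"),
    ("office-switch", "DWL-2000AP"),
    ("DWL-2000AP", "office-pc"),
    ("office-switch", "new-router:wan"),
    ("new-router:lan", "WAP54G"),
    ("WAP54G", "classroom-laptop"),
]
DHCP_SERVERS = {"office-dhcp", "new-router:lan"}

def broadcast_domain(start, links=BRIDGE_LINKS):
    """Every node a broadcast from `start` reaches over bridged links."""
    adjacent = defaultdict(set)
    for a, b in links:
        adjacent[a].add(b)
        adjacent[b].add(a)
    seen, pending = {start}, [start]
    while pending:
        node = pending.pop()
        for neighbour in adjacent[node] - seen:
            seen.add(neighbour)
            pending.append(neighbour)
    return seen

def dhcp_servers_heard(client, links=BRIDGE_LINKS):
    """DHCP servers that can answer the client's broadcast discovery."""
    return sorted(broadcast_domain(client, links) & DHCP_SERVERS)

if __name__ == "__main__":
    for client in ("classroom-laptop", "office-pc"):
        print(client, "->", dhcp_servers_heard(client))
```

Moving the WAP54G link from "new-router:lan" to "office-switch" puts the laptop in the office broadcast domain, where only the existing DHCP server answers and the laptop lands on the existing subnet.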
 
Guest

Thanks Doug for all your help, this is a lot clearer now.

Lastly, I had wondered if the routers can be configured to prevent the
laptops from accessing the existing network.

However, I have enough to go on and that should be sufficient.

Many thanks,
Jason
 
