security:allow guests internet access only

[andyp]

Im a newbie to Untangle, used it for 2 weeks and its great.

i want to setup a wireless network that will allow open access to internet for visitors to my factory, but prevent them accessing data on the LAN.

I have an existing wireless setup protected by wep key which is used by my staff.
I use an ubuntu server and all clients are XP, some users have shared drives also.
untangle server is in bridge mode and sits between my main hub and an ADSL router .
i have spare ethernet ports in my ADSL router.

is this a job for DMZ ? or perhaps setup another subnet ?

i'm happy to buy another wireless router if required....

[geniehost]

Hello Andyp,

I try what is in this thread http://forums.untangle.com/showthread.php?t=2334 , and I notice a wireless client not able to access my network resources, but only internet!


You may give it a try.

regards,
Genie

[Sonik]

id think you may have to get another nic for dmz as when the wireless clients come in they will hit lan before untangle so access control would have to be done elsewhere, this is however if I am understanding your setup.

[andyp]

Thanks for the advice.

i think ive solved it,.... but unsure about the security aspect.

i set up UT as a router and have a different subnet on the internal and external ports.
i added an extra NIC and have DMZ as bridge mode.
DHCP is set up for my internal port using UT and ive set DHCP on my ADSL router thats on the external port.

I have a wireless router attached to the DMZ port set in bridge mode.

what this means is that anyone who attaches to the wireless on the DMZ is assigned an DHCP IP addr from the wireless router on the external port. because this is on a different subnet to my internal port (which has all my company data which i want to protect) they can't map drives or see any information.

the wireless access to the internal port is protected by WEP key so people need to have the password before they can get on the internal net.....i'm also going to restrict access to this by MAC addr.

I'm new to this, and arrived at this solution by trial and error and much internet surfing.....

could this arrangement be described as 'secure '.
for my files i use samba so these are protected by the unix permissions etc so the main point of failure would be the XP clients shared drives ... i think.

[Statikk]

I would ditch the MAC filtering as it provides little security and the maintenance/headache wouldn't be worth it. Then I would bump WEP up to WPA2.

[hinzinho]

For added security, you can create a script to change the WPA shared key daily. This guarantee a one day pass to your wireless AP.