
Routers (Linux?)

  • 02-07-2003 11:58am
    #1


    Hi all,

    This post may be slightly OT, but please bear with me. (Admins, feel free to move).

    We have a wireless link to a building 200 yards or so away, with WEP switched on. All is well, as the 3 or 4 PCs in that building are isolated from the building's own network, and use our DNS, Gateway and DHCP settings. They are even joined to our domain, and have IP addresses in the same range as the rest of the PCs in our building.

    Now, I want to ensure that PCs in the remote building don't get used as a base to do undesirable things on our network. They are all W2K SP3 PCs and all sit in a reserved range of IPs that I set up on my DHCP server.

    What I want to do is have a router between the two sites that restricts data access from the outside site to the inside site to certain ports and protocols.

    Smoothwall would seem to be the choice here, (I am also looking at Freesco).

    Here come the questions (at last!).

    Will I have problems because all the PCs are on the same IP range and Subnet?

    Is there a way around this?

    Am I better off taking the remote PCs off the domain (I'd rather not) and giving them a separate IP range, and using Smoothwall or Freesco to restrict access?

    Suggestions welcome as always.

    "Google & Boards, helping clueless sysadmins since 1999."


Comments

  • po0k


    hmmm....I'm no expert but...

    you could set up a VLAN with your building's PCs on one, and the ones over the wireless link on the other, with the domain controller sitting in both, acting as the bridge for data?
    I've very little experience with using Domains at the moment (give me a week or two :)) but I would think that either the VLAN or your latter idea of assigning them to a separate IP range may be the way to go.
    Or does the WAP have any sort of router/firewall capabilities itself?
    Could have it like this:

    main switch <
    (eth0)smoothwall box(eth1)
    >WAP->>>>--next door's PC cluster
    and set up the smoothwall box for IP Masquerading, and block the ports you want?
    Dunno if that would allow PCs on the main switch side to find PCs next door.


  • Capt'n Midnight


    so don't bother asking on IrishWan...
    unless you intend to route external IP traffic through your link etc.

    Basics:
    SSID is of course off
    you are using highly directional antennas
    you are using H polarization
    MAC filtering ( in case anyone uses 00-DE-AD-00-BE-EF)
    Best to turn any proprietary settings on the devices (they are the same brand, right?)

    What RF devices? - because if they do not have built-in VPNs then you set up your own elsewhere. Windows has PPTP built in (it's very like RAS - use an IP instead of a phone number) so you can use this as an extra level - as it is based on the user's PW.

    Look at Zebedee / CIPE / Vtunnel as other IP encryption schemes.

    There is always SecurID or Cisco PIX if you have lots of money.


  • Capt'n Midnight


    www.vbnets.com/tutorials/security.html

    Some of the devices also NAT and have PPP - so changing your RF gear might be a quick/cheap way to get some more security..

    Also could try 802.11g - security through obscurity...

    And YES you are better off putting the other PCs on a different subnet - less broadcast traffic
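    An added example (not from anyone in this thread) of what the "smoothwall box between the main switch and the WAP" from po0k's diagram, combined with the separate-subnet advice above, looks like as an iptables ruleset on a Linux router: the remote PCs get their own range and may only open connections into the main LAN on an allowlist of ports, with spoofed main-LAN addresses arriving from the WAP side dropped. Interface names, address ranges and the port lists are all assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Linux router between the main switch
# (eth0) and the WAP feeding the remote building (eth1). All values below are
# assumptions; adjust them to the real site.
INSIDE_IF=eth0                # assumed: faces the main switch
REMOTE_IF=eth1                # assumed: faces the WAP / remote building
INSIDE_NET=192.168.1.0/24     # assumed: existing range in the main building
REMOTE_NET=192.168.2.0/24     # assumed: new, separate range for the remote PCs
# Assumed allowlist: DNS plus what a Windows 2000 domain member typically needs
# (Kerberos, RPC, NetBIOS, LDAP, SMB, time). Trim it to what you actually see.
ALLOW_TCP="53 88 135 139 389 445"
ALLOW_UDP="53 88 123 137 138 389"

# Emit the rules as text so they can be reviewed (and checked) before being
# applied on the router with:  build_rules | sh   (as root)
build_rules() {
  echo "iptables -P FORWARD DROP"
  echo "iptables -F FORWARD"
  # Anti-spoofing: nothing arriving from the WAP may claim a non-remote source.
  echo "iptables -A FORWARD -i $REMOTE_IF ! -s $REMOTE_NET -j DROP"
  # Main LAN -> remote building: allowed, and the replies are let back in.
  echo "iptables -A FORWARD -i $INSIDE_IF -o $REMOTE_IF -s $INSIDE_NET -d $REMOTE_NET -j ACCEPT"
  echo "iptables -A FORWARD -i $REMOTE_IF -o $INSIDE_IF -s $REMOTE_NET -d $INSIDE_NET -m state --state ESTABLISHED,RELATED -j ACCEPT"
  # Remote building -> main LAN: only new connections to allowlisted ports.
  for p in $ALLOW_TCP; do
    echo "iptables -A FORWARD -i $REMOTE_IF -o $INSIDE_IF -s $REMOTE_NET -d $INSIDE_NET -p tcp --dport $p -m state --state NEW -j ACCEPT"
  done
  for p in $ALLOW_UDP; do
    echo "iptables -A FORWARD -i $REMOTE_IF -o $INSIDE_IF -s $REMOTE_NET -d $INSIDE_NET -p udp --dport $p -j ACCEPT"
  done
  # Log (rate-limited) what the remote side tried and was refused; the chain
  # policy then drops it, which is the audit trail for the "used as a base" worry.
  echo "iptables -A FORWARD -i $REMOTE_IF -o $INSIDE_IF -m limit --limit 5/min -j LOG --log-prefix \"REMOTE-BLOCKED: \""
}

# Check helper: does the generated policy let the remote side open $1 port $2?
port_allowed() {   # usage: port_allowed tcp 445   (exit 0 if allowed)
  build_rules | grep -q -- "-p $1 --dport $2 .*-j ACCEPT"
}
```

Review the generated lines, then apply them on the router; the remote PCs must also be moved to the new range (DHCP scope or static) and use the router as their gateway, or the rules never see their traffic.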

