
Is a 2nd Secure Network Possible?

  • 18-07-2014 3:00pm
    #1
    Registered Users Posts: 17


    Hey everyone, I’m sure something like this has been asked a million times but I couldn't find anything (I’m sure I’m asking the wrong questions).

    Basically I am moving into a new office and, unlike our current one where we only have a wired network, in the new one we need to have another network (with Wi-Fi) for visitors to the office.

    Currently our ISP's modem is going into a Netgear ProSafe FV336Gv2 and to our switch from its LAN1 port. I believe the FV336Gv2 has a DMZ port on LAN4 if that is relevant.

    I have some household Wi-Fi routers which I would love to be able to re-use, but if I need new hardware that's fine.

    The number one priority for me here is security, i.e. I don’t want there to be any way for someone on the guest network to access the wired office network.

    Can anyone offer me any advice on how to set this up?


Comments

  • Moderators, Technology & Internet Moderators Posts: 4,621 Mod ✭✭✭✭Mr. G


    Do you want one wireless network to be able to talk to the wired network (e.g. Printers), while the guest network not being able to talk to anything? Or just one network (i.e. The guest network)?


  • Closed Accounts Posts: 1,837 ✭✭✭same ol sh1te


    You may need to change router to get one that allows a second virtual guest network, many offer this function.


  • Moderators, Technology & Internet Moderators Posts: 4,621 Mod ✭✭✭✭Mr. G


    same ol sh1te wrote: »
    You may need to change router to get one that allows a second virtual guest network, many offer this function.

    Depends on what the OP wants to achieve. May need to buy a new router, alternatively use 2 routers if one wireless network needs to talk to the wired network and one isolated. The router can be VLAN'd at the main router, and set up on LAN isolation, thus nobody within the wireless network can talk to each other, nor can they talk to the wired network.

    If you want to allow access to things like printing (which is shared on the wired and guest network) but not other devices, I would suggest getting a new router.


  • Closed Accounts Posts: 1,837 ✭✭✭same ol sh1te


    My understanding is he just wants a guest Wi-Fi network for customers with no access to the existing network.


  • Registered Users Posts: 2,582 ✭✭✭wandererz


    For a business requirement, have a look at replacing your setup with Fortinet FortiGate firewall and access points.

    It will give you what you need. Plus all the security you need, such as VPN, traffic separation, Web filtering, traffic shaping, and guest user management if needed.

    Each port can be configured separately so the APs can connect directly into the firewall. If you need to power the APs via PoE then there are FortiGates with PoE ports as well.

    So your ISP connection connects to the Web interface. Your LAN switch connects to Port1 on the firewall and the APs connect into the other interfaces.

    Simple to manage and possibly allow you to get rid of multiple systems.


  • Closed Accounts Posts: 1,837 ✭✭✭same ol sh1te


    wandererz wrote: »
    For a business requirement, have a look at replacing your setup with Fortinet FortiGate firewall and access points.

    It will give you what you need. Plus all the security you need, such as VPN, traffic separation, Web filtering, traffic shaping, and guest user management if needed.

    Each port can be configured separately so the APs can connect directly into the firewall. If you need to power the APs via PoE then there are FortiGates with PoE ports as well.

    So your ISP connection connects to the Web interface. Your LAN switch connects to Port1 on the firewall and the APs connect into the other interfaces.

    Simple to manage and possibly allow you to get rid of multiple systems.

    That's a big jump in expense for someone looking to re-use domestic gear if possible as mentioned in the OP


  • Registered Users Posts: 2,582 ✭✭✭wandererz


    same ol sh1te wrote: »
    That's a big jump in expense for someone looking to re-use domestic gear if possible as mentioned in the OP

    Everything is an expense. He could do this now properly or waste time and expense and redo it later on. He also mentioned that the number one priority for him was security and that he is setting up a new office.

    He could end up pissing about messing with a cobbled together system and be no better off.

    Alternatively, he could either go for a unit with integrated WiFi or separate WiFi, spend LESS than €1500 euro and have something that's secure and gives him what he wants.

    And his "new" office really is new in terms of the access, services, control etc rather than a mishmash of rehashed legacy stuff.
    Nobody likes to move to a "new" office only to have the same crappy problems as before.

    Sometimes it's a matter of re-thinking things.

    He could have multiple SSIDs set up for office users and for guest users and keep them totally separate.

    €1500 hardware cost against your annual tax bill isn't much.

    But that's the OP's decision.

    Previously he had asked the community about VPN access. This would satisfy that requirement as well.

    It sounds like a small business.
    He could have his firewall, WiFi access, VPN, Web Filtering, App Control, IPS, Traffic Shaping, AV (I must be missing something else here) all on the same system.

    Of course then there will be the argument soon of what I just said above about it being "all on the same system".

    But many small businesses out there don't concern themselves about that. If they do, then consider an HA setup. Yes, at additional cost, but you wouldn't get that on a non-commercial or cobbled together system.

    But it sounds like HA is not a priority in this case.

    He could setup all of the above himself if he wanted to.

    Of course there are also other options out there. I'm just going from recent experience.

    But I await the usual tide of boards.ie retort.

    Also remember that this is about suggestions / recommendations. The above is my suggestion.
    The OP can read every comment and then make his/her own decision.

    The question is whether this is the "same ol sh1te" or not.


  • Registered Users Posts: 17 CSBJ


    Mr. G wrote: »
    Do you want one wireless network to be able to talk to the wired network (e.g. Printers), while the guest network not being able to talk to anything? Or just one network (i.e. The guest network)?
    same ol sh1te wrote: »
    My understanding is he just wants a guest Wi-Fi network for customers with no access to the existing network.

    So to be clear, I want to have 1 Wi-Fi network that is totally separate from the existing wired network (no printer sharing, access to NAS, server, other PCs, etc.). Basically one wired network for all the company equipment and one Wi-Fi network for public access, and there to be no access from one to the other.


  • Registered Users Posts: 17 CSBJ


    same ol sh1te wrote: »
    You may need to change router to get one that allows a second virtual guest network, many offer this function.
    wandererz wrote: »
    For a business requirement, Have a look at replacing your setup with Fortinet FortiGate firewall and access points.

    It will give you what you need. Plus all the security you need, such as VPN, traffic separation, Web filtering, traffic shaping, and guest user management if needed.

    It was my understanding that the FV336Gv2 is an SMB firewall and includes many of these functions already. My problem is that we cheaped out originally and did not get the equivalent firewall that included an AP, as we had no need for it at the time.

    What I am wondering is if there is any way to basically add in new hardware and get the missed functionality back?


  • Registered Users Posts: 17 CSBJ


    wandererz wrote: »
    Everything is an expense. He could do this now properly or waste time and expense and redo it later on. He also mentioned that the number one priority for him was security and that he is setting up a new office.

    He could end up pissing about messing with a cobbled together system and be no better off.

    Alternatively, he could either go for a unit with integrated WiFi or separate WiFi, spend LESS than €1500 euro and have something that's secure and gives him what he wants.

    And his "new" office really is new in terms of the access, services, control etc rather than a mishmash of rehashed legacy stuff.
    Nobody likes to move to a "new" office only to have the same crappy problems as before.

    Sometimes it's a matter of re-thinking things.

    He could have multiple SSIDs set up for office users and for guest users and keep them totally separate.

    €1500 hardware cost against your annual tax bill isn't much.

    But that's the OP's decision.

    Previously he had asked the community about VPN access. This would satisfy that requirement as well.

    It sounds like a small business.
    He could have his firewall, WiFi access, VPN, Web Filtering, App Control, IPS, Traffic Shaping, AV (I must be missing something else here) all on the same system.

    Of course then there will be the argument soon of what I just said above about it being "all on the same system".

    But many small businesses out there don't concern themselves about that. If they do, then consider an HA setup. Yes, at additional cost, but you wouldn't get that on a non-commercial or cobbled together system.

    But it sounds like HA is not a priority in this case.

    He could setup all of the above himself if he wanted to.

    Of course there are also other options out there. I'm just going from recent experience.

    But I await the usual tide of boards.ie retort.

    Also remember that this is about suggestions / recommendations. The above is my suggestion.
    The OP can read every comment and then make his/her own decision.

    The question is whether this is the "same ol sh1te" or not.

    Firstly, if money has to be spent that is no problem, but the reason I am asking is, well, there is no point in spending a load of money and dumping a perfectly good firewall if a simple fix or workaround will meet our needs.

    You mention a “unit with integrated WiFi or separate WiFi”. What do you mean by separate WiFi? Is this not what my question is all about… adding in additional equipment to get separate WiFi?

    The existing setup functions PERFECTLY for what we have needed (there are no “crappy problems”) and it would continue to do so in the new office, with the exception that we would like to offer a separate “public” WiFi for guests.

    Also, regarding VPN access, this isn’t a problem as, like I said above, the FV336Gv2 is an SMB firewall and already includes VPN and many of the functions you mentioned. I just wasn't aware of this fact when I posted.


  • Registered Users Posts: 2,582 ✭✭✭wandererz


    Aha, I thought you were referring to a Netgear modem or router.
    Normally, with a firewall you would have a DMZ port available or be able to retask one of the LAN ports as a dedicated DMZ port and then connect the wireless AP or router to that and keep things separated, even if it was a 3rd party AP that you were using.

    However, I don't think you can do this with this particular ProSafe firewall. The DMZ port in the traditional sense of the word does not exist.
    I may be mistaken though.

    By "integrated" and "separated" I mean that some firewalls have an antenna built into them which is good for small areas, others have a separate access point to position the AP wherever you need signal.


  • Registered Users Posts: 17 CSBJ


    wandererz wrote: »
    Aha, I thought you were referring to a Netgear modem or router.
    Normally, with a firewall you would have a DMZ port available or be able to retask one of the LAN ports as a dedicated DMZ port and then connect the wireless AP or router to that and keep things separated, even if it was a 3rd party AP that you were using.

    However, I don't think you can do this with this particular ProSafe firewall. The DMZ port in the traditional sense of the word does not exist.
    I may be mistaken though.

    By "integrated" and "separated" I mean that some firewalls have an antenna built into them which is good for small areas, others have a separate access point to position the AP wherever you need signal.

    Thanks for the clarification.

    I can't post a URL as I am a new user, but if you image search for FV336G you can see that LAN4 has a DMZ light. I can only assume this means it has the ability. It's been a while since I have been in its settings so I could be wrong. I will look into it on Monday and report back.

    If it is a DMZ port and I understand you correctly, it should be just a case of activating the DMZ port and connecting another router with built-in AP. Is that correct? The firewall will keep everything on the 2 networks separate?


  • Closed Accounts Posts: 1,837 ✭✭✭same ol sh1te


    CSBJ wrote: »
    If it is a DMZ port and I understand you correctly, it should be just a case of activating the DMZ port and connecting another router with built-in AP. Is that correct? The firewall will keep everything on the 2 networks separate?

    ...or simply replace the Netgear with an AP router that can be configured to have guest or hotspot network functionality.
    I only recommend Mikrotik, but this is a serious router for the price (will need advanced network knowledge to configure):
    http://routerboard.com/RB951G-2HnD
    https://www.interprojekt.com.pl/mikrotik-routerboard-rb951g2hnd-level-128mb-p-1370.html


  • Moderators, Technology & Internet Moderators Posts: 4,621 Mod ✭✭✭✭Mr. G


    CSBJ wrote: »
    Firstly, if money has to be spent that is no problem, but the reason I am asking is, well, there is no point in spending a load of money and dumping a perfectly good firewall if a simple fix or workaround will meet our needs.

    You mention a “unit with integrated WiFi or separate WiFi”. What do you mean by separate WiFi? Is this not what my question is all about… adding in additional equipment to get separate WiFi?

    The existing setup functions PERFECTLY for what we have needed (there are no “crappy problems”) and it would continue to do so in the new office, with the exception that we would like to offer a separate “public” WiFi for guests.

    Also, regarding VPN access, this isn’t a problem as, like I said above, the FV336Gv2 is an SMB firewall and already includes VPN and many of the functions you mentioned. I just wasn't aware of this fact when I posted.

    For a small business, spending over 1k is a lot if you have only 10 employees. Cisco and DrayTek have some nice small business routers which are reliable and are only a few hundred euro.

    It sounds like the OP is not that familiar with firewalls, so therefore I think it is crazy recommending a powerful firewall (e.g. Sonicwall), when the slightest mis-configuration could open the entire network. The routers aimed at small businesses are ideal in this scenario because they are easy to configure and do not cost the earth to buy and run. For more expensive firewalls, they often have fans which are both noisy and to run the equipment can be quite expensive when you add up the yearly electricity paid on them.

    If you feel what you have at the moment works for the business, and your current firewall is secure, then leave it as is.

    With regard to the access point, set up a VLAN on the main router to separate Port 3 from the entire network and only allow internet access. This can easily be done and if you need a hand with configuring this, let us know. Next, connect an access point to Port 3. This can be a business-grade access point installed on a suspended ceiling in the office for best coverage, or just a consumer-grade router. Change the web GUI admin password. If it's a consumer-grade router: change the SSID to the name of the firm (or whatever name you wish to show) and disable security if you wish for it to be open. Then set up LAN isolation so wireless clients cannot snoop on other wireless clients. Then test to ensure that wireless clients cannot connect to the wired network by ensuring that they cannot successfully ping a wired network device from the wireless network. Ensure that you can successfully ping the device from within the network first. For max security, you may wish to do this before you enable wireless connectivity on the access point.

    If you wish to show a splash page you could install dd-wrt on the router. It is probably a good idea to install dd-wrt on the router anyway.

    Cisco Meraki access points are worth the subscription and are very easy to configure if you are looking for a business-class access point.

    I recommended using Port 3 because Port 4 is DMZ'd, while 1 and 2 may be for network switches.

    Don't forget to configure QoS on the main router to ensure wired network traffic gets priority from the wireless network so neighbours don't ruin your download speeds.


  • Registered Users Posts: 1,193 ✭✭✭liamo


    We have a similar requirement in that we have a guest WiFi network with no access to our LAN.
    We have a few public IPs and we simply used one of those on the WAN side of the WiFi device.
    That works really well for us. Of course, not everyone will have multiple IPs.

    You may also wish to consider an EdgeRouter Lite
    Here's a review of the device.
    And here's a page with a config file for one wired and one wireless LAN, both with Internet access, and no comms permitted between the two LANs.
    It seems like a great little device. I'm expecting delivery of one this week and am dying to try it out.
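    One way to write the "two LANs, both with Internet, no traffic between them" config liamo mentions, which also gives the guest isolation Mr. G's steps aim at, in the Vyatta-style CLI shared by VyOS and EdgeOS. This is an added example, not liamo's linked config or anything from Ubiquiti or VyOS; the interface names, the subnets, the WAN getting its address by DHCP and the office LAN keeping its existing DHCP server are all assumptions.

    ```vyos
    # Added example (not the config liamo linked). Assumed layout:
    #   eth0 = ISP/WAN (DHCP from the ISP), eth1 = wired office LAN, eth2 = guest AP.
    # The office LAN is assumed to keep whatever DHCP server it already has.
    set interfaces ethernet eth0 description 'WAN'
    set interfaces ethernet eth0 address 'dhcp'
    set interfaces ethernet eth1 description 'OFFICE'
    set interfaces ethernet eth1 address '192.168.10.1/24'
    set interfaces ethernet eth2 description 'GUEST'
    set interfaces ethernet eth2 address '192.168.20.1/24'

    # Internet access for both subnets via source NAT on the WAN port
    set nat source rule 100 outbound-interface 'eth0'
    set nat source rule 100 source address '192.168.10.0/24'
    set nat source rule 100 translation address 'masquerade'
    set nat source rule 110 outbound-interface 'eth0'
    set nat source rule 110 source address '192.168.20.0/24'
    set nat source rule 110 translation address 'masquerade'

    # DHCP and DNS forwarding for guests, served by the router itself
    set service dhcp-server shared-network-name GUEST subnet 192.168.20.0/24 start 192.168.20.100 stop 192.168.20.200
    set service dhcp-server shared-network-name GUEST subnet 192.168.20.0/24 default-router '192.168.20.1'
    set service dhcp-server shared-network-name GUEST subnet 192.168.20.0/24 dns-server '192.168.20.1'
    set service dns forwarding listen-on 'eth2'

    # Guest traffic routed onward: drop anything aimed at the office subnet,
    # let everything else (i.e. the Internet) through.
    set firewall name GUEST-IN default-action 'accept'
    set firewall name GUEST-IN rule 10 description 'no guest to office LAN'
    set firewall name GUEST-IN rule 10 action 'drop'
    set firewall name GUEST-IN rule 10 destination address '192.168.10.0/24'

    # Guest traffic to the router itself: only DHCP, DNS and replies, so guests
    # cannot reach the management interface or the router's office-side address.
    set firewall name GUEST-LOCAL default-action 'drop'
    set firewall name GUEST-LOCAL rule 10 action 'accept'
    set firewall name GUEST-LOCAL rule 10 state established 'enable'
    set firewall name GUEST-LOCAL rule 10 state related 'enable'
    set firewall name GUEST-LOCAL rule 20 description 'DHCP'
    set firewall name GUEST-LOCAL rule 20 action 'accept'
    set firewall name GUEST-LOCAL rule 20 protocol 'udp'
    set firewall name GUEST-LOCAL rule 20 destination port '67'
    set firewall name GUEST-LOCAL rule 30 description 'DNS'
    set firewall name GUEST-LOCAL rule 30 action 'accept'
    set firewall name GUEST-LOCAL rule 30 protocol 'tcp_udp'
    set firewall name GUEST-LOCAL rule 30 destination port '53'

    # Office side: also refuse office-initiated sessions into the guest subnet,
    # so the isolation holds in both directions whoever starts the connection.
    set firewall name OFFICE-IN default-action 'accept'
    set firewall name OFFICE-IN rule 10 action 'drop'
    set firewall name OFFICE-IN rule 10 destination address '192.168.20.0/24'

    # Attach the rule sets to the interfaces and make it permanent
    set interfaces ethernet eth2 firewall in name 'GUEST-IN'
    set interfaces ethernet eth2 firewall local name 'GUEST-LOCAL'
    set interfaces ethernet eth1 firewall in name 'OFFICE-IN'
    commit
    save

    # Check, as Mr. G describes: ping an office host from a wired client first
    # (must succeed), then from a guest client (must fail), and confirm the drop
    # counter on GUEST-IN rule 10 went up:
    #   show firewall name GUEST-IN statistics
    ```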


  • Closed Accounts Posts: 1,837 ✭✭✭same ol sh1te


    I've heard great things about those Edge routers liamo, have you configured any? I have a big Unifi job coming up and usually use a decent Mikrotik, this could do the same job and leave with gear all the same brand. Can you configure hotspot on them? How mature is the firmware?


  • Registered Users Posts: 1,193 ✭✭✭liamo


    Hi

    No, I haven't configured any. I'm expecting my first device on Friday of this week.

    Having said that, I've been playing with VyOS a good bit lately and have been having great fun (and great results). Both VyOS and EdgeOS have Vyatta as their parent codebase so their feature-set is pretty similar as is the CLI.

    As to the maturity of the firmware, Ubiquiti released EdgeOS in 2011 (I think) and have updated it multiple times since. Of course, the original Vyatta has been going since 2006 or thereabouts so that's also a factor.

    The reviews have been very positive and if I get the functionality I expect from it for €100 I'll be pretty pleased.

    I did have a Mikrotik a while back but I was having Wireless issues with it and sold it on. Also, I didn't take to the Mikrotik interface or commands. I'm finding the VyOS CLI very intuitive and clear compared to Mikrotik. Of course, that's just my opinion.


    Liam



  • Closed Accounts Posts: 1,837 ✭✭✭same ol sh1te


    liamo wrote: »
    I did have a Mikrotik a while back but I was having Wireless issues with it and sold it on. Also, I didn't take to the Mikrotik interface or commands. I'm finding the VyOS CLI very intuitive and clear compared to Mikrotik. Of course, that's just my opinion.

    Wireless issues on the RB751/951 were fixed in v6 of RouterOS, which has been out of beta since last year. I'm the opposite: I find RouterOS very intuitive as it's laid out exactly the same in Winbox, which runs well under Wine. I mostly use that and open a terminal in it; the CLI doesn't take long to figure out this way.

    I think I'll chance an Edge Router for the job


  • Registered Users Posts: 2,582 ✭✭✭wandererz


    CSBJ wrote: »
    Thanks for the clarification.

    I can't post a URL as I am a new user, but if you image search for FV336G you can see that LAN4 has a DMZ light. I can only assume this means it has the ability. It's been a while since I have been in its settings so I could be wrong. I will look into it on Monday and report back.

    If it is a DMZ port and I understand you correctly, it should be just a case of activating the DMZ port and connecting another router with built-in AP. Is that correct? The firewall will keep everything on the 2 networks separate?

    If it is a v2 Netgear as you mentioned, then that so-called DMZ port does not work as you think it does or as it should. Also, that unit is no longer supported, hence you will not find any support or support references to it since 2009 or so.

    You can go ahead and install a Mikrotik, a this, a that, a whatever.

    It is great to mess about, learn about stuff etc.
    Then go ask yourself how many legitimate businesses do this that or whatever.

    Ultimately, you will end up in the position you are at the moment. You need stuff done and there's no-one there to help you and you've got to resort to cobbling stuff together from here and there. And it simply just does not work.

    I am afraid that I have exhausted the level of advice I am willing to provide as it's just too distressing and everyone has their own opinion.

    Happy hunting and hopefully you have the secure networks you requested. Remember though, if you want it separated, then keep it physically separate.

    You asked:
    "Is a 2nd Secure Network Possible?"

    The answer is YES.

    Now let others advise you.


  • Registered Users Posts: 17 CSBJ


    Thanks for all the helpful info everyone. Unfortunately I am out of the office until the start of August. I will be sure to let you know how I got on once I get back and have had a chance to play around with it a bit.

