Interesting home/wireless networking problem


A friend of mine just called me with an interesting wireless network problem he is about to have and asked for possible solutions. Currently, he's running a wireless Applenet network at home with an Airport Express as his wireless router, which connects to the cable modem. He runs WPA and he is the only user so his network is pretty much secure. He has several computers on the network which talk together plus he often goes out to the internet.

The problem is that he's about to get a roommate who also wants to get out to the internet. This is OK, but he needs to be able to hide his computers and traffic from the new user. Simple enough, eh?

Normally I would solve this by having two subnets in the house and put his computers on one subnet and the roommate's on another and set the protections appropriately. However, I have no idea if the Apple Express or other home routers support having multiple subnets. Could somebody with more Apple (almost everybody) and more home networking experience please suggest a solution to this problem?

TIA for your suggestions. I wonder if it will come down to having two internet connections and two separate wireless routers using different frequencies.

I wouldn't be comfortable without a firewall between the two sections of the LAN personally. I'm not familiar with the Apple routers though so can't offer many suggestions on how to implement that. It could certainly be done with some of those Linux-based routers. I guess the other option would be to have strong security on each and every PC on the LAN, but that would be a pain to maintain and wouldn't prevent packet snooping.

Can you packet-sniff encrypted packets though? Why does he need to hide the Macs, unless he's running something that leaves ports open with no authentication?

An Airport Express is too basic to do subnets unfortunately. About the only thing I can think of offhand that does that kind of thing would be something like my friend's Dlink DFL 700 which does subnets, but you'd probably want one that does it over wireless and that one doesn't.

If the data is encrypted sniffing is mostly pointless. Switches make sniffing harder too since a host doesn't automatically see traffic between two other hosts the way it did with a hub. It's still possible to trick switches into passing on packets intended for other hosts though. Short of probing the LAN for devices running in promiscuous mode it's hard to tell if your traffic is being sniffed or not. Someone who knows how to manipulate switch behaviour is probably going to get in anyway, as you say.

That guest mode option may well be the nicest way to achieve what you want if it works as described.

...if the guy is truly a hacker, nothing will. :-)
Exactly.

I'm kind of surprised that it's a concern -- I mean, he's willing to live with the guy, but not to trust him with his network/computer?

OTOH, it's also possible that the hacker might be external, have hacked into the roommate's computer, and tried to access your friend's computer from the local machine, which is sometimes easier (but less so if they're independent -- the problem is usually because they're set up by the same administrator).

have him get 2 new wifi routers (any cheap brand will do) and connect the first router's WAN port to a LAN port on the airport router and connect the second router's WAN port to a LAN port on the second new router... turn off wifi on the first new router (the one connected to the airport) and put a new WPA password on the second new router and have the roommate connect to that one... he won't be able to see anything on the airport's network but will have internet access through the magic of NAT :-)

p.s. the middle router doesn't need to be a wifi router since it won't need to be broadcasting a wifi network anyway.

mjb

I don't see how that setup would block access to the Airport network. The firewalls block unrequested traffic coming in the WAN port from reaching the LAN ports/Wireless clients. They generally won't stop anything going the other way so plugging a device into the Airport's LAN port gives it unadulterated access to any clients of the Airport network be they wired or wireless.

If new hardware is an option and I was paranoid about the untrusted PC I'd do something like this... (assuming the cable modem has a valid subnet rather than expecting a single PPPoE client)

                 Internet
                    |
                Cable modem
                    |
                    |
            Cheap 100Mb switch
            |                |
            |                |
       (firewall)       (firewall)
        Airport      Cheap Wifi Router
        .     |              .
        .     |              .
        .    LAN     Untrusted Wireless PC
        .
    Wireless Client
The firewalls on the two wifi routers would prevent unwelcome probes from the other side. If I felt like hacking into such a setup though I'd target the Airport wireless since cracking it over time would be quite feasible. Just the risk you take for wireless convenience. There's also nothing stopping the roommate from spilling a beer over the friend's computer, but you've got to draw the line somewhere.

oh, i assumed he wanted the roommate to have internet access through the existing internet connection... if not, then wpa is definitely secure enough to keep him off the network.

p.s. if the roommate wanted the new guy to have access to the internet through the existing connection, but no access to the lan on the airport, he would have to segment off a new nat'ed lan such that the roommate's connections out would route, but at the same time could not see the airport lan. this is the reason for "internet <-> airport <-> nat router a <-> nat router b"... if there was just "nat router a", the roommate could gain access to the airport lan. basically, this does the same thing for the airport lan on the internal network as is being done from the internet, i.e. hiding the lan network through nat.

mjb
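To see why the daisy-chained NAT routers proposed above do not keep the roommate off the Airport LAN while the side-by-side switch layout does, here is a small added model (not code from anyone in this thread) of how a consumer router's firewall treats connections: anything started on the LAN side passes out the WAN side, anything unsolicited arriving on the WAN side is dropped. All router, segment and host names are invented for the model, and the cable modem is assumed to hand both routers an address on the same segment, as the switch layout post assumes.

```python
from collections import deque

# Routers are (name, wan segment, lan segment); hosts map to the segment they
# sit on. A connection is allowed only if every router on its path is crossed
# LAN->WAN (outbound, NATed); WAN->LAN is an unsolicited inbound connection.

def crossings(routers, src_seg, dst_seg):
    """Router hops on the path between two segments (segment graph is a tree)."""
    adj = {}
    for name, wan, lan in routers:
        adj.setdefault(lan, []).append((wan, name, "lan->wan"))
        adj.setdefault(wan, []).append((lan, name, "wan->lan"))
    prev, queue = {src_seg: None}, deque([src_seg])
    while queue:
        seg = queue.popleft()
        for nxt, name, direction in adj.get(seg, []):
            if nxt not in prev:
                prev[nxt] = (seg, name, direction)
                queue.append(nxt)
    if dst_seg not in prev:
        return None
    path, seg = [], dst_seg
    while prev[seg] is not None:
        seg, name, direction = prev[seg]
        path.append((name, direction))
    return path[::-1]

def can_initiate(routers, hosts, src, dst):
    """True if host src can open a connection to host dst under the firewall
    rule above (same-segment hosts always can)."""
    path = crossings(routers, hosts[src], hosts[dst])
    return path is not None and all(d == "lan->wan" for _, d in path)

# Daisy chain: internet <-> airport <-> router A <-> router B <-> roommate
DAISY_CHAIN = ([("airport", "internet", "airport_lan"),
                ("router_a", "airport_lan", "middle_lan"),
                ("router_b", "middle_lan", "roommate_lan")],
               {"friend_pc": "airport_lan", "roommate_pc": "roommate_lan", "web": "internet"})

# Side by side: both routers' WAN ports sit on the cable modem's segment
SIDE_BY_SIDE = ([("airport", "internet", "airport_lan"),
                 ("guest_router", "internet", "guest_lan")],
                {"friend_pc": "airport_lan", "roommate_pc": "guest_lan", "web": "internet"})

if __name__ == "__main__":
    for label, net in (("daisy chain", DAISY_CHAIN), ("side by side", SIDE_BY_SIDE)):
        for src, dst in (("roommate_pc", "friend_pc"), ("roommate_pc", "web")):
            verdict = "allowed" if can_initiate(*net, src, dst) else "blocked"
            print(f"{label}: {src} -> {dst}: {verdict}")
```

In the chain the roommate's connections only ever cross routers LAN->WAN, so they reach the Airport LAN; in the side-by-side layout they must enter the Airport WAN->LAN and are dropped, while internet access works in both.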

You have it correct. The idea is to allow the new guy to use the wireless network to access the internet, but to wall off his computers and their traffic from the new guy. It's not that he doesn't trust the new roommate. He has to do it for fiduciary reasons.

Thanks for all the suggestions guys. I've encouraged him to explore the guest network option.
