guzziguy Posted September 7, 2009 A friend of mine just called me with an interesting wireless network problem he is about to have and asked for possible solutions. Currently, he's running a wireless Applenet network at home with an Airport Express as his wireless router, which connects to the cable modem. He runs WPA and he is the only user, so his network is pretty much secure. He has several computers on the network which talk together, plus he often goes out to the internet. The problem is that he's about to get a roommate who also wants to get out to the internet. This is OK, but he needs to be able to hide his computers and traffic from the new user. Simple enough, eh? Normally I would solve this by having two subnets in the house, putting his computers on one subnet and the roommate's on another, and setting the protections appropriately. However, I have no idea if the Airport Express or other home routers support having multiple subnets. Could somebody with more Apple (almost everybody) and more home networking experience please suggest a solution to this problem? TIA for your suggestions. I wonder if it will come down to having two internet connections and two separate wireless routers using different frequencies.
mirumu Posted September 7, 2009 I wouldn't be comfortable without a firewall between the two sections of the LAN personally. I'm not familiar with the Apple routers though, so can't offer many suggestions on how to implement that. It could certainly be done with some of those Linux-based routers. I guess the other option would be to have strong security on each and every PC on the LAN, but that would be a pain to maintain and wouldn't prevent packet snooping.
Currawong Posted September 8, 2009 Can you packet-sniff encrypted packets though? Why does he need to hide the Macs, unless he's running something that leaves ports open with no authentication? An Airport Express is too basic to do subnets, unfortunately. About the only thing I can think of offhand that does that kind of thing would be something like my friend's D-Link DFL 700, which does subnets, but you'd probably want one that does it over wireless and that one doesn't.
The Monkey Posted September 8, 2009 Doesn't the Airport Express have an option to connect as a Guest?
Sherwood Posted September 8, 2009 Yes it does, and that's how I'd set it up. Guests can't network, they can only connect to the net. That's the way to go.
guzziguy Posted September 8, 2009 (Author) Will this stop somebody from sniffing the network? Of course, if the guy is truly a hacker, nothing will. :)
mirumu Posted September 8, 2009 If the data is encrypted, sniffing is mostly pointless. Switches make sniffing harder too, since a host doesn't automatically see traffic between two other hosts the way it did with a hub. It's still possible to trick switches into passing on packets intended for other hosts, though. Short of probing the LAN for devices running in promiscuous mode, it's hard to tell if your traffic is being sniffed or not. Someone who knows how to manipulate switch behaviour is probably going to get in anyway, as you say. That guest mode option may well be the nicest way to achieve what you want, if it works as described.
Dusty Chalk Posted September 8, 2009
Quote: ...if the guy is truly a hacker, nothing will. :)
Exactly. I'm kind of surprised that it's a concern -- I mean, he's willing to live with the guy, but not to trust him with his network/computer? OTOH, it's also possible that the hacker might be external, might have hacked into the roommate's computer, and might try to access your friend's computer from the local machine, which is sometimes easier (but less so if they're independent -- the problem is usually because they're set up by the same administrator).
mjb Posted September 8, 2009 Have him get 2 new wifi routers (any cheap brand will do) and connect the first router's WAN port to a LAN port on the Airport router, and connect the second router's WAN port to a LAN port on the first new router... Turn off wifi on the first new router (the one connected to the Airport) and put a new WPA password on the second new router and have the roommate connect to that one... He won't be able to see anything on the Airport's network but will have internet access through the magic of NAT. :)
p.s. The middle router doesn't need to be a wifi router since it won't need to be broadcasting a wifi network anyway.
mjb
mirumu Posted September 8, 2009 I don't see how that setup would block access to the Airport network. The firewalls block unrequested traffic coming in the WAN port from reaching the LAN ports/wireless clients. They generally won't stop anything going the other way, so plugging a device into the Airport's LAN port gives it unadulterated access to any clients of the Airport network, be they wired or wireless. If new hardware is an option and I was paranoid about the untrusted PC, I'd do something like this... (assuming the cable modem has a valid subnet rather than expecting a single PPPoE client)

        Internet
           |
       Cable modem
           |
    Cheap 100Mb switch
       |           |
  (firewall)   (firewall)
    Airport   Cheap Wifi Router
       |           |
      LAN    Untrusted Wireless PC
   Wireless
    Client

The firewalls on the two wifi routers would prevent unwelcome probes from the other side. If I felt like hacking into such a setup though, I'd target the Airport wireless, since cracking it over time would be quite feasible. Just the risk you take for wireless convenience. There's also nothing stopping the roommate from spilling a beer over the friend's computer, but you've got to draw the line somewhere.
Currawong Posted September 8, 2009 If it's just a room, turn the power down in the preferences to 10% or 25% as well. I'm not sure how much that will benefit security, but making it necessary to get much physically closer to the AE to crack it will surely make it less of a target.
grawk Posted September 8, 2009 WPA is secure enough; it's not getting cracked by your roommate, really. The order would just be to put the less secure network in front of the more secure one, or get an Airport Extreme, which allows for guest networks.
mjb Posted September 8, 2009 Oh, I assumed he wanted the roommate to have internet access through the existing internet connection... If not, then WPA is definitely secure enough to keep him off the network.
p.s. If the friend wanted the new guy to have access to the internet through the existing connection, but no access to the LAN on the Airport, he would have to segment off a new NAT'ed LAN such that the roommate's connections out would route, but at the same time could not see the Airport LAN. This is the reason for "internet <-> airport <-> nat router a <-> nat router b"... If there was just "nat router a", the roommate could gain access to the Airport LAN. Basically, this does the same thing for the Airport LAN on the internal network as is being done from the internet, i.e. hiding the LAN through NAT.
mjb
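The disagreement between the double-router suggestion (mjb), the objection that consumer firewalls only filter WAN-to-LAN (mirumu), and the "less secure network in front" ordering (grawk) comes down to one rule, so here is a small reachability model of it. This is an added example, not code from any of the posters: it assumes each home router does stateful NAT on its WAN port (connections can be initiated from LAN to WAN, never from WAN into LAN), which makes the wiring a tree rooted at the internet; a host can then open a connection to another host only if the destination is on its own segment or somewhere upstream. Host and segment names are hypothetical. The model covers connection initiation only; it says nothing about sniffing a shared wireless or hub segment, which is the separate concern raised above.

```python
"""Who can reach whom behind chained consumer NAT routers.

Added example, not from the forum thread.  Assumption: every home router does
stateful NAT/firewalling on its WAN port, so a connection can be *initiated*
from its LAN out through the WAN side, but not from the WAN side into the LAN.
The wiring is therefore a tree rooted at the internet, and a host can open a
connection to another host only when the destination sits on its own segment
or on a segment upstream of it.
"""

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Segment:
    """One LAN (or the internet itself).  `parent` is the segment the owning
    router's WAN port plugs into; None for the internet."""
    name: str
    parent: Optional["Segment"] = None
    hosts: set = field(default_factory=set)


class Topology:
    def __init__(self) -> None:
        self.internet = Segment("internet")
        self.segments = {"internet": self.internet}
        self.host_segment = {}  # host name -> Segment it lives on

    def add_router(self, lan: str, wan_side: str) -> None:
        """Add a NAT router that creates segment `lan`, WAN port on `wan_side`."""
        self.segments[lan] = Segment(lan, parent=self.segments[wan_side])

    def add_host(self, host: str, segment: str) -> None:
        self.segments[segment].hosts.add(host)
        self.host_segment[host] = self.segments[segment]

    def can_initiate(self, src: str, dst: str) -> bool:
        """True if `src` can open a connection to `dst`.  Walk from src's
        segment towards the internet: every segment on that path is reachable
        (own LAN directly, upstream LANs via NAT); nothing downstream is."""
        target = self.host_segment[dst]
        seg: Optional[Segment] = self.host_segment[src]
        while seg is not None:
            if seg is target:
                return True
            seg = seg.parent
        return False


def mjb_chain() -> Topology:
    """internet <-> Airport <-> router A <-> router B <-> roommate (constructed)."""
    t = Topology()
    t.add_router("airport_lan", "internet")
    t.add_router("router_a_lan", "airport_lan")
    t.add_router("router_b_lan", "router_a_lan")
    t.add_host("friend_mac", "airport_lan")
    t.add_host("roommate_pc", "router_b_lan")
    t.add_host("web_server", "internet")
    return t


def grawk_order() -> Topology:
    """Less secure network in front: internet <-> roommate router <-> Airport."""
    t = Topology()
    t.add_router("roommate_lan", "internet")
    t.add_router("airport_lan", "roommate_lan")
    t.add_host("roommate_pc", "roommate_lan")
    t.add_host("friend_mac", "airport_lan")
    t.add_host("web_server", "internet")
    return t


def mirumu_parallel() -> Topology:
    """Both routers side by side on the modem/switch, each with its own
    public address (the modem hands out a real subnet)."""
    t = Topology()
    t.add_router("airport_lan", "internet")
    t.add_router("guest_lan", "internet")
    t.add_host("friend_mac", "airport_lan")
    t.add_host("roommate_pc", "guest_lan")
    t.add_host("web_server", "internet")
    return t


def isolation_report(t: Topology) -> dict:
    """Summarise the four questions the thread actually cares about."""
    return {
        "roommate_reaches_friend": t.can_initiate("roommate_pc", "friend_mac"),
        "friend_reaches_roommate": t.can_initiate("friend_mac", "roommate_pc"),
        "roommate_has_internet": t.can_initiate("roommate_pc", "web_server"),
        "friend_has_internet": t.can_initiate("friend_mac", "web_server"),
    }


if __name__ == "__main__":
    for name, build in (("mjb chain", mjb_chain),
                        ("grawk order", grawk_order),
                        ("mirumu parallel", mirumu_parallel)):
        print(name, isolation_report(build()))
```

Running it shows why the two camps disagree: in the chained layout the roommate, being downstream, can still initiate connections up into the Airport LAN, while it is the friend who cannot reach the roommate, the opposite of what was wanted. Swapping the order (untrusted router in front) or putting both routers side by side with their own public addresses gives the roommate internet access without a path into the friend's LAN.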
guzziguy Posted September 8, 2009 (Author) You have it correct. The idea is to allow the new guy to use the wireless network to access the internet, but to wall off his computers and their traffic from the new guy. It's not that he doesn't trust the new roommate; he has to do it for fiduciary reasons. Thanks for all the suggestions, guys. I've encouraged him to explore the guest network option.