
Thread: General Question - Alternative VLAN?

  1. #1
    Junior Member
    Join Date
    Mar 2008
    Posts
    94

    General Question - Alternative VLAN?

    The old forum had a place for general discussion but this is the only place I could see this could fit?

    Need some help/advice.

    A company I do work for called me and said they got a letter saying that corporate says they must open free hotspots for all their locations by next Thursday.

    Requirements:
    - 24/7 Uptime
    - Block all porn and illegal content
    - Don't let the hotspot interfere with POS systems
    - Specific SSID Name
    - No Security

    She's using a standard Dlink consumer router using WPA2 for her POS system.

    Other stores are getting separate lines such as Clearwire and making those the hotspots... Clearwire is not available in her area. She can't just open her router up to the world as a hotspot!? She called them and explained the situation; they said if she does not get it done they will shut her store down.

    My only idea is setting up a VLAN to isolate traffic, creating 2 networks. But her router does not support VLANs. She called BestBuy and they said just buy another router and use a splitter? How would you do that? They couldn't say... she bought it anyway and still is very confused.

    I was also thinking of setting up some type of subnet, but don't subnets need to be manually assigned IPs? She needs DHCP.

    Does anyone have any advice on how she could route hotspot traffic and POS traffic so they don't conflict as well as meet the rest of the requirements? Or will she have to shut down....
    QUOTE=cybrsnpr;118082]I think you have the right idea, but I also think you are really trying to kill a gnat with a small nuclear device!

  2. #2
    Super Moderator Archangel-Amael's Avatar
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    8,012

    Re: General Question - Alternative VLAN?

    Not sure what the above would have to do with "international communities" so I moved it.
    To be successful here you should read all of the following.
    ForumRules
    ForumFAQ
    If you are new to Back|Track
    Back|Track Wiki
    Failure to do so will probably get your threads deleted or worse.

  3. #3
    Very good friend of the forum Gitsnik's Avatar
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851

    Re: General Question - Alternative VLAN?

    Depending on her second router, I would be firmware hacking it (I'm partial to DD-WRT myself) and loading some simple firewall rules into it for outbound traffic through the "Internet" interface. That way nothing has to change, you just slap a cable from the first router's LAN ports to the new router's Internet port, configure the new router for DHCP/LAN and put the wifi on a channel at the far end.

    A few well tuned firewall rules so that there is no traffic other than web/webssl to the router and you're good to go - you can add keyword/content filtering at a basic level.

    Proper web traffic filtering would go another route - a smoothwall installation doing transparent http interception for example - but you can't expect a router to handle that kind of load, they don't have the processing power or the memory to do so. In the past I have used a standard beige box running [insert choice of *nix here] with a wifi interface and an ethernet interface exactly how you would expect to see the new wifi router in the above. That way I can leverage the full power of a good, quick, firewall solution on a Linux box, with the ease of squid+DansGuardian+sarge.

    Good reporting is your saving grace here, someone will always slip porn through the tracks.

    Then of course we have problems like outbound DNS tunneling, but that's getting extreme
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.
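
The cascaded setup from post #3 (guest router's "Internet" port cabled into the POS router's LAN, web/webssl only), as an added example that is not part of any post in this thread. The interface names `br0` and `vlan2`, the POS subnet `192.168.0.0/24` and both function names are assumptions; guests are assumed to use the router's own DNS forwarder.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: br0 = guest bridge,
# vlan2 = guest router's "Internet" port, 192.168.0.0/24 = POS LAN upstream.
GUEST_IF="${GUEST_IF:-br0}"
WAN_IF="${WAN_IF:-vlan2}"
POS_NET="${POS_NET:-192.168.0.0/24}"

# Print the FORWARD policy as text so it can be reviewed before it is applied.
# Guests are assumed to resolve names through the router's own DNS forwarder,
# so no DNS is forwarded; only web (80) and web-SSL (443) leave the guest side.
guest_rules() {
    cat <<EOF
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $GUEST_IF -d $POS_NET -j DROP
iptables -A FORWARD -i $GUEST_IF -o $WAN_IF -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i $GUEST_IF -o $WAN_IF -p tcp --dport 443 -j ACCEPT
EOF
}

# iptables stops at the first matching rule. Because guest traffic crosses the
# POS LAN on its way out, the DROP for the POS subnet has to come before any
# guest ACCEPT, or a POS web service on port 80/443 stays reachable.
# Reads rules on stdin; returns 0 only if that ordering holds.
pos_drop_first() {
    awk -v gi="$GUEST_IF" -v net="$POS_NET" '
        index($0, "-i " gi " ") == 0 { next }   # skip rules not about guests
        / -j DROP/ && index($0, "-d " net " ") { seen = 1; next }
        / -j ACCEPT/ && !seen { bad = 1 }
        END { exit (seen && !bad) ? 0 : 1 }
    '
}

# Print the rule set only when the ordering check passes.
if guest_rules | pos_drop_first; then
    guest_rules
else
    echo "POS drop rule missing or placed after a guest ACCEPT" >&2
fi
```

The output is plain text; once reviewed it can be pasted into the router's firewall startup script.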

  4. #4
    Super Moderator lupin's Avatar
    Join Date
    Jan 2010
    Posts
    2,943

    Re: General Question - Alternative VLAN?

    Why not put in a new phone line for DSL to keep this new "free Internet" network completely separate from the other business network? Separating traffic via use of VLAN or packet filtering can be very hard to do 100% effectively if you don't really know what you're doing - physical separation FTW. Even if that can't be done by Thursday I'd do something else temporarily and have that as the permanent solution for after the new line can be installed - if done properly it will eliminate the worry of someone coming in via the free network to screw with the business systems, which in terms of the peace of mind value is priceless.

    Then do as Gitsnik suggested to deal with the porn/illegal traffic filtering - something like DansGuardian is the de facto standard for doing this, although keep in mind that no web filtering solution is 100% effective so it may need to be monitored as well. Something like IPCop or Smoothwall can also be used to filter out other sorts of traffic (non web stuff like P2P, IRC, etc).

    And by the way, the corporate office for this chain sounds like it's staffed by a bunch of ginormous a$$hats. I'm sure I didn't have to tell you that though.
    Last edited by lupin; 08-15-2010 at 02:27 AM.
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.

  5. #5
    Junior Member Agarax's Avatar
    Join Date
    Mar 2010
    Posts
    43

    Re: General Question - Alternative VLAN?

    OK

    Here's what I would do. And I think next Thursday is a really shitty deployment schedule.

    I would use (pfSense) with squidguardian or dansguardian. pfSense is a fork of m0n0wall geared toward commodity hardware and, in my opinion, a bit more robust and feature filled.

    Buy an old P4 for $50 bucks off of craigslist and install two compatible G wireless NIC cards for about $20 bucks each. Encrypt one and set it aside for the POSes, set the other one aside for customers.

    If the shit really hits the fan they have pay-for customer service if she really needs to set it up and can't wait for the forums.

  6. #6
    Junior Member
    Join Date
    Mar 2008
    Posts
    94

    Re: General Question - Alternative VLAN?

    Thanks for the quick replies...

    I kinda get what Gitsnik is talking about. I run DD-WRT on my home router... I see the VLAN options, but never tinkered with them... I just use it for a webserver and SSH server so I can SCP my stuff using my DDNS whenever I need it. I've never set manual firewall rules before. Also I had to get my WRT54GS v1 off eBay... not sure if the Dlink she bought is flashable... I'll need to check.

    Thanks lupin for your advice. A new phone line with the speeds they demand would be an extra $80.00 USD =>.<= And as soon as I saw 24/7 uptime I laughed... even you need to power cycle a router every once in a while. And no porn filter is 100% proof... but a few keywords should be enough I think.

    I sent her a text to see if she could find a router that supports VLAN, I've heard it can be done... she found one Dlink one (guess she likes them) and is going to get it tomorrow.

    Any ideas where I could get a head start on setting it up without calling Dlink?
    QUOTE=cybrsnpr;118082]I think you have the right idea, but I also think you are really trying to kill a gnat with a small nuclear device!

  7. #7
    Just burned his ISO
    Join Date
    Jun 2010
    Posts
    15

    Re: General Question - Alternative VLAN?

    The fact that you say it is a store using a standard Dlink router tells me it is a fairly small and typical network. If that is the case, you could do this:

    If she already spent the money on another router, why not just put her existing router and network behind the new one and plug the new one directly into your ISP connection with WiFi setup for the public customers w/web filtering, etc.

    The customer/public WiFi could exist on the new LAN on the new router while your private protected business network could be behind the old router she's always had.

    You could apply certain exemption rules (for services and web filtering, etc) to the old router's NAT'd address on this new LAN so that her business computers can operate as usual. Not sure if they have any public services running on their business network, but if not then you don't have to worry about forwarding any ports to the old router from the new one.

    Specific filters can be set on the old router to prevent the public WiFi LAN from connecting to any services, etc.

    It could be the simplest and cheapest method to achieve what you want.

  8. #8
    Junior Member Agarax's Avatar
    Join Date
    Mar 2010
    Posts
    43

    Re: General Question - Alternative VLAN?

    Just run a cat 5 cable from one of the switch ports on the guest AP to the VLAN switch port on the main router.

  9. #9
    Junior Member
    Join Date
    Mar 2008
    Posts
    94

    Re: General Question - Alternative VLAN?

    Wow. Great news guys! She's all set up and very happy!

    She went out and bought a Netgear WNR3500L router yesterday; she picked me up this morning to install it and set up the VLAN.

    We got there and I took a look at the box; it did not say anything about VLAN but she insisted that the guy at Staples said it did. I opened it up and took a look at it. Looked pretty good. We unplugged her old router, a Dlink DIR-655, and hooked up the new one and powered it on. Her setup is 4 Ethernet computers, a Charter modem and a wireless desktop. I plugged in the 4 computers and then went to the modem to take the "Internet" Ethernet and plug it in, just to realize the modem did not have an "Internet" Ethernet cable? It had a 4 port switch and a USB. I looked at the old setup and whoever set it up had the USB going from the router to the modem and it seemed to work? I've seen cable modems that have USBs before, but never seen one that was missing an "Internet" Ethernet... where is this world heading lol. So I did the next best thing, plugged in the USB to the modem to the router like whoever set up their old one. I got into the control panel and started poking around. I tried the "setup wizard" for the fun of it to see if it could get us going. Normally I like to program things manually. It said it could not find an Internet connection... like I figured, the USB must not be working like I thought, but just in case I popped in the Quick Start CD and ran into the same issue. No Internet. Alright... Plan B. I grabbed some crossover cat 5 and wired the router "Internet Port" to one of the modem's "LAN Port"s. I tried the CD again, it worked. I then punched in all her static IP details. We were online! The crossover cable was a gotcha but so far so good.

    After the CD finished, I went into the control panel to set up the VLAN, not sure what I would find. On my DD-WRT it has all the checkboxes and stuff to put in... to my surprise it had a feature called "Guest Network" with its own SSID and security settings... it had a checkbox that said something like "Connect to Local Network". I unchecked that. I then set up both SSIDs and security settings. I could not find anything about VLAN so I'm thinking that the "Guest Network" might be the VLAN technology... that was easy....

    Then we went into parental controls and tossed in about a dozen or so keywords. Finally we changed the default password. We went to another computer on the network and "tested" the parental controls and they seemed to work. So far so good... I pulled out my Ubuntu laptop and saw the 2 SSIDs, I tried both and they seemed to work fine. Did some surfing, connected to pidgin... all that good stuff.

    So I guess I call it mission accomplished. I called for a ride home and as I was waiting I popped in my USB pendrive and played with the USB settings... kinda neat. I've never worked with a router that had a USB port so I learned a lot. I could really see its use as a webserver for FTP server.

    She gave me the old router for payment, eh... fine with me. I looked it up, figured out you need to use Dlink's special software for USB support and it only supports FTP, not HTTP, and it's not flashable... Looks like it's going in a box. Oh well.

    I called her a few hours later and she said the guy came by and tested it. He was very impressed and wondered how we got it to work lol. So she was happy... I got a router I can't do anything with... lol... win win for everyone I guess.

    Thanks guys for all your help. Plan B. was the firewall system....
    QUOTE=cybrsnpr;118082]I think you have the right idea, but I also think you are really trying to kill a gnat with a small nuclear device!

  10. #10
    My life is this forum Barry's Avatar
    Join Date
    Jan 2010
    Posts
    3,817

    Re: General Question - Alternative VLAN?

    Gitsnik almost has it. Set up a beige box with smoothwall. It's going to need 3 network interface cards. Set it up as a red, green, purple, network configuration. Red is the internet, green is the office network, purple is the customer wifi network. Hook her wifi to the green interface, hook the new wifi to the purple. Set up the wifi as dumb access points, they won't be doing any routing anymore. You'll probably need to install the Dansguardian addon for the porn blocking. This will probably be the easiest and safest way to do what you want. It's almost how I have it set up at home, minus the second wifi and porn blocking. Wifi is separate from wired, my wife's bookkeeping business runs on the wired network as well. This way we can still have wifi for the phones and laptops, and if someone wins the lotto with my wpa2 password, they still can't get to the desktops.
    Of course, if you really wanted to have some fun, go to Wal-Mart late at night and ask the greeter if they could help you find trashbags, roll of carpet, rope, quicklime, clorox and a shovel. See if they give you any strange looks. --Streaker69
