--- David Nicol wrote:
I write software so I dunno networking, requesting help from the user group. I was invited to manage a very small network whose owner wants to make it available for web-browsing to anyone roaming the neighborhood via wireless. However, as best I know this gives access to the other computers on the network, and I'm curious to know if there is a way to expose a single computer to the world as a wireless server, without giving access to the rest of the network.
Internet -> 5-port switch
Switch -> Wireless AP and a NAT/Firewall device
NAT/Firewall -> private network
As I see it the question is: is there a way to expose the one server, while still providing wireless for your other devices, using a single access point? The answer is no. He's going to need a second access point: one AP for the public wireless and one for his unrestricted private network.
I disagree. The way I see it he could build a tri-homed firewall. Three NICs: one NIC is a wireless on a private IP range, one NIC is assigned a different IP range, and the third connects to the Internet. I don't know enough about switches to analyze the first answer, but it seemed reasonable, basically the same as my solution, except the switch is the tri-homed device. My solution has the added benefit of offering some protection to the wireless device and also prevents malicious persons from using the wireless to launch attacks. The downside is, if the tri-homed device is compromised all is exposed.

Another solution here would be to have a gateway firewall machine, put the wireless on the DMZ side of this firewall, and add a DMZ firewall protecting the internal network from both the wireless and the Internet.
solution #2:
      Internet
          |
     +----------+
     | Firewall |
     +----------+
          |
          |    +----------+
          +----| Wireless |
          |    +----------+
          |
     +----------+
     | Firewall |
     +----------+
          |
     +----------+
     |   LAN    |
     +----------+
solution #1:
      Internet
          |
     +----------+
     | Firewall |
     |----------|
     | FW | FW  |
     +----------+
       |    |
       |    |   +----------+
       |    +---| Wireless |
       |        +----------+
       |
     +----------+
     |   LAN    |
     +----------+
Granted, this configuration is an advanced firewall, and the previous setup requires two different firewalls. In all cases the first firewall is a gateway firewall and the others are choke firewalls. However, it is doable without a second access point. The first solution can be done with a single iptables configuration.
Brian JD
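The tri-homed "solution #1" as a single iptables ruleset, added here as an illustration; it is not from this thread or from Brian JD. Interface names (eth0, wlan0, eth1) and the two private ranges are assumptions; the intent is that public wireless clients can only reach the Internet, the LAN is never a forwarding destination for them, and the firewall itself only answers DHCP and DNS on the wireless side.

```shell
#!/bin/sh
# Added example (not from the thread): tri-homed firewall rules for a box
# with an Internet NIC, a public wireless NIC and a private LAN NIC.
# Interface names and subnets below are assumptions; adjust to the real host.
WAN=eth0                 # assumed: Internet-facing NIC
WLAN=wlan0               # assumed: public wireless NIC
LAN=eth1                 # assumed: private LAN NIC
WLAN_NET=10.0.0.0/24     # assumed: address range handed to wireless guests
LAN_NET=192.168.1.0/24   # assumed: private LAN range

IPT=${IPT:-iptables}

# The rules are only applied when APPLY=1; otherwise they are printed, so the
# ruleset can be reviewed on any machine before it is loaded on the firewall.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$IPT" "$@"
    else
        echo "$IPT $*"
    fi
}

tri_homed_rules() {
    # Default-deny on INPUT and FORWARD; OUTPUT from the firewall itself is left open.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -F INPUT
    ipt -F FORWARD
    ipt -t nat -F POSTROUTING

    # Replies to connections already allowed are accepted in every direction.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Wireless guests may talk to the firewall only for DHCP and DNS.
    ipt -A INPUT -i "$WLAN" -p udp --dport 67 -j ACCEPT
    ipt -A INPUT -i "$WLAN" -p udp --dport 53 -j ACCEPT
    # The private LAN may manage the firewall freely.
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT

    # Guests reach the Internet and nothing else; the LAN rule is explicit
    # even though the DROP policy already covers it, so a later ACCEPT
    # cannot accidentally open that path.
    ipt -A FORWARD -i "$WLAN" -o "$LAN" -j DROP
    ipt -A FORWARD -i "$WLAN" -o "$WAN" -s "$WLAN_NET" -j ACCEPT
    # The private LAN reaches the Internet; it is deliberately not given
    # a path onto the guest segment either.
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT

    # Both inside ranges are hidden behind the firewall's public address.
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

tri_homed_rules
```

Run it once without APPLY to read the generated rules, then `APPLY=1 sh tri-homed.sh` on the firewall (and enable IPv4 forwarding separately). Because the policy is DROP on FORWARD, the only way wireless traffic can leave the guest segment is through the single rule that sends it to the WAN interface, which is the whole point of the tri-homed design: the guest segment and the LAN share one box but never share a forwarding path.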