PCWorld Forums

PCWorld Forums: Friends Connect To My Wireless - PCWorld Forums

Jump to content

Page 1 of 1
  • You cannot start a new topic
  • You cannot reply to this topic

Friends Connect To My Wireless

#1 User is offline   USANomad 

  • Newbie
  • Pip
  • Group: Members
  • Posts: 8
  • Joined: 27-December 09

Posted 02 April 2010 - 01:39 PM

I have a router that has wireless access. I have friends at my house that want WIFI access to the internet. I want to give them internet access, but I don't want to give them access to anything else on my network. How do I configure my router to give them only internet access and protect everything else from a snoop or worse?

USANomad
0

#2 User is offline   coastie65 

  • Moderator
  • PipPipPipPipPipPipPipPip
  • Group: Moderators
  • Posts: 20,651
  • Joined: 02-April 07
  • Location:Henrico, Va.

Posted 02 April 2010 - 04:05 PM

The only thing that comes to mind is to password protect the things you don't want them accessing. This desktop is hardwired to the router ( ethernet cable), but I do have a laptop connected wireless that my mother uses. She cannot access this computer. As for that, you can disable remote access in your computer as well.
Coolermaster HAF 912 Case....ASUS Z87Pro MOBO.....Intel Core i7 4770k Haswell ( OC'd to 4.6 Ghz ) .... Gelid Tranquillo cooler.... Samsung 830 256 GB SSD.... Primary HDD- WD 1TB Caviar Black SATA III /6.0 .... SECONDARY HDD - WD 1TB Caviar Black SATA II / 3.0....16Gb GSkill Ripjaws Series X 2133 Mhz Memory....Corsair AX850w PSU....EVGA GTX 680 Super Clocked Signature 2 Gb GDDR5 Video Card....Samsung CD/DVD RW, DL, DVD-Ram, w/ Lightscribe Optical Drive....Samsung SyncMaster 2243BWX 22" Monitor..... Windows 7 Home Premium 64 Bit OS




______________________________________________________________

Gateway FX6800-01e----Intel Core i7 960 ( 3.2 GHz)---- Seagate Barracuda 750 Gb SATA II / 3.0 Hdd---- 6 Gb Crucial 1066 Mhz memory, running in Tri Channel conf-----Corsair TX650w PSU----- EVGA Nvidia GTX 560Ti 1gb GDDR5 Vram ----DVD +/- RW / CD ,RAM/DL Optical drive w/ Label Flash-----Gateway TBGM-01 Motherboard.... Vista Home Premium 64 bit OS w/ SP2; Samsung Synch Master 2243BWX 22" Monitor.
0

#3 User is offline   SnyperTodd 

  • Moderator
  • PipPipPipPipPipPip
  • Group: Moderators
  • Posts: 2,244
  • Joined: 06-February 09
  • Location:Northern IL

Posted 02 April 2010 - 04:34 PM

What is the make and model of your router? Some allow you to create multiple SSIDs and set different permissions and security for each one. If your router has that capability, that would be the ideal solution for you.
"Obstacles are things you see when you take your eyes off the goal." -Alan Kulwicki, 1954-1993
0

#4 User is offline   smax013 

  • Member
  • PipPipPipPipPipPipPipPip
  • Group: Members
  • Posts: 13,139
  • Joined: 28-January 07

Posted 02 April 2010 - 07:54 PM

View PostUSANomad, on 02 April 2010 - 01:39 PM, said:

I have a router that has wireless access. I have friends at my house that want WIFI access to the internet. I want to give them internet access, but I don't want to give them access to anything else on my network. How do I configure my router to give them only internet access and protect everything else from a snoop or worse?

USANomad


As noted by SnyperTodd, this will likely be largely driven by your router.

For most routers, you are likely out of luck. Some do have the ability to create a "guest" wireless network that is separate from your entire personal network. I have an Apple Time Capsule that has such an ability...it has the ability to create "guest" network that cannot access my personal network (either wired or wireless).

If your router does not have such a capability, then you could get a second router and kind of "nest" the routers. Basically, you would have a setup like this:

Modem ---> Router 1 ---> Router 2

You would connect all your stuff to router 2 and let all your friends connect to router 1. You will be able to "see" all their computers and stuff, but they will basically not be able to see your computers and stuff. The downside is that this can slow down your connection some potentially as you are now running through two routers.

Beyond that, the only other option that I can think of is to "lock" down stuff individually as coastie65 suggested. Depending on what you have, you may not be able to "lock" everything down.
Good riddance PCWorld.
0

#5 User is offline   smax013 

  • Member
  • PipPipPipPipPipPipPipPip
  • Group: Members
  • Posts: 13,139
  • Joined: 28-January 07

Posted 02 April 2010 - 08:00 PM

View PostSnyperTodd, on 02 April 2010 - 04:34 PM, said:

What is the make and model of your router? Some allow you to create multiple SSIDs and set different permissions and security for each one. If your router has that capability, that would be the ideal solution for you.


I think I understand what you are kind of getting at, but I did want to mention that having different SSIDs alone is not enough. The router needs to basically create a completely separate "private" network that uses a separate set of private IP addresses to my knowledge. If the second SSID uses the same private network (i.e. same range of private IP addresses), then it is still operating over the same overall network even thought there are two different wireless networks (which might have two completely different encryption setups)...that is at least how I understand it.

My Apple router literally setups a completely separate "guest" network that uses a separate set of private IP addresses. I also have to wireless networks (the Apple router can be setup to have one for 2.4 GHz and one for 5 GHz) that both are part of my personal network and a device can see anything on my personal network no matter the SSID/network that is uses.
Good riddance PCWorld.
0

#6 User is offline   SnyperTodd 

  • Moderator
  • PipPipPipPipPipPip
  • Group: Moderators
  • Posts: 2,244
  • Joined: 06-February 09
  • Location:Northern IL

Posted 02 April 2010 - 09:16 PM

View Postsmax013, on 02 April 2010 - 08:00 PM, said:

I think I understand what you are kind of getting at, but I did want to mention that having different SSIDs alone is not enough. The router needs to basically create a completely separate "private" network that uses a separate set of private IP addresses to my knowledge. If the second SSID uses the same private network (i.e. same range of private IP addresses), then it is still operating over the same overall network even thought there are two different wireless networks (which might have two completely different encryption setups)...that is at least how I understand it.


Right, and that's exactly how every router I've seen that allows multiple SSIDs works. It would be completely pointless to simply have multiple SSIDs that were identical other than their name.

As far as "nesting" the routers, that in itself won't keep them off of the network or keep them from seeing computers connected to router 2. It might work if you set each router to a different subnet, but the router connected to the modem may have to be set up to allow the other subnet through to the internet. If the guest computers' IP addresses are outside of the primary router's DHCP range, it may block them from the internet. Setting the network up like that could be far more complicated and troublesome than it's worth. Using two different DHCP servers won't work, either, because each router will see all of the devices on the network and both will attempt to assign each one an IP. When the routers are fighting like that, the entire network suffers. Case in point- My parent's network is, out of necessity, several routers deep in multiple branches. While I was getting that set up, we had massive but intermittent connectivity problems. It turned out that I had inadvertently left the DHCP server enabled on one of the secondary routers. Once I found that and disabled it, problem solved.

Some routers also have access protection settings, and you could deny network access to all computers except those you choose while still allowing internet access. Many of those settings are very detailed and you can do a lot with them. If the router doesn't support multiple SSIDs or detailed access restriction, the best solution in my opinion would be Coastie's- enable password protected sharing.
"Obstacles are things you see when you take your eyes off the goal." -Alan Kulwicki, 1954-1993
0

#7 User is offline   LincolnSpector 

  • Expert
  • PipPipPipPipPipPip
  • Group: Members
  • Posts: 2,611
  • Joined: 16-October 06

Posted 04 April 2010 - 09:30 AM

View PostUSANomad, on 02 April 2010 - 01:39 PM, said:

I have a router that has wireless access. I have friends at my house that want WIFI access to the internet. I want to give them internet access, but I don't want to give them access to anything else on my network. How do I configure my router to give them only internet access and protect everything else from a snoop or worse?

USANomad

Hi, Nomad.

Are you worried about your friends snooping on you, or about strangers getting on your network?

If it's the later, you can simply password-protect your WiFi and give friends the password.

Lincoln
0

#8 User is offline   LincolnSpector 

  • Expert
  • PipPipPipPipPipPip
  • Group: Members
  • Posts: 2,611
  • Joined: 16-October 06

Posted 04 April 2010 - 09:31 AM

View PostSnyperTodd, on 02 April 2010 - 04:34 PM, said:

What is the make and model of your router? Some allow you to create multiple SSIDs and set different permissions and security for each one. If your router has that capability, that would be the ideal solution for you.

What about password-protecting shared folders on your computers? How well does this protect you from snoops?

Lincoln
0

#9 User is offline   SnyperTodd 

  • Moderator
  • PipPipPipPipPipPip
  • Group: Moderators
  • Posts: 2,244
  • Joined: 06-February 09
  • Location:Northern IL

Posted 04 April 2010 - 02:53 PM

View PostLincolnSpector, on 04 April 2010 - 09:31 AM, said:

What about password-protecting shared folders on your computers? How well does this protect you from snoops?

Lincoln


It'll be as secure as the password. The snoop would have to know the username and password of one of the accounts on the computer he's targeting, and even then the account he is logged into would have to have permission to view the file(s) he's after. Also, password protected file sharing requires at least one user account with a password. If no account has a password, nobody will be able to log in and access the shared folders on that machine.

This post has been edited by SnyperTodd: 04 April 2010 - 02:55 PM

"Obstacles are things you see when you take your eyes off the goal." -Alan Kulwicki, 1954-1993
0

#10 User is offline   rgreen4 

  • Moderator
  • PipPipPipPipPipPipPip
  • Group: Moderators
  • Posts: 9,206
  • Joined: 22-October 06
  • Location:S. Georgia

Posted 04 April 2010 - 07:28 PM

Guys - there is an easier way. Don't use the default work group name. Now the default for XP was MSHOME and the default for Vista was WORKGROUP. I honestly don't know what the default for Win 7 is as I don't have any machines using the default (I change it immediately). If your machines are set to a non standard work group name, the guest whose machine may be on the default, or anything other than your actual work group name cannot see your computers and thus cannot connect to them. That's the first level.

Second, if you are using a log in ID and password to log into your machine, then unless he has that info, he cannot access anything on your machine. This is the second level.

Finally, password protecting files is the third level.

I have a home network, and until I change the work group name from the default, a newly set up machine cannot see the others. Even after changing the work group name, unless I use a login and password that matches that machine, when I try to connect with that machine, I am presented a log in and password log in box. The only thing a newly set up machine can do on my network (if hard wired) is access the internet. If it is wireless, I have to set it up with the wireless access, but then the only thing it can do is to access the internet.
Siggy Courtesy of Solar Wings
Posted Image
0

#11 User is offline   smax013 

  • Member
  • PipPipPipPipPipPipPipPip
  • Group: Members
  • Posts: 13,139
  • Joined: 28-January 07

Posted 04 April 2010 - 07:32 PM

View PostSnyperTodd, on 02 April 2010 - 09:16 PM, said:

Right, and that's exactly how every router I've seen that allows multiple SSIDs works. It would be completely pointless to simply have multiple SSIDs that were identical other than their name.


You are probably correct...but I know that it can be done the way I described.

I have three wireless "networks" running. Two are tied into my personal network. When I log into either of the wireless networks (they have two different SSIDs, but also have different passwords for the network encryption), I am FULLY on my personal network with either wireless "network". I can see any device that is on either of the two wireless networks or on my wired network (this assumes that the device is setup to be "seen"). Both of those wireless "networks" are basically a subset of my broader personal network (thus, the reason I use quotes with them...they are more of a subset/part of a network rather than the whole network, so to speak).

My third wireless network is a totally separate network. It uses a completely different "subnet" (i.e. different set of private IP addresses). Any computer that logs into that wireless network CANNOT see any of my "personal" network. None of the wired devices or any of the devices that connect to the other two wireless "networks". This is totally and completely a "guest network".

My first two wireless networks are basically just like if you added a pure wireless access point to an existing wireless network. Such wireless networks are NOT segregated from the overall network unless you add a router with a wireless access point (or the wireless access point has some sort of router like/segregating function).

Now, as I said most routers that have a "second" SSID ability may be as you describe, but I know it is possible to have it be like I described. Thus, my point was to make sure that if one is looking for such a function on a router, make sure you really figure out which way it is working.

Quote

As far as "nesting" the routers, that in itself won't keep them off of the network or keep them from seeing computers connected to router 2. It might work if you set each router to a different subnet, but the router connected to the modem may have to be set up to allow the other subnet through to the internet. If the guest computers' IP addresses are outside of the primary router's DHCP range, it may block them from the internet. Setting the network up like that could be far more complicated and troublesome than it's worth. Using two different DHCP servers won't work, either, because each router will see all of the devices on the network and both will attempt to assign each one an IP. When the routers are fighting like that, the entire network suffers. Case in point- My parent's network is, out of necessity, several routers deep in multiple branches. While I was getting that set up, we had massive but intermittent connectivity problems. It turned out that I had inadvertently left the DHCP server enabled on one of the secondary routers. Once I found that and disabled it, problem solved.


I know it will work as I have basically done it.

But, I think we are more or less at the same place...it is just a function of how you set it up.

I was talking about the "guest" network would be off router 1, not router 2. Router 2 would be the "personal" network.

And I am not talking about bridging the wireless network or anything like that. I am talking about taking an ethernet cable from the modem to the WAN port of the router 1. And then another ethernet port from one of the LAN ports on router 1 to the WAN port of router 2. With this setup, the WAN IP for router 1 will be the Internet or ISP provided IP address from the router. The LAN IP address of router 1 will be the "gateway" private IP address from what ever range of IP addresses the first router is setup to use. The WAN IP address of router 2 will be a private IP address from router 1's range of private IP addresses (this could be assigned by the DHCP server of router 1 or could be a static IP address). The LAN IP address of router 2 will be the "gateway" private IP address from what ever range of private IP addresses the second router is setup to use. Under this scenario, any thing connected to router 1 will not see anything connected to router 2...just as any other Internet user cannot "see" your computer "behind" a router (at least not without some effort). In other words, to any computer "behind" router 2, everything connected to router one will be like anything on the Internet on typical router setup.

Now, this likely will effect ping rates, but it should not effect overall throughput (unless you have a bunch of people using the connection through router 1).

The point is that I know it can be done as I have basically done this (I am operating behind two routers...even though I do not connect anything to the "first" router other than the second router...I have to do this as I use Vonage and the Vonage device has a router built in and they want their device "ahead" of the actual router).

Quote

Some routers also have access protection settings, and you could deny network access to all computers except those you choose while still allowing internet access. Many of those settings are very detailed and you can do a lot with them. If the router doesn't support multiple SSIDs or detailed access restriction, the best solution in my opinion would be Coastie's- enable password protected sharing.


This does not surprise me at all even though I have not used such a router. The only thing that I have encountered is some "parental access" controls that are on my Vonage device, but I have never looked to closely at whether that is just Internet controls or something more. Thus, I do not doubt that you are correct that some routers would have this function.
Good riddance PCWorld.
0

#12 User is offline   smax013 

  • Member
  • PipPipPipPipPipPipPipPip
  • Group: Members
  • Posts: 13,139
  • Joined: 28-January 07

Posted 04 April 2010 - 07:43 PM

View Postrgreen4, on 04 April 2010 - 07:28 PM, said:

Guys - there is an easier way. Don't use the default work group name. Now the default for XP was MSHOME and the default for Vista was WORKGROUP. I honestly don't know what the default for Win 7 is as I don't have any machines using the default (I change it immediately). If your machines are set to a non standard work group name, the guest whose machine may be on the default, or anything other than your actual work group name cannot see your computers and thus cannot connect to them. That's the first level.

Second, if you are using a log in ID and password to log into your machine, then unless he has that info, he cannot access anything on your machine. This is the second level.

Finally, password protecting files is the third level.

I have a home network, and until I change the work group name from the default, a newly set up machine cannot see the others. Even after changing the work group name, unless I use a login and password that matches that machine, when I try to connect with that machine, I am presented a log in and password log in box. The only thing a newly set up machine can do on my network (if hard wired) is access the internet. If it is wireless, I have to set it up with the wireless access, but then the only thing it can do is to access the internet.


This overall approach (i.e. locking down computers on the network) will certainly prevent access to stuff on the computers that you do not want.

It will not, however, prevent someone from "snooping" on stuff being sent across the network. Granted someone likely has to be more than a "typical" computer user to do this kind of "snooping", but the original poster did not necessarily clearly define what he/she meant when saying "snooping" (I assume it mean not being about to access file on the computer and NOT meaning intercepting of network traffic, but you know that old saying about "assuming" :D ). The only way to prevent "snooping" of data being sent across the network is to either encrypt all that data being sent or not allow access to the network to begin with (i.e. have a separate network).

So, it really comes down to what level the original poster wants to go to...i.e. how paranoid that person really is. :D
Good riddance PCWorld.
0

#13 User is offline   SnyperTodd 

  • Moderator
  • PipPipPipPipPipPip
  • Group: Moderators
  • Posts: 2,244
  • Joined: 06-February 09
  • Location:Northern IL

Posted 05 April 2010 - 06:48 AM

View Postsmax013, on 04 April 2010 - 07:32 PM, said:

I know it will work as I have basically done it.

But, I think we are more or less at the same place...it is just a function of how you set it up....


You're right, you're right, it will work that way. I wasn't even thinking of running into the WAN port on router 2. Hey, I was tired.

View Postrgreen4, on 04 April 2010 - 07:28 PM, said:

Guys - there is an easier way. Don't use the default work group name. Now the default for XP was MSHOME and the default for Vista was WORKGROUP. I honestly don't know what the default for Win 7 is as I don't have any machines using the default (I change it immediately). If your machines are set to a non standard work group name, the guest whose machine may be on the default, or anything other than your actual work group name cannot see your computers and thus cannot connect to them. That's the first level.

Second, if you are using a log in ID and password to log into your machine, then unless he has that info, he cannot access anything on your machine. This is the second level.

Finally, password protecting files is the third level.

I have a home network, and until I change the work group name from the default, a newly set up machine cannot see the others. Even after changing the work group name, unless I use a login and password that matches that machine, when I try to connect with that machine, I am presented a log in and password log in box. The only thing a newly set up machine can do on my network (if hard wired) is access the internet. If it is wireless, I have to set it up with the wireless access, but then the only thing it can do is to access the internet.


Good suggestions. The only problem with using a non-standard workgroup name is that it takes 15 seconds of the machine being unattended to find out what workgroup it's on, and then the snoop can change his workgroup to match. Still, it will keep low-tech snoops out. In Windows 7, and Vista if I remember correctly, the snoop would still be able to see the computers on the other workgroup, but would need the username and password of an account on a machine to access it. It's the same as having password protected sharing enabled, which is your second level, and (IMO) the best idea if the OP has a basic router that won't support anything discussed above.
"Obstacles are things you see when you take your eyes off the goal." -Alan Kulwicki, 1954-1993
0

#14 User is offline   smax013 

  • Member
  • PipPipPipPipPipPipPipPip
  • Group: Members
  • Posts: 13,139
  • Joined: 28-January 07

Posted 05 April 2010 - 10:57 AM

View PostSnyperTodd, on 05 April 2010 - 06:48 AM, said:

You're right, you're right, it will work that way. I wasn't even thinking of running into the WAN port on router 2. Hey, I was tired.


Not a problem. It also likely did not "help" that it is not something that is not commonly done. After all, not too many people will have a need or desire to run two routers. :D

This post has been edited by smax013: 05 April 2010 - 10:57 AM

Good riddance PCWorld.
0

#15 User is offline   brocksamson 

  • Full Member
  • PipPipPip
  • Group: Members
  • Posts: 89
  • Joined: 15-December 10

Posted 16 December 2010 - 02:59 AM

I am curious if this "daisy chaining" of wireless routers would work for something I am working on....

Using a linksys wrt54g, I of course want to use the better WPA2 security but certain items like my DSi and games can only use WEP (or so says nintendo at least for the online gaming) Using this setup for better security, I have turned off SSID broadcast with a strong password and configured my router to only allow access to MAC ID's that I authorize.
Here are my questions:

1. in this scenario is there anything more I can do to secure it b/c I have heard about MAC address spoofing ? how hard is it to do this spoofing ?
and
2. Could daisy chaining a 2nd router in allow me to use the stronger WPA2 for the rest of network? Or is there another solution?
GO TEAM VENTURE!!!
0

#16 User is offline   crazy4laptops 

  • Expert
  • PipPipPipPipPipPip
  • Group: Members
  • Posts: 3,169
  • Joined: 20-November 07
  • Location:USA

Posted 16 December 2010 - 01:12 PM

View Postbrocksamson, on 16 December 2010 - 02:59 AM, said:

1. in this scenario is there anything more I can do to secure it b/c I have heard about MAC address spoofing ? how hard is it to do this spoofing ?
and
2. Could daisy chaining a 2nd router in allow me to use the stronger WPA2 for the rest of network? Or is there another solution?


MAC address spoofing is hard for the average joe... but with KisMAC I can view all MAC addresses of devices and AP's on any given wifi network. Which would be the first step in MAC address spoofing.
No SSID broadcast can be detected by KisMAC when the other devices ping the AP

The networks I've tested KisMAC on are WPA2 and I was not connected to the AP as I observed the incoming flood of MAC addresses from the entire network (at school)

The facts about KisMAC are real, but if you live in a house/neighborhood you don't have much to worry about, its the apartment complex is where KisMAC is the most effective.

Daisy chaining two Wifi AP's should work... just remember check that the DHCP addresses are different for each network or else bad things happen if you have a DHCP loop.

Simple layout- Cable modem > Router 1 (master) > Router 2 (Guest)

HTH!
-C
Even the experts started out as beginners
0

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • You cannot reply to this topic

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users