flat assembler
Message board for the users of flat assembler.

how to set wifi network cannot connect lan network

sleepsleep
hi fasm members,

got a networking question at a customer's place, maybe somebody with more knowledge could give me some insight,

the issue is like this,

i network 10 devices using 192.168.1.* with 4g router at 192.168.1.1 as gateway,

some devices share folders (without password due to a 3rd party application that wouldn't function if shared drives are protected with a password)

if i turn on wireless connection, the new device will get 192.168.1.150~200 (dhcp range i set)

and they could read those share drives,

so, based on above situation, what is the method to share wireless connection but prevent access to share drives?

i got myself a tp-link tl-wa901nd access point, it seems it couldn't prevent connection to shared drives.

any ideas?
Post 25 Jul 2013, 15:17
six_L
Set your wireless AP to bridge mode, not router mode.
Post 26 Jul 2013, 05:22
sleepsleep
i could set the AP to bridge, but still able to ping 192.168.1.(my should be hidden ip list)

eg, now the new connected devices via wireless get 192.168."2".150~200 (dhcp range)
netmask 255.255.0.0
gateway 192.168.1.1

if they use ipscanner to scan 192.168.1.x, they would get live ip,

i checked OpenWrt and flashed it with OpenWrt, since this device is supported,

still trying to create separate network, maybe need some firewall rules to block 192.168.1.2 to 192.168.1.149 access from wlan0

this is taking more time than i expected, =(
Post 26 Jul 2013, 07:24
sinsi
So they all need to be on the same network (192.168.1.0) but some need isolation from shares?
Disable file and printer sharing (if Windows) then they can't even see shares.

A netmask divides an IP address into the network and the node.
255.255.0.0 makes the network 192.168.x.x, to separate 192.168.1.x and 192.168.2.x it needs to be 255.255.255.0.

Still not sure what you're trying to do though...
Post 26 Jul 2013, 07:49
sleepsleep
sorry for confusion, let me detail,

my 4g gateway = 192.168.1.1
my windows machine range = 192.168.1.2 to 192.168.1.149 (shares must be without password due to third party software limitation)

i want to give free wireless access to others, but i don't want them to be able to access my windows machine ip range.

i got a tp-link access point loaded with OpenWrt

i have no solid clue yet how to separate these 2 networks, but i assume the following,

the tplink ap got 2 interface, 1 lan, 1 wlan,
i set lan (cable connected to my 4g gateway 192.168.1.1)
192.168.1.254
255.255.255.0
192.168.1.1

ssh to 192.168.1.254, i am able to ping 8.8.8.8, so, it is connected,

the issue is wlan,
192.168.2.1 (wlan static ip)
255.255.255.0
gateway (i am confused here, should i set it to 192.168.1.254? or 192.168.1.1 or 0.0.0.0)

so, wireless devices will get 192.168.2.* and be able to connect to the internet but cannot view shares from 192.168.1.*.
i welcome any ideas to separate wireless network with lan network,
thank you
Post 26 Jul 2013, 08:11
sleepsleep
sinsi wrote:

So they all need to be on the same network (192.168.1.0) but some need isolation from shares?

they don't have to,
the goal is,
2 networks,
wlan cannot go to lan, but could access internet.
Post 26 Jul 2013, 08:13
sleepsleep
maybe something like this,
i will try the following,
http://wiki.openwrt.org/doc/recipes/routedap

still welcome ideas, thanks.
Post 26 Jul 2013, 08:15
sinsi
I was going to suggest two routers but it looks like routed AP will make one into two, so I would try that.
Post 26 Jul 2013, 08:31
sleepsleep
i think i am quite near,
i set the following based on link above,

/etc/config/network
Code:
config interface 'lan'
        option ifname 'eth0'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.254'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'
        option dns '8.8.8.8'
        option ip6assign '60'

config interface 'wifi'
        option proto    'static'
        option ipaddr   '192.168.2.1'
        option netmask  '255.255.255.0'
        option dns      '8.8.8.8'
    


/etc/config/firewall
Code:
config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

config zone
        option name             wifi
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT

config forwarding
        option src              wifi
        option dest             wan
    


/etc/config/wireless
Code:
config wifi-iface
        option device   radio0
        option network  wifi
        option mode     ap
        option ssid     OpenWrt
        option encryption none
    


once i ssh into ap,
i could ping 8.8.8.8
ping 192.168.1.1
ping 192.168.2.146 (my laptop wireless ip obtained from ap)

but wireless clients, 192.168.2.*, still fail to ping outside, =(
Post 26 Jul 2013, 08:40
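
An added example, not part of the thread: one firewall layout for the routed-AP setup posted above. It assumes the network config from that post (lan on eth0 at 192.168.1.254, wifi at 192.168.2.1), a DHCP pool on the wifi interface, an unchanged "config defaults" section, and no wan interface on the AP, so the upstream zone is lan; the rule names are made up.

```uci
# /etc/config/firewall -- constructed example, not from the thread

# wired side: eth0, 192.168.1.0/24, default route via 192.168.1.1
config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT
        # assumption: the 4g router has no route back to 192.168.2.0/24,
        # so guest traffic leaves NATed to 192.168.1.254
        option masq             1

# guest side: radio0, 192.168.2.0/24
config zone
        option name             wifi
        list   network          'wifi'
        # guests get no access to ssh or the web ui on the ap itself
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT

# ...except dhcp and dns, which the ap serves on 192.168.2.1
config rule
        option name             'guest-dhcp'
        option src              wifi
        option proto            udp
        option dest_port        67
        option target           ACCEPT

config rule
        option name             'guest-dns'
        option src              wifi
        option proto            tcpudp
        option dest_port        53
        option target           ACCEPT

# rules are matched before forwardings: refuse anything addressed to the wired subnet
config rule
        option name             'guest-no-lan'
        option src              wifi
        option dest             lan
        option dest_ip          '192.168.1.0/24'
        option proto            all
        option target           REJECT

# everything else from wifi may be routed out through eth0
config forwarding
        option src              wifi
        option dest             lan
```

With this layout a wireless client should reach 8.8.8.8 but get no reply from any 192.168.1.* address, including 192.168.1.1 itself, which is only used as the next hop.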
sinsi
Maybe give wifi the same gateway? That's your internet yes?
Post 26 Jul 2013, 08:48
sleepsleep
ok, i try,
so wifi
192.168.2.1
255.255.255.0
192.168.1.1

with 255.255.255.0? .......
Post 26 Jul 2013, 09:18
sleepsleep
doesn't work =(

i suspect this part
Code:
config forwarding
        option src              wifi
        option dest             wan 
    
Post 26 Jul 2013, 09:27
sinsi
So you are sharing your 4G USB modem plugged into your computer via windows?
192.168.1.1, who is that?

I am having trouble working out topology.
Post 26 Jul 2013, 09:55
sleepsleep
the 4g modem got lan port, with its ip address at 192.168.1.1
it is a box with lan port but internally connected to 4g wireless network

any pc which set their network to
192.168.1.*
255.255.255.0
192.168.1.1 (gateway == the 4g modem ip address)

will get internet connection.

still no luck, trying various setting, phewww
Post 26 Jul 2013, 10:12
sleepsleep
i think i need answer for the following question,

does eth0 need to bridge?
does wlan0 need to bridge?

what is wan in here? since this ap is not a pppoe dialer,
Post 26 Jul 2013, 10:18
sleepsleep
spending hours, learn nothing, how funny this thing is so complex?
Post 26 Jul 2013, 12:19
sleepsleep
ok,
i discovered the following,

/etc/config/network
Code:
config interface 'lan'
        option ifname 'eth0'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.254'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'
        option dns '8.8.8.8'
        option ip6assign '60'
    


/etc/config/wireless
Code:
config wifi-iface
        option device   radio0
        option network  lan
    


/etc/config/dhcp
Code:
config dhcp lan
        option interface        lan
        option start    200
        option limit    220
        option leasetime        1h
    


such a configuration will act like a normal access point, extending the current eth0 network to wireless,

to attain my goal, maybe i could research how to use iptables or set the firewall to disallow connections from 192.168.1.150 and above to below 192.168.1.150,

wireless clients are able to connect to the internet right now, and able to see shares, i need to stay up late today,
Post 26 Jul 2013, 13:26
six_L
draw a bitmap for showing the connection.
Post 26 Jul 2013, 18:14
sleepsleep
here is the diagram, i hope it helps to explain my situation,


diagram.png


Post 26 Jul 2013, 19:45
revolution
sleepsleep: This problem has been looked into before. You need three routers connected in a Y configuration. This is the only safe way. People do this to allow house guests external access, and disallow internal access.
Post 26 Jul 2013, 20:08