From: Mike in Nebraska on 29 Mar 2008 11:38

Here's my situation, and I welcome any and all comments:

Goal: Provide wireless access to the LAN for authenticated users (am leaning toward MAC-filtering to do this), and Guest/Visitor access to the internet only without compromising the LAN or posing a security risk.

Equipment: Server - SBS 2003 Premium SP2, unmanaged switch (D-Link DES 1024D), L2/L3 managed switch (D-Link DES 3828), 5-port router, firewall - ISA 2004 SP2 (software-based), wireless router - D-Link DIR-524, wireless AP's - 7 D-Link DWL-2200AP's and 3 DWL-2100AP's.

IP's: 5 static IP's from the ISP. One is assigned to the 5-port router, leaving 4 available.

Buildings to connect: 5 - Admin, Lab, Bunk House, and 2 long-term houses.

Desired Encryption: WPA2 - Personal (didn't want Enterprise as I'd have to introduce IAS and a RADIUS server)

Deployment: One AP each in the houses and LAB, 2 in the Bunk House, and the rest in the admin building

General Concept: Run the CAT5 from the ISP to the DES-1024D, then CAT 5 to my 5-port router and another to the wireless router (DIR-524). Assign each a static IP. The server handles DHCP for the LAN and the DIR-524 will handle guests/visitors. Three AP's wired to the DIR-524 via patch panel and house wiring in the Admin bldg.; the rest connected via directional antennas aimed at the omni-directional antenna on the admin bldg roof.
The guest/visitor WLAN is flexible on how it is actually set up - physically and network-wise. The wireless WLAN to tie into the LAN I'd like to run into the DES-3828 so I can set up a VLAN for them.

Needs: What mode(s) do I use for each? Same SSID for each WLAN, or separate for each AP? Channel selection? How do I set up the VLAN's? (The DES-3828 is a 24-port switch.)

Problems Noted: I tried the general concept above and couldn't get IP's from the DIR-3828, despite good signal strength. Tried a laptop cabled to the DIR-524 and it got an IP fine, so the DHCP component works. As for the DES-3828, I tried for about 7 months, off and on, with D-Link tech support to get VLAN's set up and working - no luck. At that time we tried using the same AP's in multiple SSID mode so a user could connect to either "side" dependent on access rights.

As I mentioned, I am flexible on setup and configuration.

Mike
Platte River Whooping Crane Maintenance Trust, Inc.
a conservation non-profit (501(c)(3)) organization
Wood River, NE

From: Jack (MVP-Networking). on 29 Mar 2008 16:57

Hi
It is not really possible to engineer such a project via newsgroup.
This page can provide you with an idea of Network segregation.
http://www.ezlan.net/shield.html
As for multi APs. If you would like to create roaming areas, use the same SSID but different channels.
Otherwise, give every node its own SSID and channel.
Jack (MVP-Networking).

From: Mike in Nebraska on 29 Mar 2008 17:14

I sorta knew that, but my budget (non-profit) is (very) tight, so I thought I'd give it a shot. Your link to Network Segregation is very helpful. I saw it mentioned on another post the other day and printed it. It's what got me going again to see if I can solve this. I have an idea, but hoped that some of the experts on this NG would be able to help me with most/all of it off the top of their head - my thinking (could be naive) is that this is not that hard -- IF you've had experience.

Mike

From: Jack (MVP-Networking). on 29 Mar 2008 20:15

Hi
It is not so hard; it is just a lot of details that would take long pages to describe and explain.
Good luck.
Jack (MVP-Networking).

From: Mike in Nebraska on 29 Mar 2008 21:39

OK, thanks.