
Maximum PC


All times are UTC - 8 hours

 Post subject: Connecting to 2 networks
PostPosted: Fri Dec 03, 2010 3:25 pm 
Team Member Top 250

Joined: Tue Apr 15, 2008 8:01 pm
Posts: 1260
Got a client where we have a PoS (Point of Sale) system and our office internet. Because PCI is rather....anal...about having internet access on a POS system, we currently have our network set up like this.

Modem -> Wired Router WAN (8 LAN ports, for all PoS systems) -> Ethernet Switch from Router LAN port to add more ports -> Switch LAN to Wireless Router WAN (it has 4 free LAN ports but is pretty much just broadcasting)

The PoS systems can connect online and have a separate IP range from the wireless, making them PCI compliant because their "network" isn't "broadcasting" on the Wifi.

The other PCs in the office use the Wifi and work fine, but here is where the problem comes in.

We want to print remotely between the 2 offices, but the Wifi computers can't "see" the wired network to share printers and vice versa. By the same token, we want to have a centralized backup for both offices via a networked drive, but again the 2 networks can't see each other.

So how can I keep the internet on 2 separate networks (wifi and wired) but still have a wifi Local Network?


 Post subject: Re: Connecting to 2 networks
PostPosted: Fri Dec 03, 2010 9:33 pm 
8086

Joined: Tue Feb 16, 2010 10:04 am
Posts: 90
To be honest, I'm not all that familiar w/ PCI compliance standards. But based solely on your own description, I assume at least part of that compliance requires keeping the POS system(s) inaccessible over wireless.

I'll make some reasonable assumptions, but please correct me if those assumptions are wrong.

[modem](lan)<-- wire -->(wan)[wired router (192.168.1.x network)](lan)<-- wire -->(wan)[wireless router (192.168.2.x network)]

Let's assume as well that the wireless router has a LAN IP of 192.168.2.1, and a WAN IP of 192.168.1.2 (from the wired network). So clients of the wireless network receive IP addresses in the 192.168.2.x range, and have a default gateway of 192.168.2.1.

Given the above, there's no reason that wireless clients shouldn't be able to access the wired clients/devices of the wired network. The wireless router is aware of the location of the 192.168.1.x network (since it exists on its WAN port), therefore any network requests by clients of the wireless network should be directed to their gateway (192.168.2.1) and forwarded to the wired network. In fact, it’s so easy, I have to wonder whether this actually meets PCI compliance standards!

If this isn't working, then perhaps my assumptions are incorrect. Sometimes people make the mistake of not using different subnets when connecting to adjoining networks. That's a mistake and should be corrected.

Looking at it from the other direction, the wireless router is doing its job by making its network inaccessible thanks to its firewall. In this case, I'm not sure you need the firewall on the wireless router since I don't know exactly what you're trying to accomplish w/ this network configuration. As it stands, both the wired and wireless networks are already protected from Internet threats by the wired router's firewall. Only you can decide if the second firewall between your local networks is necessary. If you drop that firewall, or at least open the necessary ports for the services you need, then you can add routing information to the clients of the wired network so they can locate clients/devices of the wireless network.

route add 192.168.2.0 mask 255.255.255.0 192.168.1.2

The above says "you can locate any 192.168.2.x address by using the gateway at 192.168.1.2".

You can either add the route to the individual clients, or if your router supports it, add a static route to the router's routing table so that wired clients are automatically rerouted by the wired router to the wireless router.

All that said, realize we’re only talking about explicit IP addressing here. You will still have problems using *named* resources since they exist on different ethernet networks, and therefore don’t broadcast between them. I suppose to some extent this meets your PCI compliance standards. But that’s not really any sort of meaningful protection since all clients/devices are addressable via explicit IP addressing.

If you want to add *named* resource capabilities between the networks, then you either have to use a commonly shared WINS server, or else a per-client hosts file, that maps IP addresses to named resources.


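To make the reply's routing argument concrete, here is an added example (not from the thread or from either poster) that models the two subnets as the reply assumes them and does a longest-prefix route lookup for a wired client before and after the suggested "route add" line. The wired router's LAN address 192.168.1.1 and the client addresses ending in .50 are assumptions for illustration.

```python
import ipaddress

# Constructed addressing matching the reply's assumptions (not a real site):
WIRED_NET = ipaddress.ip_network("192.168.1.0/24")   # wired / PoS router LAN
WIFI_NET = ipaddress.ip_network("192.168.2.0/24")    # wireless router LAN
WIRED_GW = ipaddress.ip_address("192.168.1.1")       # wired router LAN address (assumed)
WIFI_WAN = ipaddress.ip_address("192.168.1.2")       # wireless router's WAN address
WIFI_GW = ipaddress.ip_address("192.168.2.1")        # wireless router's LAN address

def subnets_are_distinct(a, b):
    """The reply's first sanity check: adjoining networks must not share a subnet."""
    return not a.overlaps(b)

def next_hop(table, dst):
    """Longest-prefix match over [(network, gateway)]; gateway None means on-link."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

def windows_route_add(net, gw):
    """Render the static route from the reply in Windows 'route add' syntax."""
    return f"route add {net.network_address} mask {net.netmask} {gw}"

# Wired client: on-link for its own subnet, everything else to the wired router.
wired_client_default = [(WIRED_NET, None), (ipaddress.ip_network("0.0.0.0/0"), WIRED_GW)]
# The same client after applying the reply's 'route add' line.
wired_client_fixed = wired_client_default + [(WIFI_NET, WIFI_WAN)]
# Wireless client: its default gateway already sits on the 192.168.1.x side.
wifi_client = [(WIFI_NET, None), (ipaddress.ip_network("0.0.0.0/0"), WIFI_GW)]

def route_summary():
    """Where each side sends traffic for the other subnet, with and without the route."""
    return {
        "distinct_subnets": subnets_are_distinct(WIRED_NET, WIFI_NET),
        "wifi_to_wired": str(next_hop(wifi_client, "192.168.1.50")),
        "wired_to_wifi_before": str(next_hop(wired_client_default, "192.168.2.50")),
        "wired_to_wifi_after": str(next_hop(wired_client_fixed, "192.168.2.50")),
        "route_cmd": windows_route_add(WIFI_NET, WIFI_WAN),
    }

if __name__ == "__main__":
    for key, value in route_summary().items():
        print(f"{key}: {value}")
```

Without the static route the wired client hands 192.168.2.x traffic to the wired router's default gateway, which has no path to the wireless LAN; with it, the next hop becomes the wireless router's WAN address. On Windows, a route added without `-p` is lost at reboot, which is one reason the reply's router-side static route is the more durable option.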