Re: Using DHCP to separate activity?



Good catch Joe. I missed that he might not be using SBS.

--
Merv Porter [SBS-MVP]
============================

"J. M. De Moor" <papajoe.nospam@xxxxxxxxxx> wrote in message
news:%23a8erW4jIHA.6092@xxxxxxxxxxxxxxxxxxxxxxx
This is a Small Business Server NG. Are you running SBS? If so, is it
Standard or Premium?

One of my clients is a branch office for a national company. When home
office visitors come in with their laptops, we let them have guest access
to the Internet. This is how (using SBS 2003 Premium):

1. The wireless access point does not provide IP addresses.

2. DHCP has address reservations matched to the MAC addresses on the
visitors' laptops and assigns these to a specific range of IPs. (This is
the maintenance part. When a new laptop is introduced, we have to add a
reservation for its MAC address.)

3. The address range used by the reservation is set up as a Computer Set
in ISA Server. Then we add a rule for that computer set that allows HTTP
and HTTPS traffic. We give this rule a weekday daytime only schedule.
Oh, and we leave this rule disabled when no visitors are in town.

I have another client that allows limited wireless access to visitors, but
the wireless access point is between the firewall appliance and external
interface of the SBS box. So in that scenario, wireless clients must use
VPN access if they want into the internal network. Visitors have easy
access to the Internet.

BTW in both cases, the clients are using G only WPA2 encryption.

Personally, I am more comfortable with the 2nd scenario's security than
the first.

Joe

Bazooka-Joe wrote:
Is it possible, within Windows DHCP (Windows Server 2003 R2 SP2), to
specify a range for wired clients and a separate range for wireless
clients?

Background: a small organization, two servers (both domain
controllers), one running DHCP. Client systems connected to this
network fall in three categories:


1. Permanently wired desktop systems for office workers, members of
the domain.
2. Wireless notebook systems for office workers, members of the
domain.
3. Guest laptops needing Internet connectivity only, not members of
the domain, wirelessly connected.


All three client types will be getting their addresses from DHCP. I
was thinking of disabling DHCP services on the wireless router
(Linksys) altogether. I wanted to specify a range of IPs, perhaps
even on a different subnet for the wireless clients to keep them as
separated as possible from the domain. Then create reservations for
the couple of laptops that are domain members, assuming that would
supersede whatever rules could be established to force wireless
guests to a different range/subnet.


I'm supporting a VERY small, non-profit organization with not much of
a budget for this kind of work.
Most of the equipment I have at my disposal is either old, borrowed,
or was obtained cheaply/free. Labor to design and implement whatever
I come up with will be donated. Sparing me the "you get what you pay
for" anecdotes...what's the most efficient way to accomplish separating
guest wireless connections that need Internet access only, from
legitimate office workers on both wired desktops and wireless
laptops? I cringe at the idea of trusting the Linksys router for
network security, but perhaps I'll need to do that if I can't
separate things out a little via DHCP.

Perhaps DHCP is not the tool to attempt isolation/segregation with.
But GPOs/IPsec will only apply to members of the domain and guests
will only interact with resources on the LAN at the level of the
router and DHCP server. I don't have too many other options right
now. The only networking equipment I have at my disposal is A) a DSL
modem, B) a wireless Linksys router, and C) a small 6-8 port switch
with little to no onboard intelligence (doubtful any VLAN
capabilities). No DMZ, no ISA, no proxy, no dedicated firewalls, etc.

Ideas? Suggestions? I'm open to anything at this point. I'm just
beginning the design phase.

Thanks in advance.
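
Added example, not part of any poster's message: in the reservation-plus-Computer-Set setup described in the thread, the ISA rule matches on source IP, so it is worth checking periodically that addresses in the guest range are actually held by the reserved MACs. The sketch below audits Windows `arp -a` output against the reservation table; all addresses, MACs and the range are constructed sample values.

```python
import ipaddress
import re

# Constructed sample data, not taken from the thread.
RESERVATIONS = {                      # MAC -> IP reserved for a visitor laptop
    "00-11-22-33-44-55": "192.168.16.201",
    "00-11-22-33-44-66": "192.168.16.202",
}
GUEST_RANGE = ("192.168.16.200", "192.168.16.220")   # range behind the Computer Set

ARP_OUTPUT = """\
Interface: 192.168.16.2 --- 0x10003
  Internet Address      Physical Address      Type
  192.168.16.10         00-aa-bb-cc-dd-01     dynamic
  192.168.16.201        00-11-22-33-44-55     dynamic
  192.168.16.202        00-de-ad-be-ef-02     dynamic
  192.168.16.210        00-de-ad-be-ef-03     dynamic
  192.168.16.50         00-11-22-33-44-66     dynamic
"""

ARP_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s", re.I)

def parse_arp(text):
    """Return (ip, mac) pairs from Windows `arp -a` output."""
    return [(m.group(1), m.group(2).lower())
            for m in map(ARP_LINE.match, text.splitlines()) if m]

def in_range(ip, rng):
    lo, hi = (ipaddress.ip_address(a) for a in rng)
    return lo <= ipaddress.ip_address(ip) <= hi

def audit(observed, reservations, guest_range):
    """Flag address/MAC pairs that disagree with the reservation table."""
    by_mac = {mac.lower(): ip for mac, ip in reservations.items()}
    by_ip = {ip: mac for mac, ip in by_mac.items()}
    findings = []
    for ip, mac in observed:
        if in_range(ip, guest_range):
            if ip not in by_ip:          # guest address nobody reserved
                findings.append(("guest-ip-unreserved", ip, mac))
            elif by_ip[ip] != mac:       # reserved address, different adapter
                findings.append(("guest-ip-wrong-mac", ip, mac))
        elif mac in by_mac:              # visitor laptop on a non-guest address
            findings.append(("reserved-mac-outside-guest-range", ip, mac))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_arp(ARP_OUTPUT), RESERVATIONS, GUEST_RANGE):
        print(*finding)
```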

