Wireless: Separation of Church and State

[technobard]

I have long resisted wireless. I have Cat 6 connecting the basement to the 2nd floor, but I have recently revisited the idea of occasional wireless. I'd like to keep it on a separate network with a bridge and firewall between the two. This is what I'm thinking:

1. Wireless Access Point with integrated switch on 192.168.15.x (or whatever)
2. A Linux PC (possibly a virtual machine) with 2 NICs: 1 NIC plugged into WAP ethernet port; the 2nd NIC connected to a switch that is part of wired LAN (192.168.1.x)
3. PC is running firewall proxy server (something like Endian or Smoothwall??)

To top it off, I'd like to require a username / password to gain access to the proxy server, so some sort of authentication.

Does this sound like a reasonable approach? Any particular recommendations? I thought about using IPSEC, but that sounds like too much configuration on the connecting PC end. I'd like the flexibility of allowing visitors to use the wireless LAN without a lot of work on their part.

Thanks for any suggestions.

[technobard]

Well, for those on a similar journey, I came across something called "ZoneCD". It's free, wifi hotspot software that boots from a LiveCD. I even found instructions on getting it to work with VMWare. If you don't need vpn passthru, it sounds like the way to go. It turns out I do need vpn passthru (for connecting to work), so I may have to try Endian.

[Belisarius]

Pickup a WRT54GL router, install DD-WRT, plugin to your current router. Simplest, cheapest solution and gives you pretty much all the features you could want.

[technobard]

Thanks for the suggestion. I came across OpenWRT which seems to be a variant of the same thing. I wasn't sure if vpn passthru would work though. It won't work with NoCat, which is one of the packages that can be used as part of Open or DD-WRT. I'm not sure about Chillispot.

As it turns out, I just ordered the WRT54GL from Newegg. I figured if I couldn't get Endian to work, I'd try OpenWRT (or now DD-WRT). The Endian solution doesn't require any additional hardware (for me) since I already have an over-powered Linux box sitting there with VMWare running on it.

[Belisarius]

OpenWRT whould be fine - I'm just familiar with DD-WRT, as it's what I use. But it would provide for you the kind of seperation you're looking for, with the minimum of fuss. And it wouldn't suck down the power of a whole machine to achieve it.

[technobard]

Cool. Any experience using it with a VPN client (i.e. vpn pass thru)?

[technobard]

Also, I've been reading the threads on DD-WRT. It looks like the RADIUS server has to be on a separate device. There is some reference to a package available for OpenWRT, but no one seems to have gotten that to work on DD-WRT (at least what I saw). Are you using a RADIUS server?

It's not the end of the world if I have to run it on a separate device, but I was starting to warm up to the idea of having it all self-contained and DD-WRT seems to be the better choice otherwise.

Thx.

[Belisarius]

Nope - I'm not doing anything particularly esoteric with it - it's just running a pretty plain home network.

If you need more advanced help, you could buy the Sveasoft firmware for the WRT. Their forums are pretty extensive.

[technobard]

Just a quick update. I finally got around to this. I had to educate myself on a few things. I went with Coova which includes Chilispot and at least one other hotspot option that I haven't tried. They put a nicer, friendler wrapper around OpenWRT and added some other customizations. I like it so far. I'm looking at my options for WPA(2). I want the RADIUS server, but I'm not sure I really want to run one. Apparently, this would give me enterprise grade wireless security. I feel like I would be close, but not quite there if I settled for PSK (pre-shared keys).