Any WIFI AP which can block blocks of port numbers?

peterh337
May 5, 2016
Ref this thread http://www.tomshardware.co.uk/answers/id-3203614/wrt54gc-config-access-restrictions.html

I am 99.9% sure I had this working with the WRT54GC that I had at the time (and I verified the port blocks) but the one I have now has the port block option mysteriously greyed out, and as others point out in the above thread this should not be possible anyway, between the WIFI and the four ethernet sockets!

I just need a WIFI AP which connects to my ethernet LAN at home and can be configured to block

- ports used by windows networking (137-139 IIRC)
- ports used by Mac networking (??)
- high ports used for P2P, games, etc

The reason for this blocking is that we give the password to visitors and I don't want them browsing our network attached storage.

Yes... one could password protect the NAS drives but that creates hassle. The PCs on the LAN are pwd protected anyway but every bit helps...

Thank you all in advance for any tips.

I would prefer not to use Cisco IOS gear (despite some of it being fairly cheap on eBay) because I have had them in the past (800 series) and they were an absolute pig to configure. Also Cisco WIFI APs are generally complicated; I have had a few and found they didn't do what I wanted, due to some tiny version difference. You need to be a real networking expert to use these. I am just a humble hardware/software developer and a serial PC builder :)
 
I have done a lot of googling and it always takes me to complete ADSL routers which have a guest facility.

Admittedly 99%+ of people use just that one box for everything including their wifi, but I have a more "corporate" setup, with an ADSL modem, a proper router (no WIFI), and just want a box which has ethernet one end and wifi on the other.

The firewall needs to be *between* these two interfaces.

I found one solution that uses DD-WRT and lots of hacking...
 
Well no. An AP, which is what you are looking for, is in fact just a layer 2 wireless switch; it doesn't have any firewall capabilities. If you have done this before it was on the routing side of a wireless gateway device. An AP such as Ruckus or Ubiquiti has the connection you are looking for, i.e. "ethernet one end and wifi on the other", but this will not give you any other function than wireless access to the network. You can have multiple SSIDs on these APs and route different subnets per SSID. You would be better off changing your router to something like a pfSense box with multiple interfaces and restricting access that way, especially if you are in a corporate setting. Now you can purchase a gateway device which has a "Guest network" function and run that as an AP and that will isolate users from your main network, but ideally any restrictions should be on the firewall router such as pfSense.
 
OK; thanks.

There are some boxes which can do this. I found some Cisco Meraki stuff.

Ruckus seem very pricey - over $1000.

Ubiquiti looks good. Which of their many products do you think might do it?

https://www.amazon.co.uk/s/ref=nb_sb_noss_2?url=search-alias%3Daps&field-keywords=Ubiquity++wifi&rh=i%3Aaps%2Ck%3AUbiquity++wifi

Yes, I just want wifi access to the LAN but I need to allow only ports 53, 80 and 443 to pass through. It will block all networking and will block POP, SMTP, etc. but most people don't need that nowadays.

I wonder if this one would do
https://www.amazon.co.uk/Ubiquiti-Networks-airRouter-Wi-Fi-Ethernet/dp/B00HXT85KI
There is no tech support on any of these products...

I can't change the router. The config on it is really complicated, with subnets, VPNs, etc and I don't want to get back into all that. It is a Draytek 2955.

A lot of wifi access points have "user isolation" but I can't find out what that actually does. I think it just stops broadcast packets being passed across, because anybody with access to the LAN can see all packets on it.


 
Why are you not putting Guest Wifi access on its own VLAN if your router has that capability? You would then just plug your access point into a port carrying that VLAN plus your mgmt VLAN. User isolation would generally mean they have access to the network but cannot see any other users or services. This is not foolproof, so again a better solution is for access to be on its own VLAN; then you can be slightly less picky about the price of an AP. Why would you block email ports on a guest network??
 
Unfortunately I am right at my limits of understanding networking, if I am to set up a VLAN on the Draytek 2955...

The original reason I installed the old WRT54GC was because my two sons had perpetually virus-infected laptops and they absolutely refused to let me do anything about it. They live with my ex-wife so I had very few options on doing anything about that if I still wanted them to come round to my house :) Probably not the answer you expected but life is like that sometimes...

Today, the virus issue is much less (both live on phones now, iOS and Android) so I just want guests to not be able to browse the stuff on the two NAS drives. Maybe I can add a pwd to these, which Windows will store, but unfortunately I need them accessible to some other devices which don't have that capability (a long story).

So I need to block *definitely* Windows and Mac networking packets, on the guest wifi. I don't need to block email etc but the WRT had the option of just 3 blocks of port numbers...

And the WRT54GC I have now has that feature defunct...

OTOH I might have used the original WRT54 in a different mode: it has a "WAN" ethernet port, which is intended for an ADSL modem. I think setting it to PPPoE activates that mode. I am certain that the port blocking feature will work in that mode, but PPPoE is no good for connecting to my LAN, AFAICS.

 
Surely your children won't have mapped drives on your NAS from their telephones? Sorry but you are trying to cobble together a solution backwards. I thought this was a corporate environment? If your old router has an ethernet WAN port not an rj11 port you can hook it up and run it as a gateway device on a different subnet off your existing network and will not see any part of your existing network. Which is what you are trying to achieve.
 
Yes; the kids' virus laptop is no longer an issue. However, FWIW, you can get samba networking on Android (and probably on iOS) - I have it on my Samsung phone - and you can browse NAS drives with it.

The setup is "corporate" to the extent that I have some gear at home which is an offsite backup for my business setup. Hence the fancy router with the complicated config.

It does sound like I should connect the WAN port of the WRT54 to my LAN. But what should the WRT54 config be for that? It offers the four modes, shown in the screenshot at the URL (the other thread on TH) in the first post in this thread: DHCP, Static IP, PPPoE, PPTP. I am sure it won't be PPTP because that is for VPNs; I use that too.
 


So you want it to have a static IP on the WAN port outside the DHCP range of your main router but on the same subnet. The LAN side can be anything you want (private IP space, i.e. 10.x.x.x/24 or 192.168.x.x/24 etc. etc.), DHCP turned on, firewall on. The only issue you will have is NAT on the new router, but unless they are gaming it shouldn't make any difference. You have just created another independent network where your WAN connection is the original network.
 
OK, I am doing this

[screenshot: 2016-10-12_190136.jpg]

The subnet here is 192.168.3.x and the mask everywhere inside is 255.255.255.0.

But there is no functionality, with the LAN connected to the WAN port. One should get the admin screen on 192.168.3.197:8080 (the admin port config). And the WIFI works but connects to nothing.

I can get back into it on 192.168.3.197, and via one of the four ethernet ports.

However there is also this config

[screenshot: 2016-10-12_191308.jpg]

and the bottom pulldown menu is this

[screenshot: 2016-10-12_191350.jpg]

Should I use Gateway or Router, and what should be the destination IP?
 
In the top picture you have the WAN address as static; is the 192.168.3.x /24 part of your existing network??
You cannot, in the bottom of the first capture, have the LAN as the same segment!!
If your existing network is 192.168.3.0 /24 you need to move the LAN to something else such as 192.168.4.0 /24 (192.168.4.1 255.255.255.0). You can access the second router on the old network via 192.168.3.x (whatever static address you give it) if remote management is allowed, say on port 8080, or on the new LAN side (new router ethernet LAN ports) on the 192.168.4.1 address if that's what you give it. The DHCP range should be 192.168.4.x to 192.168.4.x+5 if you only want 5 addresses. It should be in routing mode and the gateway is the WAN port.
 
Thanks Nigel.

I now have

[screenshot: 2016-10-13_081408.jpg]

but not sure what (if anything) is supposed to go here:

[screenshot: 2016-10-13_081238.jpg]

And coming back to the original issue, the access restrictions screen still doesn't do anything

[screenshot: 2016-10-13_081440.jpg]

There is still no way I can see of activating any of those port blocks.

I went through this some years ago but failed to document it :)

WIFI works fine now, with 192.168.4.10 allocated to the first device.

I can enter admin on 192.168.3.197:8080.
 
Interesting...

There must be NAT going on between 192.168.3.x and the 192.168.4.x (which also has DHCP on it, for any clients) but surely if a wifi client can connect to the internet (the connection to which is provided by the 192.168.3.x Draytek router, which is also doing NAT...) then it must be able to inspect packets on the 192.168.3.X LAN also?

AIUI, a client device, going to say google.co.uk, will send out a UDP packet on port 53 (DNS) to get the IP of google.co.uk. The upstream kit (the WRT and the Draytek) will then open a duplex NAT channel (which auto-closes 180 seconds from the last activity; I measured this when trying to get incoming VOIP to work 😉). The client will start an HTTP/S session on that IP, and so on it goes.

Similarly if a client (which runs windows networking, perhaps via samba) wants to access a NAS drive called \\HS-ABCD, it does a name lookup on that. But it can also auto detect that, using broadcasts I guess.

That is the limit of my understanding of networking...
 
Broadcasts never leave the network segment, so a broadcast on the 192.168.3.0 net will never be received by a host on the 192.168.4.0 net. For NAT outside to work properly on the 192.168.4.0 net you would need static routes between the two routers.

I'm not really understanding your point. If you believe it is an issue disable NAT on the second router 192.168.4.0. You can no more inspect packets on the 192.168.3.0 than you can on any external network.

What have you set the DNS server to on the 192.168.4.0 router?? If you manually set them to google public how do you think it can resolve a FQDN on your 192.168.3.0 net?????
 
I would assume that is the "Static DNS 1" etc setting for which I used 8.8.8.8. Also 192.168.3.1 should work, on all routers I have used.

So if I read you right, nobody on the wifi can enumerate anything on the LAN unless they go directly to the IP. But let's say the NAS is on 192.168.3.155 can this be accessed at all from the wifi end?
 
Yes, on the router with LAN 192.168.4.0 use public DNS 8.8.8.8 and 8.8.4.4; 192.168.3.1 would also work. Hosts on the wifi network 192.168.4.0 will not be able to access the NAS on 192.168.3.155. Out of interest just try a ping from the 192.168.4.0 net (I think you can do it from the router) to the NAS; I'm pretty sure it will come back "host unreachable".
 
I can ping anything on 192.168.3.x

I cannot map a network drive using the name e.g. \\NASname\share but I sure can do it with \\192.168.3.155\share !! So there is no security here at all. Anybody on 192.168.4.x wifi cannot browse anything but can connect to anything by guessing the IP.

I am doing this from a wifi connected winXP laptop.

I need something stronger :)

Maybe something can be done using this feature, and directing the relevant port number ranges to an IP on which nothing is listening?

[screenshot: 2016-10-13_193136.jpg]
 


Well, I'll refer you to the original advice I gave. Stop trying to cobble a solution together working back to front. If security is your main concern (from your children?), invest in a proper firewall appliance or a WAP with the correct functionality for your needs, or create a VLAN for the purpose.
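To make the thread's finding concrete (a NAT-only second router, and even a "block ports 137-139" rule, still lets a guest reach the NAS by IP, while a guest-interface firewall policy does not), here is an added Python model written for this page; it is not code from the thread or from any of the products mentioned. It uses the subnets the thread uses (LAN 192.168.3.0/24, guest WiFi 192.168.4.0/24, NAS at 192.168.3.155); the policy layout, the port 445 (direct SMB) entry and the Internet test address 203.0.113.10 are assumptions for illustration.

```python
"""Model of the guest-WiFi forwarding policy discussed in this thread.

Constructed for illustration, not the thread's code. Subnets are the ones
the thread uses (LAN 192.168.3.0/24 behind the Draytek, guest WiFi
192.168.4.0/24 behind the WRT54GC, NAS at 192.168.3.155); the policy
rules and the Internet test address 203.0.113.10 are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.3.0/24")
GUEST = ip_network("192.168.4.0/24")
LAN_GATEWAY = ip_network("192.168.3.1/32")
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    broadcast: bool = False


def nat_only(pkt: Packet) -> str:
    """Second router doing NAT with no filtering (the thread's setup).
    Broadcasts stay on their own segment; every unicast flow is forwarded,
    so a guest reaching the NAS by IP is not stopped."""
    if pkt.broadcast:
        return "drop"
    return "allow"


def port_block(pkt: Packet, blocked_ranges) -> str:
    """The WRT54-style 'block these port ranges' feature on top of NAT.
    blocked_ranges is a list of (low, high) tuples, e.g. [(137, 139)].
    Blocking only NetBIOS leaves direct SMB on tcp/445 untouched."""
    if pkt.broadcast:
        return "drop"
    for low, high in blocked_ranges:
        if low <= pkt.dport <= high:
            return "deny"
    return "allow"


# What a defender puts on the guest interface of a firewall (pfSense, an
# iptables FORWARD chain, a VLAN ACL): first match wins, default deny.
# (proto, destination network, allowed dports or None for any, verdict)
GUEST_POLICY = [
    ("udp", LAN_GATEWAY, {53}, "allow"),   # DNS via the LAN gateway only
    ("any", LAN, None, "deny"),            # nothing else into the LAN
    ("any", ANY, None, "allow"),           # everything else (Internet)
]


def guest_firewall(pkt: Packet) -> str:
    """Evaluate GUEST_POLICY for a packet leaving the guest network."""
    if pkt.broadcast:
        return "drop"
    if ip_address(pkt.src) not in GUEST:
        return "deny"                       # policy covers guest traffic only
    dst = ip_address(pkt.dst)
    for proto, net, ports, verdict in GUEST_POLICY:
        if proto != "any" and proto != pkt.proto:
            continue
        if dst not in net:
            continue
        if ports is not None and pkt.dport not in ports:
            continue
        return verdict
    return "deny"                           # default deny


def compare(pkt: Packet) -> dict:
    """Verdict of each approach for one packet, for side-by-side reading."""
    return {
        "nat_only": nat_only(pkt),
        "block_137_139": port_block(pkt, [(137, 139)]),
        "guest_firewall": guest_firewall(pkt),
    }


# Constructed sample flows from a guest laptop at 192.168.4.10.
SAMPLES = {
    "netbios name broadcast": Packet("192.168.4.10", "192.168.4.255", "udp", 137, broadcast=True),
    "smb to NAS by IP": Packet("192.168.4.10", "192.168.3.155", "tcp", 445),
    "netbios session to NAS": Packet("192.168.4.10", "192.168.3.155", "tcp", 139),
    "dns to LAN gateway": Packet("192.168.4.10", "192.168.3.1", "udp", 53),
    "https to Internet": Packet("192.168.4.10", "203.0.113.10", "tcp", 443),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:24s} {compare(pkt)}")
```

Running it shows the broadcast dropped by every approach (which is why name browsing fails from the wifi), the tcp/445 flow to 192.168.3.155 allowed by NAT alone and by the 137-139 block (which is why `\\192.168.3.155\share` still maps), and only the guest-interface policy denying it while still letting DNS to the gateway and Internet traffic through.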