Anatomy of a network

Slowly but surely, I’ve been moving our home network to an architecture that wouldn’t keep me up at night. Since we needed both wireless and wired access, my primary goal was to design a network that would allow wireless clients to access the internet but not the rest of our network — I expect that a determined user could get on our wireless network with or without the password, but our wired machines shouldn’t be exposed unless someone gains physical access to our hardware.


The diagram above shows how I ended up solving this. The solution relies heavily on having separate subnets for wired and wireless traffic… in this case, a ZyWALL 2 Plus lets me set up and control access between these networks.

The ZyWALL has the added benefit of SNMP support, which means one of my client machines can use mrtg to graph our network activity:


Looking to the future, our router and switch give us fine-grained controls over the bandwidth used by each client on our wired network. I haven’t done much with this yet, but I anticipate putting it to use when we have a couple of kids accessing the internet.

8 Comments

  1. thepunslinger
    Posted October 6, 2008 at 7:42 pm | Permalink

    I don’t entirely follow this post. Sorry to disappoint… but networking was always a mystery to me.

  2. thepunslinger
    Posted October 6, 2008 at 7:42 pm | Permalink

    But I should add that your study of Tufte is paying off. Very smooth layout.

  3. Posted October 6, 2008 at 9:23 pm | Permalink

    Glad you liked the layout! I think I can give you a two-minute intro that might shed some light on the networking details –

    Go to your Mac OS X Network preference pane and you’ll notice three numbers (mine in parentheses):

    IP Address (192.168.0.100)
    Subnet mask (255.255.255.0)
    Gateway (192.168.0.1)

    Gateway is the address of your router, IP address is your address, and your computer uses the subnet mask to figure out which addresses are on the local network and which ones are on “the other side” of the router — e.g., on the external network.

    Pair up the parts of the IP address and the subnet mask:

    192 -> 255
    168 -> 255
    0 -> 255
    100 -> 0

    Think about the subnet mask in binary — 255 is all 1s, right? When you send a packet to an address, the computer ANDs the bits of your IP address and the subnet mask, ANDs the destination IP address and the subnet mask, and compares the two results. For example, if you were going to send a packet to 192.168.0.50, do the two AND operations:

    (mine with subnet mask)
    192 && 255 = 192
    168 && 255 = 168
    0 && 255 = 0
    100 && 0 = 0

    result is 192.168.0.0

    (dest with subnet mask)
    192 && 255 = 192
    168 && 255 = 168
    0 && 255 = 0
    50 && 0 = 0

    result is 192.168.0.0

    Since both results are the same, the computer knows it’s on the same physical network as the destination address. It puts the packet directly on the wire* and the other computer snaps it up — the router isn’t even involved.

    What if we wanted to send a packet to 10.0.0.150? Our IP address is the same, but we need to re-calculate the destination address / subnet mask operation:

    10 && 255 = 10
    0 && 255 = 0
    0 && 255 = 0
    150 && 0 = 0

    result is 10.0.0.0

    Now the results don’t agree, so the computer has to send the packet to the router and ask it to forward it on to 10.0.0.0.

    This is where the firewall capability of the router comes in… since 10.0.0.0 is my wireless network and 192.168.0.0 is my wired network, any communication between them has to go through the router. Thus, I can configure it to drop these packets to prevent the two networks from talking to each other.

    Does that make a little more sense?

    (* Yes, I’m skipping ARP entries here.)
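The subnet-mask decision walked through in the comment above, and the drop-between-subnets policy the post describes for the ZyWALL, carried through in code. This is an added example, not the post author's code; it assumes the wireless subnet 10.0.0.0 also uses a /24 mask and treats any address outside both subnets as “the internet”.

```python
# Added example: same-subnet test from the comment, plus the router policy
# from the post (wired and wireless on separate subnets, traffic between
# them dropped, wireless still allowed out to the internet).
import ipaddress

# Addresses from the post. The /24 on the wireless subnet is an assumption.
WIRED = ipaddress.ip_network("192.168.0.0/24")
WIRELESS = ipaddress.ip_network("10.0.0.0/24")


def network_part(ip: str, mask: str) -> str:
    """Bitwise-AND each octet of ip with the matching octet of mask."""
    octets = zip(map(int, ip.split(".")), map(int, mask.split(".")))
    return ".".join(str(a & m) for a, m in octets)


def next_hop(src_ip: str, mask: str, dst_ip: str, gateway: str) -> str:
    """Where the sending host puts the packet: on the wire, or to the router."""
    if network_part(src_ip, mask) == network_part(dst_ip, mask):
        return "direct"      # same subnet: deliver locally (ARP skipped, as in the comment)
    return gateway           # different subnet: hand it to the router


def router_verdict(src_ip: str, dst_ip: str) -> str:
    """Policy of the router: wireless may reach the internet, never the wired LAN."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    src_net = WIRED if src in WIRED else WIRELESS if src in WIRELESS else None
    dst_net = WIRED if dst in WIRED else WIRELESS if dst in WIRELESS else None
    if src_net is None or dst_net is None:
        return "forward"     # one side is outside both local subnets: internet traffic
    if src_net is dst_net:
        return "forward"     # same subnet would not normally reach the router at all
    return "drop"            # wired <-> wireless: blocked by the firewall rule


if __name__ == "__main__":
    me, mask, gw = "192.168.0.100", "255.255.255.0", "192.168.0.1"
    for dst in ("192.168.0.50", "10.0.0.150", "203.0.113.10"):  # last one is a constructed external address
        hop = next_hop(me, mask, dst, gw)
        verdict = router_verdict(me, dst) if hop != "direct" else "n/a"
        print(f"{me} -> {dst}: {hop}, router says {verdict}")
```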

  4. yipcanjo
    Posted October 13, 2008 at 4:26 pm | Permalink

    But do the two of you get wireless access too, or only “guests”? If you connect wirelessly, are you then unable to connect to any “wired” systems??

  5. Posted October 13, 2008 at 4:37 pm | Permalink

    We have one wired client that we use most of the time, but yeah we have a couple of laptops that we’ll use occasionally on the wireless network. From a network perspective, a wireless client is a wireless client regardless of who’s using it — so, like guests, we can’t access wired systems from the laptop.

    One of the items on my to-do list is to configure VPN on the laptops so that they can tunnel into the wired LAN from the wireless network. That’s the authentication piece that would allow per-user access to the wired network from wireless clients.

  6. yipcanjo
    Posted October 14, 2008 at 10:29 am | Permalink

    Interesting idea…. subnetting your *ONLY* wireless from your wired clients. For the most part, the wireless and wired clients don’t need to share/swap information THAT often, so it really is a viable solution for some homes. Secure too!

    We have wireless at home (WRT54GL running DD-WRT), but it’s locked down via WPA2, etc. Between the “decent” wireless security AND the firewalls on each machine, I sleep pretty well at night too. I could always add a second wireless unit — subnetted off of our primary network — to create a “guest” wireless network too. More hardware to maintain, but the WRT54GL devices are only about $49!

  7. Posted October 14, 2008 at 10:52 am | Permalink

    I have a hard time trusting WPA2 — you’re basically trusting that Moore’s Law won’t catch up with the complexity of your algorithm before something new comes out, right? GPUs are the “next big thing” in terms of throwing processor cycles at this problem… Elcomsoft just put out a press release last week about software that’ll use your NVidia graphics card to attack WPA2, for example.

    Realistically no one really wants to attack our network, so it’s kind of a moot point — but when I put on the security hat I only feel comfortable if I treat wireless as an unsecured public access point.

    We also ran into problems where we’d want to let a friend use our wireless without giving them “the keys to the kingdom”, so to speak. Setting up a second “guest” network would certainly be another way to solve this problem, provided you do some bandwidth throttling (and content filtering?) at the router.

  8. yipcanjo
    Posted October 17, 2008 at 11:30 am | Permalink

    I certainly don’t rely upon my WPA2-secured wireless to be unhackable, but between that and the “who wants stuff from my small network” reasoning, I feel pretty ok about it all.

    Setting up a DD-WRT “guest” wireless network with bandwidth throttling and *some* content filtering, via OpenDNS, isn’t too difficult.

    http://www.dd-wrt.com/wiki/index.php/OpenDNS

    Or we just stop using wireless altogether, which wouldn’t hurt my feelings (on most days) either… :)
