subnet for wireless
Fresh-Faced Recruit
Join Date: Sep 2000
Location: flanders,nj,usa
I'm trying to add wireless access to my existing home network. I use Starband for internet access, so I have to have a Windows PC connected directly to the satellite modem, and use WinProxy to share the internet connection with the rest of the network.
The Windows PC is at 192.168.0.1, and I have a couple of Macs on the LAN. I added a Netgear MR314 wireless router and subnetted my LAN by changing the netmask to 255.255.255.128, with the goal of having my original, wired LAN on the 192.168.0.0 network, and my wireless machines on the 192.168.0.128 network.
I've almost got everything working the way I want now. The router is getting an IP address of 192.168.0.5 from WinProxy, and I've assigned it an IP address of 192.168.0.129 on the wireless subnet. My TiBook is getting an IP address of 192.168.0.130 from the router's DHCP server and I'm able to browse the Internet from it.
The only problem is that I can't see the machines on the wired LAN from machines on the wireless LAN. I assume that the router's static routes are the key, but I can't figure out what routes I need to specify.
Anybody have a suggestion or pointers to good tutorials on the Internet?
Dedicated MacNNer
Join Date: Mar 2002
You probably know more about this than I do, but aren't all the ips you've specified on the same subnet?
Fresh-Faced Recruit
Join Date: Sep 2000
Location: flanders,nj,usa
Originally posted by thesearcher:
aren't all the ips you've specified on the same subnet?
I'm just learning this stuff, but the subnetworks are working properly. The 192.168.0.0 network is 192.168.0.1 through 192.168.0.127 and the 192.168.0.128 network is 192.168.0.129 through 192.168.0.255. I'm starting to think I need TWO routers, and I only have one.
Administrator 
Join Date: Apr 2001
Location: San Antonio TX USA
Two things occur to me in reading your post.
First, why use WinProxy when you can use Internet Connection Sharing and a free firewall like ZoneAlarm? (Of course how you deal with ICS depends on which version of Windows you're running, but they all run pretty much the same.)
Secondly, why have a separate subnet? The typical purpose of a subnet is to share some root resource, such as Internet access, while running separate networks that can't see each other.
The subnet mask is very flexible, but it will do what you tell it to: divide up the last octet of your address space into two separate networks. If you want to share files and printers among your wired and wireless computers, you'll have to have them all on the same subnet.
Glenn -----
OTR/L, MOT, Tx
Mac Elite
Join Date: Sep 2000
Location: Los Angeles
Admin Emeritus 
Join Date: Oct 1999
Location: Zurich, Switzerland
I think I understand here. I believe it's not working because of the nature of internal ("non-routable") addresses. They can't be routed (a router that does route requests to an internal IP address to its WAN is considered to be malfunctioning), so they're getting lost. What you are trying to do (as far as the router is concerned) is request a connection to an internal address via its WAN port, and it's correctly not allowing you to do that.
You don't need another router; you need one LESS. In other words, don't use the Netgear's NAT. Turn off the Netgear's DHCP, and connect a cable from your LAN to one of the LAN ports (not the WAN port!!!!) of the Netgear.
That is then using the Netgear as strictly a wireless bridge, so that your wireless and wired clients are all on the same subnet, all using the WinProxy's DHCP.
tooki
Fresh-Faced Recruit
Join Date: Sep 2000
Location: flanders,nj,usa
First, thanks for the help. The link to Practically Networked has been helpful.
GHPorter said:
Secondly, why have a separate subnet? The typical purpose of a subnet is to share some root resource, such as Internet access, while running separate networks that can't see each other.
That's really the root of the problem, isn't it? I kind of forgot that I had decided to split the network to increase security by keeping wireless clients off my LAN. So the system is working like it should, isn't it?
Only problem is that it's not quite working like I thought it was supposed to. I thought, as "tooki" said:
I believe it's not working because of the nature of internal ("non-routable") addresses. They can't be routed (a router that does route requests to an internal IP address to its WAN is considered to be malfunctioning), so they're getting lost.
Problem is that some things don't work, or don't work well, but the wireless router is definitely routing packets between the 192.168.0.0 and 192.168.0.128 networks. For example, I can manually type afp://192.168.0.4 to connect to a Mac running file sharing at that IP address from a Mac on the wireless network. I just can't browse to it.
So the subnetting doesn't really seem to be gaining me anything, and is making my life more difficult. I think I'll try "tooki's" suggestion and see if I can get the thing working without the router functions.
Administrator 
Join Date: Apr 2001
Location: San Antonio TX USA
I think that following tooki's advice is a good idea. The thought that you can increase security by isolating a wireless network from a wired network is appealing, but the logic is faulty.
Firstly, isolating the wireless network doesn't do anything for the security of your laptop: if the wireless network is compromised then so is any computer on it.
Secondly, as you've found out, many of the reasons we want to set up a network are either hard to do or impossible, such as file and print sharing.
There's also the problem that if you depend on this tactic, you may ignore proven strategies that make your wireless machines more vulnerable, and expose them (and your Internet connection) to the risk of being hijacked.
The best security for a homogeneous network is to apply all the security precautions you can to all parts of it. Use a good firewall (like that built into Jaguar), install and update a good antivirus program (yes, even on a Mac) on EVERY computer, and especially be proactive in securing the wireless segment of your network.
Make sure you've changed all the default settings, like the admin password, the network name (be creative here), and the channel. Use the MAC address filtering facility (I think Netgear supports this), so that only YOUR computers can connect to the network. Use 128-bit WEP and change the password regularly (I suggest basing it on a monthly bill, like your ISP's or your power company's bill).
And finally, do please let us all know how things work out and what your final network configuration looks like.
Glenn -----
OTR/L, MOT, Tx
Fresh-Faced Recruit
Join Date: Sep 2000
Location: flanders,nj,usa
Well, I abandoned my subnetting idea, and everything is working smoothly now. In case it's useful to anyone, here are some things I learned.
First, ASCII art didn't work at all, so let me describe my network. My Internet gateway is a Windows 98 machine with two network cards. One is connected to the satellite modem and gets an IP address via DHCP from the modem. The other network card is manually assigned 192.168.0.1. WinProxy running on the machine provides NAT and DHCP, so clients, like my main Mac G4, get IP addresses in the 192.168.0.2-15 range. (All of my netmasks are back to 255.255.255.0.) The Windows machine is in the barn; I've run 10baseT from it to an 8-port 10/100 switch under my desk. My main Mac G4, an HP laser printer and the Netgear router are all connected to the switch.
The Netgear MR314 has a "WAN" port, which is intended to be connected to a cable modem or DSL box. It also has four 10/100 "LAN" ports. I simply connected one of those ports to my existing switch, instead of using the "WAN" port. I used the router's web client configuration to set the "LAN" IP address of the router to 192.168.0.16 and turned off the router's DHCP server.
Now either my TiBook, with an Apple Airport card, or my work Dell with a Netgear MA401 gets an IP address from the WinProxy server. All of my computers are on the same subnet and can see each other. Rendezvous works between my Macs, the Windows machine can access shares from the G4, and they can all print to the laser printer.
I originally planned to subnet my network to ensure that wireless clients couldn't access my main machines. (Of course, I realize that doesn't do anything to protect the machines on the wireless LAN, but that's a different problem.) I was successful in configuring my LAN as a separate subnetwork (192.168.0.0, giving an IP address range of 192.168.0.1-127) by using a netmask of 255.255.255.128. Then I connected the WAN port on the router to my switch, set its address to 192.168.0.129 (netmask 255.255.255.128) and set its DHCP server to provide addresses in the 192.168.0.129-255 range. This did work to separate my networks, so that I was able to access the internet both from machines on my LAN and from my laptops via wireless. But now I couldn't access my main G4 from my TiBook, which, of course, was why I had split the networks in the first place!
Then I used the router's static routes function to route any requests to the 192.168.0.0 network through the LAN gateway at 192.168.0.1. It kind of worked--I could use AFP and SMB, but not browse for servers, and traceroutes were really weird. But I eventually realized that I now had a complex solution that didn't provide any extra security, since now I was back to being able to access machines on the LAN from machines on the wireless LAN. I also realized that the rule about some addresses not being routable depends on who is doing the routing, since my router was routing them.
One more thing I should explain about my unique network. I live on a ranch, which is an inholding into National Forest. My nearest neighbor is several miles away, and until I notice the bears carrying laptops, I don't really need to worry about the security of my wireless LAN. I just went through all of this for the fun of it.
So what did I get out of all of this? First, I think the MR314 router is actually quite easy to set up and is very flexible. I'm quite happy with the router. Secondly, subnetting my network did work to allow internet access to wireless clients without letting them see other machines on my LAN. If I lived in the city, I'd definitely subnet so that I could allow visitors, neighbors, or whomever to "borrow" my internet access. Of course I'd set the router not to allow access to the configuration via wireless, so that no one would be able to set up a static route like the one I created. But I think that with that precaution I would probably not turn on WEP.
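Added example (not part of the thread and not any poster's code): a short Python model of the three setups described above, using the thread's addresses and netmasks, to show why connecting by IP worked across the split while browsing did not, and why a routed split with no filtering isolates nothing. The constant and function names are made up for this sketch, and treating browsing as Rendezvous multicast to 224.0.0.251 is an assumption about which discovery traffic was involved.

```python
import ipaddress

# Addresses and netmasks are the ones quoted in the thread.
SPLIT_MASK = "255.255.255.128"
FLAT_MASK = "255.255.255.0"
TIBOOK = "192.168.0.130"       # wireless client
SHARED_MAC = "192.168.0.4"     # wired Mac with file sharing on
MDNS_GROUP = "224.0.0.251"     # assumed discovery traffic (Rendezvous multicast)
LINK_LOCAL_MULTICAST = ipaddress.ip_network("224.0.0.0/24")


def segment(ip, mask):
    """Subnet that an address belongs to under the given netmask."""
    return ipaddress.ip_interface(f"{ip}/{mask}").network


def usable_range(net):
    """First and last assignable hosts; network and broadcast are excluded."""
    return str(net.network_address + 1), str(net.broadcast_address - 1)


def delivery(src, dst, mask, forwarding=True):
    """Classify a packet as direct, routed, local-only or unreachable."""
    dst_ip = ipaddress.ip_address(dst)
    # Broadcasts and link-local multicast stay on the sender's segment;
    # a router does not pass them on, so discovery stops at the boundary.
    if (dst_ip in LINK_LOCAL_MULTICAST
            or dst_ip == segment(dst, mask).broadcast_address):
        return "local-only"
    if dst_ip in segment(src, mask):
        return "direct"
    # Different subnet: reachable only if something forwards between the two.
    return "routed" if forwarding else "unreachable"


def summary(mask, forwarding):
    """What the wireless laptop can do to the wired file server in one setup."""
    same = segment(TIBOOK, mask) == segment(SHARED_MAC, mask)
    by_ip = delivery(TIBOOK, SHARED_MAC, mask, forwarding) != "unreachable"
    # Discovery is local-only traffic, so it finds the server only when
    # both machines share a segment.
    return {"connect_by_ip": by_ip, "browse": same, "isolated": not by_ip}


if __name__ == "__main__":
    for label, mask, fwd in [("split, no route", SPLIT_MASK, False),
                             ("split + static route", SPLIT_MASK, True),
                             ("flat /24, router as bridge", FLAT_MASK, True)]:
        print(f"{label:28} {summary(mask, fwd)}")
```

The middle case is the one the static route produced: unicast is forwarded with nothing filtering it, so the subnet boundary hides the servers from browsing but does not block access to them.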