Configure public AP via private Network.

rdlockrey · 10-24-2009, 09:08 PM

I am having a problem configuring an access point thats on a public network , via the private network.

I know the firewall prevents public users from accessing the private network, (serigation) but its also seems to prevent private users from accessing the public network, thus I cant access the access points IP web control panel.

The only way for me to configure the AP is to plug it into the private, which is a huge security risk , as anyone who logs in would then be on private side.

Anyways, how can I create a firewall rule that will allow me to reach the access points IP from private, but not unprotect it from public?

**johnwill** · 10-25-2009, 10:57 AM

I think you want your cake and eat it too! If you have a rule that allows you through, what stops other people from doing the same thing?

Of course, with the limited network information provided, we may be barking up the wrong tree...

rdlockrey · 10-25-2009, 03:19 PM

yeah I see your point...

I think what I was saying on my original post is how do administrators manage access points on the private network? I am a tech, however advanced networking is not speciality.

I wonder if the problem might actually be caused by how the DHCP issues IP's. The gateway issues private IPs in a different range then public, however the Access points default (static) IP is not within the range of public IPs but is within range of private which could explain the problem

Anywho..the gateway is pretty well using default settings, and the only active firewall rules are one that blocks public (auth) from accessing Private (local) then another that blocks WAN.

So I guess the question is..

1) should the access point have a static IP in the publics IP range?

2) Are firewall rules stop traffic in both directions or can they be configured to apply to only the originating source?

example:
Well use the rule that blocks all public traffic from accessing private network.

Lets say a client from the private network pings a public client (assuming it responds) is the response is actually blocked since the direction of the response is going to private, or does the gateway permit the traffic since the originating request came from the private network.

I suppose I need to get a good book on advanced networking management, before this I never used access points or gateways, and I fear leaving the wrong port open could be like christmas to a bored hacker.

Anyways thanks for your help,

**johnwill** · 10-26-2009, 08:57 AM

An WAP should have an address in the subnet that your network runs on, it certainly shouldn't have a public IP address.

Normally, outgoing traffic is not blocked unless you specifically configure it, otherwise you'd never be able to do anything on your network!

The WAP receives wireless traffic and passes it without comment on to the network, since any connections to the WAP are considered to be on the private network. The security of the WAP is the encryption, that should be WPA or better. Also, in a network with a server, you'd likely want to run a RADIOS server and use 802.1X Authentication for any connections. Your WAN gateway is your router or firewall appliance, depending on the network.

To get more specific would require knowing a lot more about the network topology.

rdlockrey · 10-27-2009, 05:46 PM

Well unless im confused more then I thought, I dont think WPA security is the problem, since the admin machine is on LAN, and the entire network works fine the only thing I cant do is access the WAPs control panel.

I am using local authentication for the public network. Heres the equipment and scheme I have (attached).

In fact I even tried to disable the serigation rule and that didnt work, which puzzles me. I then gave the wap a static IP within range, and that didnt work either, yet If I unplug either WAP from public, then plug it into private all problems are resolved, and I can access them fine.

I then logged in via wireless connection directly to each wap (public) then tried its IP, and the same thing, nothing, like the gatway is redirecting me to no-no land, yet authentication and internet works fine from both WAPs.

I just dont get it, whats going on here?

10-24-2009, 09:08 PM	#1 (permalink)
rdlockrey Registered User Join Date: Oct 2009 Posts: 4 OS: WinXP-PRO/SP3	Configure public AP via private Network. I am having a problem configuring an access point thats on a public network , via the private network. I know the firewall prevents public users from accessing the private network, (serigation) but its also seems to prevent private users from accessing the public network, thus I cant access the access points IP web control panel. The only way for me to configure the AP is to plug it into the private, which is a huge security risk , as anyone who logs in would then be on private side. Anyways, how can I create a firewall rule that will allow me to reach the access points IP from private, but not unprotect it from public? Last edited by rdlockrey; 10-24-2009 at 09:11 PM.

10-25-2009, 10:57 AM	#2 (permalink)
johnwill Manager, Networking Forums Join Date: Sep 2002 Location: S.E. Pennsylvania, US Posts: 41,572 OS: Windows 7, XP-Pro, Vista, Linux Blog Entries: 1	Re: Configure public AP via private Network. I think you want your cake and eat it too! If you have a rule that allows you through, what stops other people from doing the same thing? Of course, with the limited network information provided, we may be barking up the wrong tree... __________________ If TSF has helped you, Tell us about it! or Donate to help keep the site up! Microsoft MVP - Windows Desktop Experience

10-25-2009, 03:19 PM	#3 (permalink)
rdlockrey Registered User Join Date: Oct 2009 Posts: 4 OS: WinXP-PRO/SP3	Re: Configure public AP via private Network. yeah I see your point... I think what I was saying on my original post is how do administrators manage access points on the private network? I am a tech, however advanced networking is not speciality. I wonder if the problem might actually be caused by how the DHCP issues IP's. The gateway issues private IPs in a different range then public, however the Access points default (static) IP is not within the range of public IPs but is within range of private which could explain the problem Anywho..the gateway is pretty well using default settings, and the only active firewall rules are one that blocks public (auth) from accessing Private (local) then another that blocks WAN. So I guess the question is.. 1) should the access point have a static IP in the publics IP range? 2) Are firewall rules stop traffic in both directions or can they be configured to apply to only the originating source? example: Well use the rule that blocks all public traffic from accessing private network. Lets say a client from the private network pings a public client (assuming it responds) is the response is actually blocked since the direction of the response is going to private, or does the gateway permit the traffic since the originating request came from the private network. I suppose I need to get a good book on advanced networking management, before this I never used access points or gateways, and I fear leaving the wrong port open could be like christmas to a bored hacker. Anyways thanks for your help, Last edited by rdlockrey; 10-25-2009 at 03:22 PM.

10-26-2009, 08:57 AM	#4 (permalink)
johnwill Manager, Networking Forums Join Date: Sep 2002 Location: S.E. Pennsylvania, US Posts: 41,572 OS: Windows 7, XP-Pro, Vista, Linux Blog Entries: 1	Re: Configure public AP via private Network. An WAP should have an address in the subnet that your network runs on, it certainly shouldn't have a public IP address. Normally, outgoing traffic is not blocked unless you specifically configure it, otherwise you'd never be able to do anything on your network! The WAP receives wireless traffic and passes it without comment on to the network, since any connections to the WAP are considered to be on the private network. The security of the WAP is the encryption, that should be WPA or better. Also, in a network with a server, you'd likely want to run a RADIOS server and use 802.1X Authentication for any connections. Your WAN gateway is your router or firewall appliance, depending on the network. To get more specific would require knowing a lot more about the network topology. __________________ If TSF has helped you, Tell us about it! or Donate to help keep the site up! Microsoft MVP - Windows Desktop Experience