How to provide some extra excitement to anonymous people that use your wireless network

1. Disclaimer

First of all, have a look here: http://www.kismetwireless.net/. Then read this. If you still want to let other people use your internet connection and access your computers, go ahead and read the stuff.

This document is provided "as is"; there is no warranty or other stuff, use it at your own risk. You can copy, reproduce, do whatever you want with the info from this document, I'm still not responsible for anything :-)

2. Scope

To provide some excitement to those anonymous people that will use your internet connection.

The router configuration for the internet connection is beyond the scope of this document; make sure that you can connect to the Internet with a workstation behind your external router.

3. Requirements

- basic knowledge of TCP/IP and Windows
- manuals for router configuration
- able to connect network cables
- able to follow directions

4. Hardware/software inventory list

- internet connection (cable or DSL)
- cable or DSL modem (usually supplied by your ISP)
- three routers with 4 internal ports each, one of them wireless enabled
- network cables
- one computer that runs Windows XP
- laptop with wireless card that can connect to the wireless router

5. Concept

The idea is to implement a second layer of authentication before allowing a wireless laptop to go on the internet. To achieve this we will create a Demilitarized Zone (also known as DMZ). Sounds scary but in fact is not.

6. Setup diagram

Routing tables for each router:

The external router:

Destination LAN IP   Subnet Mask      Default Gateway    Interface
0.0.0.0              0.0.0.0          abc.def.ghi.jkl    WAN
abc.def.ghi.0        255.255.255.0    0.0.0.0            WAN
10.10.1.0            255.255.255.0    0.0.0.0            LAN

The internal wired router:

Destination LAN IP   Subnet Mask      Default Gateway    Interface
0.0.0.0              0.0.0.0          10.10.10.1         WAN
10.10.1.0            255.255.255.0    0.0.0.0            WAN
10.10.3.0            255.255.255.0    0.0.0.0            LAN

The internal wireless router:

Destination LAN IP   Subnet Mask      Default Gateway    Interface
0.0.0.0              0.0.0.0          10.10.10.10        WAN
10.10.1.0            255.255.255.0    0.0.0.0            WAN
10.10.2.0            255.255.255.0    0.0.0.0            LAN

7. Router configuration

The external router without wireless:

- take one of the wired routers, connect it to the DSL/cable modem; the WAN interface (external) will get a routable IP address assigned by your ISP (using different protocols like PPPoE, PPPoA, DHCP etc.): abc.def.ghi.jkl (and the external subnet will be abc.def.ghi.0/mn)
- for LAN use the 10.10.1.0/24 range (netmask 255.255.255.0)
- assign a static IP address to the internal interface (LAN): 10.10.1.1
- disable the DHCP server that usually runs on the router

The internal router without wireless:

- connect the WAN interface to a LAN port on the external router
- assign a static IP to the WAN interface: 10.10.1.3 netmask 255.255.255.0
- as default gateway use the internal interface of the external router: 10.10.1.1
- for DNS servers use the IP addresses of your ISP's DNS servers
- for LAN use the 10.10.3.0/24 range (netmask 255.255.255.0)
- enable the DHCP server to provide IP addresses from 10.10.3.100 to 10.10.3.150
- forward WAN port 1723 to port 1723 of 10.10.3.3
- enable "PPTP pass through" and "IPSec pass through"
- if the router has the option "PPPoE pass through", make sure it is disabled
- firewall configuration: allow WAN request (so it will respond to ping)

The internal wireless router:

- connect the WAN interface to a LAN port on the external router
- use static IP for the WAN interface: 10.10.1.2 netmask 255.255.255.0
- do not provide a default gateway (or, if you have a Linksys wireless router, provide an IP from the 10.10.1.0/24 range that is not assigned, let's say 10.10.1.10)
- for LAN use the 10.10.2.0/24 range (netmask 255.255.255.0)
- enable the DHCP server to provide IP addresses from 10.10.2.100 to 10.10.2.150
- enable "PPTP pass through" and "IPSec pass through"
- if the router has the option "PPPoE pass through", make sure it is disabled
- firewall configuration: allow WAN request (so it will respond to ping)

8. TCP/IP configuration for the Windows XP machine

The Windows XP machine will be connected with a network cable to the internal router that does not have the wireless feature.

Assign it a static IP: 10.10.3.3 and subnet mask 255.255.255.0.
As default gateway use the internal interface of the internal router: 10.10.3.1.
For DNS servers use the IP addresses of your ISP's DNS servers.

At this point, using this machine you should be able to:

- ping the internal interface of the internal router (10.10.3.1)
- ping the external interface of the internal router (10.10.1.3)
- ping the internal interface of the external router (10.10.1.1)
- ping the external interface of the wireless router (10.10.1.2)
- ping www.google.com
- browse the Internet

If one of the above things doesn't work, then stop here, go back and review the settings.

9. VPN configuration for the Windows XP machine

You might be surprised, but Windows XP Professional (I don't know about the other versions - Home, Media Center and Embedded) can function as a VPN server allowing PPTP connections to it. Here is how you enable this feature.

First of all, create a user that will be used ONLY for VPN connections. Go to Computer Management -> Local Users and Groups -> Users and create a new user. Name it as you wish, I named mine "vpnuser". Give it a strong password: at least 8 digits, letters (lower/upper case), numbers and special characters.

Then in Control Panel double-click on "Network Connections", then double-click on "New Connection Wizard". This should show up:

Now your Windows XP machine is ready to accept incoming VPN connections.

10. VPN configuration for the wireless laptop

First of all, make sure you can connect with your laptop to the wireless router. Do anything you can to make this connection as secure as possible (lock down the router, use a 128-bit WEP key, enable wireless connection only for the MAC address of your laptop's wireless card etc.).

Once you are connected, do this:

- ping the internal interface of the wireless router (10.10.2.1)
- ping the external interface of the wireless router (10.10.1.2)
- ping the internal interface of the external router (10.10.1.1)
- ping the external interface of the other internal router (10.10.1.3)
- do not try to browse the Internet; the wireless router does not have a valid default gateway, remember? (See paragraph 7 - Wireless router configuration)

If one of the above things doesn't work, then stop here, go back and review the settings.

Create a VPN connection using the following details:

- vpn server: 10.10.1.3
- login: vpnuser
- password: **********
- domain: [the name of the Windows XP computer]

Now connect to the Windows XP machine. There you go, the world is yours!

11. Conclusion

Comments, suggestions to: zsirbu at gmail dot com
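
Why the ping checks in sections 8 and 10 succeed while browsing from the wireless side fails follows from the routes and the single port forward in section 7. The Python model below is an added example, not part of the original document; it uses the addresses from section 7, and the function names, the simplified reachability rule and the 198.51.100.7 stand-in for an Internet host are assumptions.

```python
import ipaddress as ip

# Addresses from section 7 of this page; the model around them is an assumption.
DMZ_HOSTS = {"10.10.1.1", "10.10.1.2", "10.10.1.3"}  # interfaces that exist in the DMZ
ROUTERS = {
    "wired":    {"lan": "10.10.3.0/24", "wan": "10.10.1.0/24", "gw": "10.10.1.1"},
    "wireless": {"lan": "10.10.2.0/24", "wan": "10.10.1.0/24", "gw": "10.10.1.10"},
}
# The only port forward: wired router WAN tcp/1723 -> Windows XP VPN server.
FORWARDS = {("10.10.1.3", 1723): "10.10.3.3"}
INTERNET = "198.51.100.7"  # constructed stand-in for any Internet host


def next_hop(router, dst):
    """Longest-prefix match over the router's LAN, WAN and default routes."""
    r, addr = ROUTERS[router], ip.ip_address(dst)
    routes = [(ip.ip_network(r["lan"]), "LAN", None),
              (ip.ip_network(r["wan"]), "WAN", None),
              (ip.ip_network("0.0.0.0/0"), "WAN", r["gw"])]
    _, iface, gw = max((x for x in routes if addr in x[0]),
                       key=lambda x: x[0].prefixlen)
    return iface, gw


def reachable(router, dst):
    """True if a client behind `router` has a working next hop towards `dst`."""
    iface, gw = next_hop(router, dst)
    if iface == "LAN":
        return True                  # same subnet as the client
    if gw is None:
        return dst in DMZ_HOSTS      # on-link in the DMZ: the host must exist
    return gw in DMZ_HOSTS           # default route: the gateway must exist


def connect(router, dst, port):
    """Host that ends up receiving a TCP connection, or None if it is dropped."""
    if not reachable(router, dst):
        return None
    return FORWARDS.get((dst, port), dst)


if __name__ == "__main__":
    for src in ROUTERS:
        for dst in ("10.10.1.1", "10.10.1.3", "10.10.3.3", INTERNET):
            print(f"{src:9} -> {dst:13} {reachable(src, dst)}")
    print("PPTP from wireless lands on", connect("wireless", "10.10.1.3", 1723))
```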