2700HGV VLAN Support ??

EvilPC · Aug 28, 2009, 15:33:40

Does the 2700HGV support VLAN's ?

I'd like to restrict one of the LAN ports to Internet Access Only, NO Access to my network !
or could I do this with the second wireless ??

My son has a DSi that works for internet browsing using WPA-PSK TKIP, but the games only use WEP !!
Could the second wireless be used for WEP only allowing access to the Internet, not the LAN ??

Any other ideas ?

Thanks

Rik · Aug 28, 2009, 15:39:00

I really have no idea, so hopefully a real expert will be along shortly.

Sebby · Aug 28, 2009, 15:39:24

That's the same as a DMZ, right? If so, I think it can. I'm not sure about the second wireless, though. I can't believe Nintendo still haven't implemented WPA on the DSi. I thought they were behind the times on the DS!

EvilPC · Aug 28, 2009, 15:43:49

I think the DMZ and VLAN are completely different..

DMZ:
http://en.wikipedia.org/wiki/Dmz

VLAN:
http://en.wikipedia.org/wiki/Vlan

Any other ideas ??

Sebby · Aug 28, 2009, 15:55:14

Ah. I think a DMZ would achieve what you want, but not 100%.

Steve · Aug 28, 2009, 17:19:15

Not the answer I know but on an Apple Time capsule/Air Extreme you can enable guest networking see here

Quote from page

Share the Internet securely with guest networking.
Now it's easier than ever to allow guests to use your Internet connection without sharing your password or giving them access to the rest of your network. Simply enable the new guest networking feature using the AirPort Utility application and create a separate Wi-Fi network just for your friends. You can set up this guest network with a different password or with none at all. Your primary network — including your printer, attached drives or other devices — remains secure

So whether you can restrict the second wireless normally used for the phone to internet access only I am unsure

MisterW · Aug 28, 2009, 18:40:56

QuoteDoes the 2700HGV support VLAN's ?

'fraid not.

QuoteI'd like to restrict one of the LAN ports to Internet Access Only, NO Access to my network !
or could I do this with the second wireless ??

You can't restrict the LAN ports but the second wireless ( Fusion ) operates on a different subnet and DHCP pool to the LAN and primary wireless and therefore has no access to your network.

QuoteMy son has a DSi that works for internet browsing using WPA-PSK TKIP, but the games only use WEP !!
Could the second wireless be used for WEP only allowing access to the Internet, not the LAN ??

Sorry, that doesn't make sense, the encryption mode, WPA-PSK or WEP, is purely related to the wireless connection between the DSI and your router. How can the games use a different mode?
Unfortunately AFAIK the second wireless ( Fusion ) facility of the 2700 can ONLY be set for WPA-TKIP encryption.
Hope that helps.

Rik · Aug 28, 2009, 18:43:47

Thanks for that.

EvilPC · Aug 28, 2009, 19:07:34

QuoteMy son has a DSi that works for internet browsing using WPA-PSK TKIP, but the games only use WEP !!
Could the second wireless be used for WEP only allowing access to the Internet, not the LAN ??

QuoteSorry, that doesn't make sense, the encryption mode, WPA-PSK or WEP, is purely related to the wireless connection between the DSI and your router. How can the games use a different mode?
Unfortunately AFAIK the second wireless ( Fusion ) facility of the 2700 can ONLY be set for WPA-TKIP encryption.
Hope that helps.

Thanks for the replies.

I agree this is stupid, but Google has confirmed that the DSi will work with WPA-PSK etc for Internet Access etc, but the current games only support WEP.
This is something to do with the original DS only suppporting WEP within it's Internal networks profiles..

The new DSi has the 'internal' profiles and 3 more that use other encryption methods.

These 'internal' profiles are what the current games use and there is no current way to map an 'internal' profile to the extra profile on the DSi.
Hopefully that makes sense...

OK.. another idea !!
Is there any way to plug a wireless AP into my router, but put it on another IP Range so it can't access my network, but the internet

QuoteNot the answer I know but on an Apple Time capsule/Air Extreme you can enable guest networking see here

We've bought a Nintendo USB Wifi Connector which does seem to work. But I use an Internal Proxy server..
Does any one know of any way to get this (which works with Internet Connection Sharing) to work via my local proxy !! ?

MisterW · Aug 28, 2009, 20:37:09

QuoteThese 'internal' profiles are what the current games use and there is no current way to map an 'internal' profile to the extra profile on the DSi.
Hopefully that makes sense...

Ah, I understand now, crazy isnt it...

QuoteIs there any way to plug a wireless AP into my router, but put it on another IP Range so it can't access my network, but the internet

Well I suppose so , but you'd need an AP that will provide DHCP and NAT ( i.e a router ) and you'd then need to put it into the DMZ of the 2700.
If the DSI is the only wireless client to the 2700 and you're happy with the level of security provided by WEP, then you could just set the main 2700 wireless network to WEP and put the DSI into the DMZ as suggested by previous posts. That would prevent the DSI from seeing your normal network BUT would open the DSI to the internet ( probably not an issue , are there viruses for DSi's ? ).

EvilPC · Aug 28, 2009, 21:09:00

Thanks.. Looking at the fusion wireless that is only WPA-PSK TKIP with no access control..

The Nintendo USB Connector is working fine, just a pain to have to keep adding sites to the access control list.
Is there anyway to use the "Teen" screening group and block all sites except any with 'nintendowifi' in the URL ??
I could then assign this to the PC that shares the internet via the USB Connector.

Thanks

MisterW · Aug 29, 2009, 11:53:19

QuoteIs there anyway to use the "Teen" screening group and block all sites except any with 'nintendowifi' in the URL ??
I could then assign this to the PC that shares the internet via the USB Connector.

I'm not sure that the Parental Controls on the 2700 work too well. I've never used them, kids long since grown up and left home!!. You could look at using OpenDNS on that PC, it has some content filtering options. http://www.opendns.com/solutions/homenetwork/

Dangerjunkie · Aug 29, 2009, 12:06:12

Hi,

If you can find an old PC and some network cards you can make a dedicated firewall with PFSense (http://www.pfsense.com). Set your 2700 to bridge mode, tell PFSense that your WAN interface is PPP and put in your IDNet login credentials into it. The 2700 will then become a dumb modem and all the smart stuff will happen in PFSense.

PFSense is VLAN-aware and should interface well to a managed switch. Buy a dedicated wireless access point for WEP devices like the DS and create a special VLAN for it. That way you can have different firewall and switch rules for that subnet and you can allow anything on that access point to talk to the public Internet but prevent it from communicating with your other VLANS. Have a second, WPA, access point on your regular LAN for devices you want to be able to see the rest of the network. To be doubly safe don't define a management IP address for your switch on the WEP AP's VLAN.

I believe PFSense will let you implement meaningful access control. If you want a serious solution I think there's probably a Dansguardian (or similar) plugin for it that will give realtime blocklists and real content filtering and support huge blocklists (possibly autoupdating). If that doesn't meet your needs you could always put in your own DNS for that VLAN that will only resolve the addresses you want.

Cheers,
Paul.