Registered
Network Support Question
I just came from a meeting with my wireless network support guy. He was saying something about SOHO wireless routers that I'm not sure actually happens and wanted a second opinion...here goes.
In an Ethernet wired network with static addresses, I plug in a generic SOHO wireless access point (AP) to provide a wireless network. I assign it network settings so it has access to the WAN. Now, most all these SOHO APs come with a DHCP scope enabled (192.168.1.0/24 or some such) so any connection that asks gets a dynamic address inside the AP's routed network, its LAN side? It's not a big deal. The AP manages the internal addressing and routes traffic between the LAN and WAN as needed. What this network engineer was saying is that the SOHO AP router could/would also respond to DHCP requests on the wired WAN network side, possibly assigning an address out of the 192.168.1.0 subnet to a component plugged in and set to use DHCP on the WAN side. True?
__________________
72 911T 2.4 MFI 2017 Escape SE 2.0 turbo 2020 Honda Civic Touring Sport 1.6 turbo 10' Madone 5.2/17' Lynskey ProCross
Unregistered
Join Date: Aug 2000
Location: a wretched hive of scum and villainy
Posts: 55,652
That's so you can connect to Obie, he's your only hope.
The Unsettler
Sounds like he is saying the AP is on a DMZ.
But we really don't know enough about your network. What is providing routing / WAN access for your statically assigned devices? Access to the WAN from the AP should be going through that, and it, or something else, should be the master DHCP server on the LAN side. You want the AP to be a bridge and not assign DHCP but rather pass DHCP requests to the master DHCP server. What you posted sounds like you would have multiple DHCP servers on the same subnet, which is a bad idea.
__________________
"I want my two dollars" "Goodbye and thanks for the fish" "Proud Member and Supporter of the YWL" "Brandon Won"
Registered
192.168.1.0 is a private network that is non-routable. Your home devices on that subnet appear to the Internet behind the NAT that is your public IP. I don't see what point he is trying to make.
Registered
I believe there is fiber into the building then a router connected to switches serving the ports. In this case, the building has two occupants, each on their own VLAN. Each VLAN supports half a class C subnet. I'm not talking about a DMZ or any special network architecture on the building side. There are no DHCP scopes defined for these VLANs. This is just me buying a simple SOHO access point and configuring it with a static IP address so that it gets access to the building network. This is a temporary measure until they can extend the campus wireless network into the building. At that point, I shutter the SOHO AP.
The surprise coming from the conversation was that the AP would respond to a DHCP request coming from within the subnet on the VLAN. I'm unsure about the point he was trying to make too. He seemed to think it was a big deal. I wasn't aware that your standard little Linksys or DLink wireless access points acted in the way he described.
Racer
Join Date: Oct 2010
Location: Franklin, TN
Posts: 5,885
If you look at the manual for the router, you will see that the only WAN options are those for setting the address for the WAN port. The NAT settings allow one to configure the IP addresses (typically from the private IP address space) used on the LAN. To the rest of the world, all the devices on the LAN side have the same IP address, and that address is the one assigned to the WAN port on the router. NAT handles the routing of the packets to the appropriate devices. How did this guy get to be a network engineer?

Last edited by winders; 04-01-2014 at 09:43 AM.
Back in the saddle again
Join Date: Oct 2001
Location: Central TX west of Houston
Posts: 55,885
Most soho style APs have a "WAN" side and a LAN side. The WAN is usually just another ethernet, but not in the same VLAN / broadcast domain as the LAN side and any associated wired ports.
I wouldn't expect a SOHO device to respond on the WAN side with IP addressing for the LAN side. How would anything route if both sides of the AP/router had the same address scheme? Many/most SOHO APs have a few wired LAN ports. If you used one of those wired ports then yes, the thing will respond with addresses from the DHCP pool.

I would think that there would be 2 ways to set this up. AP set up the same as a home AP/router so that it has a static address from your class C and then NATs all of the wireless hosts on the way through, which will then be NATed again on their way to the 'Net. Or, slightly more complicated but better, turn NAT off on the AP, still, of course, using a static IP from the LAN subnet on the WAN side. The thing about this method is that you'll also need to make changes to the primary router. The primary router would have to be told to NAT the subnet that is behind the AP (not a big deal), and a route to the wireless subnet will have to be added to the primary router.

I suppose it's possible that your guy is right depending upon what sort of AP he's talking about, but my gut tells me that he either doesn't understand what's going on or isn't that knowledgeable.

The dashed red line indicates what should be a separation between the WAN and LAN/WLAN. Essentially, the WAN port should be in a separate VLAN from the LAN/WLAN and should therefore not provide an address on that side.
__________________
Steve '08 Boxster RS60 Spyder #0099/1960 - never named a car before, but this is Charlotte. '88 targa
Back in the saddle again
Join Date: Oct 2001
Location: Central TX west of Houston
Posts: 55,885
All it takes is telling someone that you are.
I used to work on the Cisco TAC. We had a guy call in one day - "I am at a clients site, and I need to get them on the Internet, what do I do?" So we started in with questions to try to figure out what sort of setup he needed, static or dynamic addressing, pool from the ISP or private with NAT, Frame relay or something else, etc... He couldn't answer any of them. Well, how do you have the router configured? The router was still new in the box, he hadn't consoled into the thing and didn't know how to console in. "Well, I'm usually a Windows NT guy, but they wanted me to do some network stuff..." You'd be amazed at some of the stories and situations that I've seen.
Registered
Is this a wireless access point or a wireless router?
__________________
Brent The X15 was the only aircraft I flew where I was glad the engine quit. - Milt Thompson. "Don't get so caught up in your right to dissent that you forget your obligation to contribute." Mrs. James to her son Chappie.
It'll be legen-waitforit
Join Date: Jan 2002
Location: Calgary, Canada
Posts: 6,976
What others have said, typically it will not provide DHCP to its wired side.
Easy enough to test: plug your PC into the same switch, set your PC to DHCP and check the IP it gets. If you have DHCP on your router/firewall, just connect your PC to the AP with a crossover cable and try DHCP again. Why do you ask?
__________________
Bob James 06 Cayman S - Money Penny 18 Macan GTS Gone: 79 911SC, 83 944, 05 Cayenne Turbo, 10 Panamera Turbo
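The "set the PC to DHCP and see what answers" test from the post above, done programmatically. This is an added example and not code from anyone in the thread: it broadcasts one DHCPDISCOVER, parses every DHCPOFFER that comes back, and flags any offer that does not come from the building's known DHCP server or that leases an address outside the VLAN's real subnet, which is exactly the 192.168.1.x-on-the-WAN-side symptom the thread is arguing about. The server address 10.20.0.1 and the segment 10.20.0.0/25 are assumptions standing in for the building's real values; the two packets in the demo are constructed, not captured.

```python
# Added example, not from any poster in this thread: the "set the PC to DHCP and
# see what answers" test done programmatically. Server/subnet values are assumed.
import ipaddress
import os
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2131 option-field marker
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"    # 236-byte fixed BOOTP header
ZERO4 = b"\0" * 4

def build_discover(mac: bytes, xid: int) -> bytes:
    """DHCPDISCOVER with the broadcast flag set (we hold no address yet)."""
    header = struct.pack(BOOTP_FMT, 1, 1, 6, 0, xid, 0, 0x8000, ZERO4, ZERO4, ZERO4, ZERO4,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    # option 53 = DISCOVER, option 55 = please send mask, router, server-id
    return header + MAGIC_COOKIE + bytes([53, 1, 1, 55, 3, 1, 3, 54, 255])

def build_offer(xid: int, yiaddr: str, server: str, mask: str) -> bytes:
    """Constructed DHCPOFFER, used only to exercise the parser offline."""
    a = socket.inet_aton
    header = struct.pack(BOOTP_FMT, 2, 1, 6, 0, xid, 0, 0x8000, ZERO4, a(yiaddr), a(server), ZERO4,
                         b"\0" * 16, b"\0" * 64, b"\0" * 128)
    return (header + MAGIC_COOKIE + bytes([53, 1, 2]) + bytes([54, 4]) + a(server)
            + bytes([1, 4]) + a(mask) + bytes([3, 4]) + a(server) + b"\xff")

def parse_offer(pkt: bytes) -> dict:
    """Pull op, xid, offered address and the options a rogue check needs."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    info = {"op": pkt[0], "xid": struct.unpack("!I", pkt[4:8])[0],
            "yiaddr": socket.inet_ntoa(pkt[16:20]), "msg_type": None, "server": None, "mask": None}
    i = 240
    while i < len(pkt) and pkt[i] != 255:          # 255 = end of options
        if pkt[i] == 0:                            # 0 = pad byte, no length
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        data = pkt[i + 2:i + 2 + length]
        if code == 53:
            info["msg_type"] = data[0]
        elif code == 54:
            info["server"] = socket.inet_ntoa(data)
        elif code == 1:
            info["mask"] = socket.inet_ntoa(data)
        i += 2 + length
    return info

def audit_offers(offers, expected_servers, segment):
    """(server, offered_ip, reasons) per OFFER; a non-empty reasons list means rogue."""
    net = ipaddress.ip_network(segment)
    findings = []
    for o in offers:
        if o["msg_type"] != 2:                     # 2 = DHCPOFFER
            continue
        reasons = []
        if o["server"] not in expected_servers:
            reasons.append(f"unexpected server {o['server']}")
        if ipaddress.ip_address(o["yiaddr"]) not in net:
            reasons.append(f"offered {o['yiaddr']} outside {segment}")
        findings.append((o["server"], o["yiaddr"], reasons))
    return findings

def probe(timeout: float = 3.0) -> list:
    """Broadcast one DISCOVER on the wired NIC and collect every OFFER. Needs
    root (binds UDP/68); never sends REQUEST, so no lease is consumed."""
    mac, xid = b"\x02" + os.urandom(5), struct.unpack("!I", os.urandom(4))[0]
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    s.bind(("", 68))
    s.settimeout(timeout)
    s.sendto(build_discover(mac, xid), ("255.255.255.255", 67))
    offers = []
    try:
        while True:
            pkt, (src, _) = s.recvfrom(1500)
            o = parse_offer(pkt)
            if o["op"] == 2 and o["xid"] == xid:
                o["src"] = src                     # the host that really answered
                offers.append(o)
    except socket.timeout:
        pass
    finally:
        s.close()
    return offers

if __name__ == "__main__":
    # Offline demo with constructed packets: the building's server (assumed
    # 10.20.0.1 on 10.20.0.0/25) and a SOHO router answering on its WAN port.
    xid = 0x1234ABCD
    offers = [parse_offer(build_offer(xid, "10.20.0.77", "10.20.0.1", "255.255.255.128")),
              parse_offer(build_offer(xid, "192.168.1.100", "192.168.1.1", "255.255.255.0"))]
    for server, ip, reasons in audit_offers(offers, {"10.20.0.1"}, "10.20.0.0/25"):
        print(f"{server} offered {ip}: {'OK' if not reasons else '; '.join(reasons)}")
    # On the real VLAN, as root: audit_offers(probe(), {"10.20.0.1"}, "10.20.0.0/25")
```

Two points worth noticing when running this for real. Every OFFER is collected for the full timeout rather than stopping at the first one, because a rogue server that answers second is the one the PC-based test tends to miss (the client takes whichever OFFER arrives first). And the offer's option 54 server identifier is kept alongside the UDP source address, since a misconfigured box can report one and send from the other; a mismatch is itself worth a look.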
canna change law physics
I have several wireless routers with the DHCP turned off. They act as wireless access points, but you usually need to wire the hardwired network to the LAN ports. My newer routers don't care if you use WAN or LAN ports when DHCP is off.
__________________
James The pessimist complains about the wind; the optimist expects it to change; the engineer adjusts the sails.- William Arthur Ward (1921-1994) Red-beard for President, 2020
Registered
Ah...the mystical realm of 'Shadow IT' - those that do what IT hasn't done yet because they can't wait or IT costs too much.
I suspect either your network engineer coworker misspoke what he meant or you misunderstood, but it is not unheard of for something on the network to start behaving badly and do what he described. In fact, I've actually seen just that happen more than a few times. Some user has plugged in a rogue access point because they want wireless where they are in the building and for some reason it isn't there. There can be many reasons but that's another story. Then that SOHO AP/Router starts doing bad things and brings that entire VLAN down because it is handing out IP addresses for its internal network on the external side. Now, normally this wouldn't be a problem if that AP was connected at home because on the WAN side is the service provider and they aren't listening for DHCP requests, so it won't hurt them. In your office though all the clients are, and it can cause real problems.

Oh, I forgot to mention. I am a Systems Engineer for a leading networking manufacturer that has already been mentioned in this thread by someone who used to work for them. I also specialize in enterprise security, which includes wireless technologies. I don't know all the details of your network or your organization, but if I were that network engineer and you told me you were going to do that I would ask you to let me configure it at least so that I had control over it if something went wrong. I would run it past my boss so he knew about it, and if he wasn't okay with it I would not do it of course and explain to you why. I would also make sure I had the right security features in place on the network so that I either didn't care about you doing this or knew it wouldn't work. There could be many reasons why and it really depends on the size and type of organization you have, but those SOHO devices simply don't have what larger businesses need to cope with the security requirements they have. They also present significant support and security risks.

If they are planning to put wireless in your building and it is just a matter of time, I would say to talk to your management about putting your area higher on the priority list for whatever business reasons you can muster up. Otherwise, putting a rogue access point in place is likely against your company's security policy and could expose problems down the line. That said, if your network is based on Cisco switching, your network engineer should have DHCP snooping turned on so that only trusted ports can have DHCP servers behind them, and your rogue access point would not be able to hand out DHCP IP addresses to other clients from the WAN side.
__________________
-The Mikester I heart Boobies
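The switch-side control the post above refers to, written out as an added example rather than a configuration from anyone in this thread. It is Cisco IOS DHCP snooping for a small access switch: server-to-client DHCP messages (OFFER, ACK, NAK) are only accepted on ports marked trusted, so a SOHO router's WAN port on a user port cannot hand out leases to anyone else. The VLAN numbers (10 and 20), the uplink port (Gi1/0/48) and the user-port range are assumptions, to be replaced with the building's real ones:

```cisco
! Constructed example: DHCP snooping for two user VLANs on one access switch.
! Assumed: VLANs 10 and 20 are the two occupants, the router / DHCP server is
! reached through Gi1/0/48, and Gi1/0/1-47 are user ports.
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Snooping inserts relay-agent option 82 by default; some DHCP servers discard
! requests carrying it from a non-relay, so turn the insertion off unless the
! server is configured to accept it.
no ip dhcp snooping information option
!
interface GigabitEthernet1/0/48
 description uplink toward router and DHCP server
 ip dhcp snooping trust
!
interface range GigabitEthernet1/0/1 - 47
 description user access ports, untrusted: OFFER/ACK arriving here is dropped
 switchport mode access
 ip dhcp snooping limit rate 15
!
! Verification after the SOHO box is plugged into a user port:
!   show ip dhcp snooping             (trusted/untrusted per interface)
!   show ip dhcp snooping binding     (leases learned via the trusted path only)
!   show ip dhcp snooping statistics  (dropped server messages from user ports)
```

Two caveats a practitioner would want. Snooping is per VLAN, so a VLAN left out of the `ip dhcp snooping vlan` list stays unprotected even though the global command is on. And `limit rate` puts a port into err-disable when exceeded, which is the right outcome for a rogue device but will also take down a legitimate port with many hosts behind an unmanaged switch; size the rate to the port's real client count before rolling it out.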
Back in the saddle again
Join Date: Oct 2001
Location: Central TX west of Houston
Posts: 55,885
Mike is absolutely correct. If the situation is a rogue AP, that's very bad juju. If you are talking about a device that was bought, configured and installed for the purpose, and it's not a $50 home-style unit, I would hope it shouldn't be a problem.
Monkey+Football
Sorry to hijack - but were you there in the Nacho days?
__________________
<Insert witty comment> 85 Targa Wong Chip Fabspeed M&K Bilsteins and a bunch of other stuff.
Monkey+Football
Probably one of the most important points here.
Registered
|
A couple of people pointed out, there are different devices that function differently. If I plugged my router into your network on its WAN port, it would NAT any wireless traffic on an additional subnet, and would not function as a DHCP server for your wired network (barring some crazy device malfunction).
Then there are access points that are designed to plug into your network and merely extend the existing subnet to wireless devices. Two very different scenarios. If I had a non-IT manager talking about stuff like this, I would say, we aren't doing that, then describe some hypothetical scenario that somehow justifies the objection and ends the discussion. At first I thought he was an idiot, but now I'm thinking he was just handling the situation in a politically correct manner. There are thousands of ideas that could technically work, but they're not happening on my network, the health of which I am responsible for.
The Unsettler
Giving him some BS answer is BS, and apparently OP knew enough to know to get his answer verified. If it turns out he got a line of BS, the IT guy now looks like an idiot who does not know his poo. Situations like that have a way of making people go rogue and secretly do exactly what you don't want done. If you make him submit the request and deny it for valid reasons, you have documentation in case he does go rogue.
canna change law physics
The best rogue access-point I ever setup was Bluetooth. No one knew it was there! And most cell phones at that time were Bluetooth but not Wi-Fi. Beautiful speeds on my Treo-650 and my Palm Lifedrive.