How to connect wireless router to work network with NAT?


Solution 1

You've got the wrong router.

Yours has a DSL WAN port, and you want one with an Ethernet WAN port.

It's clear from your WAN Connection types list that your router has a built-in DSL modem as its WAN port, and you need something that has an Ethernet WAN port to connect to your office LAN.

Yes, you connect the router's WAN port to your office's LAN. In this context, just think of the WAN port as the "upstream internet connection" port. In your case, your office LAN is how your router gets its upstream internet connection, so plug your router's upstream (WAN) port into your office LAN.

If you had a router with an Ethernet WAN port, you'd have an option for DHCP, and everything would probably just work. Your network admins probably aren't restricting DHCP leases to known MAC addresses or custom DHCP Client IDs, but if they are, many wireless routers have the ability to do "MAC address cloning" so the router uses the MAC address of your machine that the network already allows on.

Solution 2

I don't know how I feel about helping with this, but here goes...

Number one: assume you're getting caught. Don't even try to be sneaky; it's only going to make you look bad. I would expect IT to come down the day you plug it in. IT is probably worried about introducing security risks to the network, and rightfully so. Wireless access points are a pain to secure.

If you plan on using the Belkin N1 Vision for your WAP, its WiFi Protected Setup feature is vulnerable to attack, and very easily cracked by anyone with literacy, a keyboard, and interest. Turn that feature off. Unfortunately, plenty of routers are vulnerable even after shutting the feature off.

You also don't want to give access to the entire network over WiFi. I can't imagine your mobile devices need much access, and I'd hope you're not trying to access the email server from your mobile devices. As nice and tempting as it would be to have work email on your phone, stick with external access if you have it. You don't need to open vulnerabilities to the email server.

I'm not a security pro at all, but I imagine setting a firewall rule that blocks any and all traffic that isn't HTTP (port 80) might appease IT's imminent frustration. If you have access to any intranet sites (anything on the internal network that's run in a web browser. Does anyone use a 'program' in the office that's run in Internet Explorer?) then this rule won't be enough. You'd have to figure out a firewall rule to block all traffic that isn't port 80 and isn't headed to the Internet.

You'll also need to use WPA2 to secure the connection. Don't even bother with WEP; it's, again, useless against anyone with half a brain, a Backtrack CD, and their older brother's laptop. Use the most absurdly long and complicated password possible. Think 63 (or 64? I'm not sure) characters of utterly random gibberish including special characters, numbers, and upper + lower case letters. Maybe use a generator. Now either sear that password into your mind or write it down once and hand it to the guy who's going to take the fall for this debacle and have him keep it safe.

If you do anything less than this, the Men in Black have every right to neuralize you. They might even be mad anyway, I don't know how security paranoid your company is. The goal here is to not be the source of a massive security breach. They probably wouldn't set it up this secure, but they have the authority to make that decision. You do not.

Now to focus on not screwing up the network itself... I think NAT should protect you from IP address conflicts, but I'm not going to say for sure. Try to pick a range that IT wouldn't ever use anyway, just in case your router derps and turns off NAT for no reason (I've seen home routers do worse.) Try something in the 172.16.0.0 – 172.31.255.255 range. I've personally never run across a class B private network before, but it could happen.

As far as setup goes, the manual is your best friend. Try dynamic mode and see if you can connect, but I think this might disable NAT? Most of these protocols are meant to connect to an ISP. The real problem is finding a mode that works with the router but doesn't disable NAT. Someone with more knowledge could clear this up, but honestly I don't think they're interested in helping. It's going to be trial and error.

Personally I would forget about the WAN port and just plug into the LAN port. Put your access point's clients straight on the network. This might seem counterintuitive for security, but the clients are getting access either way.

Which brings us to the DHCP server. If it's filtering clients by MAC address your company is at least somewhat concerned about security. You'll have to get dynamic/DHCP mode to work and use a MAC address accepted by the server. I recommend the NIC on the department head's computer. Copy that to the router and connect him directly to one of the LAN ports on the router. If you leave him on the network like normal you'll get a MAC address conflict.

If any of this doesn't make sense, Google it. If you can't handle that, you run the risk of really screwing something up. A colleague of mine once made a typo setting a static IP address and brought down payroll's SQL server. It was a dark, dark weekend. This could be you.

Your best course of action would probably be to continually bug your IT guys to get it done, and if after a few days you're still getting blown off, try plugging in your home router and see if you set off any alarms on their intrusion detection system. That'll get them going for sure, but probably not very happily. If you fail to set off any alarms, try opening up a packet sniffer on the network and then 'accidentally' create an IP address conflict with your own PC in an attempt to set off... anything that'll get their attention and make them pay attention to their frustrated users.

Have you tried bringing them coffee instead? I've written programs for a cup of coffee...
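An added example, not part of the answer above: a sketch of the WPA2 passphrase generator it suggests, together with the key derivation WPA2-Personal applies to the passphrase. It relies on the standard WPA2-PSK rules: a passphrase is 8 to 63 printable ASCII characters, while a 64-character entry is the raw 256-bit key written as hex digits. The function names are hypothetical.

```python
import hashlib
import secrets
import string

# Printable ASCII (0x20-0x7E): the only characters a WPA2 passphrase may contain.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "


def classify_wpa2_secret(secret: str) -> str:
    """Return 'raw-psk', 'passphrase' or 'invalid' for a WPA2-Personal entry."""
    if len(secret) == 64 and all(c in string.hexdigits for c in secret):
        return "raw-psk"      # 64 hex digits are used directly as the 256-bit key
    if 8 <= len(secret) <= 63 and all(c in PRINTABLE for c in secret):
        return "passphrase"   # anything else must be 8..63 printable ASCII chars
    return "invalid"


def generate_passphrase(length: int = 63) -> str:
    """Draw a passphrase from the OS CSPRNG via the secrets module."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters long")
    # Spaces are legal but left out here: some setup pages trim them silently.
    alphabet = PRINTABLE.replace(" ", "")
    # 63 symbols from this 94-character alphabet carry more entropy than
    # the 256-bit key derived from them.
    return "".join(secrets.choice(alphabet) for _ in range(length))


def derive_psk(passphrase: str, ssid: str) -> str:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    if classify_wpa2_secret(passphrase) != "passphrase":
        raise ValueError("not a valid WPA2 passphrase")
    key = hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )
    return key.hex()


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase)
    # "example-ssid" is a constructed network name used only for this demo.
    print(derive_psk(phrase, "example-ssid"))
```

Because the SSID is the salt, the same passphrase yields a different key on a differently named network, and a default SSID gives up that benefit.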

Author by

localhost

Updated on September 18, 2022

Comments

  • localhost
    localhost over 1 year

    I want to connect a wireless router to my work network, but I want all the wireless clients connected to the router to appear as a single IP address to the "men in black" network admins. So I believe the router will need to acquire an IP address from the office DHCP server using the hostname (and perhaps MAC address) of a computer that already exists.

    The router is a Belkin N1 Vision, BTW.

    I believe what I need to do is have the router do NAT for the wireless clients, assigning IP addresses for them on its own private subnet with its own DHCP server, but I can't work out how to get the router to get its own IP address from the office DHCP server.

    The WAN Connection types it has in its setup page are: "PPPoE", "PPPoA", "Dynamic/Fixed IP (1483 Bridged)", "Static IP (IPoA)", "Modem Only (Disable Internet Sharing)". Which one would I need to choose?

    Also, which port of the router should I connect to the office LAN socket?

    • rtf
      rtf almost 12 years
      What are you trying to accomplish by hooking up this router? It's probably not worth the risk whatever it is.
    • JoshP
      JoshP almost 12 years
      Your router would have to hand out IPs on a different subnet and route to your work's network, or your wireless clients would give themselves away with their unique MAC addresses. I'm with @r.tanner.f, more trouble than it's worth, and it'll probably get you in trouble.
    • localhost
      localhost almost 12 years
      @r.tanner.f - I am not worried about getting into trouble. It is the head of department that is asking me to do this for him (with his own router), so he will take responsibility for it. I am just trying to get this done without having to wait forever for our network people to finally get around to it.
    • localhost
      localhost almost 12 years
      @Josh, isn't that what NAT does? Reroutes the packets substituting the MAC?
    • localhost
      localhost almost 12 years
      @r.tanner.f - I am trying to accomplish wireless access to our network for ipads/laptops.
    • jjlin
      jjlin almost 12 years
      It sounds like you have the ADSL modem/router combo. It's not clear to me if this unit can act as a standalone router, but you might try the "Dynamic/Fixed IP (1483 Bridged)" option and plug into any of the Ethernet ports. Ordinarily, the NAT provided by a typical wifi router would do what you want as far as hiding the wifi clients. You would probably do better with a standalone router unit, though.
    • David Schwartz
      David Schwartz almost 12 years
      @jjlin: The N1 vision is a standalone router.
    • localhost
      localhost almost 12 years
      @David Schwartz actually it has an ADSL modem built in. I'm sure.
    • MaQleod
      MaQleod almost 12 years
      Most of those modem/router combos can't take Ethernet as the WAN, they are designed for ATM input from a DSLAM.
    • VBwhatnow
      VBwhatnow almost 12 years
      Your head of department will lie and say they had nothing to do with your attempts to damage network resources. That's why they asked you to do it and not the IT staff, you're the fall guy. Don't mess with the sysadmins' network. You can potentially lose your job over this if the IT department takes offence to you tampering with their network.
    • JoshP
      JoshP almost 12 years
      NAT doesn't touch MAC addresses. MAC addresses are how things are addressed within a network. Only when crossing networks (via a router) do IP addresses become the go-to form of addressing.
  • Everett
    Everett almost 12 years
    Obligatory "they stopped using classes in networks in 1993," reminder. Just kidding. Talk about hitting a fly with a sledgehammer. +1
  • localhost
    localhost almost 12 years
    Thanks for replying. I had already looked at the manual but didn't know 100% what I was looking for. Our IT is useless. "if after a few days you're still getting blown off"... You don't know my company. Could be years, I'd have to fill out a bible's worth of paperwork, and after 6 months I would call and they would say "we've lost it, can you send it all again?" The router has been plugged in now for 4 months, & no IT Men in Black knocking on the door yet. I doubt they can get it together enough to do MAC filtering, but I know the hostname is important to them when installing new machines.
  • localhost
    localhost almost 12 years
    Thanks for the explanation. So basically, it can't be done with this router. That's kind of what I thought when I saw the WAN options list.