Will "cascading NAT" work?
I'm the (only, volunteer) tech-support person for a small non-profit. The boss wants to surf the Internet wirelessly.
Currently we provide Internet access to our wired network through a Linksys BEFSR81 cable/DSL router connected to a cable modem.
Can I just insert a wireless router between the current wired router and the cable modem and set up the DHCP address ranges differently? Has anybody done this? Does NAT still work when it is "cascaded" (if that's the term)?
We don't do any hosting or game playing or anything, but we do listen to streaming audio sometimes.
The LAN has a lot of sensitive data stored on it (credit card numbers, etc.) and I don't want to expose that data outside our wired network. And I don't want/need to access that data via a wireless connection.
Why not just get a wireless access point like a WAP11? If you use a wireless router I think you have to change it from gateway to router and disable DHCP.
I think you misunderstood me. I'll try to clarify:
I don't want any wireless access to the LAN because of the sensitive information stored/transmitted on the LAN. But I want both the LAN and wireless network to be able to access the Internet through a single cable modem.
The way I hope to do it is to use _two_ routers:
The wireless router will connect via its WAN port to the cable modem, thus allowing wireless Internet access while blocking Internet attacks on the wireless network.
The wired router will connect via its WAN port to one of the wireless router's LAN ports, while the wired router's LAN ports are used for the LAN. This would protect the LAN from the wireless network the same way the wireless router protects the wireless network from the Internet.
It should allow access to the Internet to go from the LAN through the wired router, then through the wireless router, then through the cable modem to the Internet.
But I'm not sure cascading NAT this way will work, and I'm asking if anyone has tried it. (This all has nothing to do with DHCP, only NAT).
I have not tried cascading NAT in anger (i.e. in a business environment) but I have done it at home and it worked OK for the limited tests I did. I believe your proposed solution will work and technically prevent access from the wireless connection to the wired LAN - you might also make the wireless router a different subnet. (However, I am not an expert hacker).
Given the sensitive data you have on your wired LAN I would suggest two things to consider:
1. Wireless technology is hackable even with encryption enabled (as I guess you know) and even though your solution looks technically OK, I would not recommend wireless technology physically connected to the wired LAN in your environment. I would recommend a separate internet connection for the wireless LAN and not to connect the two LANs.
2. If you must add a wireless element to the wired LAN take professional advice before adding any wireless connection (i.e. pay for advice from a reputable consultant and get a written report on how to secure the wireless addition - a day's consultancy would be money well spent).
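
Added example, not part of any post in this thread: a small Python check of an address plan for the two-router layout discussed above, plus a model of which new connections the cascade lets through. The addresses, the `PLAN` layout and the function names are constructed for illustration, and the outward-only rule assumes both routers run default NAT with no port forwards or DMZ host.

```python
import ipaddress

# Constructed address plan (not from the thread): wireless router outermost,
# wired router's WAN port plugged into one of its LAN ports.
PLAN = {
    "outer_lan": "192.168.1.0/24",   # wireless router LAN side (wireless clients)
    "inner_wan": "192.168.1.2",      # wired router WAN address, on the outer LAN
    "inner_lan": "192.168.2.0/24",   # wired LAN holding the sensitive hosts
}

def check_plan(plan):
    """Return a list of problems that would break or weaken the cascade."""
    outer = ipaddress.ip_network(plan["outer_lan"])
    inner = ipaddress.ip_network(plan["inner_lan"])
    wan = ipaddress.ip_address(plan["inner_wan"])
    problems = []
    if outer.overlaps(inner):
        problems.append("inner and outer LAN subnets overlap; "
                        "the inner router cannot route between them")
    if wan not in outer or wan in (outer.network_address, outer.broadcast_address):
        problems.append("inner router WAN address is not a usable host "
                        "address on the outer LAN")
    for name, net in (("outer", outer), ("inner", inner)):
        if not net.is_private:
            problems.append(f"{name} LAN is not private address space")
    return problems

def trust_level(ip, plan):
    """2 = wired LAN, 1 = wireless segment, 0 = Internet."""
    ip = ipaddress.ip_address(ip)
    if ip in ipaddress.ip_network(plan["inner_lan"]):
        return 2
    if ip in ipaddress.ip_network(plan["outer_lan"]):
        return 1
    return 0

def new_connection_allowed(src, dst, plan):
    """Assumed default behaviour: each NAT router passes new connections
    outward only (no port forwards, no DMZ host configured)."""
    if check_plan(plan):
        raise ValueError("address plan is invalid; fix it first")
    return trust_level(src, plan) >= trust_level(dst, plan)
```

In this model a wired host can still open connections to a wireless client, because that direction is outbound through the wired router; only connections started from the wireless side toward the wired LAN are dropped.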