Redesigning my parents LAN

[Lilrich]

Hello Guys,

I would like to gather some advice, my parents still have my sister living at home along with her boyfriend in a technological world they have lots of gadgets, iPads, iPod Touches, iPhones, Laptops, Kindles and more this is putting more and more of a strain on the network and i think it is time to re-build there network.

The internet

For the internet they are using AOL and have been for the past 15 years i don't know why but they are i am working on getting this changed but that doesn't matter right now.

To connect to the internet they are using a Netgear DG834G wireless router which has a TP-Link Wireless access point connected to it to extend the range upstairs.

The clients

In the house at the moment there are a number of clients here is a breakdown

Computers: 3x Laptops 1x Guest Laptop and 1x Desktop Computer - All Internet connected

Phones: 2x iPhones, 1x Nokia, 1x Unknown Make - All internet connected

Kindles: 3x Kindles - All Internet Connected

Other: 1x iPad, 1x Nintendo Wii, 1x Internet Ready TV, 1x iPod Touch

Guests: A number of guests come onto the network every now and again

Wireless = Green

Wired = Blue

How it is setup

All clients are added to an Access list on the router, this holds the MAC address of the client and once they are allowed through the gates they are given a address from the DHCP pool

What i am looking for is some ideas as to how to make this better, i was thinking of dropping a PfSense box into the network to see if this would give me better control over who has and who hasn't got access to the network as i don't think the Access List on the router is working due to the number of clients currently sitting on the network.

Any way i look forward to your thoughts

Rich

[typu]

any modern router should easily be able to handle all the clients. why would you need more control? you seem to look to make things more complicated that necessary.

[linsook]

any modern router should easily be able to handle all the clients. why would you need more control? you seem to look to make things more complicated that necessary.

agreed.

[exotoxic]

What i am looking for is some ideas as to how to make this better, i was thinking of dropping a PfSense box into the network to see if this would give me better control over who has and who hasn't got access to the network as i don't think the Access List on the router is working due to the number of clients currently sitting on the network.

Any way i look forward to your thoughts

Rich

Seems like your trying to over complicate it, the router has access controls to allow/disallow so why do you need "better" control?? If your getting random people connecting then maybe its not setup correctly??

[+BudMan MVC]

Mac filtering is not security, and its a PITA to manage. So do you also have security running? WPA/WPA2 tkip/aes ?

Don't get me wrong you can't go wrong with pfsense - would allow you to setup a captive portal for your guests if you wanted. While at the same time sure you could isolate guest traffic from the rest of your network.

But as stated pretty much any off the shelf router these days can do guest networks.

Are you looking to run any sort of proxy with reporting and filtering, or ips (snort)? You pretty much have no wired devices - you improve performance with more APs so you have less clients on each, etc.

But you really have stated anything you would like to do that would scream pfsense to me? But I would suggest is move away from mac filtering, what do you think its buying you other than overhead in administration when a guest comes over or you add a new device?

Would it be easier to just have guess network with a different PSK you give your guests than your normal private network? As stated any soho wireless router can do that.

[Gerowen]

I agree with Budman. Either do away with MAC filtering altogether, or set up a second, guest network that doesn't require it and is segregated from the rest of the devices on the network. This will keep you from having to manually add a MAC address every time somebody comes over to visit, and having them on their own network will help prevent the spread of any nasty malware. I run MAC filtering, but I have a very small list of devices that connect wirelessly, and rarely have any new visitors that I haven't already added and recorded in the spreadsheet I use to keep track of who I have allowed.

If you decide to keep MAC filtering on the primary network, I also recommend enabling some sort of security (WPA, WPA2), because even with MAC filtering enabled, your traffic is still being broadcast unencrypted, so anybody hanging around your house with a laptop can begin to capture packets and gather information from them, such as a MAC address for them to spoof and gain access with.

Additionally I would consider hard-wiring the desktop. Generally I would reserve the wireless connection for devices that cannot use an ethernet wire, or for devices that are moved around so often that using a wire would be inconvenient. For things like desktop computers that remain fairly stationary, I recommend using an ethernet cable. This will minimize the amount of traffic you have flying around through the air. Since you have identified one of your own laptops as a designated guest computer, you may want to hard-wire it as well.

[remixedcat]

I would roll PFSense and have the wireless router that has the best range in AP mode. PFsense has some awesome management.

I also would do away with filtering and just use a guest network or use VLANs if the router supports it.

I might eventually go this route, however I use my netgear router with an Amped Wireless AP20000G access point and the range is awesome.

If you pair PFSense with this AP it would rock your socks. LOL. Amped Wireless routers are very good as well with a good bit of management too! Thier routers have both hardcore coverage and throughput!

[+BudMan MVC]

"I run MAC filtering"

"I haven't already added and recorded in the spreadsheet"

Why do you add this overhead to your management? What does it buy you? You clearly understand that without encryption traffic is in the clear - I could not tell if your running encryption or not.

I fail to see the point of mac filtering if your using wpa/wpa2 and PSK to limit access and prevent sniffing. Mac filtering could be useful if its a known psk to users, but for example you want to only allow their laptops and not their phones to access network. This is a control method, which is what mac filtering is.

Say very small office or even home, and I want to allow laptops on the network but not all the ipads/iphones/smartphones/kindles/tablets/etc on the wireless network eating up limited shared bandwidth. So I use mac filtering to only allow the devices I want because the same users that I give the secure psk too also have these devices, etc. Now hopefully these devices are harder to change the mac on than normal pc/laptop - and again its a control method, not a security method. We all know mac filtering is quite easy to circumvent. But normal users are quite dumb - so many of them will not understand why their iphone can not get on the wireless network but their work laptop can, etc ;) And even if they knew it was mac filtering, they hopefully do not have the skill set to change the mac on their iphone - if they did they would prob be working in your IT dept ;) hehehe

Mac filtering can be used to control which devices can access network, but it is not a valid security option. So when you have a userbase than knows what your psk is, or has valid credentials to auth to wireless via enterprise setup and you want to control what "devices" access the wireless then sure mac filtering is primitive version of that. In enterprise you would prob use 802.1x with EAP-TLS so that devices have a cert to be able to get on network vs just mac address.