A while ago I got as a gift a wireless router – a ZoneAlarm Z100G. When I got it at first I defaulted to securing the wireless network from public access (by following this article). Then I thought about it a little and decided to be nice to my neighbors who want to access a wireless network. I mean – why not? Sometimes I try to find a wireless connection with my laptop and it’s very frustrating when I realize that all networks are secured.
Still, I only wanted to enable web access to outsiders using my connection. I don’t want them to use file-sharing on the account of my very limited upload bandwidth.
The “trick” to configuring such a setup is using the rules system (select the “Rules” tab under the “Security” main menu item.) On my network I have a desktop connected to the router with a network cable and a laptop that I occasionally connect through WiFi. Both computers are defined as known network objects and are named “desktop” and “laptop”. See how that is done in the documentation on how to add a network object in the Z100G (hopefully the link is still valid when you’re reading this) or simply click “Help” in your router’s main menu.
The rules I use are as follows (the order of the rules matters):
- Allow, source WLAN, destination WAN (Internet):Web Server
This allows the public web access to all.
- Allow, source desktop, destination ANY:Any Service
This allows my desktop computer access anything.
- Allow, source laptop, destination ANY:Any Service
This allows my laptop computer access anything.
- Now there are a bunch of forwarding rules I use for file-sharing and SSH access to the desktop. They are not related to this topic, but it’s important that they will come before the next rule.
- Block, source ANY, destination ANY:Any Service
This blocks all other traffic.
Note that this configuration is very restrictive – with my current rule configuration, if I try to connect another computer with a network cable to the router it will not get any access and I will have to define it as a network object and specifically add a rule for it like I did for my desktop (rule #2). You can be less restrictive with the rules, for example by replacing the last rule with 2 less strict rules just for WLAN (blocking all access to and from the WLAN) and an additional rule to allow anyone who is connected with a cable to access the internet (after all, you probably trust that computer if it’s physically connected to your router.)
A nice feature in the Z100G router is that the wired and wireless LAN are separate. You have to bridge them to allow them to access one another. For security reasons, I bridge the networks only when I have to. When I’m done with the bridge I remove it.
Another important setting is to not allow different wireless stations access one another. Unfortunately here the default is to allow such access. The setting to disable this is in Network->My Network->Click Edit next to WLAN->Click “Show Advanced Settings”->Change “Station-to-Station traffic” from “Allow” to “Block”.
Hopefully I correctly configured my router to allow public web access only. If you think I made a mistake, please let me know in the comments.