Well, congratulate me. I've finally made it to the new century and installed 802.11b wireless on our home office LAN.
I got a new old Belkin AP from Radio Shack for CAD$50, and plugged it into the LAN side of one of Rob's $5 routers from Fry's.
The router forces (via NAT) all of the wireless clients to show up with a fixed IP on its "WAN" side regardless of any tricks that wardriving script kiddies may try. It also has some routing rules to drop any packets with addresses that would otherwise be "valid" on the real internal LAN that lies beyond this router.
The WAN side then connects to the local LAN switch, where it is completely ignored (invalid IP) by all of the machines on the LAN except for my specially configured firewall router (running Linux), which allows SSH and VTUN connections only, and drops everything else.
From the 802.11b-equipped laptops, we run a script to establish a Blowfish-encrypted VTUN (virtual tunnel) connection over the already WEP-encrypted restricted wireless segment, through the cheap router to the real router on the internal LAN. VTUN creates dummy network interfaces on each end of its encrypted tunnel, which are then used to route ordinary packets securely to/from the local LAN, and from there to/from anywhere.
Maybe I'll write this up for a mag or something.
Cheers
(and thanks again for the cheap router tip, Rob!)
Edited by mlord (23/01/2004 23:14)
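
An added example, not part of the original post and not the poster's actual ruleset: one way to express the "SSH and VTUN only, drop everything else" policy on the Linux firewall router as an iptables ruleset keyed on the cheap router's fixed NAT address. The address 192.0.2.10, the chain name `WLAN_IN`, and the VTUN port (5000/tcp, vtund's default) are assumptions; substitute the values from your own setup.

```shell
#!/bin/sh
# Added example. Prints rules only; nothing changes until the output is piped
# into `iptables-restore --noflush` as root on the firewall router.
# Assumed values (not from the post): 192.0.2.10 stands in for the cheap
# router's fixed WAN-side IP; 5000/tcp must match the port in vtund.conf.

wlan_fw_rules() {
    ap_ip=$1
    vtun_port=${2:-5000}

    # Shape-check the inputs so a typo or stray text cannot end up inside a
    # rule and widen it (four dot-separated digit groups, port 1-65535).
    case $ap_ip in
        ''|*[!0-9.]*|.*|*.|*..*|*.*.*.*.*) echo "bad IP: $ap_ip" >&2; return 1 ;;
        *.*.*.*) ;;
        *) echo "bad IP: $ap_ip" >&2; return 1 ;;
    esac
    case $vtun_port in
        ''|*[!0-9]*) echo "bad port: $vtun_port" >&2; return 1 ;;
    esac
    [ "$vtun_port" -ge 1 ] && [ "$vtun_port" -le 65535 ] ||
        { echo "bad port: $vtun_port" >&2; return 1; }

    cat <<EOF
*filter
:WLAN_IN - [0:0]
# Everything sourced from the wireless segment's NAT address is judged here.
-I INPUT 1 -s $ap_ip -j WLAN_IN
# Un-tunnelled wireless traffic is never routed onward; tunnelled traffic
# arrives on the VTUN interface with a different source and is unaffected.
-I FORWARD 1 -s $ap_ip -j DROP
-A WLAN_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A WLAN_IN -p tcp --dport 22 -j ACCEPT
-A WLAN_IN -p tcp --dport $vtun_port -j ACCEPT
-A WLAN_IN -j DROP
COMMIT
EOF
}

# Usage: sh wlan-fw.sh 192.0.2.10 5000 | iptables-restore --noflush
if [ $# -gt 0 ]; then
    wlan_fw_rules "$@"
fi
```

Because the rules match on the single NAT address, any wireless client that has not brought up the tunnel can reach only the SSH and VTUN listeners on the firewall router.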