Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations TouchToneTommy on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Add Public WiFi to private network

Status
Not open for further replies.
Oct 7, 2007
6,597
US
Currently, customer has an AT&T modem with both wired and wireless clients and they want to add public wifi for customers.

[/b]Which one of the following seems best to provide public access but restrict the public wifi users from accessing the private computers?[/b]

1. Use the 2wire as the PUBLIC access point and make that the public/guest router/AP. Connect another router (WRT54G) behind it and put all the LAN PCs and other devices on its LAN interface and use that for the private LAN.

DSL Router/Public Wifi Router (192.168.1.X) >>> Private Network Router (firewalled and 192.168.2.X)

(WAN port of the Private router to a LAN port on the Public router.)


2. 2Wire used for PRIVATE network (wired and wireless) with second router (WRT54G) connected to port on the 2Wire switch (that is designated as a DMZ-Plus host and on a different subnet) as the PUBLIC segment.

2Wire LAN port >>> 2nd Router WAN port

I don't know what the pros/cons are for each of these.



 
My 2 cents....I wouldn't do a double nat (router behind router) at all. You didn't state what model 2wire router you have. I'm assuming it's not a model that will do a dual ssid. If you haven't checked your model you might already have the ability to do 2 wireless networks with one box. Otherwise I probably would either get one device that will do everything or just create a dmz off of one of the 2wire router ports and connect an AP. Make sure your channels don't overlap. Just create a new range of ip's for your dmz and have dhcp issue them out on that port. Connect the ap and it should work. Then you don't have the double routers/nat to worry about. That said I have no clue as to the capability of your router being I don't know the model, so just make sure you can create the dmz, ip's, etc before you purchase anything.

CCNA, BCNE, Security+, Network +
 
I don't know what the model is either - YET. Trying to get options for the person. These are the two setups I find mentioned when I search. Of course there are professional hot spot setups, but this is to be a redneck version (cheap).

When I tried hanging the 2nd linksys router as the DMZ host in Access Point mode (ROUTER not GATEWAY setting), nothing seemed to work - no internet. What's the scoop with that?

More comments/suggestions welcome.

I've tried the router behind router setup at home with a linksys router connected to another linksys router as the DMZ host and everything works. I just had to add a static route to prevent access from the public router to the private network.

A routing rule like this shut down access to my private comptuers
192.168.1.0
255.255.255.0
gateway: 192.168.10.254 (non-existent host)
applies to: LAN & Wireless interfaces.
 
The router behind router will work...I just wouldn't recommend. If your not going to do any port forwarding it probably will be fine. If that's what you have to work with then you can put the public network first and then put the private behind it. That would be easiest. Then your public side has no access to private by default.

Internet >> Public >> private
Modem >> Linksys>> 2wire
Modem's lan port to linksys wan.....
2wire wan to linksys lan.........

Probably have to change the lan ip scheme on one of the devices if they both default to 192.168.1.0/24. Then just make sure you set up the wireless on 2 non overlapping channels. (1,6,11) The rest should be just the normal setup. (ssid, security, etc.)



CCNA, BCNE, Security+, Network +
 
When using the Linksys in WAP mode, you do NOT connect to its WAN! You use one of its LAN ports, and you assign an IP address to the Linksys, then disable DHCP, and use the DHCP of the 2-Wire unit.

....JIM....
 
SYQUEST - I figured that out after I had posted my comment. I have done that before, but I just didn't think about it before posting. Trying lots of things clouds the brain.

If I'm going to do a router behind a router, then I want the private LAN to be first because, otherwise, there is a dependency that BOTH routers are working or else you will have a problem on your private network.

With the private LAN first, you only have to worry about one router working. I could live with the public side having less theoretical reliability

You know that for every added device in a chain, the reliability of the whole system goes down.
 
I'm probably in over my head here. Here's what happened. I hooked everything up as a Linksys behind the 2Wire and set it as the DMZPlus host. That worked.

The problem - their Opticard system (gift card) would "see" the open wireless and not allow funds to be added to cards. It's a security measure on the Opticard side of things.

So, now I need to be thinking about a VLAN and hanging an access point/router off that. Not sure the best way to approach creating a VLAN off the 2Wire.
 
Any better place to post this to get a good response??? I think I'm in need of a firewall and/or something that does a VLAN, but if that's the case, most likely it's over my head to actually make this happen.
 
Can you explain the opticard issue a bit more? That doesn't seem logical to me. The dmz function on the 2wire allows the public ip address to be shared with the linksys...the network behind the linksys should be a different range of ip addresses than behind the 2 wire...(if not do that) if the card system is on the 2wire lan side (wired) and the linksys is for the public users and a different lan ip network I don't see what the issue is. If any open wireless network disables the system then anyone could perform a dos on any opticard system just by turning on a open wireless network. I would call them and ask them for a solution. Surely they have support???

CCNA, BCNE, Security+, Network +
 
That's what I'm going to do, but the preliminary evaluation is this:

The open Wifi can be detected by the Opticard system even though it's on a different subnet because it IS reachable.

It doesn't matter that the wifi subnet is blocked from reaching the private network apparently. They still consider it a risk. I'll investigate once I have a contact for them and see if they have a recommendation or work around. Will post results.

I hate to think that you would HAVE to have a separate internet connection for WiFi OR purchase a Firewall box to segregate things.

I guess if it must be, putting the 2Wire in bridged mode and using a firewall box with two interfaces (LANs) to control all access is the "professional" way of doing it. Better to purchase equipment one time vs. paying monthly fees for an extra internet connection.
 
Your Internet connection can never be to secure, with all the malware stuff going on out there! Employing a decent firewall, like Forinet/Fortigate or Juniper Networks is good insurance, and can provide the type of LAN capabilities you need...

....JIM....
 
Right, that's what I figured is needed, but that's over my head. I'm looking to get a partner to help with deciding on the right product.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top