Public wireless access point on a private network

1

1

Hopefully someone has an idea on this.

I have a business with a private wired network, but want to provide a public wireless access point for the internet. Users on this AP should not be allowed to see anything on the private network.

I have tested this using 2 routers I have in my house, and managed to get 2 networks up like so:

Modem -> Router 1 -> Private Computers

            ^-> Router 2 -> Public computers

However, router 2 should be acting as the public AP, but anything on it can still ping anything connected to the 1st router.

I don't have the ability to change the Modem to the public side, so the solution needs to just be able to plug into the private network and just provide a public LAN that is separated from the main (private) LAN.

Basically just looking for a product/router that will allow this. I have my eye on a Netgear fvs318 which I think will do the trick, but I'm unsure, so some advice/help/recommendations would be great.

Thanks!

Graeme

Posted 2011-05-21T14:36:58.263

Reputation: 11

Answers

3

The cheap solution looks like this:

modem >==< router1 >+----< router2 >==== private network
                    |
                    +----< router3 >==== public network 

Router 2 is the "Firewall" between the private network and the public. Unless you want something special like VPN, any cheap SOHO router will do.

Turbo J

Posted 2011-05-21T14:36:58.263

Reputation: 1 919

2

You will need to change the routing table on the router or set up a VLAN to segregate the traffic between the networks.

It sounds like you may have a "small business" environment, if so then the most cost-effective solution (and possibly also the solution which is easiest to set up) might be to purchase a DD-WRT-compatible router, install DD-WRT and set up a VLAN to separate the public traffic from the intranet/internal traffic.

These are instructions on setting up DD-WRT and VLANs in what sounds like exactly the configuration that you will want.

More info here, here and on Google.

Codebling

Posted 2011-05-21T14:36:58.263

Reputation: 631

If I was to buy a Netgear FVG318, which supports VLAN, and I assume DD-WRT since these rubbish routers do - should I be ok? I don't quite get VLANs but I'm guessing the setup they provide should be like having your own private LAN and not being able to connect outside it? I'm fine with testing the device to make it work, I just want to make sure I get one that has a good chance of working! – Graeme – 2011-05-21T17:12:31.810

I had a quick look - it doesn't look like that router supports DD-WRT, nor does it support VLANs. Looks like the Draytek devices mentioned by @Linker3000 are the only ones that support VLANs out of the box. Looks like they cost about 150$, I'm not sure how hard they are to set up. If you have a few spare routers lying around, go with @Turbo-J's solution. If you have a router handy that's already DD-WRT-compatible, go with this solution. Check if your routers are compatible here or here.

– Codebling – 2011-05-21T22:32:47.300

1

I agree with Cody and I've used DD-WRT for the past few years on a WRT54GL router. (Home use)

However, I just wanted to throw another potential idea out there.

Modem -> Switch -> Router1 -> Private Computers
            ^-> Router 2 -> Public Computers

I honestly don't know how well the above configuration would work, but it would effectively divide the different LANs. If you have the hardware lying around, you could throw it together and see if it works the way you want.

Bandit

Posted 2011-05-21T14:36:58.263

Reputation: 790

You would need a managed switch though, wouldn't you? Fairly pricy if it's a small business setup. – Codebling – 2011-05-21T16:36:37.597

If your modem is not also a NAT router, then this will require two IP addresses from your ISP. The WAN of each router would need its own public address in this configuration. – Stephen Jennings – 2011-05-21T16:39:09.547

@Stephen Good point, didn't think about the fact that it would require two IP addresses from the ISP. Therefore, Turbo J's method is the way to go if you want a hardware solution. If I personally had to set up a private and public network, I would use Turbo J's solution with cheap routers (I like the WRT54GL personally) that are DD-WRT capable. My DD-WRT router has never locked up on me, and it will auto-restart when a critical error occurs (unlike most routers which will just hang.) No user-intervention required. – Bandit – 2011-05-21T22:17:37.123

0

The problem with your proposed network topology is that Router 2 (the "public" router) is within Router 1's LAN. Therefore, if any computer on the public network requests a computer on your private network, the request goes to Router 2, who then sends it to your private local network.

The other answers provided are all feasible under some conditions. If you have two IP addresses from your ISP, I suggest using Bandit's answer. If your modem is also a NAT router, then I suggest Turbo J's answer (with "modem" and "router1" as the same device).

If these don't apply, then simply switching your private and public routers will also do the trick:

          INTERNET
             ||
            MODEM
             ||
 ----------------------------
 |         ROUTER A         |
 ----------------------------
      ||               ||
 -------------       PUBLIC
 |  ROUTER B |       NETWORK
 -------------
      ||
    PRIVATE
    NETWORK

With this topology, Router B is protecting your private network from intrusions by the public network. Anything on the private network will be able to connect to a computer on the public network, but not vice versa.

The downside of this topology is that your private Internet connection depends on both Router A and Router B functioning. If either goes down, then the link between the private network and the Internet is broken.

Stephen Jennings

Posted 2011-05-21T14:36:58.263

Reputation: 21 788

The problem is I don't want to go and mess about with the existing network. Is it not possible to restrict the routing so PCs on node 2 can't get to the other nodes (that aren't the router) on the main network? – Graeme – 2011-05-21T17:04:43.860

@Graeme: It's not impossible, but your particular router may not allow it. This is what Code Bling is suggesting in his answer. If you can put DD-WRT on the router, then you could create the VLAN. But, it seems much easier to just switch the routers. – Stephen Jennings – 2011-05-22T18:25:16.610
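The topologies discussed in this thread can be compared with a small reachability model. This is an added example, not code from any of the posters; it assumes every router is a typical SOHO NAT box (LAN to WAN forwarded, unsolicited WAN to LAN dropped), and the network labels and the `block_wan_subnet` flag (standing in for the routing restriction Graeme asks about) are constructed for illustration.

```python
# Added illustration: toy reachability model of the thread's topologies.
# Assumption: each router forwards LAN -> WAN and drops unsolicited
# WAN -> LAN traffic. "modem" is the link toward the Internet.
from dataclasses import dataclass

@dataclass(frozen=True)
class Router:
    name: str
    wan: str                        # network the WAN port plugs into
    lan: str                        # network served on LAN ports / Wi-Fi
    block_wan_subnet: bool = False  # hypothetical rule: drop LAN -> own WAN subnet

def can_initiate(routers, src_net, dst_net):
    """True if a host on src_net can open a connection to a host on dst_net."""
    gateway = {r.lan: r for r in routers}    # default gateway of each network
    net, blocked, seen = src_net, set(), set()
    while net not in seen:
        seen.add(net)
        if net == dst_net:
            return net not in blocked
        router = gateway.get(net)
        if router is None:           # reached the modem link, nothing upstream
            return False
        if router.block_wan_subnet:
            blocked.add(router.wan)  # transit beyond this subnet still passes
        net = router.wan             # outbound hop: LAN -> WAN is allowed
    return False

ORIGINAL = [Router("router1", "modem", "private"),
            Router("router2", "private", "public")]
THREE_ROUTERS = [Router("router1", "modem", "dmz"),
                 Router("router2", "dmz", "private"),
                 Router("router3", "dmz", "public")]
SWAPPED = [Router("routerA", "modem", "public"),
           Router("routerB", "public", "private")]
FILTERED = [Router("router1", "modem", "private"),
            Router("router2", "private", "public", block_wan_subnet=True)]

def report():
    layouts = {"original": ORIGINAL, "three routers": THREE_ROUTERS,
               "swapped": SWAPPED, "original + filter": FILTERED}
    return {name: {"public->private": can_initiate(r, "public", "private"),
                   "private->public": can_initiate(r, "private", "public"),
                   "public->internet": can_initiate(r, "public", "modem")}
            for name, r in layouts.items()}

if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:18} {result}")
```

Only the original layout lets the public side reach the private LAN, because the private hosts sit on Router 2's WAN segment; the swapped layout is the only one where the private side can still reach public hosts.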

0

Get a router like the Draytek 2820n that supports multiple, isolated SSIDs and WLANs. Sorted.

http://www.draytek.co.uk/products/vigor2820.html

"The Multiple SSID features enables you to have up to four distinct or common virtual wireless access points. For example, you could have one for company usage, with access to your company LAN and another for public access which allows internet surfing only."


Linker3000

Posted 2011-05-21T14:36:58.263

Reputation: 25 670