hopefully someone has an idea on this.
I have a business with a private wired network, but want to provide a public wireless access point for the internet. Users on this AP should not be allowed to see anything on the private network.
I have tested this using 2 routers I have in my house, managed to get 2 networks up like so
Modem -> Router 1 -> Private Computers ^-> Router 2 -> Public computersHowever, router 2 should be acting as the public AP, but anything on it can still ping anything connected to the 1st router.
I don't have the ability to change the Modem to the public side, so the solution needs to just be able to plug into the private network and just provide a public LAN that is separated from the main (private) LAN.
Basically just looking for a product/router that will allow this. I have my eye on a Netgear fvs318 which I think will do the trick, but I'm unsure, so some advice/help/recommendations would be great.
Thanks!
5 Answers
The cheap solution looks like this:
modem >==< router1 >+----< router2 >==== private network | +----< router3 >==== public network Router 2 is the "Firewall" between the private network and the public. Unless you want something special like VPN, any cheap SOHO router will do.
You will need to change the routing table on the router or set up a VLAN to segregate the traffic between the networks.
It sounds like you may have a "small business" environment, if so then the most cost-effective solution (and possibly also the solution which is easiest to set up) might be to purchase a DD-WRT-compatible router, install DD-WRT and set up a VLAN to separate the public traffic from the intranet/internal traffic.
These are instructions on setting up DD-WRT and VLANs in what sounds like exactly the configuration that you will want.
More info here, here and on google.
2I agree with Cody and I've used DD-WRT for the past few years on a WRT54GL router. (Home use)
However, I just wanted to throw another potential idea out there.
Modem -> Switch -> Router1 -> Private Computers ^-> Router 2 -> Public ComputersI honestly don't know how well the above configuration would work, but it would effectively divide the different LANs. If you have the hardware lying around, you could throw it together and see if it works the way you want.
3The problem with your proposed network topology is that Router 2 (the "public" router) is within Router 1's LAN. Therefore, if any computer on the public network requests a computer on your private network, the request goes to Router 2, who then sends it to your private local network.
The other answers provided are all feasible under some conditions. If you have two IP addresses from your ISP, I suggest using Bandit's answer. If your modem is also a NAT router, then I suggest Turbo J's answer (with "modem" and "router1" as the same device).
If these don't apply, then simply switching your private and public routers will also do the trick:
INTERNET || MODEM || ---------------------------- | ROUTER A | ---------------------------- || || ------------- PUBLIC | ROUTER B | NETWORK ------------- || PRIVATE NETWORKWith this topology, Router B is protecting your private network from intrustions by the public network. Anything on the private network will be able to connect to a computer on the public network, but not vice versa.
The downside of this topology is that your private Internet connection depends on both Router A and Router B functioning. If either goes down, then the link between the private network and the Internet is broken.
2Get a router like the Draytek 2820n that supports multiple, isolated SSIDs and WLANs. Sorted.
"The Multiple SSID features enables you to have up to four distinct or common virtual wireless access points. For example, you could have one for company usage, with access to your company LAN and another for public access which allows internet surfing only."
