Adding a Guest Wifi to my house with a second router.

[Ninety-9 SE-L]

I've been trying to figure out a good hierarchy for getting everything hooked up and working, so far, I haven't come up with any good solutions.

I have Cox internet and I'm pretty sure that getting two IPs is not a free option. I have 2 wireless routers and I want to turn one of them into a WPA Guest network. Since I always have people hanging around my house, it makes it easier to share a different password with them and not grant them access to my network files. I'd like to put them on a separate network than the one my devices share.

I don't necessarily want to double NAT either network, but especially not my personal network. I tried simply plugging the guest router's WAN side into my personal router's LAN, but I'm unable to resolve an internet connection through the guest network. I also wonder that since the guest router is plugged into the LAN side of my personal router, it's really not doing much to keep people from accessing my networked files.

Any good solutions?

 

[WarWolf]

Smoothwall is one option. If you have an old computer lying around it's perfect (Will need 3 NICs). It will act as the firewall and router, and has a purpose built feature for this. You'd connect your personal wireless router on one NIC. (I believe if you disable DHCP on the router it can work as just an access point.) The connection to the internet on a second. And then in the configuration on Smoothwall you can enable a third network interface which has full access to the internet, but is completely separate from your network. Great thing about Smoothwall is that it's open source and has a community that is actively adding functionality that you can add to it. Opens a whole new door for tweaking and playing with computers.

What models are your routers? Might be possible to play with VLANs (Virtual LANs) which are together on one network, but are kept separate.

Do you know if you have a dynamic or static IP through Cox? If they provide DHCP, you might be able to just plug a small switch into the gateway and then both routers into that.

 

[trekky]

im not 100% sure but you not just subnet the Wifi and your normal home differently?

 

[Ninety-9 SE-L]

Smoothwall is one option. If you have an old computer lying around it's perfect (Will need 3 NICs). It will act as the firewall and router, and has a purpose built feature for this. You'd connect your personal wireless router on one NIC. (I believe if you disable DHCP on the router it can work as just an access point.) The connection to the internet on a second. And then in the configuration on Smoothwall you can enable a third network interface which has full access to the internet, but is completely separate from your network. Great thing about Smoothwall is that it's open source and has a community that is actively adding functionality that you can add to it. Opens a whole new door for tweaking and playing with computers.

What models are your routers? Might be possible to play with VLANs (Virtual LANs) which are together on one network, but are kept separate.

Do you know if you have a dynamic or static IP through Cox? If they provide DHCP, you might be able to just plug a small switch into the gateway and then both routers into that.

Although I probably have a ton of older NICs in the garage, I don't really have the time or money to build another rig, for now, so smoothwall is not a good option for me.

As far as my routers go, let's see here. The main router coming off the modem is a Linksys RV082 (V1 or 2). Very solid router, but starting to show its age with a NAT throughput of about 20MBPS and 10/100 LAN. Because it's not wireless, I have a Linksys WRT54G2 wired in as my wireless access point.

The second router, which I would like to use for Guest internet access, is a Linksys WRT54GL. I'd like to set it up in a way that guests can't access network resources on the RV082's network.

Few other things. I have a dynamic IP with my ISP, I was considering trying a switch off of the cable modem, but I wasn't sure if that would actually work. I would have to go out and buy a new switch because I can't remember what happened to my old one (and I mean OLD). Also, I did fix the problem where I wasn't getting internet access through the Dual NAT setup, I plugged in the wrong MAC addy. Currently, the Guest router's WAN is plugged into the RV082's LAN and working, however, as I expected, the guest network can access resources on the parent network.

 

[Janus67]

Plugging a switch into your modem won't work as the modem itself is only given a single IP.

There are already routers on the market that have this functionality (my Asus 660 can).

I would look into dd-wrt or tomato firmwares and see if that will work or they have that option for your wrt54g/l

 

[Ninety-9 SE-L]

As much as I like DDWRT, and I have run it in the past on my WRT54GL, using DDWRT would force me to change my primary router from my RV082 to the WRT54. I personally love my RV082.

Here something I might try, but I'm not sure what settings to use. All computers/devices on my personal LAN are assigned a Static IP. That means that my WRT54GL's WAN port is being assigned a static IP of, say, 192.168.3.8. Could I access restrict 192.168.3.8 from accessing other devices (192.168.3.1 - 7) or would that be ineffective?

 

[WarWolf]

How about this:
Internet to WAN port on Guest router, DHCP (192.168.1.XX) to guest wireless and WAN port on your router, static/DHCP (192.168.2.XX) to your equipment.

Your router will see the guest network as the outside world and (assuming it has some sort of protection) will not allow them to find you. Given IP's are examples, anything should work as long as they are different.

Hopefully I described it alright. If not, I can put together a diagram.

 

[Ninety-9 SE-L]

I think what you're describing is the opposite of how I have it hooked, now.

Right now, the modem is hooked to my personal router (first NAT), then the guest router is hooked to that (second NAT). Technically, all of my guests are double NAT'd, meaning their internet connection has to go through two LANs before it reaches the modem. Not a huge problem for my needs, but, as mentioned before, anyone on the guest network has full access to my personal network.

I believe what you're suggesting is to have the Guest router first and the personal network hooked in after that. Yes, that will solve my problem of keeping guests off my personal network, but that Double-NAT's my personal network. Ordinarily, that wouldn't be too big of a deal, but that means that I have to forward ports twice and it will probably cause issues with my VPN.

 

[WarWolf]

Hmm. That is what I was suggesting. Dang.

Are you willing to spend any money on this? Or do you want to do this only with what you have.

 

[noxqzs]

Unless the router that is connected to the gateway can isolate separate LANs, then you are forced to use multiple routers. I personally have a similar setup but use a Zyxell router/firewall to do this, but the hardware cost a little over $300. Before that, I used 3 routers. Router 1 between cable modem and Router 2 and 3. Router 1 isolated the two networks and provided gateway on the WAN port of Router 2 and 3. Port forwarding as you described it, required redundant steps.

 

[Solder]

I haven't had an opportunity to do this in a home environment yet but I believe what noxqzs did is the way to do it.
This might Help with the subnet addressing. It's a good learning tool for why and how to subnet a network.

 

[awktane]

As a heads-up just giving the guests a different subnet will not actually stop them from accessing your private subnet without a fancy switch.

I've seen folk get this done without much effort by doing the following:

Modem -> Guest router -> (DMZ zone) -> Private router -> Private network.

This will help mitigate most of the double nat issues and allow you to firewall off your private network.

 

[Solder]

Wouldn't having different subnets with different SSID's/Passphrase work? If they're different networks, I wouldn't think they'd be able to communicate by default.
A different subnet is a different network since the machines are part of a separate address pool, aren't they? To allow them to communicate, you'd need enterprise class
routers and switches to be able to configure routing and permissions between networks. Hence the DDWRT firmware for home routers.

 

[aftermath]

I know this is a bit late in the day, look for OpenMesh/OM2P on your search engine of choice.
They can be configured to provide 2 Wi-Fi networks, Private and Public and create a PAT/NAT route to t'interweb ('t' is silent in t'north) that prevents access to your personal network.

 

[ThorV2]

I'm going to have to second smoothwall. Very secure and easy/cheap.