2 networks with 2 routers and 1 ADSL connection

ScaryFast

Hello all. I'm attempting to create 2 separate networks using 2 Linksys WRT54G routers, both using DD-WRT v23 firmware, and having a heck of a time with it. Let me explain why I want to do this.

I want to set up one router as a hot-spot to provide unsecured wi-fi to anyone that pulls up and wants to use it at my mother's campground. Wireless and wired access to the Internet is all this router needs to be capable of providing.

The second router on the other hand needs to provide wireless and wired access to the Internet, as well as file and printer sharing to only those on this particular network.

If I lump the campers together with my mother and brother on 1 unsecured network I run into a few little issues. #1, I'd like my mom's wifi to be secure since she's the one who lives there and will always have a laptop sitting around. #2, right now any campers can log into the unsecured wifi and attempt to browse file shares. While they can't actually access shared folders due to permissions, they can see the share names, and that's more than I'd like them to be able to see.

It wouldn't be too big a deal except that I have a 17-year-old brother there and I can't spend all my time keeping tabs on what sort of folders he's sharing so he can watch stuff on the laptop or HTPC. It would be much better if I could just separate them all into 2 networks that share an Internet connection.

Now, how do I go about doing this? I've been playing around with very little luck. The best I can get is a connection that works for about 5 seconds before dropping on the second router connected via WAN port to the main router's LAN port. The Internet on the main router however is as speedy as ever with near instant reaction times.

Something is amiss, and I don't have a clue what it is. Can anyone maybe direct me to a guide or write up some quick instructions on the steps I need to take to get 2 separate networks to run through the same ADSL modem? If I can get the wired portion up and running the wireless part will be simple as pie so you can pretty much pretend wi-fi isn't even involved at this point. I'd really appreciate it and perhaps some other people stuck in my shoes might find some help as well.

Thanks a lot guys.
 
Edit:
Just read the rest of your post. Try upgrading the firmware, double NAT should work fine.
 
I'm generally not a fan of double NAT'ing for long term heavy use..but if your mother's computer use is pretty much just basic internet surfing, e-mail, etc...it's OK.

I can think of 2x ways to set this up...the first being the double NAT setup, the second...taking your 2nd WRT54G..turning it around and using it in access point mode...with a different SSID, uplinking one of its LAN ports to a LAN port on the first router...and making that LAN port it uses on the first router a separate VLAN.

When cascading two routers doing NAT....you want the network that you want to be secured...to be behind the inside router...this network will be the one that gets stuck with the double NAT.

The network you wish to be the more public one..you want behind the outside router...basically in front of the inside router.

The logic in this...is computers behind the inside router can still get to computers in front of them..behind the outside router...using IP addresses...since NAT allows traffic initiated from the inside to return. However..with a default setup, vice versa is not true.

So, your outside network....take the first WRT54G (we'll call it Router 1)...and set it to 192.168.0.1......leave this wireless running open..on its own unique SSID....and note the channel. Since this is open...change that default admin password.

Take your second WRT54G (we'll call it Router 2)...set it to 192.168.1.1.....connect its WAN port to one of the LAN ports of Router 1...having that WAN interface set to "obtain auto". It should pick up a 192.168.0.100something address. If you use the wireless on this..make it also its own unique SSID, may need a separate channel like 1 or 11 so you don't mix too much with the first one...naturally change your default admin password to the router, and buckle down the wireless security.


Now...that second option...I'm curious if this would work....haven't tried this myself, but it'd get rid of the double NAT setup. Use one of the routers as the main router...that'll be yours. May as well keep it at the default Linksys 192.168.1.1. Your own unique SSID, wireless key, admin password of course, and build a VLAN with ports 1-3 for yourself. Create a second VLAN. Now take the second router, change its LAN IP to 192.168.1.2....disable DHCP, flip it to AP mode. Set its wireless as a totally different SSID, different channel than the above, open security. Uplink that router using one of its LAN ports...to LAN port 4 of your main router...which is the second VLAN. It should not be able to see your personal network.
 
DSL -> Free Wifi Router -> Private Network Router

You can go upstream but not down so you'll have access to everything on the private side and the free wifi people will only have access to each other and the internet.

Is this what you were looking for? It sounds like you're trying to make things a bit more complicated than needed.
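The behaviour the two replies above describe (hosts behind the inside router can reach the guest network, but not the reverse) can be modelled as follows. This is an added example, not part of the original posts: a simplified Python model of stateful NAT on Router 2, in which the host addresses, port numbers and the 192.168.0.100 WAN lease are constructed for illustration.

```python
import ipaddress

class NatRouter:
    """Toy stateful NAT: unsolicited WAN-side packets to the LAN are dropped."""
    def __init__(self, lan_cidr, wan_ip):
        self.lan = ipaddress.ip_network(lan_cidr)
        self.wan_ip = ipaddress.ip_address(wan_ip)
        self.flows = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def send_out(self, src, sport, dst, dport):
        """LAN -> WAN: record the flow; the far end sees the WAN address."""
        self.flows.add((src, sport, dst, dport))
        return self.wan_ip

    def accepts_in(self, src, sport, dst, dport):
        """WAN -> LAN: pass only replies that match a recorded flow."""
        return (dst, dport, src, sport) in self.flows

def deliver(inner, src, sport, dst, dport):
    """Return (delivered, source address seen by dst) for one packet.
    Simplification: replies are given with the inside address already restored."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in inner.lan and dst not in inner.lan:
        return True, inner.send_out(src, sport, dst, dport)
    if dst in inner.lan and src not in inner.lan:
        return inner.accepts_in(src, sport, dst, dport), src
    return True, src  # same segment: switched, never reaches the NAT

# Constructed addressing following the thread: Router 2's LAN is 192.168.1.0/24
# and its WAN port holds an assumed DHCP lease of 192.168.0.100 from Router 1.
router2 = NatRouter("192.168.1.0/24", "192.168.0.100")
GUEST, PRIVATE = "192.168.0.50", "192.168.1.101"  # constructed hosts

def demo():
    results = {}
    # Guest tries the private host's SMB port: no flow exists, so it is dropped.
    results["guest_to_private"] = deliver(router2, GUEST, 40000, PRIVATE, 445)[0]
    # Private host opens a connection to a guest-side web server.
    ok, seen = deliver(router2, PRIVATE, 50000, GUEST, 80)
    results["private_to_guest"] = ok
    results["seen_as"] = str(seen)
    # The reply to that connection is let back in...
    results["reply"] = deliver(router2, GUEST, 80, PRIVATE, 50000)[0]
    # ...but the guest still cannot open a new connection to port 445.
    results["guest_retry"] = deliver(router2, GUEST, 40001, PRIVATE, 445)[0]
    return results

if __name__ == "__main__":
    print(demo())
```

Real connection tracking also matches the protocol and expires idle flows; the model keeps only the part that makes the inside network unreachable from the guest side.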
 
Thanks for the suggestions. I'll try some of these later on tonight since I got this second WRT54G unbricked (pin shorting ahoy!). I just got my new Dell Inspiron e1505 (6400 up here in Canada) so once I flatten and re-install Windows and get it all set up I'll give these suggestions a shot and then come back with my trip report.
 
Also, you could get a switch to put between the DSL modem and the routers.
 
This might work:
1) Use the 2nd WRT54G as an AP only, leaving wireless wide open
2) Enable WPA/WPA2/WEP/whatever on the 1st WRT54G
3) Turn on "AP Isolation" on the 2nd WRT54G. It's under the Advanced Settings for Wireless

That should put each wireless client on the 2nd AP in its own little virtual network, so it can't see anything else on the network.
 
JBark said:
This might work:
1) Use the 2nd WRT54G as an AP only, leaving wireless wide open
2) Enable WPA/WPA2/WEP/whatever on the 1st WRT54G
3) Turn on "AP Isolation" on the 2nd WRT54G. It's under the Advanced Settings for Wireless

That should put each wireless client on the 2nd AP in its own little virtual network, so it can't see anything else on the network.

I turned on AP Isolation, and went to browse the network and all the shares are there. This is connecting the second WRT54G to the first via LAN ports. I haven't tried WAN port.
 
Progress! Apparently I'm an idiot.

When I was trying the AP isolation bit I was plugged into router2 with a network cable, and thus was able to see the shares. Once I realized this little mistake I unplugged and hopped onto the unsecure wireless.

I couldn't see "Entire Network" when I hit F5 like usual but since I had the shares listed below from before I just had to go click on one of them, which brought me into the share, which opened up "Entire Network" and "Microsoft Windows Network" and "Workgroup" and eventually the share itself.

It occurred to me that it was behaving differently than usual, so I deleted the, I don't know what you want to call them...cached shares, rebooted, and tried again on the laptop. Sure enough, when I go to Network Places I see nothing. I hit F5 and I don't get "Entire Network". Awesome.

So I guess what this means is that the shares are being hidden from the wireless client, but I notice that if I manually enter the name of the other computer or the IP address in the address bar I can see the computer and shares anyway. This effectively prevents no one that says "okay, I have an IP of 192.168.1.102. This means that someone probably already has 192.168.1.101. I can't see any shares now, but I bet if I try to go to \\192.168.1.101 I will be able to see any shares there." and they would be correct.

I'd like to try the VLAN stuff but heck if I know how that all works to keep things separate.

/edit Of course it's not TOO big a deal I suppose. At most, someone will be able to see the names of shares, but without having privileges, they won't be able to see into those shares. This AP isolation just makes seeing the share names a little more difficult. No grandmas will be accidentally clicking their way to them, they would have to manually enter the IP. I suppose that would be acceptable. I'll just focus on perhaps getting my brother's shares set up differently and tell him not to change anything ever without my approval.
 
ScaryFast said:
I'd like to try the VLAN stuff but heck if I know how that all works to keep things separate.

It literally keeps traffic from going between machines plugged into those ports which are members of separate VLANs.

If you can still access machines via IP now...you're not secure.
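A way to verify the point in the last reply from a laptop joined to the open network, as an added example that is not part of the original thread: it attempts TCP connections by IP to the Windows file-sharing ports on your own private machines, since an empty browse list says nothing about reachability. The host address is the one from the thread's hypothetical and the function names are made up for this example.

```python
import socket

SMB_PORTS = (139, 445)  # NetBIOS session service and SMB over TCP

def probe(host, port, timeout=2.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"      # host answered with a reset, so it is reachable
    except OSError:
        return "filtered"    # timeout or unreachable: nothing came back

def isolation_report(private_hosts, ports=SMB_PORTS, timeout=2.0):
    """Return {host: {port: state}} for every host that answered at all."""
    leaks = {}
    for host in private_hosts:
        states = {p: probe(host, p, timeout) for p in ports}
        if any(s != "filtered" for s in states.values()):
            leaks[host] = states
    return leaks

if __name__ == "__main__":
    # Constructed address from the thread's hypothetical; list your own hosts.
    report = isolation_report(["192.168.1.101"])
    for host, states in report.items():
        print(f"NOT ISOLATED {host}: {states}")
    if not report:
        print("no private host answered on the file-sharing ports")
```

A `closed` result still counts as a failure of separation: the private host answered, so the two networks can reach each other at the IP layer even though file sharing is not listening.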
 