internal shares safe/separate from hotspot?
CruelSun
10-15-2007, 07:29 AM
I have a cable modem connected to a Linksys WRV200 to provide internet access and file sharing to my small business. The business wireless is secured. I would like to add public wireless access to a lobby area some distance away from the WRV200. Due to the construction/layout of the building, a separate WAP would have to be installed near the Lobby area.
How can I add public wireless without allowing access to my network shares or otherwise compromising the security of my business LAN?
Greenstead
10-15-2007, 05:16 PM
It is not really advisable to mix a business LAN with public access. Whilst it is possible to configure such setups for security you would always be at risk. Far better to install a separate internet service for your public users.
CruelSun
10-16-2007, 12:58 AM
Agreed on all counts, but if I can avoid the additional monthly expense of a second cable modem, I can live with a reasonable amount of risk.
How would you accomplish this task if it was not feasible to install a separate internet service?
Greenstead
10-17-2007, 12:09 AM
It is problematic to achieve at a low cost with a single ISP since it requires more equipment. You should not mix business wireless users with public wireless users connecting to the same WRV200.
As an example, in the configuration below the existing WRV200 could be used to provide the 'business firewall -> business wired/wireless AP'. The 'gateway (router/switch)' could be a 2nd WRV200, with the 'public AP' a Linksys WRE54G Wireless-G Range Expander.
ISP -> gateway (router/switch) -> business firewall -> business wired/wireless AP.
ISP -> gateway (router/switch) -> public AP.
CruelSun
10-17-2007, 11:57 PM
If I understand your example, I would install a new router (R#1) to the cable modem, then connect the existing WRV200 (R#2) to one port of R#1, and a new (public) WAP to another port of R#1.
ISP -> Router1 -> Router2 ->(business Wired/Wireless Lan)
ISP -> Router1 -> WAP (Public hotspot)
Does this require any special configuration on R#1?
Does this require any change to the configuration of R#2?
I guess I should assign a static IP to the R#2 WAN side, as I will have to forward some ports from R#1->R#2->Server.
Would it enhance security between the LAN segments to set each Router's Lan side IP scope differently (R#1=192.168.xxx.xxx, R#2=10.xxx.xxx.xxx)?
An Afterthought...
Would this example work as well, and keep the business LAN safe without the added complexity and latency of being two routers deep?
ISP -> Router1 -> (business Wired/Wireless Lan using 10.xxx.xxx.xxx)
ISP -> Router1 -> Router2 ->WAP (Public hotspot using 192.168.xxx.xxx)
Thank you for your time.
Greenstead
10-19-2007, 09:26 PM
Your alternative is not safe. It would allow public users to hack the business PCs.
A LAN port of R#1 goes to the WAN port of the business router R#2. This provides the basis of protection of the business LAN by virtue of R#2 NAT.
Does this require any special configuration on R#1?
In principle no. Other than port forwarding to R#2.
Does this require any change to the configuration of R#2?
Use of static WAN IP and port forwarding. And disable the DHCP service.
I guess I should assign a static IP to the R#2 WAN side, as I will have to forward some ports from R#1->R#2->Server.
Yes.
Would it enhance security between the LAN segments to set each Router's Lan side IP scope differently (R#1=192.168.xxx.xxx, R#2=10.xxx.xxx.xxx)?
I don't see it matters. The R#2 NAT prevents unsolicited intrusion.
CruelSun
10-19-2007, 10:45 PM
A bit of clarification please,
Does this require any change to the configuration of R#2?
Use of static WAN IP and port forwarding. And disable the DHCP service.
I should disable the DHCP server on the LAN side of R#2, leaving R#1 to serve IPs for the entire network?
CruelSun
11-12-2007, 07:01 PM
Hello again,
All is up and running except my forwarded ports.
I created the network as follows:
ISP -> Router1 -> Router2 ->(business Wired/Wireless Lan)
ISP -> Router1 -> Router2 -> Server
ISP -> Router1 -> WAP (Public hotspot)
Router1 is a 3Com (3CR858-91) Wired.
Wan IP= DHCP from ISP
Lan IP=192.168.1.1 Serving IP range 192.168.1.30 thru 1.255
port 3389 forwarded to 192.168.1.2
Router2 is a D-Link (DI-624) Wired/Wireless.
Wan IP= 192.168.1.2
Lan IP= 192.168.0.1 Serving IP range 192.168.0.100 thru 0.199
Port 3389 forwarded to 192.168.0.20
Server is an XP Pro box
IP= 192.168.0.20
WAP is a Buffalo (WHR-HP-G54 running dd-wrt v.23 firmware)
IP= 192.168.1.3
forwarding DHCP from Router1 to Wireless clients
From a PC connected to Router2 I can ping Router1, Router2, and WAP.
From a PC connected to Router1 I can ping Router1, Router2 (WAN side only) and WAP.
From Lan side of Router2 I can connect to Server (Remote Desktop (3389))
From Lan side of Router1 I cannot connect to Server.
From Wan side of Router1 I cannot connect to Server.
It seems the D-Link is not forwarding the port for some reason. I used this same D-Link in a different location and forwarded the same port with no problems. Is it possible that I need to do something different because the server is 2 routers deep?
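Added example (not part of any post in the thread): a small Python model of the NAT reachability argument in Greenstead's 10-19-2007 reply, applied to the double-router layout described in the last post and to the "afterthought" layout. It assumes each router is a plain NAT gateway with no other filtering; the segment names and the use of port 445 (SMB) to stand for the file shares are assumptions made for the illustration.

```python
# Added example: segment-level model of NAT reachability (constructed data).
# Rule modelled: a router passes LAN->WAN connections freely, and passes
# WAN->LAN connections only for ports it forwards.

# Layout built in the thread: hotspot WAP on Router1, business LAN behind Router2.
NESTED_BUSINESS = {
    "Router1": {"wan": "internet", "lan": "hotspot", "forwards": {3389}},
    "Router2": {"wan": "hotspot", "lan": "business", "forwards": {3389}},
}
# The "afterthought" layout: business LAN on Router1, hotspot behind Router2.
NESTED_HOTSPOT = {
    "Router1": {"wan": "internet", "lan": "business", "forwards": {3389}},
    "Router2": {"wan": "business", "lan": "hotspot", "forwards": set()},
}

def gateway_of(segment, routers):
    """Router whose LAN side is this segment, or None for the internet."""
    return next((r for r in routers.values() if r["lan"] == segment), None)

def upstream(segment, routers):
    """The segment itself plus every segment its outbound traffic crosses."""
    seen = [segment]
    while (gw := gateway_of(seen[-1], routers)) is not None:
        seen.append(gw["wan"])
    return seen

def can_initiate(src, dst, port, routers):
    """True if a host on src can open a new connection to dst on this port."""
    reachable = set(upstream(src, routers))
    seg = dst
    while seg not in reachable:          # cross each router in front of dst
        gw = gateway_of(seg, routers)
        if gw is None or port not in gw["forwards"]:
            return False                 # NAT drops the unsolicited connection
        seg = gw["wan"]
    return True

def exposure(routers, ports=(445, 3389)):
    """Which (source, port) pairs can reach the business segment."""
    return {(src, p): can_initiate(src, "business", p, routers)
            for src in ("internet", "hotspot") for p in ports}

if __name__ == "__main__":
    for name, layout in (("thread layout", NESTED_BUSINESS),
                         ("afterthought", NESTED_HOTSPOT)):
        print(name, exposure(layout))
```

In the thread layout the hotspot segment reaches the business LAN only on the port Router2 forwards, so a service forwarded on Router2 is exposed to hotspot clients as well as to the internet. In the afterthought layout every business port is reachable from the hotspot, because hotspot traffic leaves Router2 directly onto the business segment.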