Millardv (United States of America) asked:
Public WiFi separation from the local private network

Our restaurant has an internet connection that we need for credit card processing, ordering and such.
The boss wants to add WiFi wireless for the customers to use in the restaurant area.
I am concerned that the customers may try to hack our local network.
I probably need a good router with some way of dividing the subnets.
What is this technology called?
What is a good brand of router to buy?
Where can I read about how to lock down security of the network?

thanks
Millard
nodisco (New Zealand):
Millard

You can approach this a few different ways, but I would recommend you use VLANs.  Essentially, your wireless APs and clients are all configured by the managed switch on one VLAN and your internal network is on a separate VLAN.  Inter-VLAN communication is only possible by using a layer 3 device, like a router or a layer 3 switch for example.  VLANs are secure and easy to manage and work on the principle that each port on the switch can be assigned to a certain VLAN.
Your internet router can then be configured to connect to this switch and route all outbound traffic.

             Internet
                |
              router
                |
          Managed Switch
          |            |
      VLAN 10       VLAN 20
    (Wireless)     (Internal)

As regards brands for both, you probably already have an internet router in place, but I would go with Cisco on all equipment.  Depending on how many ports you require, a 2950 switch is a good model.  Dell has begun selling switches, and their managed PowerConnect 3324 and 3348 switches are great value; their operating system is very similar to Cisco IOS.

cheers


Millardv (asker):
Thanks
This is very helpful.  I understand the managed switch. That will work.

This is a small restaurant and doesn't need 24 ports.
I was hoping to find a ROUTER with built in VLAN(s).
Do they make such a thing?

Millard
No - routers will pass VLAN traffic, but VLANs are not configurable on them.  Considering port density, it would not even be practical to have them there.  You could link the 2 networks up with a router and configure access lists to segregate traffic.

Do you currently have a router for your outbound internet traffic?  If so, what model is it?

If you do, then a managed switch with VLANs will be the ideal solution - VLANs are much easier to chop and change/manage than access lists unless you are very comfortable with network OSs.

Post any further queries

They do make routers with, for instance, 2 LAN ports that you can configure an ACL on to keep the networks separate; I use a Cisco 2600 at a high school I admin to accomplish this, to separate the admin and student networks.  However, that's about $2000.  Alternatively, what are you worried about customers accessing? You could just buy a wireless router and plug that straight into your network connection, and put the restaurant's computers behind another router.  That way the customers would only have access to the Internet.  Now, they'd still be able to sniff traffic coming from the router with your comps on it, but anything that gets there should be on its way to the Internet, and if you're concerned about that data, it should be encrypted anyway.

          Internet
               |
     Wireless Router
        |             |||
    Router      Customers
       |
Private Comps


-Bernie
As for brands of routers, I'm a big fan of Linksys.  Never had good experiences with D-Link.  Netgear is OK.

As for reading about network security... Any book that covers the CompTIA Security+ exam would be a good place to start.  

http://www.amazon.com/exec/obidos/tg/detail/-/0782143504/qid=1110552246/sr=8-4/ref=pd_csp_4/102-8996821-7502518?v=glance&s=books&n=507846
pseudocyber:
I would do it with a multiport firewall.  If you had a two-ethernet-port firewall, you could have the WAP on one and your internal network on the other.  Then, in the firewall, you don't allow the two nets to communicate - no rule allowing, so denied.  Both nets can talk to the Internet connection.

      Internet
           !
      Firewall
     !          !
WAP    Internal Net
These answers are great!
I am evaluating and learning.
I can try the 2 router Linksys option this weekend.

Question for pseudocyber:
Can you recommend a brand of firewall?
Is this something Linksys makes or Symantec or Cisco?

Thanks
Millard
Cisco makes excellent firewalls - the Pix is a recognized leader.  I'm more familiar with Checkpoint Firewall - ours runs on Nokia.

The symantec stuff looks interesting, but I've never used it.

If you have Linux expertise, you could get a PC with multiple NICs and run IPTables - and have your own firewall.  Or there are Linux based appliance alternatives, depending on your budget.

HTH
To follow the above post, a Cisco PIX 515E with 3 LAN ports would do the job.  Your inside interface would be your internal network, your DMZ interface would connect to your wireless network and both of these can go out through the outside interface to the internet.
Here's a lower-cost product from D-LINK
http://www.dlink.com/products/?sec=0&pid=349

You can take a Linksys WRV54G and make it a Boingo Hotspot. This makes all the wireless a DMZ that cannot access your internal LAN, and you reap recurring profit from Boingo.

lrmoore
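The two-port firewall pseudocyber describes and the three-interface PIX layout above both rest on the same policy: each segment may reach the Internet, and any zone pair without an explicit permit is denied. The following is an added example, not code from anyone in this thread; it models that default-deny forwarding decision in Python with constructed subnets (VLAN 10 guest, VLAN 20 internal) and hypothetical interface names, and adds the anti-spoofing check a real firewall needs so a guest host cannot claim an internal address.

```python
"""Default-deny zone policy for a guest WiFi / internal POS split.
Added example; addresses, zone and interface names are constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed addressing: VLAN 10 = guest wireless, VLAN 20 = internal.
ZONES = {
    "guest": ipaddress.ip_network("192.168.10.0/24"),
    "internal": ipaddress.ip_network("192.168.20.0/24"),
}

# Hypothetical three-port firewall: which interface belongs to which zone.
IFACE_ZONE = {"eth0": "outside", "eth1": "internal", "wlan0": "guest"}

# Only these (source zone, destination zone) pairs are permitted. Nothing
# lets guest and internal talk to each other: "no rule allowing, so denied".
ALLOWED = {("guest", "outside"), ("internal", "outside")}


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    ingress: str  # interface the packet arrived on


def zone_of(addr: str) -> str:
    """Map an address to the zone whose subnet contains it, else 'outside'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "outside"


def decide(pkt: Packet) -> str:
    """Return 'accept' or a 'drop:<reason>' verdict for a forwarded packet."""
    src_zone = IFACE_ZONE.get(pkt.ingress, "outside")
    # Anti-spoofing: a packet's source must belong to the zone of the
    # interface it arrived on; a guest claiming 192.168.20.x is dropped.
    if zone_of(pkt.src) != src_zone:
        return "drop:spoofed"
    if (src_zone, zone_of(pkt.dst)) in ALLOWED:
        return "accept"
    return "drop:no-rule"


if __name__ == "__main__":
    # Return traffic from the Internet is not modelled here; a real firewall
    # admits replies through connection tracking, not through a permit rule.
    for p in (Packet("192.168.10.7", "198.51.100.1", "wlan0"),
              Packet("192.168.10.7", "192.168.20.5", "wlan0"),
              Packet("192.168.20.5", "192.168.20.6", "wlan0")):
        print(p.src, "->", p.dst, "via", p.ingress, ":", decide(p))
```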
We weren't planning to spend $3000+ on this project unless we had to. Tell me if this would work?
What are the negatives?

          Internet
                  |
                Router
            |              |
 Local Network      Wireless router on another subnet
   |   |    |                  Wi-Fi
 local users


We are considering the Boingo idea
Thanks
Millard
SOLUTION
Les Moore (United States of America)
ASKER CERTIFIED SOLUTION