Provide public hotspot keeping private network secure

Posted on 2006-06-23
Last Modified: 2013-12-14
Hello Experts,

A small office wants to provide internet for visitors without exposing their computers.  They have DSL internet service.  Will this work?

Use the DMZ port to put a wireless router on the internet.  Both routers use NAT.

           DSL Modem / Router
              |DMZ               |
       Wireless             Office
       Router              Network

I think it should be okay to put a second router in the DMZ of the first router.  Here is the big question ... Will this keep the  public hotspot visitors out of the office network?


Question by: testbenchdude

Expert Comment

ID: 16973378
If both networks are behind NATed routers, the only thing that either network will see would possibly be traffic with only the IP address of the other NATed router's WAN interface.  So if you were able to stick a sniffer somewhere between the two NATed routers, egressing to the internet, you would think that there are two really chatty IP addresses only; you will not be able to even guess as to what is behind the IP address.


Author Comment

ID: 16973584

I've been reading that the DMZ feature of consumer routers is only intended for routing to a single PC and does not necessarily provide isolation from other systems.  I am now thinking about a three router solution.  Also, NAT is not an option for the office because I'm told we'll need to provide VPN access.  So I'm kicking this up a notch.

          DSL Modem / Router  
            |                        |
     Wireless                   Wireless
     Router                      Router
     (192.168.16.x)          (192.168.32.x)
      DHCP                      DHCP
          |                          |
     Public                       Office
    Hotspot                     Network

This makes 3 subnets at 192.168.0.x, 192.168.16.x, 192.168.32.x

I believe this would allow for the future addition of many more subnets at:

If I did my math correctly this gives me 16 subnets with 4096 devices per subnet.  I can't imagine ever needing that many addresses.

I'm thinking a subnet mask of would be proper for all subnets???

The wireless router for the hotspot will be NAT.  This keeps the office people out of the public network.  But the office will not be using NAT.  I'm assuming that because of the different subnets that it will not be possible for a computer on the hotspot to be able to connect to a computer in the office.  Correct?

I'll post more info about VPN routing when I have it.

Accepted Solution

ECNSSMT earned 250 total points
ID: 16975984
253 devices per this subnet, with being reserved for network, being reserved for broadcast and an IP address 192.168.16.X being reserved for the inside NATed address used as the default gateway.

Also, there is a big difference between the SOHO/consumer routers and the Enterprise models.  On the SOHO side, you have the theoretical limit of a class C subnet (255 IP addresses, with 252 IP addresses usable for devices).  Depending on the amount of traffic you have, you may quickly run out of usable bandwidth before you get to that 253 device limit.  So per the SOHO router with the added assistance of a switch, I can definitely say that it can easily handle 10 office users casually accessing the internet; at some point when you get to 30 users you may begin to see latency.  You may want to start to look into higher end devices like a L3 Switch from Netgear that can provide the segregation on one box.  It's going to be $$$ though.

If you use a subnet mask of /20 (255.255.240)
starting at,, you can get your 4095 ip addresses (or 4092 usable; with e.g. being the network, being the broadcast for this subnet and an ip address as the default gateway).  But this implies that you get a router that can do better than a /24 SM (

Using 3 SOHO routers will be a bit of a pain, but it's do-able.  And with the SOHO router you only have the capability of allocating a subnet with a max number of 255 IPs per subnet.  In almost all small businesses this is ample space, even though the outgoing traffic will reach the max capacity way before you hit 253 devices.

>The wireless router for the hotspot will be NAT.  This keeps the office people out of the public network.  But the office will not be using NAT.  
All the SOHO routers will be using NAT to translate between the "inside" private address and the "outside" public address.  NAT was one of the methodologies used to resolve the IPv4 address shortage that was looming back in 1994; now sharing 1 public IP address between many devices with private IP addresses is a commonplace practice.

>I'm assuming that because of the different subnets that it will not be possible for a computer on the hotspot to be able to connect to a computer in the office.  Correct?

The subnets in general are just a means to segregate your layer 2 frame traffic; if it needs to go outside your subnet, layer 3 headers are provided per frame and the packet is then routed towards its correct destination; but just think of it as segregating the traffic.

If the user on the NATed wireless hotspot knows the IP address of the not-NATed office PC and there was a means enabled for logging into that PC, it could be done.  However, conversely, the non-NATed office PC will not be able to specifically see or readily access a user on the wireless hot spot because that user is behind a NATed router.  Again, a NATed device takes an IP address & port assignment on one side and associates it with an IP address on the other side; there is no way for any device to look at a router's NAT table to determine what is what.  So, not correct.  But the slight consolation is that users are usually interested in getting to the internet to do their thing and hacking is left to the hackers....

The VPN part will be interesting to say the least, and a well-planned infrastructure, especially in this case, will be needed.
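As an added illustration (not part of the thread), the subnet arithmetic the author and the accepted answer go back and forth on, plus the answer's point that a different subnet is not by itself a barrier: a host that cannot reach the destination directly simply hands the packet to its gateway, which forwards it unless a firewall rule says otherwise. It uses Python's standard ipaddress module; the addresses follow the thread's 192.168.0.x / 192.168.16.x / 192.168.32.x plan and are constructed, not taken from any real deployment.

```python
import ipaddress

# Constructed: the private block the thread carves into /20 subnets.
LAN_BLOCK = ipaddress.ip_network("192.168.0.0/16")


def subnet_math(cidr):
    """Network, broadcast, gateway and device count for one subnet.

    Follows the accepted answer's accounting: one address each is lost to the
    network address, the broadcast address and the router's inside (gateway)
    address, assumed here to be the first host address.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    gateway = net.network_address + 1
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "gateway": str(gateway),
        "total": net.num_addresses,
        "usable_devices": net.num_addresses - 3,
    }


def carve_subnets(block, prefix):
    """Split a block into equal subnets (the author's 16 x /20 out of a /16)."""
    return [str(s) for s in block.subnets(new_prefix=prefix)]


def same_subnet(host_a, host_b, prefix):
    """True when both hosts share one broadcast domain at this mask length."""
    subnet_a = ipaddress.ip_network(f"{host_a}/{prefix}", strict=False)
    return ipaddress.ip_address(host_b) in subnet_a


def next_hop(src, dst, prefix, default_gw):
    """Where a host sends a packet: 'direct' on its own subnet, else to its gateway.

    Being on a different subnet does not drop the packet; the router decides
    whether to forward it, which is why a filtering rule, not just a separate
    subnet, is what keeps hotspot users out of the office network.
    """
    if same_subnet(src, dst, prefix):
        return "direct"
    return default_gw
```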


Author Comment

ID: 17012543

After further reflection on the public hotspot I've decided it causes too many headaches to keep a public wi-fi and a secure office network on the same DSL modem.

I've recommended my client to subscribe for a second DSL service.  In our area a basic 256K DSL package costs about $25 per month.  This second DSL circuit will be set up as a dedicated service to provide the public hot spot.  (The office next door may be willing to split the cost so we may only be looking at around $12.50 per month)

Now with the hotspot headache out of the way I can look into the VPN issue for the office network.  This office has 4 employees.  Two of these employees want the ability to map shares on the office file server (Linux) as a drive on their home PC.  This is necessary to be able to use a certain accounting software program that allows multiple accountants to share the same up-to-date client information.  

All of the desktop computers are running Windows XP Home and there is a single Linux based NAS device being used for file sharing.

For VPN I've started reading up on some popular SOHO VPN routers (Linksys BEFVP41, SnapGear Lite+, ZyWall 10).  So far the SnapGear looks attractive.  

Besides the two simultaneous home users it would be good to plan for a roaming system to connect from any client's office using IPSec software.  I've read that Microsoft's ipseccmd utility can be difficult and annoying to use so I've got much learning to do here as well.


Author Comment

ID: 17012620
I have closed this question.  "Provide public hotspot keeping private network secure"

For this situation my recommended solution is two DSL circuits.  One DSL circuit for a secure office network.  The other DSL circuit for a public hotspot.

... monthly cost
... duplicate hardware

... very simple implementation
... public visitors do not degrade office bandwidth
... no hacker risk from public hotspot

Once I learn more about the VPN issues I will post a new question.


Expert Comment

ID: 17031249
Thanks for the points.

Just a heads up though with the SOHO router based VPNs: it will utilize the internet connection and anyone expecting to use the internet during its operation may be sadly disappointed.  For SOHO class stuff, you may be looking at a server based solution, or RDP.  But if you don't mind seeing for yourself you can get a second hand Netgear for <$50

