Provide public hotspot keeping private network secure

Hello Experts,

A small office wants to provide internet for visitors without exposing their computers.  They have DSL internet service.  Will this work?

Use the DMZ port to put a wireless router on the internet.  Both routers use NAT.

           DSL Modem / Router
              |DMZ               |
       Wireless             Office
       Router              Network

I think it should be okay to put a second router in the DMZ of the first router.  Here is the big question ... Will this keep the public hotspot visitors out of the office network?


ECNSSMT Commented:
253 devices per this subnet, with being reserved for the network, being reserved for broadcast, and an IP address 192.168.16.X being reserved for the inside NATed address used as the default gateway.

Also, there is a big difference between the SOHO/consumer routers and the Enterprise models.  On the SOHO side, you have the theoretical limit of a class C subnet (255 IP addresses, with 252 IP addresses usable for devices).  Depending on the amount of traffic you have, you may quickly run out of usable bandwidth before you get to that 253 device limit.  So per the SOHO router with the added assistance of a switch, I can definitely say that it can easily handle 10 office users casually accessing the internet; at some point when you get to 30 users you may begin to see latency.  You may want to start to look into higher end devices like an L3 switch from Netgear that can provide the segregation on one box.  It's going to be $$$ though.

If you use a subnet mask of /20 (255.255.240)
starting at,, you can get your 4095 ip addresses (or 4092 usable; with e.g. being the network, being the broadcast for this subnet and an ip address as the default gateway).  But this implies that you get a router that can do better than a /24 SM (

Using 3 SOHO routers will be a bit of a pain, but it's do-able.  And with the SOHO router you only have the capability of allocating a subnet with a max number of 255 IPs per subnet.  In almost all small businesses this is ample space, even though the outgoing traffic will reach the max capacity way before you hit 253 devices.

>The wireless router for the hotspot will be NAT.  This keeps the office people out of the public network.  But the office will not be using NAT.  
All the SOHO routers will be using NAT to translate between the "inside" private address and the "outside" public address.  NAT was one of the methodologies used to resolve the IPv4 address shortage that was looming back in 1994; now sharing 1 public IP address between many devices with private IP addresses is a commonplace practice.

>I'm assuming that because of the different subnets that it will not be possible for a computer on the hotspot to be able to connect to a computer in the office.  Correct?

The subnets in general are just a means to segregate your layer 2 frame traffic; if it needs to go outside your subnet, Layer 3 headers are provided per frame traffic and the packet is then routed towards its correct destination; but just think of it as segregating the traffic.  

If the user on the NATed wireless hotspot knows the IP address of the not-NATed office PC and there was a means enabled for logging into that PC, it could be done.  However, conversely, the non-NATed office PC will not be able to specifically see or readily access a user on the wireless hot spot because that user is behind a NATed router.  Again, a NATed device takes an IP address & port assignment on one side and associates it with an IP address on the other side; there is no way for any device to look at a router's NAT table to determine what is what.  So, not correct.  But the slight consolation is that users are usually interested in getting to the internet to do their thing and hacking is left to the hackers....

The VPN part will be interesting to say the least, and a well-planned infrastructure, especially in this case, will be needed.

If both networks are behind NATed routers, the only thing that either network will see would possibly be traffic with only the IP address of the other NATed router's WAN interface.  So if you were (able to) stick a sniffer somewhere between the two NATed routers egressing to the internet, you would think that there are two really chatty IP addresses only; you will not be able to even guess as to what is behind the IP address.
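A toy model of the reachability argument made above, added here as an example and not part of the original answer: the hotspot router does NAT, the office router does not, and all addresses (192.168.0.2 as the hotspot router's WAN side, 192.168.16.50 as a hotspot client, 192.168.32.5 as an office PC) are constructed to match the layout discussed in the thread.

```python
# Added example: a minimal port-based NAT table to show why a NATed hotspot
# client can reach a non-NATed office PC, while the office PC cannot reach
# the hotspot client. All addresses below are constructed for illustration.
from dataclasses import dataclass, field

HOTSPOT_WAN = "192.168.0.2"   # constructed: hotspot router's address on the DSL router LAN
HOTSPOT_CLIENT = "192.168.16.50"
OFFICE_PC = "192.168.32.5"


@dataclass
class NatRouter:
    wan_ip: str
    # wan_port -> (inside_ip, inside_port); only outbound traffic creates entries
    table: dict = field(default_factory=dict)
    next_port: int = 40000

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an outgoing packet and record the mapping so replies can return."""
        wan_port = self.next_port
        self.next_port += 1
        self.table[wan_port] = (src_ip, src_port)
        return (self.wan_ip, wan_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Deliver an incoming packet only if a mapping exists; otherwise drop it (None)."""
        inside = self.table.get(dst_port)
        if inside is None:
            return None   # unsolicited packet: nothing inside is addressable
        return (src_ip, src_port) + inside


def hotspot_to_office(router):
    """Hotspot client opens a connection to the office PC (e.g. SMB on port 445).
    The office PC has a plain routable private address, so the packet gets through."""
    return router.outbound(HOTSPOT_CLIENT, 51000, OFFICE_PC, 445)


def office_reply(router, wan_port):
    """The office PC's reply comes back to the hotspot router's WAN address and
    is mapped to the client that started the conversation."""
    return router.inbound(OFFICE_PC, 445, wan_port)


def office_to_hotspot(router):
    """The office PC only knows the hotspot router's WAN address; with no
    mapping for the port it picks, the router drops the packet."""
    return router.inbound(OFFICE_PC, 51001, 40999)
```

The office side therefore needs an explicit filter on its own router (dropping traffic sourced from the hotspot range) if reachability from the hotspot is to be prevented; the NAT and the separate subnet do not provide that by themselves.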

testbenchdude (Author) Commented:

I've been reading that the DMZ feature of consumer routers is only intended for routing to a single PC and does not necessarily provide isolation from other systems.  I am now thinking about a three router solution.  Also, NAT is not an option for the office because I'm told we'll need to provide VPN access.  So I'm kicking this up a notch.

          DSL Modem / Router  
            |                        |
     Wireless                   Wireless
     Router                      Router
     (192.168.16.x)          (192.168.32.x)
      DHCP                      DHCP
          |                          |
     Public                       Office
    Hotspot                     Network

This makes 3 subnets at 192.168.0.x, 192.168.16.x, 192.168.32.x

I believe this would allow for the future addition of many more subnets at:

If I did my math correctly this gives me 16 subnets with 4096 devices per subnet.  I can't imagine ever needing that many addresses.

I'm thinking a subnet mask of would be proper for all subnets???

The wireless router for the hotspot will be NAT.  This keeps the office people out of the public network.  But the office will not be using NAT.  I'm assuming that because of the different subnets that it will not be possible for a computer on the hotspot to be able to connect to a computer in the office.  Correct?

I'll post more info about VPN routing when I have it.
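The subnet arithmetic from the post above, worked through with Python's standard ipaddress module as an added example (not code from the thread): it carves 192.168.0.0/16 into /20 blocks, reports the network, broadcast, mask and usable host count of each, locates which block a given host falls in, and checks whether two hosts share a subnet. The three networks named in the post (192.168.0.x, 192.168.16.x, 192.168.32.x) are used as the sample hosts.

```python
# Added example: check the /20 subnet plan with the standard library.
import ipaddress


def plan_subnets(base="192.168.0.0/16", prefix=20):
    """Split the private block into equal subnets of the given prefix length."""
    return list(ipaddress.ip_network(base).subnets(new_prefix=prefix))


def subnet_summary(net):
    """Network, broadcast, dotted mask and usable host count for one subnet.
    Two addresses (network and broadcast) are never assignable to hosts."""
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "mask": str(net.netmask),
        "usable_hosts": net.num_addresses - 2,
    }


def which_subnet(ip, subnets):
    """Index of the subnet containing ip, or None if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for i, net in enumerate(subnets):
        if addr in net:
            return i
    return None


def same_subnet(ip_a, ip_b, prefix=20):
    """True if the two hosts share a subnet under this mask, i.e. they talk
    directly at layer 2; False means a router has to forward between them."""
    net_a = ipaddress.ip_interface(f"{ip_a}/{prefix}").network
    net_b = ipaddress.ip_interface(f"{ip_b}/{prefix}").network
    return net_a == net_b


if __name__ == "__main__":
    nets = plan_subnets()
    print(len(nets), "subnets")
    for host in ("192.168.0.10", "192.168.16.50", "192.168.32.5"):
        print(host, "->", subnet_summary(nets[which_subnet(host, nets)]))
```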

testbenchdude (Author) Commented:

After further reflection on the public hotspot I've decided it causes too many headaches to keep a public wi-fi and a secure office network on the same DSL modem.

I've recommended my client to subscribe for a second DSL service.  In our area a basic 256K DSL package costs about $25 per month.  This second DSL circuit will be set up as a dedicated service to provide the public hot spot.  (The office next door may be willing to split the cost so we may only be looking at around $12.50 per month)

Now with the hotspot headache out of the way I can look into the VPN issue for the office network.  This office has 4 employees.  Two of these employees want the ability to map shares on the office file server (Linux) as a drive on their home PC.  This is necessary to be able to use a certain accounting software program that allows multiple accountants to share the same up-to-date client information.  

All of the desktop computers are running Windows XP Home and there is a single Linux based NAS device being used for file sharing.

For VPN I've started reading up on some popular SOHO VPN routers (Linksys BEFVP41, SnapGear Lite+, ZyWall 10).  So far the SnapGear looks attractive.  

Besides the two simultaneous home users it would be good to plan for a roaming system to connect from any client's office using IPSec software.  I've read that Microsoft's ipseccmd utility can be difficult and annoying to use, so I've got much learning to do here as well.

testbenchdude (Author) Commented:
I have closed this question.  "Provide public hotspot keeping private network secure"

For this situation my recommended solution is two DSL circuits.  One DSL circuit for a secure office network.  The other DSL circuit for a public hotspot.

... monthly cost
... duplicate hardware

... very simple implementation
... public visitors do not degrade office bandwidth
... no hacker risk from public hotspot

Once I learn more about the VPN issues I will post a new question.

Thanks for the points.

Just a heads up though: with the SOHO router based VPNs, it will utilize the internet connection, and anyone expecting to use the internet during its operation may be sadly disappointed.  For SOHO class stuff, you may be looking at a server based solution, or RDP.  But if you don't mind seeing for yourself you can get a second hand Netgear for <$50
