Wireless Hotspot - Have I used the correct hardware & IP configuration for good security?

Hi all

I have been asked to implement a (low cost!) Free wifi hotspot for the bar area of a small local hotel. The options of a managed hotspot (ongoing fee) and hotspot router (@£400) were not feasible, so after some investigation I added a second router to the existing modem router setup, put them on separate subnets (IPs are and and used the DSL router as the hotspot and the LAN attached cable router as the private LAN router/access point.

Please see diagram for detailed setup information.

This is working ok but I need to move the hotspot router to a better location, and this means extending both the LAN and the DSL phone cable by 10-20 metres. It would be simpler to swap the routers around and use the DSL router as the private (in the office) and relocate the second router to the better location.

My problem is that if I swap the routers, and set up the downstream (LAN attached) router as the public hotspot - on, and the DSL router as the private network (, I can still connect from the public side ( to the private side ( and access private resources despite them being on different subnets ( and

I have assumed that this is because the public router on is 'bridged' to the Internet IP address ( supplied by the DSL router ( and can therefore see all of the private side too.

My question is: Can I re-arrange the routers (see preferred) to route the 'public' traffic through to the 'private' DSL router's internet connection without compromising the security of the private network?
Asked by: Adrian Bowden

Adrian Bowden (Author) commented:
Help - Can't seem to attach any files??

Adrian Bowden (Author) commented:
Ok - IE8 doesn't seem to like the add files dialog. Switched to 'Compatibility View' mode and all ok.

Q: "Can I re-arrange the routers (see preferred) to route the 'public' traffic through to the 'private' DSL router's internet connection without compromising the security of the private network?"

A: Yes, if you can set VLANs on that office router: one for the public interface where the public router is connected, and another VLAN on the interfaces where the office clients are connected.

And you can set some routing on the office router. You can set routing from the "public" interface (the interface where the public router is connected) only to the WAN interface (where the DSL is connected), so that clients connected to the public router will be routed directly to the Internet (this can be set as a static route on the office router).
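
Added example, not part of the original thread or the answer above: a small Python model of the forwarding decision on the downstream hotspot router, showing why separate subnets alone do not isolate the office LAN and how an ordered deny rule for the office subnet leaves guests only the Internet path. It uses a destination filter on the hotspot router rather than the VLANs suggested above; all addresses, the rule format and the function names are constructed for illustration, since the thread's real IPs and the Netgear settings are not shown on the page.

```python
import ipaddress

# Constructed example addressing (not the poster's real values).
# The hotspot router's WAN port sits inside OFFICE_NET, which is the problem.
OFFICE_NET = ipaddress.ip_network("192.168.0.0/24")  # private LAN behind the DSL router

# Ordered forwarding rules on the hotspot router: (action, destination, proto, port).
# None matches any protocol or port. The first matching rule wins.
DEFAULT_RULES = [("allow", "0.0.0.0/0", None, None)]  # forward anything upstream
HARDENED_RULES = [
    ("allow", "192.168.0.1/32", "udp", 53),  # DNS to the DSL router only
    ("deny", "192.168.0.0/24", None, None),  # everything else on the office LAN
    ("allow", "0.0.0.0/0", None, None),      # the Internet
]

def decide(rules, dst, proto, port):
    """Return the action of the first rule matching a guest-originated packet."""
    dst = ipaddress.ip_address(dst)
    for action, net, r_proto, r_port in rules:
        if dst not in ipaddress.ip_network(net):
            continue
        if r_proto is not None and r_proto != proto:
            continue
        if r_port is not None and r_port != port:
            continue
        return action
    return "deny"  # nothing matched: implicit default deny

def audit(rules, probes):
    """List probes aimed at the office LAN that the ruleset would forward."""
    return [p for p in probes
            if ipaddress.ip_address(p[0]) in OFFICE_NET
            and decide(rules, *p) == "allow"]

# Constructed probes: a file share, the router admin page, DNS, an Internet host.
PROBES = [
    ("192.168.0.20", "tcp", 445),
    ("192.168.0.1", "tcp", 80),
    ("192.168.0.1", "udp", 53),
    ("203.0.113.10", "tcp", 443),
]

if __name__ == "__main__":
    for name, rules in (("default", DEFAULT_RULES), ("hardened", HARDENED_RULES)):
        print(name, "forwards to office LAN:", audit(rules, PROBES))
```

With the hardened ordering, the only office-LAN flow still forwarded is the deliberate DNS exception; moving the deny rule below the catch-all allow would silently restore full access.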


Adrian Bowden (Author) commented:

VLANs and static routes?

I'm not sure that these Netgear devices support VLANs, but I will investigate further on both issues.
Could you possibly explain a little more, or give me examples of router settings for each option you have mentioned?

I also have the option of adding a WG102 Wireless AP to the 'current' set up which does support VLAN, but would it need to be configured on both routers for it to operate correctly?

Adrian Bowden (Author) commented:
Very unimpressed with the complete lack of response to this question.

I eventually added a WG102 access point in the bar, connected to the DSL router, then added a WPN824 (wired) router from the DSL router to provide the back end (private access).

Points awarded to MiamiCo just for replying with a possible solution.

Adrian Bowden (Author) commented:
Thank you for your response.