How to set up a guest wifi using 2 x DD-WRT routers?

OK, this is for a small business. We have one router running dd-wrt; attached to that one are about 10 computers (wired). Then we also have office wifi, to which one mobile tablet is connected.

Now the goal is to add a secure separate guest wifi. I have another older router running dd-wrt which would be great for that. The DSL modem is connected to the office main router, then a cable would connect the guest wifi router to that main router.
This is for a doctor's office so the guest wifi must not be able to tap into the office wifi/network but just use the internet connection (ideally with priority given to the office networks).

Can anyone guide me through the settings: what to enable, and how to connect and set up those 2 routers? Some questions I have specifically:
1) Do I enable DHCP on the guest router as well, if so does the guest router need a different ip, and dhcp ip range?
2) Both routers use wpa2, one is channel 1, the other runs on channel 11 is that correct?
3) Then I have enabled access point isolation on the guest router, is that enough to prevent anyone from peering into the business network? or do I need to setup vlans on the main router (and if so how?). Or would that be redundant (vlans seem to add quite a bit of complexity)
4) Do I need to set the wireless mode of the guest router to client, or do I leave it as AP?
5) Then I enabled p2p blocking on both routers, then ideally (bonus) how can I give bandwidth priority to the office networks (not the guest wifi).
Anyway some guidance in regards to how to set up this network would be appreciated.
mobile1Asked:

MikeKaneCommented:
I can offer the following:  

DD-WRT can support dual Wifi on some models of routers.   I happen to run a dual wifi on my home's Linksys WRT.   1 wifi for WPA and 1 wifi for WEP (for the kid's Nintendo DS).     Each wifi has its own DHCP and I use IPTables to keep traffic separated.      

If you want to keep only a single router, it might be possible but you need to check the HCL.   The main symptom of a router that doesn't support this feature is that the 2nd SSID will not be broadcast.    

So, if you want to keep 1 router, there is a step by step available here for creating the virtual Wifi, the DHCP scope, and the IPTables entries to separate the networks.
http://www.dd-wrt.com/wiki/index.php/Multiple_WLANs
http://www.dd-wrt.com/phpBB2/viewtopic.php?p=415872&sid=5eec0959448edd2da692fd4f45d0a1a7

Now, if you want to use the 2nd router, then you need to create 2 vlans.  1 for your normal office traffic, and then 1 for the link to the downstream router.   DD-WRT calls this a "public HotSpot Setup" and is documented right here:
http://www.dd-wrt.com/wiki/index.php/VLAN_Detached_Networks_each_with_Wireless_and_Internet

FYI, DD-WRT How-to's are listed here.... great reference: http://www.dd-wrt.com/wiki/index.php/Configuration_HOWTOs
0
pand0ra_usaCommented:
"secure separate guest wifi" - contradiction. ;)
(my personal opinion is that wifi is not, nor will it ever be, secure, at least not like a wired connection)


1) Do I enable DHCP on the guest router as well, if so does the guest router need a different ip, and dhcp ip range?
Yes, setup a range that does not conflict with any addresses in your network.

2) Both routers use wpa2, one is channel 1, the other runs on channel 11 is that correct?
Think of the channels as different phone lines. If you have several APs close to each other on the same channel (phone line) there will be cross talk/interference. You want at least 1 channel separating your APs from any other nearby AP (so channels 1 and 3 are ok but 1 and 2 slightly overlap).  


3) Then I have enabled access point isolation on the guest router, is that enough to prevent anyone from peering into the business network? or do I need to setup vlans on the main router (and if so how?). Or would that be redundant (vlans seem to add quite a bit of complexity)
I personally would skip VLANs and set it up to connect only to the outside of your firewall. Keep the guest completely off your internal network. Access point isolation will be a nightmare for you to manage and it will not prevent, only deter, someone from accessing the internal network.


4) Do I need to set the wireless mode of the guest router to client, or do I leave it as AP?
I would not set it to client, client mode will not accept wireless connections. Leave it as an AP and have a separate IP address range set aside for your guests. And preferably a connection that does not pass through your internal network.

5) Then I enabled p2p blocking on both routers, then ideally (bonus) how can I give bandwidth priority to the office networks (not the guest wifi).
You would have to set up QoS on your managed switches (specifically the ports the APs are connected to). Or limit the bandwidth allocated to that VLAN or port. Or
http://www.dd-wrt.com/wiki/index.php/Quality_of_Service

Anyway some guidance in regards to how to setup this network would be appreciated.

As a side note, I would not have used DD-WRT for a professional environment, it lacks in features specifically designed for things like this.

You need to know that HIPAA laws will apply to this setup since this is a DR's office. So be very careful.
0
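MikeKane's IPTables separation and pand0ra's advice to keep guests completely off the internal network can be combined in one DD-WRT firewall script. The following is an added example for this thread, not code from the original posts or from the DD-WRT project. It assumes the two-router layout the question describes (DSL modem -> office router -> cable -> guest router's WAN port), so the guest router NATs its clients onto the office LAN and is therefore the one place where guest-to-office traffic can be dropped. The addresses (office LAN 192.168.1.0/24, guest LAN 192.168.2.0/24), the bridge name br0 and the WAN interface name vlan2 are constructed for the example and must be checked against the real devices.

```shell
#!/bin/sh
# Added example for the GUEST router's Administration > Commands > "Save Firewall"
# box. Not from the original thread and not DD-WRT project code.
#
# Idea: guest clients may leave through the WAN to the internet, but anything
# from the guest bridge aimed at the office subnet, or at this router's own
# admin services, is dropped. DHCP (67/udp) and DNS (53) from this router stay
# reachable so guests still get addresses and name resolution.
#
# Constructed values (adjust to the real site):
OFFICE_NET="192.168.1.0/24"   # office LAN behind the main router
GUEST_NET="192.168.2.0/24"    # range the guest router's DHCP hands out (must not overlap)
GUEST_IF="br0"                # guest LAN/WiFi bridge on a DD-WRT router
WAN_IF="vlan2"                # guest router's WAN port; check with: nvram get wan_ifname

# Print the rules instead of running them straight away, so they can be
# reviewed (and tested) before they touch a live router. Every rule uses -I,
# so it lands ahead of DD-WRT's own default rules; DD-WRT already forwards
# br0 -> WAN for everything not dropped here.
guest_isolation_rules() {
    # FORWARD: guests must never reach the office subnet through the WAN side.
    printf '%s\n' "iptables -I FORWARD -i $GUEST_IF -o $WAN_IF -d $OFFICE_NET -j DROP"
    # INPUT: no web UI, SSH or telnet on this router from the guest side.
    for port in 22 23 80 443; do
        printf '%s\n' "iptables -I INPUT -i $GUEST_IF -p tcp --dport $port -j DROP"
    done
}

# Self-check: number of DROP rules the script emits.
guest_drop_rule_count() {
    guest_isolation_rules | grep -c -- '-j DROP'
}

# Apply the rules on the router. Each rule is deleted first (-I turned into -D)
# so re-running the script does not stack duplicates.
apply_guest_isolation() {
    command -v iptables >/dev/null 2>&1 || { echo "iptables not found; not applying" >&2; return 1; }
    guest_isolation_rules | while IFS= read -r rule; do
        del=$(printf '%s' "$rule" | sed 's/ -I / -D /')
        $del 2>/dev/null
        $rule
    done
}

# "sh script.sh apply" installs the rules; without an argument it only prints them.
if [ "${1:-print}" = "apply" ]; then
    apply_guest_isolation
else
    guest_isolation_rules
fi
```

Because the guest router's NATed traffic still rides on the office LAN cable, this design relies entirely on the guest router's own firewall; the VLAN layout in the DD-WRT wiki page MikeKane links moves that enforcement onto the main router, which is the stronger choice for an office holding patient data. After applying, `iptables -L FORWARD -n --line-numbers` on the guest router should show the office-subnet DROP at position 1.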
Erik BjersPrincipal Systems AdministratorCommented:
If this is a doctor's office that has patient medical information, you need to step back and look at your security, because from your question it seems you may have some holes (i.e. the tablet PC on WiFi).

1) You need a proper firewall that also supports a DMZ (or more than one DMZ); for this you can go with a SonicWALL TZ series device (some even support WiFi), Cisco ASA5505 Sec+ (security plus license), or a Cisco SA 500 series (again some support WiFi). I recommend either the SonicWALL TZ210 or the Cisco ASA5505 Sec+.

2) Set up your internal network as WIRED ONLY (we will get to the tablet in a moment)

3) Set up your DMZ as the WiFi network (this will separate the networks for you)

4) Configure the SonicWALL or Cisco device as a VPN server on the WiFi (DMZ) interface

5) Set up a VPN client on the tablet and any other WiFi computer that needs access to the internal network.

This is a more complicated solution but when you are dealing with medical records you need to be extremely careful and in most countries there are regulations controlling how you protect that information.

eb
0

mobile1Author Commented:
different solution than expected but replies make sense.
0