How do I separate two wireless home computers that are a security risk to the rest of my home network, using two routers?

We have a basic Linksys wireless router using a cable modem for home internet access, and want to isolate two of the hosts on our home network from dangerous traffic coming from the other three devices (two computers & a wireless I-Pad).  I was going to use another router to accomplish this, but most of what I am reading about this is confusing.  Do I need three routers, or two routers to accomplish this.  I need two distinct networks using basic routers if possible.  And how do I configure them generally speaking.  Thank you.
Who is Participating?
Actually in Handoo's diagram, If you put the kids computers as attached to Router 1's network, then they are not on the same LAN.  Router 2 sees Router 1's Network in the same way as Router 1 sees the internet (modem). You would be able to see your kid's computers but they could not see yours unless you initiated a connection, much the same way you would with a web page.

   | Cable | ======== | Router 1 |====== | Router 2 | =====| Comp 1
                                                  \======| Comp 3    \          | === Comp 2
                                                    \=====| iPad  
  This would give you the same protection between the networks as 3 routers.

JamesSenior Cloud Infrastructure EngineerCommented:
You can accomplish this if you have a Router that supports DMZ. You will only need one Router for this.
lextecAuthor Commented:
Traffic must be completely separated from each other yet remain NATed behind the firewalls.  As of now there is a single IP address for the cable modem.  How, using your suggestion of DMZ, can we isolate traffic.  We are fighting an intruder who is extremely adept at penetrating.  Thank you.
On-Demand: Securing Your Wi-Fi for Summer Travel

Traveling this summer?Check out our on-demand webinar to learn about the importance of Wi-Fi security and 3 easy measures you can start taking immediately to protect your private data while using public Wi-Fi. Follow us today to learn more!

Kris MontgomeryCommented:
I agree with JBond2010

My suggestion for a router.  Lots of features for $100. :)

lextecAuthor Commented:
Ok, I must use two routers for this reason, and I appreciate your suggestion to use a DMZ but, two computers are used by children and the attacker is gaining access through various means including emails, Facebook links, etc., but the childrens computers ARE the weakspot.  If the attacker compromises these systems he/she can damage and cause great harm to the two adult computers which carry many important docmuments, etc.  The attacker is one of the best, so based on my reseach, it seems two distinctly separate networks is the way to go.  I am am mistaken, please explain and perhaps we can go the DMZ route.   The DMZ allows for connections from the hosts on the same network right?
JamesSenior Cloud Infrastructure EngineerCommented:
With DMZ this will give you the option to create two seperate networks, via subnets. As security is a concern you should look into intrusion software.
Hi Lextec,

My first suggestion (in case you are fighting an intruder) would be NOT TO ENABLE DMZ. It would allow complete access to the intrude into your Network. Now, There would be two ways of getting into your network :

1). Via the Router
2). Via Internet

I would be explaining both the ways for you.

In Way 1 - The Intruder needs a direct/remote connection to the router. this can be done by simply plugging a laptop to one of the Ethernet ports of your Router (If you are fighting an intruder, I think you would have already taken care of this), or connecting wireless with your router and getting into your LAN. This can be taken care of by Securing your Wireless network with a WEP or WPA key and keep constantly changing them.
Also, you can bind your Laprop's / desktop's / iPad's MAC Addresses with your router, and so, the router will only provide an access to only your devices. This would be the best way to ensure that no other person/device can log into your network.

In Way 2 - Via the Internet.
Your IP can be traced once you are trying to access the web by packet sniffing. I would give you a wonderful Idea ! Change the DHCP configuration of the router : i.e if the router has got the DHCP range of, change this to, and then Install "IP Changer" software on your computer.

With this application, you can surf the internet and no one need to know your original address!! The Ip Changer 0.2 in this way allows you to keep changing your Ip settings, save them for future use and then apply them.


This way, you will secure your entire network, and will not spend for purchasing any other Router.

Or in case you want, you can Always buy another Router and connect it the way shown below :

   | Cable | ======== | Router 1 |========== | Router 2 | =====|==== Comp 1
                                                                                                    | === Comp 2
                                                                                                    |=== Comp 3 / iPAD
In this case, you will get an IP Address of (for E.g) on the cable Modem, that it will pass on to Router 1. Router 1 would then Generate an IP Address of the Series of (for E.g) which it will give as an input to Router 2, which will convert it into (for E.g) and give the three computers IP Addresses accordingly.

As per my suggestion. In case you have anything else in mind / an Add On, please let me know and I shall assist you further.

Till then,

Happy Surfing.
I believe your wireless access is your greatest weakness.  
I had one system that was being hacked, I started by changed the WEP key and it only took less that 2 minutes and he was back in.  
For any hint of wireless security, you must use MAC address filtering, and even that can be overcome.

The only truly secure wireless is no wireless.  I know it is extremely convenient, but also convenient to the hackers.

To start your security:
First update your anti-virus software, then download malwarebytes and install.  Once Malwarebytes has updated, disconnect the computer from the internet.  Run full malwarebytes scan, remove problems, then run your anti-virus full scan, remove problems, then run malwarebytes again.  Repeat this process (back & forth) until both are come up clean.  Each product helps uncover files / settings hidden from the other.  I have not discovered a single product that can find everything.

Put one computer (wired) back on to the network (with internet access) and log in to your modem and change all the passwords.  Do not use correctly spelled words and include capitals, numbers & symbols.  

You can use the double router system handoo_shuchit shows above but I suggest that your kids computers be connected to router 1as long as they are accessing pages / sites that are not secure.

A real boost for you would be to use a router (for router 1) like a Sonicwall tz200, or comparable, that has a better proactive firewall.  It's more expensive and there is a paid yearly agreement, but you won't believe the difference (if you can swing it).
Let us know.  :-)

lextecAuthor Commented:
Thanks for you comments.  Physical security is not an issue (yet!).  But all steps have been taken to secure the current wireless router from outside interference.  Again, the threat comes from our children's systems from a known stalker and expert programmer.  We must have ours kids computer's up on the wireless network as well as mine and my wifes.  I am fairly well trained in this area but want to ensure that Zero network packets including ARPs get to my wired and wife's wireless systems.  The attacker in the past has used the children's lack of judgement skills to plant rookkits etc into their machines to compromise the adult's machines.  For reasons I won't go into here, the attacker has access to an IPAD that wirelessly connects to our home network.  I want to continue to give the children their access but separate all those devices COMPLETELY, from ours.  I want the parents personal business to continue without fear of intrusion.  It seems to me the only way to accomplish this is thru the use of a second router.  I am thinking: three routers, maybe.  The first would be attached to the Cable Modem, then two more attached to the LAN ports on the first router.  The kids would have access to one of the wireless routers and we adults to the other wireless router (understanding that the first router is simply there as an interface to the modem).  The IP software suggested doesnt' address the internal danger we have.  It seems we must have two physical networks.  Where am I wrong, and can you suggest the best way to set this up.  Thanks so much for helping us with a very dangerous situation.
lextecAuthor Commented:
As a minor footnote I should mention we are giving up securing the kid's computers beyond the standard AV and softward firewall, and MAC filtering.  We have cleaned them and he attacks them again, exposing the rest of the computers to the worms, and trojans.  But we must have 4 devices wirelessly and one wired.  There is no changing this and we don't want the added expense of another internet subscription.  Many thanks again.
lextecAuthor Commented:
Thank you Handoo, but the computers in your diagram are all on the same LAN which doesn't implement protection for the two adult computers who are participating in the unsecure LAN.  The two adult systems have been certified threat free and have NIS.  MAC filtering has been implemented and passwords to administer the router have been changed to extremely strong passwords, as has the encrpytion WPA2 AES scheme.
Problem #1, the attacker has access to a device which logs on to the wireless network.

--Remove this access.

Problem #2: the attacker tricks the children into doing XYZ

--Monitor the usage. Shut it down when you aren't there.

If you truly have a stalker harassing your family, you _don't _ continue to provide access to the network.  Furthermore, if the stalker is using email, chat, and social networks to harass your children, you _don't_ continue unfettered and unmonitored access for your children.

I cannot see why any sane person would continue in this manner.
Another note - I agree with aleghart.  
Your kids are much important that their access to the internet?

re:  "as has the encrpytion WPA2 AES scheme."

It doesn't really matter what encryption scheme is implemented.  If the Perp is monitoring your wireless, all he has to do is capture the initial handshake packets and those have all the information he needs for him to clone the MAC address and encryption keys.  That packet is not encrypted yet because the encrypted link has not yet been established.  Every packet - even after the encryption, contains the MAC address or the level 2 devices (switch) wouldn't know where the packet is going.  

Getting a second internet connection won't solve the problem.  It exacerbates it, because (given the current behavior) you are likely to abandon the children to their own devices and ignore the new network.

The most effective method to segregate the traffic would be to have a router with an integrated wireless access point that can handle VLANs.  You can do the same with a separate access point, but you need the ability to handle VLANs.  SonicWall is a good source for that.  Netgear can get you a router plus WAP with VLANs.

If you aren't willing to spend that kind of money, then you can accomplish a cheap solution with three routers.

R1 connects to the internet.  Turn off wireless. Admin via wired only.
R2 connects "safe" network.  Turn off wireless. Admin via wired only.
R3 connects "dangerous" network.  Turn on wireless with WPA2 encryption.  Admin via wired only.

R1 LAN -> R2 WAN.  R2 WAN IP address is
R1 LAN -> R3 WAN.  R3 WAN IP address is

This segregates "safe" from "dangerous".  At any time, you can pull the plug between R1 & R3, disconnecting internet access, but not affecting R2 "safe" network.

This can be done with cheap $40 Linksys routers.

lextecAuthor Commented:
Thank you Aleghart and Dosdet2.  Very helpful information.  I think Aleghart that you have confirmed what I had believed to be the only "sure" solution.   I will wait for additional comments before awarding points.  Any further information on how to tweak the two inside routers will be appreciated. Otherwise, we will move to set this baby up and call it a victory for the good guys.

I am curious that the encrypted keys are at level 2 decipherable as WPA2 AES.  If it was that easy why have encryption at all.  Capturing packets is one thing, decryption is much more difficult if not impossible using AES and WPA2.  I am sure he monitor and sniffs but the real danger is the perps physical access to the IPAD.  This will not be a problem under algeharts scenario.

Excllent input thank you everyone!!
Suffice it to say that it's not sane to operate a network in this fashion.  But...that doesn't mean that there isn't a way to keep your personal network safe.

It's similar to an apartment situation where there are multiple units sharing one internet connection.  In addition to R2 & R3, you'd have R4, for each private network.  At some point the bandwidth sharing falls apart, but you get the idea.  Keeps your network safe from direct access.
I'm sorry.  I really didn't intend my comments to sound harsh, I'm not so good with words sometimes.

But to answer encryption question:

It's not that it is easy, but it's very doable for someone who is motivated enough.  Encryption is very good once it is established. There is a handshake that happens when the connection is established.  This handshake initiates the connection and encryption. A person monitoring this handshake can extrapolate the information needed to clone the handshake.   The MAC address (layer 2 - sorry - I mistyped this as `level') always has to be correct (cannot be encrypted) for the packets to know where to go.  The MAC address CAN be easily cloned once you know what it is.  Also you can't use it if the original MAC address is already on line.  That's where it's main security comes from.

The handshake only takes place at the point where the computer first initiates the connection to the AP.  The person must be capturing at the time of the handshake and be able to identify the correct packets. If they live outside your broadcast range, then they have to somehow "camp-out' within your broadcast range until a connection is made or reset.  Otherwise the encryption must be broken, and that is very hard.  IE: The motivation factor.
The real problem is that instructions for doing this can be found on-line.
lextecAuthor Commented:
Two ways to skin a cat; both solutions helped.  I will go with multiple routers (3) just because I feel safer under that model.  Thanks for all of your help.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.