Public Wifi on a private LAN

I'm sure this is simple, but so far I have not had success.  I have a WRT54G loaded with DD-WRT and a Netgear FVX538 router.  The Netgear (192.168.1.1) is connected to my internet and is a DHCP server.  I want to be able to provide wireless internet through the Linksys without the possibility of probing to the 1.1 network where my personal computers are.

What I have done: set up DD-WRT as 2.1 with a static IP on the WAN (1.17) and connected the Internet port to a LAN port on the Netgear.  It works; it is acting as a DHCP server on the 2.1 network and I can access the internet; however, I can also type in a 1.xx address and open a web page on one of those computers.  I can't have that.  The Linksys (clients will always be wireless) needs all traffic to go to-from the internet only.  I don't even want a ping to a 1.xx address to respond.

What am I missing here?
RareSeedsAsked:
Who is Participating?
 
Darr247Connect With a Mentor Commented:
Put 192.168.1.17 in the Netgear's DMZ.

According to the FVX538's manual, that router has advanced features for the DMZ, including being able to assign port 8 as the DMZ port, so you should study the manual carefully when configuring the DMZ.
0
 
Fred MarshallPrincipalCommented:
You have them backwards.  The one closest to the ISP connection should be the public one.  I have attached a paper that describes.
Multiple-Subnets.pdf
0
 
meverestConnect With a Mentor Commented:
Hi,

you need a firewall filter rule on the DD-WRT that blocks traffic between 192.168.1.0/24 and 192.168.2.0/24:

iptables -I FORWARD 1 -p tcp -s 192.168.1.0/24 -d 192.168.2.0/24 -j DROP

if you have NAT on for the 192.168.2.0 subnet, you may also need to add a rule to block traffic also from the dd-wrt router itself:

iptables -I FORWARD 1 -p tcp -s 192.168.1.0/24 -d 192.168.1.17 -j DR

cheers!
0
Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

 
RareSeedsAuthor Commented:
Thanks for the suggestions.  Let me answer each one of you in order...

@fmarshall: The Netgear FVX538 has two WAN ports; I have two internet connections set up as a balanced load.  As a result, I must to use the Netgear as the primary router.  But there's more as described in the next answer:

@Darr247: The routers are in separate buildings connected by fiber.  It is not possible to connect the Linksys exclusively to a particular LAN port on the Netgear.  The Linksys building also needs private LAN access in addition to hosting the public wifi.  Also, both internet connections go to the Netgear building.

@meverest: You can't block all traffic to 192.168.1.1 since it is the primary router supplying internet to the rest of the network as described above.  I am a complete novice at the iptables commands, so if there's a modification you can make to allow 1.1 while blocking 1.2-1.254, please post it.  Or this may not be a good idea; I don't know.
0
 
Darr247Commented:
In DD-WRT, on the Administration tab, Commands sub tab, paste in the iptables commands meverset gave you, and click Run Commands after pasting in each one.

After you've pasted both in and ran them, test that the DD-WRT firewall is blocking 192.168.2.0 from talking to 192.168.1.0 - if it is, then click Save Firewall.

Those setting will be saved until you do a hard reset (holding the reset button in, plugging in the power, then continuing to hold the reset button in for 30 seconds, should clear the NVRAM where the iptables settings are stored... those settings should not be cleared by holding in the reset button for 30 seconds withOUT removing the power).

Here's a link to the wiki - http://www.dd-wrt.com/wiki/index.php/Iptables_command
0
 
Fred MarshallConnect With a Mentor PrincipalCommented:
OK.  I didn't mean to imply that you couldn't use the Netgear as the ISP interface.  That's fine.
What I did mean to say is that you would not want to connect the private computers at the Netgear LAN.  It's hard to isolate them that way.  Either it won't work or the settings will be somewhat obscure as in hard to figure out and/or hard to remember and maintain.  Keep it simple.

So, I would do this as shown in the diagrams:

Add another router (it doesn't have to be more than a commodity router unless you have a whole lot of computers).  It's WAN side will be 192.168.1.xxx.  Then connect all the private computers to its LAN side.
If you don't want to change IP addresses on the working subnet then do this:
Make the new router LAN side be 192.168.1.0 using 192.168.1.1 so that it will be come the subnet gateway .. which it will be anyway.
Change the netgear LAN subnet to 192.168.99.0 using 192.168.99.1
Now you will have a private LAN with wireless if you want it.

Now add a wireless router as a switch on the netgear LAN.  Turn off DHCP.  It will now act as an access point and get addresses from the Netgear.

This is a very simple setup that's fairly easy to understand and maintain.
Wireless-Router-as-a-Simple-Swi.pdf
0
 
meverestCommented:
>> You can't block all traffic to 192.168.1.1 since it is the primary router supplying internet to the rest of the network as described above.

yes you can! :-)

The reason that this will work is because when traffic is forwarded to 192.168.1.1 for internet access, the destination IP address is NOT 192.168.1.0/24 (it is the internet address) and therefore the firewall will pass those packets. :)

You won't be able to ping the actual gateway itself, and when you try a traceroute, it will time out on that hop, but it will work perfectly OK - go ahead and try it ;-)

Cheers!
0
 
RareSeedsAuthor Commented:
Thanks for these suggestions and pointers.  I have implemented a combination of the accepted answers and it is working well.
0
 
RareSeedsAuthor Commented:
- Connecting the public Wifi to the DMZ is by far the best solution.
- The iptables command blocked the traffic between the private and public networks successfully; it is not the best, but it works.
- Redesigning and rewiring the network as fmarshall is also a perfect solution; it just requires more hardware.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.