Public Wifi on a private LAN

I'm sure this is simple, but so far I have not had success.  I have a WRT54G loaded with DD-WRT and a Netgear FVX538 router.  The Netgear ( is connected to my internet and is a DHCP server.  I want to be able to provide wireless internet through the Linksys without the possibility of probing to the 1.1 network where my personal computers are.

What I have done: set up DD-WRT as 2.1 with a static IP on the WAN (1.17) and connected the Internet port to a LAN port on the Netgear.  It works; it is acting as a DHCP server on the 2.1 network and I can access the internet; however, I can also type in a 1.xx address and open a web page on one of those computers.  I can't have that.  The Linksys (clients will always be wireless) needs all traffic to go to-from the internet only.  I don't even want a ping to a 1.xx address to respond.

What am I missing here?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Fred MarshallPrincipalCommented:
You have them backwards.  The one closest to the ISP connection should be the public one.  I have attached a paper that describes.
Put in the Netgear's DMZ.

According to the FVX538's manual, that router has advanced features for the DMZ, including being able to assign port 8 as the DMZ port, so you should study the manual carefully when configuring the DMZ.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial

you need a firewall filter rule on the DD-WRT that blocks traffic between and

iptables -I FORWARD 1 -p tcp -s -d -j DROP

if you have NAT on for the subnet, you may also need to add a rule to block traffic also from the dd-wrt router itself:

iptables -I FORWARD 1 -p tcp -s -d -j DR

Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

RareSeedsAuthor Commented:
Thanks for the suggestions.  Let me answer each one of you in order...

@fmarshall: The Netgear FVX538 has two WAN ports; I have two internet connections set up as a balanced load.  As a result, I must to use the Netgear as the primary router.  But there's more as described in the next answer:

@Darr247: The routers are in separate buildings connected by fiber.  It is not possible to connect the Linksys exclusively to a particular LAN port on the Netgear.  The Linksys building also needs private LAN access in addition to hosting the public wifi.  Also, both internet connections go to the Netgear building.

@meverest: You can't block all traffic to since it is the primary router supplying internet to the rest of the network as described above.  I am a complete novice at the iptables commands, so if there's a modification you can make to allow 1.1 while blocking 1.2-1.254, please post it.  Or this may not be a good idea; I don't know.
In DD-WRT, on the Administration tab, Commands sub tab, paste in the iptables commands meverset gave you, and click Run Commands after pasting in each one.

After you've pasted both in and ran them, test that the DD-WRT firewall is blocking from talking to - if it is, then click Save Firewall.

Those setting will be saved until you do a hard reset (holding the reset button in, plugging in the power, then continuing to hold the reset button in for 30 seconds, should clear the NVRAM where the iptables settings are stored... those settings should not be cleared by holding in the reset button for 30 seconds withOUT removing the power).

Here's a link to the wiki -
Fred MarshallPrincipalCommented:
OK.  I didn't mean to imply that you couldn't use the Netgear as the ISP interface.  That's fine.
What I did mean to say is that you would not want to connect the private computers at the Netgear LAN.  It's hard to isolate them that way.  Either it won't work or the settings will be somewhat obscure as in hard to figure out and/or hard to remember and maintain.  Keep it simple.

So, I would do this as shown in the diagrams:

Add another router (it doesn't have to be more than a commodity router unless you have a whole lot of computers).  It's WAN side will be  Then connect all the private computers to its LAN side.
If you don't want to change IP addresses on the working subnet then do this:
Make the new router LAN side be using so that it will be come the subnet gateway .. which it will be anyway.
Change the netgear LAN subnet to using
Now you will have a private LAN with wireless if you want it.

Now add a wireless router as a switch on the netgear LAN.  Turn off DHCP.  It will now act as an access point and get addresses from the Netgear.

This is a very simple setup that's fairly easy to understand and maintain.
>> You can't block all traffic to since it is the primary router supplying internet to the rest of the network as described above.

yes you can! :-)

The reason that this will work is because when traffic is forwarded to for internet access, the destination IP address is NOT (it is the internet address) and therefore the firewall will pass those packets. :)

You won't be able to ping the actual gateway itself, and when you try a traceroute, it will time out on that hop, but it will work perfectly OK - go ahead and try it ;-)

RareSeedsAuthor Commented:
Thanks for these suggestions and pointers.  I have implemented a combination of the accepted answers and it is working well.
RareSeedsAuthor Commented:
- Connecting the public Wifi to the DMZ is by far the best solution.
- The iptables command blocked the traffic between the private and public networks successfully; it is not the best, but it works.
- Redesigning and rewiring the network as fmarshall is also a perfect solution; it just requires more hardware.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Wireless Networking

From novice to tech pro — start learning today.