jbarnette asked:
Trouble setting up guest wireless router on domain network

I've been trying to provide guests that visit our company with wireless internet access. In the past we had a single router set up on our internal network and we just gave them the key to the router. In an effort to try and secure this dangerous hole, I purchased an additional router to separate our internal from the guest networks. However, I'm running into a bit of trouble.

I've attached a rough diagram that shows my basic layout, only there are actually about 25 or so workstations, but the IPs are all static for these. So basically what I've done is run an Ethernet cable from a port in an office to one of the LAN ports of the new wireless router. The internet settings are set to automatically detect. The IP of the router is one from our network, just like I would set up a workstation. DHCP is turned off because our server is providing that and I don't want a conflict.

Now, I have another Ethernet cable that is going to the other port in that same office to the Internet port of the second wireless router. This router is set up on a different IP range than our internal network and DHCP is turned on to issue IPs on that same IP range for the guest computers who connect. The problem is that the only way I could get the internet to work through this router is to set the internet settings to an IP on our internal network. See the attached diagram for an example.

One problem I've come across is this. A few of my workstations now show in their network settings that they are connected to a "Network 2" rather than our "domain". Everything still works the same...the Internet works, the mapped drives to the server, everything...but this is not right. It should be connected to our domain rather than a "work" network called Network 2.

Also, I have my doubts that the guest wireless router is configured properly, but my issue is that my ISP router, and the location where I need to provide guest wireless access, is very far away. If I plug the guest router directly into the ISP router, then from there to my ASA, then I might have wireless access near the server, but it would not reach to the other end of the building where I need it. So, how should I configure this set up?

Yet again, my workstations are all now installing a "Netgear Wireless Module". The Netgear is the new router I put in for our internal wireless, so I must not have that one configured correctly either. I simply want it to act as a wireless switch, not take over the network.

Please help. I can answer questions if needed. Thank you so much.
Trying-to-config-guest-wireless-.pdf
jbarnette (ASKER):

My netgear router has an option in the LAN settings for RIP direction (In, Out, or Both) and RIP version (1, 2B, 2M). These options are currently set to Direction: Both and Version: Disabled. Could this have an effect with the workstations picking up a Network 2 rather than my domain?

The new Netgear router should be connected to the network via its uplink port, if it has one, and not a regular LAN port. The LAN ports are in the same network as the Wi-Fi on its "inside" network.

You need to sort out the routing first.
Confirm the routes are pointing correctly in each route table after setting this up.

Your new router needs a default route on its WAN side to the GW @ 200.1
The ASA in turn needs a route to the 192.168.1.0 net with a next hop of 200.199.

Is RIP being used on all of the routers or just the new one?
It doesn't really work if only one router is using RIP.
If that is the case turn it off.

Thanks... let me clarify a bit to make sure my goal is clear:

I have a wireless router and an Ethernet cable running from one of the LAN ports to an Ethernet wall plate that is going directly to a patch bay, then from there to our main switch. From the main switch, there is the ASA, then to the ISP router.

From the other LAN ports of that same wireless router, I have a printer and a workstation plugged in. My goal for this router is to simply use it as a hub or switch to add the printer and workstation to the domain network, as well as broadcast it so that wireless devices can also join the domain network. DHCP from our server will issue all IPs.

The IP for this router is simply another static IP that is in the same range as all the other devices on the network. The internet access is set to automatically detect.

Now, I have the second router and an Ethernet cable running from the Internet port to another port on the same wall plate as the other router. There is nothing plugged into the LAN ports on this router. I simply want to use it to provide Internet access to guests, but keep them separated from our internal network.

The IP for the second router is on a completely different range and DHCP is enabled to provide the guest devices with IPs. However, the only way I could get the internet to work (it wouldn't work using the automatically detect settings on the router) was to set the Internet IP in the router to an IP that is on the same range as our internal network, same subnet, and same gateway as the internal network as well. Although it did work, I really don't feel that this is the correct way to do it. One reason that makes me think that is that people who access this Guest Only router can get internet access fine, but cannot connect to their VPNs. When they connect to our internal router, they can connect to their VPNs with no problem.

I don't know if RIP is being used on the ISP router. I still don't even understand exactly what RIP is.

I am at an intermediate level at networking. I don't go into the ASA other than to view some of the logs and I don't have a lot of experience with routing tables, so the above answer is a bit too complex for me to understand. Maybe my comments here will better clarify what I'm trying to do. If possible, please noob it up a bit for me :)

ArneLovius:

All you have done is add another wireless access point to the network.

I would follow the below:

create a new VLAN on the ASA using a private address range that is not in use
create suitable ACLs for inbound and outbound traffic (I usually block port 25)
create suitable outbound NAT rules
configure DHCP on the ASA for wireless clients (I would use either your ISP, Google or OpenDNS DNS servers)
connect the LAN port on the new access point to the ASA

the new access point must use a different SSID to your existing wireless network, and staff must be told that if they connect to it, they will not have access to internal resources.
ASKER CERTIFIED SOLUTION: Davis McCarn

ArneLovius:

@DavisMcCarn

As I read it, you're suggesting

1/ having the LAN address of the "wireless router" on a different subnet to the LAN
2/ having DHCP on the "wireless router" hand out the same subnet as the LAN with the same default gateway.

I am presuming that as you are suggesting running DHCP, that you are suggesting running NAT on the "wireless router".

With this configuration, when the wireless client does an ARP request for the MAC address of the default gateway, there will be no response, unless you can configure the "wireless router" to do a "proxy ARP" for the IP address of the default gateway.

Even if it can do a proxy ARP for the address of the default gateway, there may be other issues as unless the "wireless router" runs two network processes, it will have the MAC address of the default gateway as itself...

There can also be issues on some devices running NAT with the same subnet on both the "inside" and "outside" interfaces.

To take part of your idea, you could run the "wireless router" with a non overlapping subnet and use NAT, guests would still have full access (over the NAT in the "wireless router") to the internal network, but if the "wireless router" has the capability for ACLs for outbound traffic, and you could configure an outbound ACL on the "wireless router" that had:

allow to internal address of firewall
deny to LAN network
allow to all

you would have a reasonably secure system.

However, from my experience of "wireless routers" most of them would struggle with an ACL for outbound traffic, let alone a "slightly complex" one such as the above...

As however there is an ASA 5505, which has support for multiple internal VLANS, I would usually use that, and remove all of the complexity to the device that is designed to segregate and secure networks.
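The following ASA 5505 configuration is an added example (not posted by ArneLovius or anyone else in this thread) that implements the steps listed in his first post (new VLAN, inbound/outbound ACLs blocking port 25, outbound NAT, DHCP with public DNS) together with the "deny to LAN network, allow to all" ACL idea from the post above, done on the ASA rather than on the consumer router. It assumes ASA software 8.3 or later (object NAT syntax), that Vlan1 is the existing "inside" interface on 192.168.1.0/24 and Vlan2 is "outside", and it picks 192.168.10.0/24 for guests, switch port Ethernet0/5, and the names GUEST_IN and GUEST_NET as placeholders; the OpenDNS addresses are the ones quoted later in the thread.

```cisco
! Added example: guest VLAN on an ASA 5505 (ASA 8.3+ syntax).
! Assumed existing config: Vlan1 = inside (192.168.1.0/24), Vlan2 = outside.
! The guest subnet 192.168.10.0/24 and port Ethernet0/5 are assumptions.

! 1. Third VLAN for guests, with a low security level so it is never trusted.
!    On the Base license the third VLAN must be told which other VLAN it may
!    not initiate traffic to, and that must be set before nameif; pointing it
!    at inside is exactly the restriction a guest segment wants.
interface Vlan3
 no forward interface Vlan1
 nameif guest
 security-level 10
 ip address 192.168.10.1 255.255.255.0
!
! 2. Put one switch port in VLAN 3 and plug the guest access point's LAN port into it.
interface Ethernet0/5
 description Guest access point (LAN port of the guest AP)
 switchport access vlan 3
 no shutdown
!
! 3. Inbound ACL on the guest interface: no SMTP, nothing to the internal LAN,
!    everything else out to the Internet. Order matters: the permit is last.
access-list GUEST_IN extended deny tcp any any eq smtp
access-list GUEST_IN extended deny ip any 192.168.1.0 255.255.255.0
access-list GUEST_IN extended permit ip any any
access-group GUEST_IN in interface guest
!
! 4. Outbound NAT (PAT) for guests behind the outside interface address.
object network GUEST_NET
 subnet 192.168.10.0 255.255.255.0
 nat (guest,outside) dynamic interface
!
! 5. DHCP for guests, handing out public DNS instead of the internal domain controller.
dhcpd address 192.168.10.50-192.168.10.200 guest
dhcpd dns 208.67.222.222 208.67.220.220 interface guest
dhcpd lease 3600 interface guest
dhcpd enable guest
```

With the Security Plus license the `no forward interface Vlan1` line is not required, but the GUEST_IN ACL still blocks guest-to-LAN traffic on its own, so the segmentation does not depend on the license. After applying it, `show access-list GUEST_IN` shows hit counts on the deny line whenever a guest device tries to reach 192.168.1.0/24, which is a quick way to confirm the isolation is doing its job.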

Plug a PC set to automatic LAN settings into one of the wireless router's LAN ports and log in to the management interface. Set up the wireless SSID and security. Ensure that the LAN IP is not in the same scope as your internal LAN (192.168.10.1 is usually safe), the DHCP is set to match the LAN IP range (some routers don't automatically adjust it), and the WAN/Internet IP does match your internal LAN settings for the default gateway and IP. In it, too, either use your ISP's DNS server IPs or OPENDNS is a great choice ( 208.67.222.222 and 208.67.220.220 ).

Plug the WAN/Internet port of the router into any available jack and you're done.


This is basically how I have it, except for a few things. But those few things make me wonder how secure the system is...

If i were to be looking at the router settings, what should I enter for the text below in bold?

Internet: Use static IP
IP Address: Not sure what I'm supposed to put here...currently using a randomly selected IP from the internal network. Should I use something else?
IP Subnet mask: Same as internal network
Gateway IP: Same as internal network (this is the IP to our ASA)

DNS address: Currently same as internal, which would be our server. Change this to an OPENDNS IP?

Sorry for all the questions, but this is fairly new to me and I need specific details.
Thanks so much for your help!

A random IP from the internal network is fine. Personally, I leave all of the workstations as DHCP, start servers at .100, printers at .150, and routers/access points at .180; but, it isn't important.
Use another DNS server for the router; not, the internal server.  OPENDNS includes a blacklist which prevents access to many known purveyors of malware which, these days, is a huge plus!

Any idea why folks wouldn't be able to connect to their VPNs when connected to this guest network (even though they have Internet access), but would be able to if they connect to the internal network?

I'm going to change the DNS to opendns and see how that works...

This seems to be working great! I did test a VPN connection just now and can get out, but tried to access a computer or shared drive on our network and it's like I'm not even connected to a network. I believe I had most of it figured out on my own, but I did take your advice and change to the OPENDNS IPs.

This is the kind of answer I was looking for. Very simple and not too over-technical. Thanks again for your help!!

Rather than connecting by name, which will fail as the external DNS will not resolve the internal name, the test is to connect via IP address.