Tom Skowyrski

Wireless network separation - 2 routers

Hi

I need to separate the wireless network we have for customers from our network. We have our network on an ADSL router, Netgear DGN2200 (192.168.0.1/24), which is dishing out DHCP and doing DNS. Computers are in a Workgroup; we don't have a machine with a server operating system. We also have an additional router, WNR2200, which is plugged into the DGN2200 network and is getting an IP address for its WAN port. WNR2200 has a different local subnet, 172.16.16.0 with 255.255.0.0. WNR's IP address is 192.168.1.2 with 255.255.255.252 while the DGN2200 gateway is 192.168.1.1 with 255.255.255.0. WNR2200 has wireless on it for customers and has DHCP and DNS enabled for its 172.16.16.0 network. I am not able to introduce VLANs because those routers don't support them.
The problem is that when connected to customers' wifi on WNR2200, I am able to ping and access all the devices on DGN2200's 192.168.0.0 network and obviously I don't want that.
I was wondering what's the best solution. I have researched a little bit and some people suggested getting another router in between DGN2200 and WNR2200. Additionally, I tried TP-LINK TL-WA901ND but it wouldn't sort out the problem.

Thank you for all suggestions.

Tom
Faruk Onder Yerli

First of all, you have to use a wireless access point which supports guest mode. Or you can look for it in the wireless menu of what you already have. Guest mode denies interconnection between wireless clients and the LAN.

I can recommend the ubnt.com wireless system, in which the guest network will be isolated.
pr0t0c0l12

Yup by definition on your router you should be putting the wireless users on the guest network. Please take a look at it below...


The NETGEAR N300 Wireless Router with USB is ideal for both professional and personal Internet use, providing Wireless-N speed for simultaneous downloads, voice and music, and online gaming. Storage for downloads is easy with ReadySHARE for shared access to a USB storage device. Faster downloads and online gaming - Provides Wireless-N speed for simultaneous downloads, streaming voice and music and online gaming, in addition to basic Internet applications. Shared storage - ReadySHARE provides fast and easy shared access to an external USB storage device. Live Parental Controls - Keeps your Internet experience safe. Blocks unsafe Internet content and applications and can be managed from anywhere. Protects connected devices through the router such as PCs, gaming consoles, and iPod touch. Guest network access - Provides separate security and access restrictions for guests using the network. Broadband usage meter - Monitors Internet traffic and sends customized reports to help keep costs under control. Jitter-free voice and gaming - Automatic Quality of Service (QoS) for reliable Internet connections. Easy setup - NETGEAR Genie CD with graphical installation guide and multi-language support. Secured connection - Push 'N' Connect ensures a quick and secure network connection. NETGEAR Green features - Power and Wi-Fi on/off buttons and 80% recycled packaging.
Tom Skowyrski (ASKER)

Sorry but I forgot to mention that I am using the Guest Network. The option for Wireless Isolation is selected and the option to Allow access to local LAN is unticked.
I believe you will find that the DGN2200 will support BOTH office and separate guest wireless networks. Certainly v3 will do that. Then no need for the added access point.
I think you are using the guest AP's WAN port on the other device's LAN port. If so, you cannot prevent it. You have to use the same equipment for LAN and wireless, then enable the guest network. It will work.
ASKER CERTIFIED SOLUTION
hypercube

As I need my DGN2200 (main router) to be the first LAN, would you agree that the easy and cheap way would be to add an intermediary router like the TP-Link TL-R460 between DGN2200 and WNR2200:
http://www.amazon.co.uk/TP-Link-TL-R460-Port-Cable-Router/dp/B002OMX0XQ/ref=sr_1_1?ie=UTF8&qid=1413827752&sr=8-1&keywords=TP-link+r460
Probably, I could forward a port on the TP-Link to be able to access the WNR2200 web interface.
I am not planning to have any VPN or anything which requires port forwarding on the WNR2200 network.
And just to clarify: the WAN port of WNR2200 plugs into the LAN port of DGN2200. There is no AP port on WNR2200. There is an AP port on DGN2200 but this is only if you want to use DGN2200 as an access point (then you can't log into it and you cannot use the ADSL port in that configuration).
I do not require wifi on DGN2200 and if I did I would need those devices to be able to access the DGN2200 LAN.
Or another idea I have:
Would it work if I replaced DGN2200 with a router (probably a basic entry-level Cisco) which supports VLANs? Then I would configure 3 LAN ports to be VLAN1 for the local network (currently DGN2200) and the 4th LAN port on the Cisco would be VLAN2, to which WNR2200 would be plugged in. Please note that WNR2200 does not support VLANs. However, I assume it would be the Cisco router managing VLAN access and segregation so it would not matter.
What do you think?
You would need a modem.
Then you could add a router with VLAN capability.
Then you could use each VLAN as you choose - including as you described.
Do you need office wireless?  Where from then?

If you notice the diagram I attached earlier, the *private* LAN is at the bottom of the page (and the cascade of routers) and the *guest* LAN is higher up.  This is because one can generally "see" the computers on the upper LAN from the computers on the lower LAN and not vice versa.  So, adding the WNR2200 to an upper LAN will likely allow unwanted access as you are now experiencing.  I don't really see any great application for the WNR2200 in this case unless the office LAN router has no wireless.  Then use the WNR2200 as an office wireless AP.
fmarshall, so it looks like my mistake is that I am using Interim network as main network for wired computers (I have similar configuration which is using the main router with wireless for employees) and "2nd Subnet Wireless" is plugged directly into that main router which doesn't do VLAN.
I mentioned the Cisco router because it has WAN ports and I was hoping it is compatible with BT Infinity Fibre optic as it comes with a BT OpenReach modem (this modem plugs into the phone line and the router plugs into the modem - there is no local private network on the modem as it passes the public IP address directly to the main router).
The reason why I mentioned Cisco is that I trust it more than TP-link. I assumed the following:
1.  I could replace main router with Cisco router doing VLANs so the local network would be separated from the LAN4 port on Cisco router which would have WNR2200 router with public wireless. I was thinking of Cisco RV215W model.
2. I could use current DGN2200 as main router - just reconfigure network id. Then get tp-link I mentioned earlier to be my private local subnet which used to be on DGN2200, this would be plugged into the main router. WNR would also plug into the main router.
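
A small model of the cascaded-router point discussed above, as an added example that is not part of any participant's post: it compares the layout from the question with option 2 and reports which LANs a guest client can open connections to. It assumes each consumer NAT router forwards outbound traffic and drops unsolicited inbound traffic (no port forwards or DMZ); the topology names and the `interim` network ID 192.168.1.0/24 are hypothetical.

```python
import ipaddress

# Constructed topologies (not taken from a device config). "upstream" names the
# LAN that the router's WAN port plugs into; None means it faces the Internet.
AS_ASKED = {  # question: WNR2200 WAN port plugged into a DGN2200 LAN port
    "office": {"net": "192.168.0.0/24", "upstream": None},
    "guest": {"net": "172.16.16.0/255.255.0.0", "upstream": "office"},
}
SPLIT = {  # option 2: private LAN moved behind its own NAT router
    "interim": {"net": "192.168.1.0/24", "upstream": None},  # assumed network ID
    "office": {"net": "192.168.0.0/24", "upstream": "interim"},
    "guest": {"net": "172.16.16.0/255.255.0.0", "upstream": "interim"},
}

def network(topology, lan):
    """Parse the LAN's address range, normalising host bits (172.16.16.0 -> 172.16.0.0/16)."""
    return ipaddress.ip_network(topology[lan]["net"], strict=False)

def upstream_chain(topology, lan):
    """LANs between `lan` and the Internet, nearest first."""
    chain, parent = [], topology[lan]["upstream"]
    while parent is not None:
        chain.append(parent)
        parent = topology[parent]["upstream"]
    return chain

def reachable_from(topology, lan):
    """LANs a host on `lan` can open connections to. Assumed model: a NAT router
    forwards outbound traffic upstream and drops unsolicited inbound traffic."""
    return upstream_chain(topology, lan)

def overlapping(topology):
    """Pairs of LANs whose ranges collide; cascaded NAT needs distinct subnets."""
    names = sorted(topology)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if network(topology, a).overlaps(network(topology, b))]

def guest_can_reach(topology, ip):
    """True if `ip` sits on a LAN that is upstream of the guest LAN."""
    addr = ipaddress.ip_address(ip)
    return any(addr in network(topology, lan)
               for lan in reachable_from(topology, "guest"))

if __name__ == "__main__":
    for name, topo in (("as asked", AS_ASKED), ("option 2", SPLIT)):
        print(name, "guest reaches:", reachable_from(topo, "guest"),
              "overlaps:", overlapping(topo))
```
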
I have ordered both Cisco and TP-link as I have this problematic configuration for 2 customers. Will let you know once I tested it and then I will assign the points. However, I may not be able to do it for the next two weeks (not sure if that's allowed).
Will do VLAN for one of the customers and TP-link for other two as it is cheaper and the wifi for customers is not used much.