LAN segregation?

I have a home network on the farm connected to the outside world via a BT Home Hub (the original white one). I have wireless access points in several buildings for my own use and can limit their access as I wish. The Home Hub does the DHCP, dishing out IP addresses.

However, we have two 'holiday cottages' on site, the occupants of which enjoy the benefit of a dedicated wireless access point. Of course the IP address that they pick up is in the same subnet as everything else. I'd like somehow to implement a bit more control to stop them having access to 'my' network behind the firewall for added security, and also to stop them using IP addresses in my common range. Is it somehow possible to set up an access point to also do DHCP from its own limited pool of addresses on a different subnet?

As far as I am aware, so far we haven't had problems, but it's probably only a matter of time before some computer-savvy kid is here and starts playing!

Andrew

Reply to
Andrew Mawson

Some routers have the option to have two wireless networks, one "internal" and one "public". If you've got that choice, go for it for the really low-hassle route.

Apart from that, the easiest way would be to have them connecting to the actual router, then have a firewall (cheap and easy would be a cable router) hanging off the inside of that with your internal network connecting to that.

If you want a bit better security, then have your internal wireless using MAC security, perhaps a hidden SSID. Wireless will never be absolutely secure, but it'll certainly help to prevent idle fingers from being mischievous.

Reply to
Adrian

The TP-Link TL-WA901N WiFi AP I have can run its own DHCP server.

However, you will still need a device before it that can act as a true router/NAT/firewall and split you off 2-3 networks:

1) Your personal "private" network for your house;
2) Cottage 1;
3) Cottage 2.

So you are looking for something that can run 3 subnets (or 2 min if you combine the cottages), prevent traffic between the two and handle NAT for each independently.

In principle the Vigor 2830 can do this, but in practice it makes a pig's ear of more than one LAN-side subnet and the firewalling setup breaks my brain (whereas I find Linux iptables quite straightforward).

A Firebrick might be more suitable, but they are expensive.

If you are up for a little more DIY: any router that can handle the speed (do you have FTTC yet, as it's recently gone live in Robertsbridge?) running DD-WRT, which is a router-based Linux distro with a nice GUI.

Reply to
Tim Watts

Just trying to get my head around this. I assume (just checking I understand) that you are accepting that the IP address which gets to the Internet will be the same for all devices on your internal networks. So your requirement is to provide DHCP services to the guest networks from a wireless AP, on a different subnet, thus implementing "double NAT".

You also want the AP interface to the rest of your LAN to be hard-wired to a different subnet so that the AP cannot see your devices, but the second subnet has to be supported and routed by your primary router which connects to the Internet.

We really need to know the make and model of the AP before we can say if this is possible. The make and model of your main router would also be helpful.

It appears that the device you want for your guests is not an AP at all (which just extends your internal network) but a NAT router which can manage its own little network and NAT through to your main router which will in turn NAT through to the Internet. You should also get things like parental controls and other useful management facilities.

The bad news is that you've already bought the APs.

The good news is that NAT routers are cheaper than APs, even though they can do considerably more than APs. An example of warped industry pricing. I ended up buying a router then configuring it to work as an AP because it was cheaper (and the router would also take 3rd-party firmware such as DD-WRT).

I think what you probably need to use the APs unmodified is a VLAN tied to a physical port on your main router and/or an IP address (range?). This should allow you to define a route from the AP to the Internet which is separate from your home VLAN on another port/subnet. However, I haven't experimented with VLANs yet so I can't be sure.

Cheers

Dave R

Reply to
David

A wifi router for cable use (i.e. intended to connect over Ethernet to a separate cable modem) would work if it had a suitable firewall capability built in. Daisy-chain it off your internal network, and configure the firewall to block access to your internal network, except for the address of the BT Home Hub. It will need a separate private network for itself.

I do something similar at home: I have 3 internal networks which are all firewalled from each other (home, work, visitors' wifi). However, I use a server to do the routing/firewalling, with 4 Ethernet ports on it, and it also does things like the DHCP and DNS caching for all of them.

MAC security never was "secure" ;-)

Newer mobile operating systems are going to be changing their MAC randomly from time to time anyway (to prevent tracking), although it will probably be a configurable option.

Reply to
Andrew Gabriel
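Tim Watts's three-subnet router and Andrew Gabriel's four-port Linux box both come down to the same forwarding policy: each LAN may reach the Internet, nothing may cross between LANs, and each LAN is NATed behind the one public address. The model below is an added example, not code from any poster; interface names and subnets are constructed, and the policy is rendered as an nftables ruleset (the successor to the iptables Tim mentions). Per-subnet DHCP is left to dnsmasq or similar and is not modelled here.

```python
"""Forwarding policy for a Linux router with one WAN port (towards the BT
Home Hub) and three LAN ports: house, cottage 1, cottage 2.  Interface names
and subnets are constructed for this example, not taken from the thread."""
from ipaddress import ip_address, ip_network

WAN_IF = "eth0"
LANS = {  # LAN interface -> subnet served on it (constructed values)
    "eth1": ip_network("10.0.1.0/24"),   # house: the private network
    "eth2": ip_network("10.0.10.0/24"),  # cottage 1
    "eth3": ip_network("10.0.20.0/24"),  # cottage 2
}


def zone(addr):
    """LAN interface an address lives on, or 'wan' for anything outside
    the three local subnets (the Home Hub and the Internet beyond it)."""
    ip = ip_address(addr)
    for ifname, net in LANS.items():
        if ip in net:
            return ifname
    return "wan"


def forward_allowed(src, dst, established=False):
    """Decide whether the router forwards a packet between its ports.
    A plain router would forward between all three subnets, so a separate
    subnet alone deters nobody.  Only the first packet of a LAN-to-WAN flow
    is accepted; replies match by connection tracking, so neither the
    Internet nor another LAN can open a connection inwards."""
    if established:
        return True
    return zone(src) != "wan" and zone(dst) == "wan"


def nft_ruleset():
    """Same policy as an nftables script: default-drop forward chain plus
    masquerading so every LAN is NATed behind the single WAN address."""
    lines = ["table inet fw {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    lines += [f"    iifname {ifn} oifname {WAN_IF} accept" for ifn in LANS]
    lines += ["  }", "}", "table ip nat {", "  chain postrouting {",
              "    type nat hook postrouting priority 100;",
              f"    oifname {WAN_IF} masquerade", "  }", "}"]
    return "\n".join(lines)
```

Loading the rendered script with `nft -f` on a box with those interfaces gives the segregation the thread describes; the router's own management address should then only be reachable from the house LAN, which is an input-chain matter outside this example.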

Dave,

The APs are all Netgear WG602 v4, but I have no problem providing a different one for the cottages; they are not hugely expensive.

Andrew

Reply to
Andrew Mawson

The aim is not so much an unbreakable system, just one a little less obviously open to abuse than it is currently.

Andrew

Reply to
Andrew Mawson

Have a similar situation. Originally had: incoming ADSL modem/router feeds 3 standard cable routers with wifi in the 2 holiday cottages and the main house. So each network is isolated by a firewall and cannot see other networks. Have upgraded this to: ADSL modem/router - Netgear GS108e ProSafe Plus switch with VLANs set up for each location - standard cable wifi routers. This allows control of bandwidth used by each VLAN. Used cable routers with wifi (I use Netgear) can be obtained for next to nothing and the ProSafe switch was ~£28. To manage all these devices you have to connect to the incoming modem/router when necessary.

Reply to
Robert

There is a slightly simpler setup using the 2830 that would probably work for the OP's requirement. You can group up to 4 different wireless SSIDs and the 4 ports on the internal switch in any combination of groups that are independent of each other. So you can specify (say) one WiFi SSID (your private one) so it has access to the Internet and also the LAN0 port. That in turn can connect to a switch for additional physical wired machines, or additional WAPs for wireless on your private side of the setup.

Port 1 could then be assigned to one cottage, port 2 the next. (That would leave them sharing the same DHCP pool as the primary side, but comms between them would not be possible).

If the OP wanted, he could also create additional LAN subnets and have separate ones for each cottage.

Reply to
John Rumm

Robert, this sounds just the thing I need to do. So as I understand your set up, you have:

Incoming ADSL router (i.e. my BT Home Hub), feeding the Netgear GS108e ProSafe, which is set to create separate VLANs, each with a wireless access point on each VLAN

or have I got that wrong?

Andrew

Reply to
Andrew Mawson

Not sure about the BT Home Hub, but can it be set up as a public hotspot?

I've set up my SFR (French equivalent of BT, I think) modem for our home use and also for public use.

It shows as 3 distinct services:
(1) Midi (our default home network)
(2) SFR public hotspot (allows other SFR users with similar set-ups to use it)
(3) SFR FON (allows FON subscribers to use the FON network)

(2) and (3) require the user to already have their own username/password.

Reply to
John Mulrooney

Virtual LANs (VLANs), yes I was going to suggest this when I saw the OP's message.

Quite a few routers support VLANs.

Reply to
cl

Yes, that's right. For wifi APs I use a Netgear cable router for the house wifi and wired, an old WAG102 wifi AP in another and an old Netgear cable router with wifi in another. All older used models with no special setups. The only reason I added the ProSafe was to provide bandwidth control; VLANs are, I think, the icing on the cake if each location is fed via a firewalled router. Others may/will disagree?

Reply to
Robert

Just putting them on a separate subnet isn't going to deter any computer-savvy user. BT do a public-access wifi using their latest hubs if you get one and enable the service. It gets you access to all the others that have joined the service while you are out. It's independent of your connection but does share bandwidth. I have no idea how secure it is as I have never looked at it since suggesting the possibility of doing such a service about 5 years ago in a meeting we had with BT.

Reply to
dennis

I think we were probably assuming the subnets would have no routing between them, or a firewall.

Reply to
Tim Watts

Andrew,

one option is to replace your BT Home Hub with another ADSL router which supports VLANs, or with one which supports open router software such as DD-WRT. I have not been impressed by the flexibility of the router software which comes with my Buffalo WZR-600DHP2 or my TP-Link TL-WDR3600, so I can't recommend a replacement router manufacturer (mine are cable routers, not ADSL).

As you are seeing from the responses there are many ways of skinning this particular cat.

If I remember correctly you have an ADSL router in your main home, then Ethernet to the two cottages to serve the two APs.

If this is correct then the minimum hardware is a smart ADSL router which can support multiple LANs, each with its own DHCP, and segregate the traffic, using VLANs or something similar.

I was planning to go down that route and bought an old Cisco router because it had much more functionality than the average consumer router (although it is a bastard to configure until you have learned how to speak Cisco IOS). However the ports are 10/100 and shortly after I got it the cable network from Virgin was bumped up to 150 Mbit/s, so I can't persuade myself to chop a third of my bandwidth for added security.

I am planning to put DD-WRT or similar on my second wireless router. Soon. Honestly. ;-) Then it can replace my main router (which can then have DD-WRT installed).

When my Tuit is finally round.

Cheers

Dave R

Reply to
David

I don't think OpenWRT et al. support (the ATM interface of m)any of the ADSL routers, only the dual-Ethernet "cable" routers.

I've always used a separate ADSL router combined with an OpenWRT firewall, recently upgraded from a WRT54GS to a WNDR3800; that setup can certainly handle multiple VLANs with a separate DHCP scope/SSID per VLAN as required.

Nice GUI these days; it just requires a little knowledge and confidence to flash the open-source firmware over the manufacturer's firmware.

Reply to
Andy Burns

I don't think the OP would know that.

Anyway, the VLANs will work provided the router doesn't actually do any routing on the LAN. Mine can.

Maybe one of these would be useful


Reply to
dennis

That may be underestimating the OP!

Reply to
Tim Watts

Thanks for the vote of confidence Tim :)

Andrew

Reply to
Andrew Mawson
