Wireless Tips & Tricks: Setting Up a Secure Public/Private Wi-Fi Net

Wireless Tips & Tricks: Setting Up a Secure Public/Private Wi-Fi Net


How can I secure my home Wi-Fi net, while also providing public access for guests?

This is a surprisingly difficult question to answer, but a very common request. Here's the secret. You'll need to set up two routers, one with strong encryption (WPA or WPA2) for your private use, and one public network for guests. The tricky part is how to share one broadband Internet connection between the two routers without allowing the public network access to the private one.

The answer comes courtesy of Linksys, whose networking team recommends using the DMZ feature found in most Wi-Fi routers as a separator for the public and private nets. Essentially, you connect your public Wi-Fi router's WAN port to a LAN port on your Internet-connected private Wi-Fi router. Then you configure the public router as a DMZ per your private router's manual.

For best performance, set the two routers to widely separated Wi-Fi channels (such as 1 and 11). Also, to avoid IP conflicts, the public router's subnet needs to be changed to be different than the primary (private) router. For example, if the primary router uses 192.168.1.1, the secondary should be set to something else, like 192.168.2.1 or 10.10.2.1. Computers connected to the secondary (public) router will get IP addresses assigned in that subnet. Linksys says "this configuration allows users of the public Wi-Fi router access to the Internet, but no access to the LAN."

Finally, to avoid DNS problems that can arise when Internet data must traverse two NAT routers, you should manually program a DNS address into the secondary router, pointed at a good known DNS server address. Using 4.2.2.1, for instance, will force the secondary router to use this DNS service instead of the one that was automatically assigned to the secondary router by the primary router. (DNS servers are the giant databases pairing up verbal domain names, like www.google.com, with numerical IP addresses, such as 64.23.192.5. Without DNS, you'd need to know the numeric address for every site you browse to. And if DNS is not working, you won't be able to call up Web pages.)

In other words, the solution for DNS woes is to go into your secondary router's WAN setup area, and give it a fixed address for the DNS server, rather than automatically retrieving it from your ISP. Your ISP can give you a list of valid DNS server addresses to choose from. Some routers may force you to use a static IP address as well if you want to have a static DNS. This is fine, and probably a good thing. Just choose a number from the range assigned by your primary router. For example, if your primary router is at 192.168.2.1, then you might choose an IP address of 192.168.2.30 for your secondary router. The "gateway" or "router" IP address is 192.168.2.1, and the subnet mask will be 255.255.255.0.


1 Comment:

Hi,
First of all i would like to say thank you for such a good tutorial.

I use this to setup my shop's wifi net (one public wifi and another private wifi LAN). Everything is working fine except that workstations connected to the 2nd router is able to access to resources connected to the first router. Did i do something wrong?