Small Office network with two routers, being one of free internet access.

Hitbyatruck

Honorable
Mar 28, 2013
6
0
10,510
Hello, I have a small office network set up the following way: one Thomson router providing the internet connection to a switch where I have several wired computers connected and another router for free web access.

The office computers are supposed to have access to the internet and to each other. My main problem is knowing how to close the office computers from those who access the network through the second router.

So this goes as follows:

One Thomson router providing internet to the network switch and providing wireless access to the laptops from the office. This is router 1 and the one with DHCP server enabled. From the network switch, several leads connect to several computers and to one router (Router 2), which is being used to give wireless internet access to people from outside.

I'd need to forward all the connections coming from Router 2, to the internet, without having access to the other computers connected on the switch and to the wireless computers connected to Router 1.

Is there an easy way to have this accomplished?

Thank you for all your time and attention.
 

john-b691

Honorable
Sep 29, 2012
703
1
11,160
You will need to use a security feature in the router to prevent traffic from going to the subnet of your office machines. If it does not have that feature I would reverse the function and place your office machines behind the second router. This would mean the office machine could initiate contact to one of these other machines but not the other way around. As long as you do not set up port forwarding no machine could open a connection toward your office machines.
 

Hitbyatruck



Hello, john-b691. Because of the length of the cables and the placement of the routers, I must have Router 1 connecting to the office computers. Router 1 is also the modem for my ISP.

I believe the best solution would be to be able to get Router 2, to work on a different IP range or subnet, so all the computers connected to Router 2, wouldn't be on the same subnet or IP range of Router 1. I believe this would suit my needs, although I have the problem of not having a WAN port on Router 2, to make this possible. So I was wondering if I can route all the Router 2 traffic to the port 80 and 8080 of Router 1.

I'm a bit of a newbie on these more complex solutions, so I appreciate any help anyone can give me.

Thank you.

 

Hitbyatruck



Hi, Alabalcho,

I have some equipment to use and I really can't afford to buy at least two Routers to be able to cover the entire area.

I believe there's a way of doing this with several routers, but I would love to understand how to do it in a general manner, in order to be able to fix these problems I have right now.

I just want to forward any wireless connected PC on Router 2, directly to the internet, instead of being able to check all the computers on the cabled network and laptops connected through wireless to Router 1.

The easiest way, I believe to be, having the different IP ranges on each router, and/or different subnets on each.

Or just forward all the traffic coming from Router 2 to the internet connection on Router 1.

I appreciate all the feedback and I hope someone will be able to raise my knowledge on the matter, by presenting a practical solution.

Thank you all for all the feedback and attention. I hope I'll be able to get there soon with all your help.

 

Hitbyatruck



Hello, Broseephus,

I apologize, it would be better to provide this information from the start.

So here it is:

The setup is actually as follows:

MODEM 1 - Modem Router from ISP - Thomson TG585 V7 (This is the router that provides wireless internet to the office laptops and the one that dials the connection to the internet)

In order to keep things simple, both of the following routers are connected directly to one of the MODEM 1 TG585 V7 ethernet ports.

ROUTER 1 (free wireless access) - LINKSYS WAG354G (this router should only allow connection to the internet for the visitors)

ROUTER 2 (free wireless access) - THOMSON TG585 V7 (this router should only allow connection to the internet for the visitors)

I believe it would ease up the setup if both of the routers would have a WAN port. If it happened to be so, I would connect the WAN port from both routers to the MODEM 1 and set up two different IP ranges on each router, as such (ROUTER 1 - 192.168.2.x and ROUTER 2 - 192.168.3.x). In this case, I believe you would have the ROUTER you're connected to providing the IP address and forwarding the computer to the WAN port, giving it Internet access to that computer, but no access to both the other ROUTER and MODEM 1 IP range.

The MODEM 1 is using 192.168.1.x addresses.

Do you believe I'll be able to do what I intend with this equipment?

Let me thank you all for the interest and feedback provided. All your help is extremely welcome and I hope I'll be able to return the favor in the future.

All the best.




 

broseephus

Honorable
Jun 9, 2012
50
0
10,640
If you have everything set up on the same subnet (IP network: 192.168.1.x, subnet mask: 255.255.255.0), the best case scenario would be to set the office equipment on one VLAN and then set the guest network on another. If your equipment doesn't allow you to do VLANs then see below.

-Set up all office devices with Static IP addresses. Set them in a specific range (example 192.168.1.50-200)

-Set up a DHCP pool of a certain range for the guests (example 192.168.1.201-224)

-Set up QOS that Denies ALL traffic From the DHCP pool > office equipment IP addresses.

I'm not exactly sure the details on how you can do this because I have never used the routers you have listed but those are the steps you want to accomplish.


ALSO, there is a glaring security hole in this setup because the guests only have to manually assign themselves an IP and then they can have access to your office equipment.



If your current equipment doesn't allow for VLANs I would highly suggest you look into getting a basic firewall; that way you can break your network up into different zones. You can have a decent one that will allow you to do this for <$300, and that way you can be sure your guests will not have access to your network resources.
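Added example, not part of broseephus's post: a small audit for the static-range/DHCP-pool split described above, flagging devices that have assigned themselves an address outside the guest pool, and expanding each range into the CIDR blocks a prefix-based deny rule would need. The IP ranges are the ones from the post; the MAC inventory and the neighbor table are constructed sample data, and all function names are hypothetical.

```python
import ipaddress

# Ranges from the post's example.
OFFICE = (ipaddress.ip_address("192.168.1.50"), ipaddress.ip_address("192.168.1.200"))
GUEST = (ipaddress.ip_address("192.168.1.201"), ipaddress.ip_address("192.168.1.224"))

# Hypothetical inventory: MAC -> static IP assigned to each office machine.
OFFICE_INVENTORY = {
    "00:11:22:33:44:01": "192.168.1.50",
    "00:11:22:33:44:02": "192.168.1.51",
}

# Constructed sample of (ip, mac) pairs as they might appear in an ARP/neighbor table.
NEIGHBORS = [
    ("192.168.1.50", "00:11:22:33:44:01"),   # office PC on its assigned address
    ("192.168.1.210", "aa:bb:cc:00:00:10"),  # guest holding a DHCP lease
    ("192.168.1.120", "aa:bb:cc:00:00:11"),  # unknown MAC inside the office range
    ("192.168.1.51", "aa:bb:cc:00:00:12"),   # unknown MAC on an office PC's address
    ("192.168.1.240", "aa:bb:cc:00:00:13"),  # address outside both ranges
]

def in_range(ip, bounds):
    """True if ip lies within the inclusive (first, last) bounds."""
    return bounds[0] <= ipaddress.ip_address(ip) <= bounds[1]

def audit(neighbors, inventory):
    """Return (ip, mac, reason) for every entry that breaks the addressing plan."""
    findings = []
    for ip, mac in neighbors:
        mac = mac.lower()
        if in_range(ip, OFFICE):
            if mac not in inventory:
                findings.append((ip, mac, "unknown device on office address"))
            elif inventory[mac] != ip:
                findings.append((ip, mac, "office device on unassigned address"))
        elif not in_range(ip, GUEST):
            findings.append((ip, mac, "address outside office and guest ranges"))
    return findings

def rule_blocks(bounds):
    """CIDR blocks that exactly cover a first-last range, for filters that take prefixes."""
    return [str(net) for net in ipaddress.summarize_address_range(*bounds)]

if __name__ == "__main__":
    for finding in audit(NEIGHBORS, OFFICE_INVENTORY):
        print(finding)
    print("guest pool as prefixes:", rule_blocks(GUEST))
```

Neither example range falls on a prefix boundary, so a router that only accepts prefixes needs several rules per range; a MAC-based inventory only detects self-assigned addresses and does not prevent them, since MAC addresses can be changed too.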
 

Hitbyatruck

Hi, Broseephus,

That's really not the best workaround for me, mainly because of the static IP addresses. I can handle it properly on all the wired computers, but the wireless ones at the office will be a stretch.

I'd like to understand more about the VLANs. This might be one of the ways to go, since I don't have the WAN ports on the routers.

Could you please advise me better on the VLAN solution?

Thanks in advance.