Isolating a wireless subnet?

We're replacing an Apple "snow" AirPort (802.11b) with an AirPort Extreme (802.11n) and would like to provide Internet access for clients in the waiting room. Obviously we don't want them to have access to our computers or servers.

By what mechanism can a wireless subnet be created such that the users have Internet access yet cannot (easily) have access to the rest of the private net that shares the DSL modem that supplies 'net access to the LAN as a whole?

Is a router required at the junction of the DSL modem and the 2 AirPort WAPs that controls access between the 2 branches?

Other means?

Thanks, Janie


(comp.protocols.tcp-ip added)

Janey wrote: (snip)

I presume you now have one NAT router between you and the DSL connection. To do what you ask requires three NAT routers (and three distinct subnets).

In many cases wireless access points are combined with NAT routers which would minimize the number of boxes. Does the Airport Extreme include NAT? (I thought Airport Extreme was 802.11G not N.)

Unless your DSL supplies more than one IP address, you want one NAT router connected to the DSL modem to allow more than one IP address to connect to the Internet. Next, you want a NAT router for your use and a NAT router for other users, each connected to the first NAT router. The first one should not have wireless access (or should have it turned off). The second and third could be either NAT routers with wireless access or NAT routers connected to wireless access points.

-- glen

glen herrmannsfeldt

Since you're asking here I'll assume your knowledge is a bit limited.

As to the two branches I'll assume you mean the waiting room and office sections of your network.

First you can do it with 3 routers but also two if you do it right.

DSL Modem ---- Router1 **** wireless to waiting room
                  |
                  +-----Router2 (off LAN port of router1)
                          + *********** wireless to office
                          |
                          +------------ wired to office (off LAN port of router2)

With this setup your waiting room can see the Internet as a whole but can't drill down into your office as long as you don't have router2 set to forward anything from the outside to any particular LAN.

To keep things simple Apple somewhat limits your choices as to NAT addresses so I'd pick something like the 192.168.x.x range for the office and 10.0.0.x range for the waiting room. This is set in router2 and router1 respectively.

As to which router you use where, I guess I'd put the newer one as router 2 as it will have somewhat better security options. You should lock down the admin of both routers with very, very good passwords. You should also lock down the wireless to the office with a very secure password and no Post-its allowed. Or turn it off. And keep access to the routers and any wired Ethernet ports restricted. Physically.

And since you mentioned "waiting room", I'd find a local Mac wiz (there should be a user group in the area) or network wiz who will not get indignant at the Apple routers and pay them $200 for an hour or so of time to make sure you do it right. Doing it wrong in a doctor's office can be a very bad idea.



I'd point out also that you don't absolutely need Apple products. We have a setup something like this for our Inn using two non-Apple routers; our only computers are Macs, and this setup works equally well in connecting visiting Macs _and_ PCs.

I use Airport Extreme in the Mac Pro now and then to test the wireless connections.

Gavrilo Prinzip

Agreed. But the OP implied they had already bought or planned to buy a 2nd Apple router. And if all you've ever seen is a Linksys configuration web page, well things are a bit different. My point was to not get "your brother's friend who's owned a mac for 2 months" to come do it.



1 way to do it is to build 2 separate networks.

internet - wlan router (with external users) - wlan router (internal users).

main drawback is the external users could clog up your Internet feed.

or you find a wireless router that can handle multiple SSIDs and keep the traffic flows in separate VLANs. You then use different SSIDs for users & visitors, then priority, different networks and rate limiting to control who goes where and access.

some of the Cisco stuff can do this, so something like an 1800 series router with embedded WLAN would work.

- exactly which model depends on DSL flavour, or cable etc.

programming these things can be complicated, so you may want to get some help.

but - not consumer gear, and not consumer prices. 1801s we use at work (without wireless) list @ $1000.


The easiest way to do this is to check if your ISP offers a 2nd IP address. If so, connect *TWO* routers to your cable or DSL modem through a cheapo ethernet switch. Each IP address will have its own routeable IP address, its own router, and no way are any packets going to cross over from one router to the other.

Another way is to buy a router that offers dual SSID, dual WPA keys, or security "zones". Search Google for "dual SSID". Most (not all) of these have independent routing for each SSID. Most routers that are designed to run a public hot spot (i.e. DD-WRT FON router) have this feature.

I only know one router that has two WPA keys. MyEssentials ME-1004R.

This is a cheap ($40) router owned by Belkin that has this useful feature. If the client uses one settable WPA key, they get the internet and the local LAN. If they use the settable "guest" key, they get only the internet. The catch is that the clients MUST use a WPA key, which is generally a good idea anyway.

Incidentally, make sure your wireless router has "client isolation" or "AP isolation" as Linksys misnamed it. It prevents the clients from seeing and attacking each other.

Sonicwall uses security zones for isolation.

Another way is to use two routers in series. The network connected to the LAN side of the 2nd router is the "inside" protected network. The 2nd router keeps anyone from the LAN side of the 1st router (or "public" side) out of the "inside" network. The IP layout is something like this:

Router 1                      Router 2
WAN= ISP assigned             WAN=
WAN Netmask= ISP assigned     WAN Netmask=
Gateway= ISP assigned         Gateway=
LAN IP=                       LAN IP=
LAN Netmask=                  LAN Netmask=

Users on the LAN side of Router 1 use (public access)
Users on the LAN side of Router 2 use (inside LAN)

This works but causes problems due to the double NAT. Details on request.

Jeff Liebermann

There is a mask error in the example you provided.

You've specified a mask of for the LAN interface of Router 1, and a mask of for the WAN interface of Router 2.

Since you are connecting these interfaces together, they must use the same mask.

Use for both.

Best Regards, News Reader

Jeff Liebermann wrote:

News Reader

(someone wrote)

That is a good way, but when they do they usually charge extra for it. If you don't need the extra IP, and/or static IP, then double NAT works well.


As someone else mentioned, the Router2 WAN Netmask is wrong.

This keeps the public net from accessing the inside LAN, but doesn't keep them from watching the data going by. At least they can see broadcast packets, and any other that are flooded by the switch.

What problems due to double NAT? As I said, I would do double NAT for both nets for full isolation. If it is worth worrying about isolation it is worth the price of another NAT router.

-- glen

glen herrmannsfeldt

Eye nver maek mistrakes.

  1. Please don't "top post".
  2. Your comments are absolutely true if Router 2 needs to see all the devices on the LAN side of Router 1. For that, I would use However, I do NOT want them to see all those users and devices. Router 2 only needs to see the LAN side IP address of Router 1 (plus the broadcast address) for a total of 2 IP addresses.

With, it looks like this:

Address: Netmask: Network Address: / 30 Broadcast Address: First host: Last host: Total host count: 2

It can also be done with CIDR /31 or, but I like to save the 2nd IP address for tinkering, testing, sniffing, etc.

The security of such an arrangement is marginal at best. Users on the LAN side of Router 1 cannot see machines on the LAN side of Router 2, but can sniff their traffic. Users on the LAN side of Router 2 cannot see users on the LAN side of Router 1, but only because of the router netmask.

This arrangement is far from ideal and the netmask is somewhat of a kludge. It's the best I can do with one WAN IP, and not going to a VPN tunnel. IMHO, the best way is two routers, two WAN IP's, two LAN's, and never the two shall meet. However, many ISP's will not provide more than one routeable IP, requiring abominations like this.

Jeff Liebermann

See my reply to someone else. For the specific case of where Router 2 only needs to see the LAN side IP address of Router 1, using the netmask to prevent Router 2 from "seeing" other devices on the LAN side of Router 1 works.

Correct. It does nothing to prevent sniffing. Please note the question was about wireless networking. You could have the ideal case of two WAN IP's, two wireless routers, two isolated LAN's, and the wireless traffic of BOTH wireless LAN's are exposed to sniffing.

In my customers' coffee shop wireless installations, the problem was keeping the wireless customers out of the wired ethernet devices that were also on the premises. That works, but as you note, not very well. I used double NAT for this purpose and was generally successful. However, the local ISP's are very cooperative and I switched to dual IP addresses with two routers and have lived happily ever after.

I guess that's a request for details. Note that double NAT is not the classic double firewall, with a DMZ in between, stuffed with public servers.

I had some problems with:

  1. Remote admin. Every time I needed to administer a machine on the LAN side of Router 2, I had to punch a hole in BOTH firewalls. This made port forwarding a mess.
  2. Port triggering and port forwarding setups required tweaking both routers.
  3. A few applications just didn't work. I don't want to itemize these or I'll never get back to doing my taxes.
  4. The credit card machine was on the LAN side of Router 2. The service company wanted access from the internet and went ballistic when they found they were going through two routers. They claimed it was "unsupportable" even though it worked.
  5. Applications that require UPnP (MSN Mess, AOL with Port Magic) would complain that the router is misconfigured. It would work on the LAN side of Router 1, but complain on the LAN side of Router 2. Most of these applications have been fixed to run on such double NAT systems long ago, but that provided additional inspiration to avoid double NAT.
  6. It would screw up some file sharing software. This was actually an advantage except that the P2P junk would work on the public LAN (LAN side of Router 1), but not on the inside LAN (LAN side of Router 2). This falls under "I don't care".
  7. Some reports that VoIP (SIP phone) services had some weird problems that I wasn't interested in debugging.

Some more comments on double NAT by others:

Jeff Liebermann

Your comment - "if Router 2 needs to see all the devices on the LAN side of Router 1.", is off base.

It has nothing to do with "seeing".

A mask determines whether a destination device is reachable directly, or whether the services of another router are required.

If Router 2 had traffic to forward to a LAN host on the WAN side, and the host was determined to be on another network due to the difference in masks, it would forward the packet to Router 1, and Router 1 would forward it to the host that shares the same mask.

If Router 1 had a return route, and the WAN port of Router 2 permitted return traffic, a connection would be established.

If Router 1 did not have a route to the LAN side of Router 2, connections would not be established.

Best Regards, News Reader

Jeff Liebermann wrote:

News Reader

OK. Please replace my use of the word "see" with "reach". The WAN port on Router 2 only needs to see, reach, connect to, handshake, pass traffic with, etc, exactly one device. That's the LAN IP address of Router #1. It has no need to see, reach, connect to, handshake to, pass traffic with any other device on the LAN side of Router 1 other than the sole router IP address and its broadcast address. The whole idea is to *NOT* let Router 2 see, reach, connect to, handshake, pass traffic with, etc, anything on the LAN side of Router 1 (other than the router itself).

If the traffic from the LAN side of Router 2 needs to go to a host on an "another" (what other?) network, it would all go through the default gateway, that points to Router 1, which would forward the packets to its favorite default gateway at the ISP. You can stack up default gateways this way forever.

However, passing through a default gateway does NOT magically inherit the netmask of the originating client or router. The netmask is strictly a filter and is only used on the device to which it is configured. There's no field in the IP or TCP headers for netmask.

Coming from the LAN side of Router 2, the return path is via two default routes, both of which are within the netmask. This is not a problem.

Would it help any if I set up such a double NAT setup and posted the resultant router tables? I think I can throw something together running DD-WRT in the next day or three. (But first I gotta work on my taxes). I know it works because I've done it this way in the past, but it's been a while and I may be having a memory fault.

Jeff Liebermann

You misunderstood my point.

I understand that you don't want LAN hosts on the LAN side of Router 2 to communicate with LAN hosts on the WAN side of Router 2 (i.e. LAN hosts of Router 1, if you prefer).

My point is that you have suggested that your mask on the WAN port of Router 2 would "prevent" the undesirable communication. That is not true.

The WAN interface of Router 2 (, sees its network as being Subnet, with assignable host addresses in the range of -, and a broadcast address of

A host connected to the LAN interface of Router 1, with an IP address of lets say, is seen by Router 2, as NOT being on the same network. It is not one of the assignable host addresses ( -, and not the broadcast address.

Packets are forwarded to a default gateway when a better route is NOT known.

Who said anything about inheritance?

The LAN interface on Router 1 (, sees its network as being Subnet, with assignable host addresses in the range of -, and a broadcast address of

If Router 1 receives a packet forwarded from Router 2, that is destined to host e.g.:, Router 1 says "that is on a network that I am attached to, I can reach it directly". It would therefore deliver that packet to the LAN host contrary to your claims.

A default route is used when a better route is not known. If the destination of a packet is on a network connected to the router, "and" the destination host's IP address is within the range of the network "as defined by" the mask, the router will deliver the packet directly, and not blindly follow a default route.

A network is defined by a mask. It is not defined by physical interfaces.

I am not saying your topology won't work. I am saying that your use of the mask does not in itself prevent the communications that you want curbed.

News Reader

I'll provide a bit more of a summary here regarding the undesired communications, and why the use of a mask on the Router 2 interface would not prevent it.

Let's say we have a LAN host (Host 2) connected to the LAN interface of Router 2, and a LAN host (Host 1) connected to the LAN interface of Router 1.

Let's say Host 2 tries to communicate with Host 1.

Router 2 receives the packet on its LAN interface, looks in its routing table for a route to Host 1.

Because of the limited mask, Router 2 concludes that Host 1 is NOT on the same network as its WAN interface, and because it doesn't have a route to Host 1, it falls back to its default route, and forwards the packet to Router 1.

Router 1 receives the packet, looks into its routing table, and determines that it has a route to Host 1 (a connected route), because Host 1's IP address is on the same network ( , as Router 1's LAN interface.

Router 1 forwards the packet to Host 1 via its LAN interface. It does not send the packet upstream to the ISP's router.

On the return path:

Typically, Host 1 will not have a route to Host 2 in its local routing table. Therefore, it will forward the packet to its default gateway (Router 1).

If Router 1 has a return route to Host 2, and the WAN port of Router 2 permits return traffic, a connection will be established.

If Router 1 does not have a route to Host 2, connections will not be established.

Best Regards, News Reader

News Reader

Amend as follows:

Since the packet from Host 2 was NAT'd to Router 2's WAN IP address, Host 1 will respond directly to Router 2, rather than sending to its default gateway Router 1.

Amend as follows:

Router 2 will forward the packet to Host 2 because it is a response to a permitted connection request from Host 2.

Amend as follows:

No longer relevant, as Host 1 can respond to the connection request via Router 2. The reason being Host 2 is represented by Router 2's WAN address, and according to Host 1's mask, that address ( is on the same network, and directly reachable without the services of Router 1.

I have confirmed this behavior this evening with a network sniffer. I was able to access an FTP server on Host 1, from Host 2.

I recognize that your concern was that you wanted to ensure that Host 1 could not access Host 2, and that you will likely agree that Router 2 will prevent connection attempts from Host 1 to Host 2 due to NAT.

Furthermore, I recognize that you suggested a better solution than the one being discussed.

Please remember, my response is only intended to demonstrate that your beliefs about the use of a mask on Router 2's WAN interface are incorrect. The mask does not prevent communication between these two systems.

Best Regards, News Reader

News Reader
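The forwarding argument in the two posts above (Router 2 falls back to its default route, Router 1 delivers over its connected route, and Host 1's reply goes straight to Router 2's WAN address) can be checked without two physical routers. The following Python model is an added example, not anything posted in the thread. Its addresses are constructed, since the thread's own numbers did not survive extraction (RFC 5737 documentation range on the ISP side, private ranges inside); its NAT is simplified to a table keyed by peer address rather than by port; and the ISP's gateway is not modelled, so anything forwarded there is reported as having left the site.

```python
"""Two-router ("double NAT") layout from the thread, as a forwarding model.
Constructed addresses (not the thread's own):
    Router 1: WAN 198.51.100.2/24 (gw 198.51.100.1), LAN 192.168.1.1/24
    Router 2: WAN 192.168.1.2/30  (gw 192.168.1.1),  LAN 10.0.0.1/24
    Host 1 (public LAN): 192.168.1.50/24   Host 2 (inside LAN): 10.0.0.50/24
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Node:
    name: str
    ifaces: dict                                   # iface name -> IPv4Interface
    default_gw: Optional[str] = None
    nat_wan: Optional[str] = None                  # iface that NATs outbound traffic
    nat_table: dict = field(default_factory=dict)  # peer ip -> inside host ip

    def addr(self, iface):
        return str(self.ifaces[iface].ip)

    def owns(self, ip):
        return any(self.addr(n) == ip for n in self.ifaces)

    def route(self, dst):
        """Connected route (longest prefix) beats the default route. The mask
        only decides which of the two is used, i.e. *how* the packet leaves."""
        ip = ipaddress.IPv4Address(dst)
        hits = [(n, i) for n, i in self.ifaces.items() if ip in i.network]
        if hits:
            return "connected", max(hits, key=lambda h: h[1].network.prefixlen)[0]
        if self.default_gw is not None:
            return "default", self.default_gw
        return "none", None


def build():
    ifc = ipaddress.IPv4Interface
    nodes = [
        Node("Router1", {"wan": ifc("198.51.100.2/24"), "lan": ifc("192.168.1.1/24")},
             default_gw="198.51.100.1", nat_wan="wan"),
        Node("Router2", {"wan": ifc("192.168.1.2/30"), "lan": ifc("10.0.0.1/24")},
             default_gw="192.168.1.1", nat_wan="wan"),
        Node("Host1", {"eth": ifc("192.168.1.50/24")}, default_gw="192.168.1.1"),
        Node("Host2", {"eth": ifc("10.0.0.50/24")}, default_gw="10.0.0.1"),
    ]
    return {n.name: n for n in nodes}


def owner(nodes, ip):
    return next((n for n in nodes.values() if n.owns(ip)), None)


def forward(nodes, start, src, dst, max_hops=8):
    """Carry one packet hop by hop. Returns (outcome, hops, src) where src is
    the source address as the last node sees it (rewritten by any NAT)."""
    node, hops = nodes[start], [start]
    for _ in range(max_hops):
        # Inbound NAT: a packet for the WAN address is admitted only if it comes
        # from a peer the inside already talked to (simplified: keyed by peer
        # address only; real NAT also keys on ports).
        if node.nat_wan and dst == node.addr(node.nat_wan):
            inside = node.nat_table.get(src)
            if inside is None:
                return "dropped-by-nat", hops, src
            dst = inside
        if node.owns(dst):
            return "delivered", hops, src
        kind, where = node.route(dst)
        if kind == "none":
            return "no-route", hops, src
        next_ip = dst if kind == "connected" else where
        out_iface = node.route(next_ip)[1]
        if out_iface == node.nat_wan:              # outbound NAT on the WAN side
            node.nat_table[dst] = src
            src = node.addr(out_iface)
        nxt = owner(nodes, next_ip)
        if nxt is None:                            # ISP gateway: not modelled
            return f"left-via-{next_ip}", hops, src
        node, hops = nxt, hops + [nxt.name]
    return "loop", hops, src


def exchange(nodes, a, b):
    """Host a sends to host b; if it arrives, b replies to the address it saw."""
    src, dst = nodes[a].addr("eth"), nodes[b].addr("eth")
    out, path, seen = forward(nodes, a, src, dst)
    result = {"request": out, "path": path, "src_seen_by_b": seen}
    if out == "delivered":
        back, rpath, _ = forward(nodes, b, dst, seen)
        result.update(reply=back, reply_path=rpath)
    return result


def subnet_summary(cidr):
    """ipcalc-style view of a prefix, e.g. the /30 on Router 2's WAN port."""
    net = ipaddress.IPv4Interface(cidr).network
    hosts = list(net.hosts())
    return {"network": str(net.network_address), "broadcast": str(net.broadcast_address),
            "first_host": str(hosts[0]), "last_host": str(hosts[-1]),
            "host_count": len(hosts)}


if __name__ == "__main__":
    print(subnet_summary("192.168.1.2/30"))
    print("Host2 -> Host1:", exchange(build(), "Host2", "Host1"))
    print("Host1 -> Host2:", exchange(build(), "Host1", "Host2"))
    print("Host1 -> Router2 WAN:", forward(build(), "Host1", "192.168.1.50", "192.168.1.2")[0])
```

Run as-is, the model reproduces the thread's conclusion: Host 2's packet to Host 1 goes Host2 -> Router2 (default route, source rewritten to 192.168.1.2) -> Router1 (connected route) -> Host1, and Host 1 replies straight to Router 2's WAN address because that address falls inside Host 1's /24. In the other direction, Host 1's packet to 10.0.0.50 leaves via Router 1's default route toward the ISP, and a packet aimed at Router 2's WAN address with no matching NAT state is dropped, which is the isolation the arrangement does provide.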


Argh. You're correct. Despite my being sure the WAN netmask trick would work, it just failed. I set up a test system using two routers running DD-WRT that look like my example:

Router 1                      Router 2
WAN= ISP assigned             WAN=
WAN Netmask= ISP assigned     WAN Netmask=
Gateway= ISP assigned         Gateway=
LAN IP=                       LAN IP=
LAN 1 =                       LAN 2 =
LAN Netmask=                  LAN Netmask=

Users on the LAN side of Router 1 use (public access)
Users on the LAN side of Router 2 use (inside LAN)

I also set up Host 1 on LAN 1 at and Host 2 on LAN 2 at

According to my explanation, I should NOT be able to ping Host 1 from Host 2 thanks to the netmask. Well, that didn't work. It was possible to ping Host 1 from Host 2, which means that the netmask trick does NOT work.

As it stands, it's still a way of preventing users on LAN 1 from seeing LAN 2, which is blocked by NAT. However, all the machines on LAN 1 can be seen by LAN 2.

Incidentally, I tried a few random programs from LAN 2 (via double NAT) to see if any of them break. So far, everything I've tried works. Of course, anything that requires incoming ports (Echolink, VNC, Remote Desktop, etc) won't work without router reconfiguration.

I'll swear I had this working at one time and will play with it some more tonite to see if I missed something. Thanks much for your patience and explanations. I'm not sure where I screwed up, but I'll read your comments more carefully after I work on my taxes some more.

Jeff Liebermann

The mask impacts "how" the packet is delivered and not "whether" the packet is delivered.

Key points:

Router 2 determines that Host 1 is not directly reachable due to the mask, and therefore forwards to Router 1.

Router 1 determines that Host 1 is directly reachable via a connected route, and delivers packets to it.

Good luck with your taxes.

Best Regards, News Reader

News Reader