I don't have a good picture of how you've arranged that. I can't tell if you have 2 or 3 WRT54GS units either.
Is this accurate:
is a wired link, is a wireless link
WRT54GS #1 (WDS enabled) ADSL WAN PORT 192.168.0.20 +++> LAN/WIRELESS 192.168.10.254 WRT54GS #3 (WDS enabled) + neighbor's + WRT54GS #2 (WDS disabled) +++> WAN PORT 192.168.10.10 +++> LAN/WIRELESS 192.168.50.254 Laptop client + + ETHERNET SWITCH +++> INTRANET PORT +++> INTRANET PORT + ... + +++> Multiple Desktop Hosts
If you want traffic from the switch to be able to access the Internet, then WRT54GS #1 and #2 *must* route traffic between those IP addresses.
You can, however, enable the firewall and put filters on what WRT54GS #2 will allow through the WAN port. That of course will necessitate configuring ipchains in that router.
Yes. Configure his WRT54GS as an Access Point with WDS enabled. He can then use _both_ wireless connections and plug local wired connections into the LAN ports.
For that his WRT54GS would be set to Client, and he would *not* be able to access it with wireless clients.
I'd change your layout a little, perhaps.
WRT54GS #1 (WDS disabled) ADSL WAN PORT 192.168.0.20 +++> LAN/WIRELESS 192.168.50.254 Laptop client + + ETHERNET SWITCH +++> INTRANET PORT + INTRANET PORT Multiple Desktop Hosts + + WRT54GS #2 (WDS enabled) + WAN PORT 192.168.10.10 +++> LAN/WIRELESS 192.168.10.254 WRT54GS #3 (WDS enabled) neighbor's
With this arrangement you don't need to do anything special with the ipchains filters, and instead need to do a little fancy fiddling with the route tables in the WRT54GS #2.
Specifically, any subnet that you want to isolate from the neighbor should be routed to the WAN port (device vlan1). You could have one entry that routes one subnet to the LAN port (actually, to the bridge, device br0), and then a catch all entry to route everything else in the 192.168.n.n range to the WAN port. And then a default that sends everything else to the ADSL address.
So, let's say your ADSL has an IP of 192.168.0.1, and the other ranges are as follows:

  192.168.50.n   Your LAN, both wired and wireless
  192.168.10.n   Neighbor's LAN, both wired and wireless

In WRT54G #1 you want a route table that looks like this

  Destination     Gateway         Netmask           Device
  192.168.0.0     *               255.255.255.0     vlan1
  192.168.10.0    *               255.255.255.0     br0
  192.168.50.0    *               255.255.255.0     br0
  default         192.168.0.1     255.255.255.255   vlan1

Everything to 192.168.0.n goes to the WAN port (vlan1), which provides a route to the gateway specified as a default address. The two subnets, yours at 192.168.50.n and the neighbor's at
192.168.50.n are routed to the bridge and thus to both wireless and LAN ports. (Which also means you can actually use the same IP address range on your LAN or for a wireless client... *if* you want the neighbor to have access to that particular host.)
And the default sends everything else to the WAN port.
In WRT54G #2 you want a route table that looks like this

  Destination     Gateway         Netmask           Device
  192.168.0.0     *               255.255.255.0     br0
  192.168.10.0    *               255.255.255.0     br0
  192.168.0.0     *               255.255.0.0       vlan1
  default         192.168.1.1     255.255.255.255   br0

This also sends everything to 192.168.0.n to the LAN/Wireless ports. If you wanted, that could be just a host route, which would be

  192.168.0.1     *               255.255.255.255   br0

and then *only* that one address would have a route.
It also sends everything for the neighbor's subnet,
192.168.10.0, to the LAN/Wireless ports. Then there is the catch all which sends *all other* 192.168.n.n traffic to the vlan1 device (which is a dead end with nothing attached). That effectively filters out all traffic directed at your LAN subnet.
And finally there is a default, which sends everything else to the LAN/Wireless ports (and thus to WRT54G #1).
Caveat: I haven't tried it all. I did try the routing as described for WRT54G #2 and am positive that part will work.
I also don't know just how you can set routes like that via the web interface. I found it very frustrating to deal with, and simply gave up and went to using a command line interface by accessing the router via telnet.
If you choose to telnet into the WRT54GS, I have no experience with the Sveasoft Alchemy firmware, but it is no doubt very similar to their Satori firmware for what you'll need to do. I can give you a /tmp/.rc_startup file that will,
initialize /etc/hosts, /etc/resolv.conf, /tmp/.profile and a /tmp/routes file that contains routing commands.
Execute the /tmp/routes file, to set routing.
Set a hostname for the router
Set the timezone and the hardware clock
Start syslogd
The /tmp/.profile root shell profile contains the following,
Sets a color prompt that shows the host name of the router, the user name, and the current directory.
Defines a function to save /etc/hosts, /etc/resolv.conf, /etc/.profile, /tmp/routes, and /tmp/.rc_startup files to nvram, allowing configuration to survive a reboot.
Defines a function to restore /etc/hosts, /etc/resolv.conf, /etc/.profile, /tmp/routes, and /tmp/.rc_startup files from nvram. Hence you can try things, and with one command reset to the boot time configuration.
Defines aliases for ls and ll, variations of /bin/ls.
Defines a "help" command alias for the _wl_ program, which will page the help output of wl for easier reading.
Defines a command alias to repeat, every 10 seconds, the signal strength from any of a list of MAC addresses for wireless clients.
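
The route table described above for WRT54GS #2 can be checked with a longest-prefix-match lookup; this is an added example, not part of the original post. The `lookup` and `audit` helpers are hypothetical names, the default route is modelled as 0.0.0.0/0, and the host-route variant is constructed to show what a leak looks like.

```python
import ipaddress

# WRT54GS #2 table from the post, written as CIDR (netmask -> prefix length).
# The "default" entry is modelled as 0.0.0.0/0 (assumption of this example).
ROUTES_2 = [
    ("192.168.0.0/24", "br0"),    # path to the ADSL side via WRT54GS #1
    ("192.168.10.0/24", "br0"),   # neighbor's subnet
    ("192.168.0.0/16", "vlan1"),  # catch-all for 192.168.n.n: dead-end WAN port
    ("0.0.0.0/0", "br0"),         # default, toward WRT54GS #1
]

def build_table(rows):
    """Parse rows and order them most-specific first, as a kernel lookup would."""
    table = [(ipaddress.ip_network(cidr), dev) for cidr, dev in rows]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table

def lookup(table, addr):
    """Return (device, matching route) for addr using longest-prefix match."""
    ip = ipaddress.ip_address(addr)
    for net, dev in table:
        if ip in net:
            return dev, str(net)
    return None, None

def audit(table, protected, dead_end="vlan1"):
    """List every host address in the protected subnets that is NOT sent
    to the dead-end device, i.e. that the neighbor's router could reach."""
    leaks = []
    for cidr in protected:
        for host in ipaddress.ip_network(cidr).hosts():
            dev, _ = lookup(table, str(host))
            if dev != dead_end:
                leaks.append(str(host))
    return leaks

TABLE_2 = build_table(ROUTES_2)

# Constructed variant: a later host route re-exposes one machine on the
# protected LAN. A /32 beats the /16 catch-all, so the audit reports it.
TABLE_2_LEAKY = build_table(ROUTES_2 + [("192.168.50.7/32", "br0")])

if __name__ == "__main__":
    for addr in ("192.168.0.1", "192.168.10.254", "192.168.50.20", "8.8.8.8"):
        print(addr, "->", lookup(TABLE_2, addr))
    print("leaks:", audit(TABLE_2, ["192.168.50.0/24"]))
    print("leaks (variant):", audit(TABLE_2_LEAKY, ["192.168.50.0/24"]))
```

Re-running the audit after every change to /tmp/routes catches a more specific route that silently overrides the catch-all.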