Using 2 daisy chained routers to separate networks on the same ISP.. Help...

WMBlalock (Limp Gawd, joined May 1, 2002, 256 messages)
Hey guys, I have run into this issue a few times and am trying to gather information on the most reasonably priced hardware to do what I want. At a few small local hotels and businesses that I take care of they would like to offer Wireless to their guests (in the lobby for example) using their existing DSL internet connections that they currently use behind the desk. Most of these small businesses cannot afford two internet connections or a complicated dual IP modem / service from their current ISPs. The idea here is to, with hardware, separate the public and private networks so guests using the free wifi cannot access the business machines on the private side. In the distant past I remember having daisy chained two routers such that the private network runs off the original broadband modem/router and the public network runs off the second router which has its WAN port connected to the modem/router's lan ports. Here are the problems I have had trying to recreate this scenario..

1. At two different times I tried using two different brand routers as the secondary router for the public side but both times I could never get the WAN port of the secondary router to acquire an IP address from the primary private modem/router. I have the secondary router set up to dynamically acquire an IP on its WAN port (which is connected to the LAN port of the primary modem/router) but it never acquires an IP, even though the DHCP server on the primary modem/router is on and giving IPs to other PCs just fine. Yes, I've tried both a regular and a crossover cable, nothing helps. I even tried to put in the info and set up the secondary router as if it were using a static IP on the WAN port, but that never works out..

2. On one other occasion, I set up a newer D-Link router as the secondary router; it did acquire an IP on its WAN port from the primary modem/router and would go online fine, but it did not provide the public/private network separation like it was supposed to. Computers running off the private modem/router and the secondary D-Link router could still file share and see each other on the network. Just what I was trying to prevent! It still allowed them to share files even if I set up the second router's DHCP server to give out IPs of a different IP type..

3. In the past I have also used a D-Link DSA-3100 public/private gateway that is specifically designed to perform this task, but the problem is that they are nearly $500 and I believe they are discontinued, as they are hard to find in stock anywhere. If I could find a comparable product that would work, but if I could accomplish the same thing with a daisy chained router for under $100 that would be better.

I know I have done this with two routers in the past, I just forget what brand/model worked for the secondary router. Most routers I have been trying now, for some reason, just don't acquire an IP on the WAN port when it's connected to the first primary modem/router's LAN port. Does anyone know of a brand/model router that will for sure acquire an IP on its WAN port from another router's LAN port? Anyone know of another way to do what I want in a cost effective manner? Thanks!
 
Why not just get 2 static IPs from the ISP and really separate it. Put 1 IP on each router and keep them completely separate.

Other than that, we usually segregate with VLANs and such. Plus you want some QoS so the public side doesn't hog all the bandwidth.
 
Why not just get 2 static IPs from the ISP and really separate it. Put 1 IP on each router and keep them completely separate.

Other than that, we usually segregate with VLANs and such. Plus you want some QoS so the public side doesn't hog all the bandwidth.

I thought about the 2 static IPs from the ISP, but right now I am just trying to find a very low cost solution, and I know this would work without that if I had the correct hardware because I have done it before. Another issue related to cost is the cabling; for example, this one small local hotel does have a separate internet connection for their guests in the main hotel, but they also have some suites in a separate building about a block away. The building a block away only has a single Ethernet cable (actually fiber optic, then converted to Ethernet) that runs to the main office where the private DSL and network connection is. In that building a block away it needs both private network access, and that single connection also needs to provide internet access to those few suites. The simplest and most cost effective solution I can see would be to put a switch in that separate building, then from that switch to A. a wireless router for the guests and B. the private business PC so it can have private network access. This would work fine if I could find a router that will accept a DHCP IP from a primary router on its WAN port and separate the two networks, allowing only internet access to its clients..
 
In the distant past I remember having daisy chained two routers such that the private network runs off the original broadband modem/router and the public network runs off the second router which has its WAN port connected to the modem/router's lan ports.

That's actually backwards, if using standard consumer-grade routers with default-ish settings. The middle router can't access the stuff behind the end router's NAT, but the end router's WAN interface is on the same LAN as the clients on the middle router. You want your private stuff NATed behind the middle router.

If you just need public WiFi access, get a DD-WRT router and setup a second virtual AP with client isolation.
 
I'm not exactly sure how what you said is backwards from what I said, it sounds like the same thing to me.. the private network runs off the combo modem/router supplied by the internet provider, then a cable goes from that combo modem/router to a second router which gives public internet access.. isn't that the same thing you said?

Your idea of DD-WRT for public wifi access will probably work great for one of my businesses. I still need a solution for some other businesses that might need a more expanded public network other than just that single DD-WRT access point, such as maybe a hard wired public side instead of a wireless public side. Any suggestions for that? Shouldn't a 2 router setup do this? Any suggestions on what brand/model would accept a DHCP IP address on its WAN port from another router?
- Mike
 
I'm not exactly sure how what you said is backwards from what I said, it sounds like the same thing to me.. the private network runs off the combo modem/router supplied by the internet provider, then a cable goes from that combo modem/router to a second router which gives public internet access.. isn't that the same thing you said?

No, that's still backwards. "You want your private stuff NATed behind the middle router." meant that you should separate the private stuff from the public stuff with another NAT router, not that the private stuff should be on the middle router. You want the public one first, then the private one.

Code:
      ^
      |
      |
|-----------|
|  Public   |
|-----------|
  ^  ^  ^  ^
  |  |  |  |
           |
           |
           |
     |-----------|
     |  Private  |
     |-----------|
       ^  ^  ^  ^
       |  |  |  |

If you do it this way, the public router clients can't access the private router clients due to the NAT on the private router. Just like a NAT router on a regular internet connection protects you from direct connections from the WAN side, the private router will keep anything on its WAN side (the public router) from connecting directly to the private machines.

If you do it the other way:
Code:
      ^
      |
      |
|-----------|
|  Private  |
|-----------|
  ^  ^  ^  ^
  |  |  |  |
           |
           |
           |
     |-----------|
     |  Public   |
     |-----------|
       ^  ^  ^  ^
       |  |  |  |
then all the public data is actually passing through your private network to get out.
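The ordering argument in this reply (public router first, private router behind it) can be checked with a small reachability model. This is an added example, not code from the thread or from any router vendor: it models a consumer NAT router with default settings as "outbound toward the WAN is allowed, unsolicited inbound across the NAT into the LAN is not", builds both daisy-chain orders from the diagrams above, and reports which LAN can open connections to which and whose traffic crosses whose LAN on the way out. Network names and the build_chain helper are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Network:
    """One LAN segment. `upstream` is the LAN that this segment's NAT router
    plugs its WAN port into; None means the segment is the Internet itself."""
    name: str
    upstream: Optional["Network"] = None


def build_chain(*names: str) -> Dict[str, Network]:
    """Build Internet <- names[0] <- names[1] <- ...: each named router's WAN
    port sits on the previous LAN (assumed helper, not a router feature)."""
    internet = Network("Internet")
    nets = {"Internet": internet}
    up = internet
    for n in names:
        nets[n] = Network(n, upstream=up)
        up = nets[n]
    return nets


def path_to_internet(net: Network) -> List[str]:
    """LANs an outbound packet from `net` traverses, in order, until it exits."""
    hops = []
    n: Optional[Network] = net
    while n is not None:
        hops.append(n.name)
        n = n.upstream
    return hops


def can_initiate(src: Network, dst: Network) -> bool:
    """Can a host on `src` open a new connection to a host on `dst`?
    Model of a default consumer NAT router: a host can reach its own LAN and
    every LAN upstream of it (it is NATed *out* through each router), but it
    can never push an unsolicited connection *into* a LAN behind a NAT."""
    return dst.name in path_to_internet(src)


def reachability(nets: Dict[str, Network]) -> Dict[str, bool]:
    """Every ordered (source -> destination) pair between the two router LANs."""
    lans = [n for n in nets if n != "Internet"]
    return {f"{s}->{d}": can_initiate(nets[s], nets[d])
            for s in lans for d in lans if s != d}


# The order the reply recommends: Internet <- Public <- Private
RECOMMENDED = build_chain("Public", "Private")
# The order the original poster described: Internet <- Private <- Public
BACKWARDS = build_chain("Private", "Public")

if __name__ == "__main__":
    for label, nets in (("recommended", RECOMMENDED), ("backwards", BACKWARDS)):
        print(label, reachability(nets))
        print("  public traffic exits via:", path_to_internet(nets["Public"]))
```

With the recommended order, Public->Private is False (the private router's NAT shields the office machines) while Private->Public is True, which matches the note that the end router's WAN interface sits on the middle router's LAN. With the backwards order, Public->Private becomes True, and the public path lists the Private LAN as a hop, which is the "public data passing through your private network" problem. The model deliberately ignores port forwards and firewall rules: a forwarded port on the private router would reopen exactly the hole the ordering is meant to close.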
 
Ahhh, I see. Thanks for explaining! See, one of my scenarios is such that a hotel has two buildings, the main building and the suites building (which has an office in it as well). There is one Ethernet cable (over an optical cable actually) between the two buildings. The main building has the hotel's private network. The cable between the two buildings is hooked up to the private network in the main building. In the suites building I need to take that connection and allow one office PC onto the private network, then I need to take the internet from that same cable and share it for public wifi use in that suites building. What do you think the cheapest and easiest way to do that is? Options with and without QoS?
- Mike
 
Honestly, I'd pay the $5/mo for an extra IP and run two separate NATed LANs for private and public. Unless you get into VLANs and stuff (which I don't know much about), you can't securely provide public access from behind the private connection in the second building. A second IP would also isolate the public traffic from the private stuff - how much will it hurt when someone spams or DDoSes from that public connection and it interrupts the internet connection for the private LAN? Run the modem into a cheap switch to split it off to two routers, public and private. From there, you may need to buy additional switches and/or access points (you can buy a cheaper router and disable the "routing stuff" to make it act as an AP) to extend each LAN to other areas. Also remember that consumer-grade routers are consumer grade. They can hand out 250 IPs, but most don't handle it too well once you get more than a few clients behind one. They simply aren't made to handle much more than a common household's setup.

It seems like you're looking to do quite a bit of advanced routing with only buying 2 $20 routers. Like the old saying goes, "Good, cheap, secure - pick two". You're either going to have to pony up a little more cash to get enterprise stuff, deal with half-assed setups, or sacrifice security.
 
My setup currently is {ISP} -> DD-WRT with no special settings (192.168.0) -> D-Link (192.168.1)

.0 is my network, .1 is isolated purely because it's a malware risk (I know .1 can see .0, but self propagating malware usually can't cross subnets + local firewall ignores .1)
 
Why bother double NAT'ing....
1 router/firewall
1 managed switch...and do port based VLANs.
VLAN1 for the office
VLAN2 for the guests
Uplink ports and wireless access points to appropriate VLAN.

For hotels 'n such...500 dollars for a unit which runs stable under heavier loads and provides that separation isn't much.

There are also some biz grade wireless units which will provide client isolation...each wireless client is treated like its own VLAN.
 
If your clients/friends are going to have any heavy use, I'd highly recommend looking into a decent managed switch, a $300-$500 managed switch, and setting up some VLANs (ports 1-18 VLAN-1, the guest network, and ports 20-24 VLAN-2, the 'private' network). The thing is, if they have a customer or hotel guest who experiences hangups and crashes in their connection, it's going to leave a bad taste.

But, if you're anticipating small usage, a DD-WRT router would work very well. I set up my accountant with a DD-WRT on a Linksys WRT54, setting up ports 3 and 4 as a separate VLAN and running the cable to a desk in their conference room, with separate DHCP subnet. I.E., the 'guest' ports are 192.168.2.1/2 while the home ports are the usual 192.168.1.xx. Port 1 goes to a switch that runs to their 3 computers and port 2 to his wifi. Now when I, or other clients, have to meet in their office I can easily use his internet connection without fear of 'network contamination.' I charged him $200 for the whole deal, but parts were only $60 or so.

EDIT:
I forgot to include this, but the reason for my post is to steer you away from the double NAT. It can cause issues with some network registrations; in my case the super-crappy antiquated VPN I have to go through to connect to some NIST labs just doesn't work when going from a router behind a router. I really don't know why, but it just don't work. Those Gov. IT weenies have told me it has something to do with 'older' routers, which may or may not be. Maybe I'll try to connect my spare router and test this at home for you. That said, some people who need to use the network may have the same issues.
 