Another company wifi thread...

Edgar

2[H]4U
Joined
Jul 24, 2005
Messages
2,777
Hello everyone.

Got another one of these threads. This time with a bit more experience.

So I had a netgear WNDR 4500 doing ALL of our office wifi. Guest wifi and internal wifi. It was starting to die. My boss order us 2 new linksys ea6500 http://www.amazon.com/Linksys-Wireless-Dual-Band-Anywhere-EA6500/dp/B008I21EA2/ref=sr_1_2?ie=UTF8&qid=1428592679&sr=8-2&keywords=ea6500 to really seperate the 2. I set the first one up perfectly.

Our internal IP scheme for this office is 192.168.2.xxx.

1st router:
192.168.2.252 with DHCP off. Our server does the actual DHCP and anyone that connects to this is on our internal network. And is connected with one of the LAN ports onto our main switch. Can connect through my web browser and ping it. Setup PERFECTLY.

2nd router: This will be used for our guest network.
In order to keep this seperate linksys says I have to segment the network. So I changed it to 192.168.100.100. Which protects us from the people connecting on the guest network. But I cannot connect to it through my web browser. Nor can I ping it. Also I have to set this one up on the internet port in order for DHCP to work correctly since I want guests to have IP's that can't connect with us.

I'm assuming I can't ping it because it is using the internet port. Same reason for why I can't connect through web browser? I would like to connect to it through my web browser instead of having to use my phone. Is that possible, or do I have something setup incorrectly?

Any help appreciated. I'm always looking to learn.
 
As an Amazon Associate, HardForum may earn from qualifying purchases.
To make this setup work the second router needs to get an IP address from your DHCP server, or needs to have a statically assigned address in an available range. You can then have the DHCP server on the second router issue IP addresses in the 192/168.100.x range.


However, this wont provide you any protection from your clients. Anyone connected to the second router will still be able to see everything in the 192.168.2.x subnet.

You really should get a wireless router that allows you to set up a guest network instead.
 
It has guest wifi capabilities. But it will only work if the ethernet is plugged in through the internet port.

If I plug into one of the regular LAN ports like my first router. Guest wifi does not get internet.
 
It has guest wifi capabilities. But it will only work if the ethernet is plugged in through the internet port.

If I plug into one of the regular LAN ports like my first router. Guest wifi does not get internet.

Then you only need the one router. Set up a guest WiFi SSID on the first router, enable the security settings that it allows you to, and you're good.
 
I got the 2 to balance the load of all the connections.

Guest wifi will not work on the first router because it is connected to our switch from one of its LAN ports. In order for guest wifi to work it needs to be plugged into through the internet port.
 
you could just plug it up through the internet port and then just port forward your web interface so you could get to it remotely... at that point you'd use the ip address it has from your secured network...


this kind of convoluted setup is what results from buying consumer grade gear for a business...
 
Our internal IP scheme for this office is 192.168.2.xxx.

1st router:
192.168.2.252 with DHCP off. Our server does the actual DHCP and anyone that connects to this is on our internal network. And is connected with one of the LAN ports onto our main switch. Can connect through my web browser and ping it. Setup PERFECTLY.

2nd router: This will be used for our guest network.
In order to keep this seperate linksys says I have to segment the network. So I changed it to 192.168.100.100. Which protects us from the people connecting on the guest network. But I cannot connect to it through my web browser. Nor can I ping it. Also I have to set this one up on the internet port in order for DHCP to work correctly since I want guests to have IP's that can't connect with us.

I'm assuming I can't ping it because it is using the internet port. Same reason for why I can't connect through web browser? I would like to connect to it through my web browser instead of having to use my phone. Is that possible, or do I have something setup incorrectly?

Any help appreciated. I'm always looking to learn.

1. This is a decent setup, and is definitely working as intended.

2. The reason you can't ping or manage this device is because you are connecting its EXTERNAL interface, and like any home wireless router will deny any traffic inbound on the WAN (external) interface...including PING and HTTPS management. You can enable this feature if you get back to the web management.

What you need to do is connect to one of the 4 switch ports (the blue labeled ports) and reconfigure.

Honestly, the proper set up for this (depending on your edge router/firewall) would have been to purchase access points and place them on their own networks, either with a L3 switch or a new interface at your edge.

If you connect your guest access wireless router to your LAN and NAT that network behind the WAN interface, you will need to create a static route on your edge router so return traffic can get back to it.

If you need a rudimentary diagram to explain this, please let me know.

EDIT: With Router #2 having its Internet port connected to your LAN, you can essentially think of your trusted LAN as being the ISP for that wireless network. Just think of the security implications and how that would work.
 
1. This is a decent setup, and is definitely working as intended.

2. The reason you can't ping or manage this device is because you are connecting its EXTERNAL interface, and like any home wireless router will deny any traffic inbound on the WAN (external) interface...including PING and HTTPS management. You can enable this feature if you get back to the web management.

What you need to do is connect to one of the 4 switch ports (the blue labeled ports) and reconfigure.

Honestly, the proper set up for this (depending on your edge router/firewall) would have been to purchase access points and place them on their own networks, either with a L3 switch or a new interface at your edge.

If you connect your guest access wireless router to your LAN and NAT that network behind the WAN interface, you will need to create a static route on your edge router so return traffic can get back to it.

If you need a rudimentary diagram to explain this, please let me know.

EDIT: With Router #2 having its Internet port connected to your LAN, you can essentially think of your trusted LAN as being the ISP for that wireless network. Just think of the security implications and how that would work.

you don't need any static routes if you're using NAT
 
As goodcooper phrased more kindly ... Don't use toys to do work. When you need an access point buy a damned access point and business class one at that. When you buy the correct equipment all this kill chicken, spill the blood, say the words crap goes away. It will make your job easier and the job of the person that comes behind you to clean up the mess easier. That said, I hope you're documenting this steaming pile of err solution.
 
you don't need any static routes if you're using NAT


EDIT: DISREGARD BELOW
If your network behind the wireless router is 192.168.100.0/24 how would your edge router on the 192.168.2.0/24 network to get there? You need static routes to access networks behind other routers. The 192.168.100.0/24 network will be able to send traffic out because of default gateways, but traffic will not return when the edge router sees a destination of 192.168.100.0/24 and nothing in the routing table.
 
Last edited:
unfortunately this is what I'm stuck with. Cmustang I would LOVE a diagram. These routers don't have an AP operation mode or that is what I would be using for the second router.
 
If your network behind the wireless router is 192.168.100.0/24 how would your edge router on the 192.168.2.0/24 network to get there? You need static routes to access networks behind other routers. The 192.168.100.0/24 network will be able to send traffic out because of default gateways, but traffic will not return when the edge router sees a destination of 192.168.100.0/24 and nothing in the routing table.

that's how NAT masquerade works... the edge router send that info back to whatever IP address your 2nd double natted router's WAN port has... then that router is smart enough to send it back to whoever on your "guest" network requested the info...

the only reason you'd need a static route on your first network is so you could access things on your 'guest' network from it... and you'd have to jump through some hoops to open the builtin firewalls (and NAT) to allow that... i'd even venture to say that'd be impossible on stock firmware.... plus your 'guest' network, even on your consumer grade equipment (the wrong tool for the job) should be doing client isolation...

it's neither here nor there, as wisdum (and cmustang) mentioned, if you double nat it back, your 'guest' network still technically has access to things on your 'secured' network... if anything you would want to double nat your secured network to make it further up the stream...

what you really need is a 3rd router so that both of these routers can be plugged into IT, to be alongside one another instead of nested....

or, ya know, you could just hire a professional to sell and install the proper equipment, lol

EDIT: good lord these things are 100/each... just send them back... disabled the wireless on your current router and buy two $79 ubiquiti unfis, they'll do this out of the box, even without needing to do it the 'proper' way with fancy VLANs and routers/switches that support such features...
 
Last edited:
EDIT: good lord these things are 100/each... just send them back... disabled the wireless on your current router and buy two $79 ubiquiti unfis, they'll do this out of the box, even without needing to do it the 'proper' way with fancy VLANs and routers/switches that support such features...

Was reading through the thread and was wondering when the hell I would see someone comment on the price and recommend going with some Unifi's to get the job done for cheaper and faster then trying to have two garbage consumer routers hacked together...
 
that's how NAT masquerade works... the edge router send that info back to whatever IP address your 2nd double natted router's WAN port has... then that router is smart enough to send it back to whoever on your "guest" network requested the info...

the only reason you'd need a static route on your first network is so you could access things on your 'guest' network from it... and you'd have to jump through some hoops to open the builtin firewalls (and NAT) to allow that... i'd even venture to say that'd be impossible on stock firmware.... plus your 'guest' network, even on your consumer grade equipment (the wrong tool for the job) should be doing client isolation...

My mistake, you are correct on both accounts.

And yes, OP, this is just a bad deployment concept on all facets.
 
Cmustang I would LOVE a diagram.

image.png


This is about what you would need to do with your setup. It's pretty ugly...
 
Left router is your private (trusted) zone, and the right is the public wifi. However with this setup the public wireless would be able to access your LAN.
 
Last edited:
Was reading through the thread and was wondering when the hell I would see someone comment on the price and recommend going with some Unifi's to get the job done for cheaper and faster then trying to have two garbage consumer routers hacked together...


I didn't want to be "that guy".... but when there is literally no upside to doing it the OPs way, you sort of feel obligated to inform them...
 
I know, kind of sucks OP is in this position. I don't understand why they can't return them?
 
So, here is a dirty solution using current equipment and about 3 minutes setup time. This breaks many RFCs and is not something I recommend, but it will work...

(Assuming your default GW is 192.168.2.1)
Guest router's WAN port STATIC configured to 192.168.2.2 with a subnet mask of 255.255.255.252, default gw of 192.168.2.1. Use public DNS servers for DNS.

This means that you cannot have a machine as 192.168.0.3 since that is the address the second router is using for broadcast, even though no one is listening...

This will segregate guest wifi traffic and is the kind of thing I would do(have done, 3 weeks by mail from new equipment) in a pinch on a home connection where guest segregation is more of a nice thing to have than a absolute requirement.

I reiterate, this is a band-aid solution until you get the proper setup and definitely does not meet any sort of security compliance standards whatsoever.
 
Back
Top