Topic: Any wireless router gurus in the house?

Bogie

Any wireless router gurus in the house?
« on: April 15, 2010, 01:28:58 PM »
I have to hook two up to one incoming line - One for private and secured use, and the other open to a customer base, who should not be able to see/access the private side... Any suggestions?
Blog under construction

Zardozimo Oprah Bannedalas

Re: Any wireless router gurus in the house?
« Reply #1 on: April 15, 2010, 01:40:34 PM »
You can 'hide' a wireless network, so that you can only connect to it if you know its name. Set the private one to hide itself, and filter by MAC address/require an encryption key besides.

Bogie

Re: Any wireless router gurus in the house?
« Reply #2 on: April 15, 2010, 01:44:49 PM »
So, it's...
 
cable modem to unsecured router to secured router (hidden plus encrypted)
 
Guessing I'll have to set different IPs to start... unsecured will stay at 192.168.1.1 and secured 172.148.1.1?
 
Blog under construction

zxcvbob

Re: Any wireless router gurus in the house?
« Reply #3 on: April 15, 2010, 01:57:57 PM »
Just be aware that MAC address filtering and not broadcasting the SSID are easy to hack.  Make sure you also use strong encryption (not WEP.)
"It's good, though..."

bmitchell

Re: Any wireless router gurus in the house?
« Reply #4 on: April 15, 2010, 02:14:13 PM »
WPA-2 is available on most modern (last few years) machines and routers.  Very good encryption.

Ben

sanglant

Re: Any wireless router gurus in the house?
« Reply #5 on: April 15, 2010, 02:32:29 PM »
One thing to remember: when you hide your network, someone can set up a network over it (on the same channel [not that they can't anyway, but they can't tell they're doing it if it's hidden]), so remember to check that first if it gets slow. [popcorn] I had my PS3 set to be an AP for remote play with my PSP, and when it was on my 802.11 was well under a quarter of its normal speed. :facepalm:

lee n. field

Re: Any wireless router gurus in the house?
« Reply #6 on: April 15, 2010, 04:09:04 PM »
Quote
So, it's...
cable modem to unsecured router to secured router (hidden plus encrypted)
Guessing I'll have to set different IPs to start... unsecured will stay at 192.168.1.1 and secured 172.148.1.1?

You got it.   "I believe you have it surrounded."
In thy presence is fulness of joy.
At thy right hand pleasures for evermore.

Firethorn

Re: Any wireless router gurus in the house?
« Reply #7 on: April 15, 2010, 04:53:59 PM »
Quote
So, it's...
cable modem to unsecured router to secured router (hidden plus encrypted)
Guessing I'll have to set different IPs to start... unsecured will stay at 192.168.1.1 and secured 172.148.1.1?

I wouldn't bother with the hidden thing.  Somebody running netstumbler or equivalent will still get the name within a short period as long as there's any clients within range.

Definitely use WPA2 w/AES though, for the private network - leave the public open or maybe set a key that you only give to customers.

As for the connections, that sounds right, as well as setting different IP address ranges so the NAT works right.

If possible, I'd get a 5 GHz capable router for your private network - you get a little less range, maybe, but a lot more channels to play with without interference.

By 'maybe', they've found that 5 GHz channels often have a bit more range in field conditions due to the lower noise floor - too many devices broadcasting in the 2.4 range for you to get the most range out of it.

Also, if the area to be covered is small, you can turn the transmission power down, makes it harder for people to connect to your network from the parking lot.
« Last Edit: April 15, 2010, 04:58:19 PM by Firethorn »

GigaBuist

Re: Any wireless router gurus in the house?
« Reply #8 on: April 15, 2010, 10:59:25 PM »
Quote
Guessing I'll have to set different IPs to start... unsecured will stay at 192.168.1.1 and secured 172.148.1.1?

Eh, you should probably pick a different netblock for the secured network.  172.148.1.1 is owned by AOL.

RFC 1918 defines the blocks acceptable to use for private networks: http://www.faqs.org/rfcs/rfc1918.html

Quote
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

I'm not real keen on the idea of just daisy-chaining the routers like that though.  Some nimrod on the public side could play merry hob with the network and the router that's controlling the entire internet connection would be under their mercy.  Probably far better to put an ethernet only router behind the cable modem that can do some QoS and VLANs and then drop the two wireless routers behind that.  The added bonus would be that if you have anything on the secure network that needs to be a server of some sort you could bundle the extra ethernet ports on the main router into that VLAN.

But that's going to be costly, my terminology might not be perfectly correct, and it's probably way overkill for what you really need.  I could have probably stopped with pointing out the improper selection of IP address space. :)

zxcvbob

Re: Any wireless router gurus in the house?
« Reply #9 on: April 15, 2010, 11:20:18 PM »
Quote
Eh, you should probably pick a different netblock for the secured network.  172.148.1.1 is owned by AOL.

That's a very good catch.  I saw the "172." and assumed it was OK.  (I use "10." addresses whenever I set up a local network)
Quote
RFC 1918 defines the blocks acceptable to use for private networks: http://www.faqs.org/rfcs/rfc1918.html

I'm not real keen on the idea of just daisy-chaining the routers like that though.  Some nimrod on the public side could play merry hob with the network and the router that's controlling the entire internet connection would be under their mercy.  Probably far better to put an ethernet only router behind the cable modem that can do some QoS and VLANs and then drop the two wireless routers behind that.  The added bonus would be that if you have anything on the secure network that needs to be a server of some sort you could bundle the extra ethernet ports on the main router into that VLAN.

But that's going to be costly, my terminology might not be perfectly correct, and it's probably way overkill for what you really need.  I could have probably stopped with pointing out the improper selection of IP address space. :)

How about connecting both routers to the modem, using a switch?  Most ISPs will give you more than one address (I think mine gives me 3 or 4; I'm only using one)
"It's good, though..."

Phantom Warrior

Re: Any wireless router gurus in the house?
« Reply #10 on: April 15, 2010, 11:30:52 PM »
Isn't the 172.148.1.1 not an issue because it's behind NAT (right)?  If it's behind NAT it shouldn't matter if it's a non-routable IP address.

Firethorn

Re: Any wireless router gurus in the house?
« Reply #11 on: April 16, 2010, 09:38:56 AM »
Quote
Isn't the 172.148.1.1 not an issue because it's behind NAT (right)?  If it's behind NAT it shouldn't matter if it's a non-routable IP address.

The problem would be that if you need to access anything from that address on the actual internet, your system will be trying to route it within the LAN.  If anything from that IP range outside needs access to the servers, the packets might arrive fine, but again, the packets will be trying to find the address on the local LAN.

I don't have the various blocks memorized, that's why I didn't say anything.

I'll also note that it's quite possible if you're not going to have more than 200 IPs per side to run one network on 192.168.1/8 and 192.168.2/8.

You can either go the switch route, or see if you can activate QOS on the switch closer to the router to prioritize your private traffic.  Definitely disable accessing the configuration of the switch from the wireless portion, at least on the public side.
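
Added example (not part of any post in this thread): a Python check of a planned LAN layout against the three RFC 1918 blocks GigaBuist quotes. It flags a range such as 172.148.1.1 that would shadow real internet addresses, as Firethorn describes, and any overlap between the two routers' LANs. The /24 prefix lengths and the plan names are assumptions made for the example.

```python
import ipaddress

# The three private blocks quoted from RFC 1918 in the thread.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_lan(cidr):
    """Classify one proposed LAN subnet.

    "private" means it sits entirely inside an RFC 1918 block.
    "shadows-public" means hosts on that LAN would treat real internet
    addresses in the range as local and never reach them.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if any(net.subnet_of(block) for block in RFC1918):
        return "private"
    return "shadows-public"


def check_plan(plan):
    """Check a {name: cidr} plan for two chained NAT routers.

    Returns a list of problem strings; an empty list means every LAN is
    RFC 1918 space and no two LANs overlap.
    """
    nets = {name: ipaddress.ip_network(cidr, strict=False)
            for name, cidr in plan.items()}
    problems = []
    for name, net in nets.items():
        if check_lan(str(net)) != "private":
            problems.append(f"{name}: {net} is not RFC 1918 space")
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            # Overlapping LANs leave the inner router unable to tell
            # its own side from the outer router's side.
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} overlap: {nets[a]} / {nets[b]}")
    return problems


if __name__ == "__main__":
    # Constructed plans; the /24 prefix lengths are assumptions.
    original = {"public": "192.168.1.1/24", "private": "172.148.1.1/24"}
    fixed = {"public": "192.168.1.1/24", "private": "192.168.2.1/24"}
    for label, plan in (("original", original), ("fixed", fixed)):
        print(label, check_plan(plan) or "ok")
```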


Bogie

Re: Any wireless router gurus in the house?
« Reply #12 on: April 16, 2010, 10:56:44 AM »
Okay - - I'll use something else - was just the first number that I pulled up...
 
So access to unsecured to secured not optimal? How about adding in another router, and just turn off the wireless on it? Access to off to public and private?
 
Blog under construction

Firethorn

Re: Any wireless router gurus in the house?
« Reply #13 on: April 16, 2010, 02:39:49 PM »
Quote
So access to unsecured to secured not optimal? How about adding in another router, and just turn off the wireless on it? Access to off to public and private?

You should be able to get a decent quality non-wireless router for substantially less than one with wireless capability, so no need to get a wireless router and shut one of the ports off.

Still, my thought is that, since that involves more money/equipment, see if just the two routers will do what you need them to do.  There are even routers out there with dual radios that can run two networks at once - so you can run an unsecured open point and a secured private point using the same piece of equipment.

Even with two different routers, you should be able to set up QOS (Quality Of Service) to prioritize your private router's traffic.  With something that's actually 'Enterprise/Business', you should be able to set up rules such that the Public side only gets limited access to the internet, while the private gets full access.  Well, except to the public side, because that's blocked.

Valid ranges for NAT:  10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255, 192.168.0.0 - 192.168.255.255

As long as your NAT ranges are within there, you won't be duplicating/blocking any of the internet.

On a final point, if you're going to run any servers on the private network, with the two layer router idea you'd need to do port forwarding twice - once on the private router to get the port to the computer, and on the public side to get the port to the private router.

I have to do this right now because the phone company sent me a combined DSL modem/router, while I run my own wireless router.

DSL modem/router - basic 4 port 100 Mbit switch, no wireless, basic configuration options.

My router:  Dual radio 802.11n, 5 GHz capable, capable of the dual networks I mentioned, gigabit wired switch (4 port), all sorts of QOS fun.  Oh, and I set it up so that to configure the router you need to be on a wired port, plus have the password.

I haven't tested, but I'm pretty sure I could configure one of the wired ports to be 'isolated'.
« Last Edit: April 16, 2010, 02:47:05 PM by Firethorn »

sanglant

Re: Any wireless router gurus in the house?
« Reply #14 on: April 16, 2010, 03:53:41 PM »
It's easier to set up the secure router as a DMZ on the first router [popcorn]