I have a private LAN here on a NetGear FVS338 VPN Firewall Router, with a couple of servers for internal use. Our wireless network is password-protected, and I hate giving out the password to people that want to use our wireless while they are visiting. Or I have to ask them to look away while I type it in. What if they have keylogger software installed? Anyone could have my wireless network password. We use passwords on all our network shares, but I still don’t like the idea of guests having that wireless password to begin with. Here’s how I set up my guest access on its own subnet so that guests have access to the internet but not my private LAN.
I have a small pocket router (D-link DWL-G730AP) for travel. I can hook it up in router mode and provide guest access to the internet with some lame-o password like “12345” (bonus point if you immediately thought of Spaceballs).
The weird thing was how I had to do it after a DWL firmware update. Before the firmware update, I set up LAN multi-homing on the Netgear with a secondary IP of 192.168.1.1/255.255.255.0 (my private LAN is on 192.168.0.1/255.255.255.0). The pocket router (“guest router”) was plugged into the physical LAN via a LAN port on the Netgear router and given a static WAN IP of 192.168.1.2 with a gateway 192.168.1.1 (the Netgear Router works as a gateway). Then the guest router was given a LAN IP address of 192.168.1.3, and ran a DHCP server offering addresses from 192.168.1.100 – 192.168.1.200. My client machine could connect and everything worked. Since the WAN IP of the guest router is on a different subnet than the private LAN, Windows Firewall blocks File and Printer Sharing between the guest LAN and the private LAN, which is what I wanted.
If you don’t assign the guest router a WAN IP on a different subnet and just plug your guest router into your LAN so it gets a WAN IP on your private subnet (typically 192.168.0.1xx from your DHCP server), your guests can see all your network shares because in front of the guest router NAT, all your guest machines appear to be coming from the guest router WAN IP, which is still on your private subnet. Don’t do that. You must separate the subnet on which your guest router WAN IP resides. Other people accomplish something like this by putting the guest router first in the chain, but I don’t want to do that because A). my network is all set up the way I like it, so I don’t want to make major changes, and B). then my private network would be double-natted and I don’t want that as I occasionally open up a service or two (don’t tell my ISP, it’s for personal use only).
Then I merrily updated the firmware on the guest router and suddenly the above setup didn’t work anymore. After the firmware update, the guest router wouldn’t take a LAN IP that was on the same subnet as the WAN IP. The client machines had no access to the internet. I left the WAN IP set up as above, 192.168.1.2/255.255.255.0/gateway=192.168.1.1, and I set the LAN up on 10.10.10.1, with its own DHCP server handing out addresses in 10.10.10.100-10.10.10-200. Then the clients immediately started working.
So it is possible to add a guest wireless router to an existing private network with its own subnet that Windows Firewall (and others, presumably) will respect, without doing any major restructuring to your private LAN.
EDIT: Thanks to Geoff for pointing out that the networks may not be as well separated as you might think at this point. You can still access shares and services on the machines on the main LAN from your guest subnet. My solution was to add firewall rules to the guest router blocking access to the main LAN. I have 3 rules defined on the DWL-G730AP:
1. Drop from all interfaces, source 10.10.10.100 – 10.10.10.254, dest. 192.168.0.2 – 192.168.0.254, proto ICMP, ports 1 – 65534, always
2. Drop from all interfaces, source 10.10.10.100 – 10.10.10.254, dest. 192.168.0.2 – 192.168.0.254, proto UDP, ports 1 – 65534, always
3. Drop from all interfaces, source 10.10.10.100 – 10.10.10.254, dest. 192.168.0.2 – 192.168.0.254, proto TCP, ports 1 – 65534, always
This prevents any services from being accessed, and blocks pings as well so guests on the LAN can only get to your main router (192.168.0.1) for DNS lookups and traffic allowed to pass through that router only.