[allochthonous]

I finally got it to work. Apparently at least part of the problem was was a cabling issue.

I was not happy with the performance though, as it seemed to take a long time for a host to be able to access the internet from the second layer.

Can anyone think of another way to accomplish what i want? A friend recommended DD-WRT and set up seperate VLANS.

pk

[zx10guy]

Yes, you can accomplish it in another way. I've never played with DD-WRT so I can't comment there. But I have extensive experience with network devices with this type of native support. The basic setup you would need to do is to create two VLANs to get logical separation of the two areas of your network you want isolated. The router/firewall you use as the common connection to the internet has to support either multiple physical router interfaces where each physical interface is plugged into the respective VLANs. The other method is to use one physical connection for both VLANs into the router/firewall but you'll need to create sub-interfaces or virtual interfaces to allow routing of traffic from the VLANs. You also need ensure the router/firewall does not do inter-VLAN routing. Finally, you need to configure proper NATing which becomes harder if you only have a single public IP.

At the layer 2 level, you'll need either a single managed switch which understands VLAN tagging that's if DD-WRT adheres to the IEEE802.1Q standard. Or you'll have to buy two physical switches and plug each of them to a designated port for the VLAN they are to serve.

[JohnWill]

I'm curious as to your issues with the daisy-chained routers, I've done this a number of times and there has been no measurable performance hit on the secondary router.

Are you sure you don't have an MTU issue here? What kind of modem is the primary router connected to, make and model please?

[zx10guy]

I agree. Having the routers daisy chained should not impact performance measureably. In fact, my home setup has a Netgear FVS338 as the edge router and a Cisco ASA5505 right behind it. I see no issues with performance.

[allochthonous]

To eliminate any hardware issues with the hand me down router, I bought a new second router (a Netgear WPN824) and hooked it up as planned. Everything seems to be working OK. I left both routers set on DHCP. ROUTER1 getting its IP address and DNS IP’s from the modem (ISP) and ROUTER2 getting its IP and DNS addresses from ROUTER1. I can ping both gateways (192.168.1.1 and 192.168.6.1) from a client on the 1.0 network, but cannot ping a client on the 6.0 network. I cannot ping 192.168.1.1 from a client on the 6.0 network, nor can I ping a client.

Am I good to go? Is this the best method for what i want to do?

I just don't have time to delve into the world of DD-WRT.

PK

[JohnWill]

Well, that's pretty much as expected. You are trying to communicate across the NAT layer, the whole point of the NAT layer "firewall" is to prevent outside access to machines on the router.

[allochthonous]

So are you saying that I am successful and this is a way to accomplish my goal of two distinct networks with the same Internet access?

Are there any potential issues i should be aware of?

PK

[JohnWill]

You're talking about two networks, yet you're trying to connect between them. Are you trying to isolate network segments or do you want them all to be able to connect to each other?

[allochthonous]

No, thats just it. I am trying to NOT communicate between the two. I want them completely isolated, with no risk of cross contamination.

My not being able to ping is a GOOD thing....right?

PK

[JohnWill]

Correct, that's a good thing.