Solved: Hotspot and Private Network with 2 Routers

Discussion in 'Networking' started by edmacke, Jan 10, 2011.

Thread Status:
Not open for further replies.
  1. edmacke

    edmacke Thread Starter

    I have 2 wireless Linksys E1000 routers. My goal is to create an unrestricted public hotspot and a normal secure network, all using a single DSL connection.

    I realize the E1000 has this capability built in, but I ran into several problems:
    • Its public hotspot requires a password - which is entered by the client on a browser page it serves up. That doesn't work if your client doesn't use a browser (e.g. Nintendo DS).
    • I want to use DHCP for my hotspot and static IPs for my home network, but if that's even possible - and I have my doubts - it would require the use of the E1000's control panel. But once you use the control panel, you permanently lock out your ability to control the hotspot (via the Linksys software) - this is completely stupid design on Linksys' part, but it is what it is.

    I've also seen articles that say you can accomplish what I'm trying to do with a single router by using DD-WRT, but the E1000 isn't supported by DD-WRT (plus I'm a little nervous about turning my router into a brick).

    So my plan was to do something like this:
    • Connect an E1000 to my DSL modem. This will be my "public" router. Make it a DHCP server with no wireless security whatsoever.
    • Connect the second E1000 to the first. This will be the router for my private network. Turn off DHCP.
    • The private router would be locked down: static IP, WPA/WPA2, etc.
    • My thinking is that the "public" router will basically allow anything with a WiFi antenna to connect to the internet, handing out IP addresses as necessary. The second router will get its WAN IP from the first router.

    Questions
    • Will this even work?
    • Are there any security problems?
    • Would router2 get its IP dynamically from router1, or do I assign it a static IP? If so, how do I do that (i.e. what settings do I use on both router1 and router2?)
    • What IP would my (private network) laptop, desktop, etc. use as the gateway?
    • Would I just use a straight-through cable from a public router LAN port to the WAN port on the private router?
    • If I decide to add some basic security (e.g. WEP) on the hotspot router if I have problems with, say, neighbors sucking up my bandwidth, how would my guests connect? Do they have to set up a new network? Or what?
    • I've seen references on the interwebs that a setup using 2 routers might cause problems due to "Double NAT". What problems?!?!
    • A similar thread on this subject mentioned connecting router2 to router1's DMZ, but this is over my head. How would you do that?
    • Anything else???

    THANKS!!
     
  2. TerryNet

    TerryNet Terry Moderator

    The only definite issue that you will have cascading the routers is that they can't both use the same LAN IP address range. So, for example, if they both default to using 192.168.1.x, change one of them to use 192.168.3.x.

    "Double NAT" is a problem if and only if you want to forward ports (game playing, viewing a web cam from the internet, etc.). The easy way to accomplish that is to put the 2nd router in the 1st router's DMZ (which means you needn't port forward on the 1st router). If you use the DMZ feature then the second router needs to be assigned a static IP address--in the 1st router's IP address range but outside its DHCP server's range.

    If you add encryption (security) to the first router then your guests will need to type the correct encryption key to connect.

    Your computers and other devices will be connected to the second router; thus the Default Gateway (and optionally the DNS server) will be the LAN address of the second router.
     
  3. edmacke

    edmacke Thread Starter

    So..... something like this (not sure about subnet masks and DNS)?

    Router 1 (Hotspot)
    IP: 192.168.1.1
    Subnet: 255.255.255.0
    Connection Type: PPPoE (I have DSL)
    DHCP: Enabled
    DHCP Start: 192.168.1.100
    DHCP Users: 10 (or whatever)
    DMZ: Enabled
    DMZ Destination: 192.168.2.1 (Router 2)
    Wireless Network Mode: Mixed
    Wireless Security Mode: Disabled

    Router 2 (Network)
    Network cable goes from WAN port to Router 1 LAN port
    IP: 192.168.2.1
    Subnet: 255.255.255.0
    Connection Type: Static IP
    Subnet Mask: 255.255.255.0
    Default Gateway: 192.168.1.1 (Router 1)
    DNS: ISP DNS or OpenDNS???
    DHCP: Disabled
    Wireless Network Mode: Mixed
    Wireless Security Mode: WPA/WPA2 Mixed Mode

    Guest Client Settings (to get to Router 1)
    Nothing really - if it can get a signal it can get to the internet (assuming they are set up for dynamic config)

    Network Client Settings (to get to Router 2)
    Fixed IP Address
    IP: Anything in the range 192.168.2.2 through 192.168.2.255
    Subnet: 255.255.255.0
    Default Gateway: 192.168.2.1 (Router 2)
    DNS Servers: ISP DNS or OpenDNS???
    WPA Passkey
     
  4. TerryNet

    TerryNet Terry Moderator

    For Router 1 (Hotspot) the DMZ destination has to be in its LAN IP address range; e.g., 192.168.1.10.

    For Router 2 (Network) its WAN IP has to be in Router 1's LAN; e.g., 192.168.1.10. Its WAN DNS server can be either that you specified or 192.168.1.1. Its LAN address can be 192.168.2.1.

    For the Network Client Settings the DNS Server(s) can be either that you specified or 192.168.2.1 (Router 2's LAN address).

    Otherwise your chart looks correct.
     
  5. edmacke

    edmacke Thread Starter

    So the updated, correct chart would be

    Router 1 (Hotspot)
    Router (LAN) IP: 192.168.1.1
    Subnet: 255.255.255.0
    Connection Type: PPPoE (I have DSL)
    DHCP: Enabled
    DHCP Start: 192.168.1.100
    DHCP Users: 10 (or whatever)
    DMZ: Enabled
    DMZ Destination: 192.168.1.10
    Wireless Network Mode: Mixed
    Wireless Security Mode: Disabled

    Router 2 (Network)
    Network cable goes from WAN port to Router 1 LAN port
    Router (LAN) IP: 192.168.2.1
    Subnet: 255.255.255.0
    Connection Type: Static IP
    Internet (WAN) Static IP: 192.168.1.10
    Subnet Mask: 255.255.255.0
    Default Gateway: 192.168.1.1 (Router 1)
    DNS: ISP DNS, OpenDNS, or 192.168.1.1
    DHCP: Disabled
    Wireless Network Mode: Mixed
    Wireless Security Mode: WPA/WPA2 Mixed Mode

    Guest Client Settings (to get to Router 1)
    Nothing really - if it can get a signal it can get to the internet (assuming they are set up for dynamic config)

    Network Client Settings (to get to Router 2)
    Fixed IP Address
    IP: Anything in the range 192.168.2.2 through 192.168.2.255
    Subnet: 255.255.255.0
    Default Gateway: 192.168.2.1 (Router 2)
    DNS Servers: ISP DNS, OpenDNS, or 192.168.2.1
    WPA Passkey
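
The addressing rules from the replies above (separate LAN ranges, DMZ destination inside Router 1's LAN but outside its DHCP pool, Router 2's WAN IP equal to that destination) can be checked mechanically. This is an added example, not part of the original posts; the function name and dictionary keys are hypothetical, and `DRAFT_R1` is a constructed variant that reuses the first draft's DMZ destination.

```python
import ipaddress

def check_cascade(r1, r2, clients=()):
    """Return a list of problems in a two-router cascade; empty means consistent."""
    lan1 = ipaddress.ip_network(f"{r1['lan_ip']}/{r1['mask']}", strict=False)
    lan2 = ipaddress.ip_network(f"{r2['lan_ip']}/{r2['mask']}", strict=False)
    dmz = ipaddress.ip_address(r1["dmz"])
    wan2 = ipaddress.ip_address(r2["wan_ip"])
    first = int(ipaddress.ip_address(r1["dhcp_start"]))
    pool = range(first, first + r1["dhcp_users"])  # addresses DHCP may lease
    problems = []
    if lan1.overlaps(lan2):
        problems.append("router LAN ranges overlap")
    if dmz not in lan1:
        problems.append("DMZ destination is outside Router 1's LAN")
    if int(dmz) in pool:
        problems.append("DMZ destination is inside Router 1's DHCP pool")
    if wan2 not in lan1:
        problems.append("Router 2 WAN IP is outside Router 1's LAN")
    if wan2 != dmz:
        problems.append("DMZ destination is not Router 2's WAN IP")
    if r2["gateway"] != r1["lan_ip"]:
        problems.append("Router 2 gateway is not Router 1's LAN IP")
    for text in clients:
        ip = ipaddress.ip_address(text)
        reserved = (lan2.network_address, lan2.broadcast_address,
                    ipaddress.ip_address(r2["lan_ip"]))
        if ip not in lan2 or ip in reserved:
            problems.append(f"client {text} is not a usable host address on Router 2's LAN")
    return problems

# Values from the corrected chart in the thread.
R1 = {"lan_ip": "192.168.1.1", "mask": "255.255.255.0", "dhcp_start": "192.168.1.100",
      "dhcp_users": 10, "dmz": "192.168.1.10"}
R2 = {"lan_ip": "192.168.2.1", "mask": "255.255.255.0", "wan_ip": "192.168.1.10",
      "gateway": "192.168.1.1"}
# Constructed variant: Router 1 with the first draft's DMZ destination.
DRAFT_R1 = dict(R1, dmz="192.168.2.1")

if __name__ == "__main__":
    print(check_cascade(R1, R2))        # corrected chart
    print(check_cascade(DRAFT_R1, R2))  # first draft's DMZ setting
    # Both ends of the chart's client range: .2 is usable, .255 is the /24 broadcast.
    print(check_cascade(R1, R2, clients=["192.168.2.2", "192.168.2.255"]))
```

With a 255.255.255.0 mask, the last address of the client range (192.168.2.255) is the subnet's broadcast address, so the check reports it as unusable for a host.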
     
  6. edmacke

    edmacke Thread Starter

    Also, I currently have my XBox and Wii connected to the "network" router (since it's the only network I currently have).

    Is there any advantage/disadvantage to putting them on the "hotspot" router instead of the "network" router?
     
  7. TerryNet

    TerryNet Terry Moderator

    Chart looks correct to me.

    You already know the answer. :) On the "hotspot" they can play games with your guests, but they are vulnerable to your guests and neighbors.

    I would advise keeping at least WEP encryption on your "hotspot." It will keep most neighbors out of your network.
     
  8. edmacke

    edmacke Thread Starter

    OK, this worked! I now have exactly what I want. Thanks so much.

    Some issues I did run into:
    1) I assigned the Xbox to Router 2. I did the port forwarding that you're supposed to, but I was still getting the infamous "Moderate NAT" warning. When I disabled UPnP, the warning went away and the Xbox is now happy as a clam. Just FYI...

    2) Just for S&G, I completely disabled Wireless Security on Router 1 - basically creating a public hotspot. But even though I was connecting to an unsecured network, my Vista laptop was still making me press the "WiFi Protected Setup" button on the front of my router. This seemed really odd, especially given that AFAIK, WiFi Protected Setup was turned *off* in the router control panel (it has a radio button for "Manual" or "Wi-Fi Protected Setup"... I chose "Manual"). It worked, but it seems like an unwanted, unnecessary extra step for my guests to go through. If my friend brings over a laptop and wants to connect, who wants to have to run to the router and push a button to make that happen??? I don't have to do that at Starbucks.

    3) Then, I turned on WEP security for Router 1. I've always used WPA/WPA2 so this is new.

    On the router, there's a Passphrase field, a Key field, and a "Generate" button next to the Passphrase. I'm assuming the passphrase is a seed to generate a Key?

    I entered a Passphrase, hit "Generate", and got a 26-character key (I had the 104/128 bit encryption level chosen). OK, so far so good.

    Now, when my son's Nintendo DS asked for the "key", I put in the passphrase but it didn't connect.

    I wondered if it wanted the hex key, but there's no way I'm going to type in a 26-character hex key, so I went back to the router and changed the WEP encryption to 40/64 bits, and regenerated a 10-character key.

    When I entered the 10-character key, it worked!

    But... is that normal to have to enter the key instead of the passphrase, or is that just a Nintendo thing? It would be really lame if I have to give my guests a 10-character hex key that they have to type in to connect!

    Me: "Oh, sure you can use my hotspot Bob - when it asks for the key just type in F9D3CA05BA"
    Bob: "You're kidding, right?"
     
  9. TerryNet

    TerryNet Terry Moderator

    Some devices translate a WEP ASCII passcode differently, so it is always preferable to use the actual HEX key. You can always use a little imagination and create a "fun" HEX key. Lame examples: 1fade2dead, fadbad4dad
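
An added illustration of the reply above, not part of the original post: the same typed passphrase becomes a different key depending on whether a device treats it as raw ASCII or runs it through a passphrase generator, while a hex key is unambiguous. The two generators shown are ones commonly reimplemented in open-source WEP key tools; that the E1000 or the Nintendo DS uses either is an assumption, the function names are hypothetical, and "guest" is a constructed passphrase.

```python
import hashlib
import string

def is_hex_wep_key(text):
    """True for a 40/64-bit (10 hex digit) or 104/128-bit (26 hex digit) key."""
    return len(text) in (10, 26) and all(c in string.hexdigits for c in text)

def ascii_key(passphrase):
    """Convention A: the typed characters are the key bytes (5 or 13 chars only)."""
    raw = passphrase.encode("ascii")
    return raw.hex().upper() if len(raw) in (5, 13) else None

def generated_key_40(passphrase):
    """Convention B: XOR-fold into a 32-bit seed, then run an LCG for 5 bytes."""
    seed = [0, 0, 0, 0]
    for i, byte in enumerate(passphrase.encode("ascii")):
        seed[i % 4] ^= byte
    state = int.from_bytes(bytes(seed), "little")
    key = bytearray()
    for _ in range(5):  # only the first of the four keys such generators emit
        state = (state * 0x343FD + 0x269EC3) & 0xFFFFFFFF
        key.append((state >> 16) & 0xFF)
    return key.hex().upper()

def generated_key_104(passphrase):
    """Convention C: repeat the passphrase to 64 bytes, MD5, keep 13 bytes."""
    raw = passphrase.encode("ascii")
    if not raw:
        raise ValueError("empty passphrase")
    block = (raw * (64 // len(raw) + 1))[:64]
    return hashlib.md5(block).digest()[:13].hex().upper()

def interpretations(passphrase):
    """Every key a device might derive from the same typed passphrase."""
    return {"ascii": ascii_key(passphrase),
            "generated-40": generated_key_40(passphrase),
            "generated-104": generated_key_104(passphrase)}

if __name__ == "__main__":
    for name, key in interpretations("guest").items():  # constructed passphrase
        print(f"{name:14} {key}")
    print(is_hex_wep_key("1fade2dead"), is_hex_wep_key("guest"))
```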
     
  10. edmacke

    edmacke Thread Starter

    Turns out that the "Manual Setup" and "Wi-Fi Protected Setup" radio buttons are a little misleading. They are not, as you'd expect, two mutually exclusive ways of doing setup.

    The "Manual Setup" tab does NOT specify that you want to do Manual instead of WPS, it is just a spot to "manually" change some router settings like SSID and Channel.

    The "Wi-Fi Protected Setup" allows you to configure a client. There are no settings that pertain to the router itself; the term "Setup" in "Wi-Fi Protected Setup" refers to client setup, not router setup.

    It doesn't appear you can turn off WPS in the Linksys E1000.

    I don't know if you can turn off WPS in Vista (or in the NIC drivers), or if you can manually add a connection that bypasses WPS. I'm not a fan of things happening behind my back, especially where Windows is involved.
     
  11. edmacke

    edmacke Thread Starter

    Also, one more question: Is there any easy way with static IP to effectively limit the number of IP addresses, like you can with DHCP?

    For example, I have 6 devices connected to Router 2 (192.168.2.1), with static IPs of 192.168.2.100 through 192.168.2.105.

    I know for a fact that 192.168.2.106 through 192.168.2.255 will never be used (unless I get a new laptop or something). Seems like it would be a Good Thing to mark those IPs as invalid/unused.
     
  12. TerryNet

    TerryNet Terry Moderator

    The only wireless security is WPA(2) encryption.

    The only ethernet security is examining to where all the cables go from the router.

    Restricting the DHCP server's address range or using only static IP addresses can effectively make your network more difficult to use, but it does nothing for security. You may enjoy reading The ABCs of securing your wireless network. :)
     
  13. edmacke

    edmacke Thread Starter

    Ah, OK. Good to know.

    Thanks so much for your time. I was able to get everything up and running perfectly - I wouldn't have been able to without your help!

    I will read that Ars Technica article...looks good.
     
  14. TerryNet

    TerryNet Terry Moderator

    You're welcome. :)

    You can mark this solved using the button at the upper left of the page.
     

Short URL to this thread: https://techguy.org/973781