
Separating your networks

Sometimes you want to keep your network segments from talking to each other. Our favorite example of this is when you've set up one wireless (or wireless and wired) network for your own private use (with your personal PCs, file servers, and the like on that network) and another for public use.

Perhaps you want to set up an open "hot spot" AP. Or maybe you want to create an AP in the lobby of your office to provide access to your visitors. You want users on this AP to be able to access your Internet connection, but not to get into your "private" LAN.

In such a scenario, you should make your private router the device farthest from your Internet connection. This may require you to get another router if you need wired ports as well as wireless ones. Your shared (public) router connects directly to your Internet connection, and your private router connects to the shared network: run a cable from a LAN port on the public router to the WAN (often labeled "Internet") port on the private router. Don't connect LAN port to LAN port; that simply bridges the two networks into one and gives you no separation at all.

Remember Take note of the IP address range used by the private router. As we've said several times, it will be something like 192.168.1.xxx, where the last number can run from 0 to 255; the router itself usually takes .1 and its DHCP server hands out a pool from the rest (for example .100 to .150). You can find this setting on the same screen where you enable the router's DHCP and routing functions, or turn them off to make the AP a non-routing, bridging-only access point.

For your "public" network AP, configure the AP so that its router functionality is turned on and its DHCP server is active. Now look at the IP address range for this network. Make sure that it's different from the range used by the private router (and your private network). If, for example, the private network is 192.168.1.xxx, set this network to 192.168.0.xxx. If the two ranges overlap, the private router can't tell its own LAN from its WAN side and nothing routes correctly.

This keeps your networks separate because of how the private router's NAT works. Its WAN port has an address on the public network, so devices on the private network can open connections outward: the private router translates them to its WAN address and the public router passes them to the Internet. In the other direction, the public router has no route to the 192.168.1.xxx range, and any packet a public user aims at the private router's WAN address is dropped by that router's NAT unless it belongs to a connection a private device started (or you've set up port forwarding). The result is that users on the public network can't connect directly to devices on the private network, while the NAT router in your private AP still lets your own devices reach the public network and get online.

Tip If you really want to keep the public and private networks separate and secure from each other, you may want to establish some firewall protection between the two segments of your network. At a minimum, make sure the private router's remote management (administration from the WAN side) is turned off and that it has no port forwarding rules; otherwise its login page, or the forwarded service, is reachable from the public network.

Remember This approach lets devices on your private network access anything on the public network, but it won't keep users on the public network from accessing each other's PCs if they have enabled file or printer sharing and have not otherwise locked down their own systems.

Warning Here are a couple of things to keep in mind. You must make sure that your private network is inside your public one to prevent the public from entering your network. It's easy to reverse this by mistake, and that leaves your private network wide open to the customers or friends using your publicly accessible network: the inner network can always open connections to the outer one. Also, this approach won't keep things very safe if you don't secure the private wireless network itself to keep folks from associating with your private APs. We highly recommend that you set up and use WPA2 or WPA3 (preferably the Enterprise mode) to keep that network secure; the original WPA is obsolete.
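The steps above (two non-overlapping ranges, the private router's WAN port on the public LAN) and the warning about getting the layout backwards can be checked before you touch any router. The following Python script is an added example written for this page, not a tool from the original text or any vendor: it models the default behaviour of a consumer NAT router (outbound allowed, unsolicited inbound dropped) and reports the planning mistakes discussed here. The TwoRouterPlan fields, make_plan and the sample addresses are all constructed for the example; it is a model of the policy, not a live probe.

```python
"""Sanity-check a two-router "private inside public" layout (constructed model)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass
class TwoRouterPlan:
    outer_lan: IPv4Network            # LAN of the router plugged into the Internet connection
    inner_lan: IPv4Network            # LAN of the second router, whose WAN port sits on outer_lan
    inner_wan_ip: IPv4Address         # address the inner router's WAN port gets on outer_lan
    private_is_inner: bool = True     # True = the private network is the inner one (correct layout)
    inner_wan_admin: bool = False     # "remote management" enabled on the inner router's WAN side
    inner_port_forwards: frozenset = frozenset()  # TCP ports the inner router forwards inward


def make_plan(outer, inner, inner_wan_ip, **options):
    """Build a plan from plain strings, e.g. make_plan("192.168.0.0/24", "192.168.1.0/24", "192.168.0.2")."""
    return TwoRouterPlan(ip_network(outer), ip_network(inner), ip_address(inner_wan_ip), **options)


def check_plan(plan):
    """Return a list of problems; an empty list means the layout gives the separation described."""
    problems = []
    if plan.outer_lan.overlaps(plan.inner_lan):
        problems.append(f"LAN ranges overlap ({plan.outer_lan} vs {plan.inner_lan}); use different ranges")
    if plan.inner_wan_ip not in plan.outer_lan:
        problems.append(f"inner router WAN address {plan.inner_wan_ip} is not inside {plan.outer_lan}")
    if not plan.private_is_inner:
        problems.append("private network is the OUTER segment: guests on the inner segment can reach it")
    if plan.inner_wan_admin:
        problems.append("inner router accepts admin logins on its WAN side, i.e. from the public segment")
    for port in sorted(plan.inner_port_forwards):
        problems.append(f"port {port} is forwarded into the inner LAN and is reachable from the public segment")
    return problems


def new_connection_allowed(plan, src, dst, dport=None):
    """Model of a NAT router's default policy for a NEW connection from src to dst.

    Connections started on the inner LAN are translated and pass outward; unsolicited
    inbound traffic toward the inner LAN is dropped because the outer router has no route
    to it and the inner router's NAT only accepts replies. The inner router's own WAN
    address is reachable only if WAN-side admin is on or the port is forwarded.
    """
    src, dst = ip_address(src), ip_address(dst)
    if plan.outer_lan.overlaps(plan.inner_lan):
        raise ValueError("overlapping ranges: routing is ambiguous, fix the plan first")
    if src in plan.inner_lan:
        return True                          # inner hosts reach inner, outer and the Internet
    if dst in plan.inner_lan:
        return False                         # no route from outside; inner NAT drops it
    if dst == plan.inner_wan_ip:
        return plan.inner_wan_admin or dport in plan.inner_port_forwards
    return True                              # outer <-> outer, or outer -> Internet


if __name__ == "__main__":
    # Correct layout from the text: public 192.168.0.x outside, private 192.168.1.x inside.
    good = make_plan("192.168.0.0/24", "192.168.1.0/24", "192.168.0.2")
    print("problems:", check_plan(good))                                      # []
    print("guest -> private file server:", new_connection_allowed(good, "192.168.0.50", "192.168.1.10", 445))  # False
    print("private PC -> guest laptop:", new_connection_allowed(good, "192.168.1.10", "192.168.0.50"))         # True
    # The reversed mistake from the warning: private network outside, guests inside.
    reversed_plan = make_plan("192.168.1.0/24", "192.168.0.0/24", "192.168.1.2", private_is_inner=False)
    print("problems:", check_plan(reversed_plan))
    print("guest -> private file server:", new_connection_allowed(reversed_plan, "192.168.0.50", "192.168.1.10", 445))  # True
```

Run it as-is to see the correct layout pass and the reversed one fail; change the ranges or flip inner_wan_admin to see how each mistake shows up. The model deliberately ignores anything you might add on top (a firewall between segments, client isolation on the public AP), so it reflects only what the two-router trick buys you by itself.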
