0

For my home network (with internet provided from a cable modem) I would like to set up a secure wireless access point that I use for all of my personal connections (home PC, iPhone, Xbox, etc.) and also another public access point that friends and folks in the neighborhood may connect to (for good karma).

I want to ensure that my private traffic cannot be accessed from users of the public access point. I currently have one router that is running the Tomato firmware that I use with WPA security.

What is the best way to accomplish this kind of setup securely (if it is possible in a home environment)?

Doug Porter
  • 1
    I think the "good karma" is completely ruled out when someone uses your connection to download something they shouldn't. – DanBig Jul 08 '10 at 19:14

3 Answers

4

Throw hardware at it :-)

One option: Start with a home router/firewall device (not one with wifi though). Connect it to your cable modem. Get two wifi routers and plug the WAN port of each into LAN ports on the main router. Now, as long as you don't add any static routes to the main router you have two networks that can't "see" each other.

Another option: Pick up a Fonera device. Two APs in one device, one for public and one for private use.

Chris_K
  • What a nice simple solution. Any recommendations on a cheap non-wifi router/firewall that would fit the bill? – Doug Porter Apr 03 '10 at 04:42
  • 1
    Sorry, nope. I'm using an old Netgear SOHO class unit I bought about 8 years ago :-) – Chris_K Apr 03 '10 at 05:15
  • 1
    I'll maybe do something similar. Is there an advantage to having a non-wifi main router? I planned to just put two wifi routers in a row via a LAN cable (the one nearer to the internet for public access). – Chris Lercher Apr 03 '10 at 09:23
  • 1
    I suggested non-wifi main router just for simplicity (and, if buying a new device also the cost). The thing about two in a row is that all your private traffic is going through your "public" device. I'd be quite nervous about the security aspects. – Chris_K Apr 03 '10 at 16:12
1

Cisco has just announced wifi routers that can do exactly that: http://homestore.cisco.com/en-us/products/linksys_stcVVcatId551966VVviewcat.htm

Max Alginin
1

One router can be enough, but it needs to be dd-wrt capable. Check on dd-wrt.com the models your retailer offered you for compatibility (should be wireless N capable, 2 antennae). More details on oldwiki.openwrt.org/TableOfHardware.html

Then flash your router with the latest firmware from its producer. Do a hard reset. After that, flash it with the appropriate dd-wrt firmware. Do a hard reset (a 30-30-30).

Then follow the instructions found here: www.dd-wrt.com/wiki/index.php/Separate_LAN_and_WLAN

If you really want 2 wireless networks, access your router at 192.168.1.1/Wireless_Basic.asp, press Add, and you will create a virtual wifi interface ath0.1. So, use ath0.1 and ath0 instead of eth0 (wired LAN) and ath0 (aka wl0.1), then encrypt (192.168.1.1/WL_WPATable.asp) one of the interfaces.

Recommended setup: Do NOT use wifi for your communications as even WPA2 can be cracked. Assume that any data put on a wireless network can and will be intercepted and used against you. So, use some cables to connect your computer, Xbox and whatever else you might have directly to the router. Then follow the instructions from the web page and set the iptables to deny access from/to wifi to/from the LAN segment.

Two routers can also be enough:

router 1:

  • connected to WAN (the internet)
  • has open wifi access b/g/n
  • has one output connected to router 2

router 2:

  • has the WAN port connected to router 1
  • has the wifi secured (MAC address and WPA2)
  • has the home computers connected to it
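
The "deny access from/to wifi to/from the LAN segment" step in the single-router setup above, as an added example that is not part of the original answer or the dd-wrt wiki: it prints the two FORWARD rules and then audits a rule listing to confirm they take effect before any ACCEPT. The interface names (ath0.1 for the public virtual AP, br0 for the private LAN bridge), the helper function names, the sample listings and the availability of `iptables -S` on the router are assumptions.

```shell
# Added example. Assumed names: ath0.1 = public virtual AP, br0 = private LAN bridge.
# Print (not apply) the rules; review them, then pipe to `sh` on the router.
# -I inserts at the top of FORWARD, ahead of any broad ACCEPT already there.
isolation_rules() {
    echo "iptables -I FORWARD -i $1 -o $2 -j DROP"
    echo "iptables -I FORWARD -i $2 -o $1 -j DROP"
}

# Read `iptables -S FORWARD` output on stdin; print the verdict for traffic
# entering on $1 and leaving on $2. Conservative: an ACCEPT with extra match
# conditions counts as a match, a DROP/REJECT with extra conditions does not.
# Interface wildcards (eth+) and jumps to user chains are not modelled.
first_verdict() {
    awk -v in_if="$1" -v out_if="$2" '
        $1 == "-P" { policy = $3; next }
        $1 == "-A" && !done {
            i = o = j = ""; extra = 0
            for (n = 3; n <= NF; n++) {
                if ($n == "-i") i = $(++n)
                else if ($n == "-o") o = $(++n)
                else if ($n == "-j") { j = $(n + 1); break }
                else if ($n == "!") { extra = 1; n += 2 }
                else extra = 1
            }
            if ((i != "" && i != in_if) || (o != "" && o != out_if)) next
            if (j == "ACCEPT") { print "ACCEPT"; done = 1 }
            else if ((j == "DROP" || j == "REJECT") && !extra) { print "DROP"; done = 1 }
        }
        END { if (!done) print (policy == "DROP" ? "DROP" : "ACCEPT") }'
}

# Succeeds only if both directions between the two interfaces are dropped.
isolated() {
    rules=$(cat)
    [ "$(printf '%s\n' "$rules" | first_verdict "$1" "$2")" = DROP ] &&
    [ "$(printf '%s\n' "$rules" | first_verdict "$2" "$1")" = DROP ]
}

# Constructed sample rule listings (not taken from a real router).
BEFORE='-P FORWARD DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -i ath0.1 -j ACCEPT'
AFTER='-P FORWARD DROP
-A FORWARD -i br0 -o ath0.1 -j DROP
-A FORWARD -i ath0.1 -o br0 -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -i ath0.1 -j ACCEPT'
```

On the router the same check runs against the live chain with `iptables -S FORWARD | isolated ath0.1 br0`; a non-zero exit status means some rule ahead of the DROPs can still pass traffic between the two segments.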