How can I isolate a wireless router from my LAN?

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by Bryanba, Jan 30, 2007.

  1. Bryanba

    Bryanba LI Guru Member

    I've got a RV042 serving as my router for residential cablemodem access.

    I've got a WRT54G Wireless router that I would like to set up for public access and isolate it from my internal LAN. In other words, I would like to allow people to connect to the internet but not have access to my local LAN.

    Can this be done with the above hardware?

    I was thinking about VLANs but I don't think the RV042 supports this.

    Any ideas?

  2. TazUk

    TazUk Network Guru Member

    Not if the WRT54G is not directly connected to the internet :unsure:
  3. pablito

    pablito Network Guru Member

    The RV042 doesn't support vlans? The RV08/16 does and that would isolate it from the LAN. Another way is if the R42 supports multiple internal subnets (like the beta FW for RV082/16 does) you could put it on a different subnet. Not sure about the 42.

    Another way is to load a hotspot firmware on the WRT. I don't know which one is best for your needs but there are a few out there. They usually run on an isolated subnet but can NAT through a basic router so it wouldn't require special NAT tricks.
  4. Bryanba

    Bryanba LI Guru Member

    I believe the RV042 does support multiple subnets. I'm running a beta firmware on it now due to some VPN disconnect problems I had been working with a Cisco technician on. ver

    There's a "Multiple Subnet" checkbox on the Setup/Network page under "Lan Settings section" .. The help file states:

    "Multiple Subnet Setting: This feature allows users to take the existing address allocation and split it up into multiple networks. Click Add/Edit to add new subnets by entering LAN IP Address and Subnet Mask and then clicking Add to list."

    So how would I effectively segment this out so that wireless nodes would not have access to my local LAN? My current LAN network is Should I set up the WRT as a router or Gateway and connect to its WAN port or a LAN port?

  5. venom51

    venom51 LI Guru Member

    Build multiple subnets
    Address Range -
    Gateway of with a broadcast of
    Address Range -
    Gateway of with a broadcast of

    Put your internal network in the first segment and your WRT54G in the second segment.

    Build a firewall Deny all rule and place it just above the default Allow for local All traffic lan to lan rule. Then build rules for access to the necessary traffic for each lan segment. Allow the WRT54G segment to pass traffic on 80 and 53 to and from the wan interface but do not allow any traffic from segment 2 to segment 1.
  6. ifican

    ifican Network Guru Member

    You're making this way too hard, make the wireless the gateway router for your isp connection and hang the RV off the WRT thereby creating a segmented network because your local lan will be behind the RV's firewall and nothing will get through unless you let it.
  7. venom51

    venom51 LI Guru Member

    I answered making the assumption he wants the RV042 to be left as the unit connected to his modem and controlling traffic in and out of his network.

    Your method works as well if he wants the WRT in front of the RV042. My method also works if he doesn't want to use the WRT as a router and just as a wireless AP.
  8. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    Or....if they aren't using the 2 WAN port option on the RV042, they can use the second WAN port as a dedicated DMZ and put the WRT on the DMZ. The default rule for the WAN port when configured as a DMZ is that it cannot initiate a connection into the LAN side of the RV042 while it WILL be able to connect to the Internet. Instant Hotspot!

  9. venom51

    venom51 LI Guru Member

    Also ok. However on an AP you would not be providing any protection to the clients using the AP.
  10. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    I didn't say the WRT54G would be set up as an AP. You would put the WAN interface on the WRT54G into the DMZ of the RV042. You would have to configure a static IP address on the WRT54G, making the RV042's DMZ interface its default gateway and DNS server. The wireless clients behind the WRT would be protected by the WRT54G's firewall *and* separated from the internal LAN since they are in the RV042's DMZ.

  11. venom51

    venom51 LI Guru Member

    Again I am not disagreeing but others may come along and read this thread that will want to do the same thing but will be using an AP only. Just presenting a scenario that will work for either.
  12. Bryanba

    Bryanba LI Guru Member

    Thanks everyone..

    I like Venom51's solution. I don't understand the need for the rules though. It sounds like a lot of work. I'd want clients on both segments to have full access to the internet, just not each other. This sounds like a lot of rules to create.

    Can't use ifican's solution because I use the dyndns feature to authenticate one of my vpn tunnels and to access my network remotely via pptp. I believe the wan interface of the RV042 needs to be on the internet for this ... right? I thought about this solution myself but then remembered the dyndns and pptp functions that I use.

    Can't use Eric's solution either since I have a residential connection and don't have but one dynamic IP address. Utilizing the DMZ on the RV042 requires another public IP right? I'd have to subscribe to a business class connection and pay for a 2nd IP address which would double the cost of my internet access. I'm not sure if they offer a 2nd ip address to residential customers. I'll look into this.
  13. ifican

    ifican Network Guru Member

    With Eric's solution you are using an ip from the RV not a public ip so it would work. All of these ideas will work, the one I suggested was to make it as simple as possible for you. Eric's recommendation would be second easiest and Venom51's will work but as you have static is rather complicated. Is it really, no but for someone that doesn't understand everything that is going on it can be extremely complicated. Good luck with whatever you do and please don't hesitate to ask if you have any other questions.
  14. venom51

    venom51 LI Guru Member

    The rules are to control traffic. I personally like to control traffic both in and out bound. I am fairly anal retentive that way.

    The Deny all stops traffic both in and out bound from the local lans unless specifically allowed. This allows you to control what enters and leaves either segment on a very granular level. Not only for specific protocols but for an individual IP or range of IP's.

    Can be difficult to implement if you are not well versed in the protocols and ports they use to make connections.

    Your easiest setup will be what ifican suggested and will work as long as you are using the routing functions of the WRT.
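The rule ordering venom51 describes in posts 5 and 14, modelled as an added example (not code from any participant in the thread, and not RV042 configuration). It assumes the router evaluates access rules top to bottom with the first match winning, which is what "place just above the default Allow" implies; the subnets, probe addresses and the internal-LAN rule are constructed for illustration, and the model looks only at who opens a connection.

```python
import ipaddress

# Constructed addressing: the thread's own ranges are not shown on the page.
INTERNAL = ipaddress.ip_network("192.168.1.0/25")   # segment 1: internal LAN
GUEST = ipaddress.ip_network("192.168.1.128/25")    # segment 2: WRT54G
ANY = ipaddress.ip_network("0.0.0.0/0")

# (action, source, destination, destination ports; None means any port)
HARDENED = [
    ("deny", GUEST, INTERNAL, None),     # segment 2 may never open segment 1
    ("allow", GUEST, ANY, {80, 53}),     # guests: web and DNS only
    ("allow", INTERNAL, ANY, None),      # assumption: internal LAN unrestricted
    ("deny", ANY, ANY, None),            # the deny-all rule
    ("allow", ANY, ANY, None),           # default allow, now shadowed
]
DEFAULT_ONLY = HARDENED[-1:]             # router before any rules are added
MISORDERED = [HARDENED[1], HARDENED[0]] + HARDENED[2:]  # allow above the deny

# Constructed probe flows: (source, destination, destination port)
PROBES = {
    "guest->internal:445": ("192.168.1.130", "192.168.1.10", 445),
    "guest->internal:80": ("192.168.1.130", "192.168.1.10", 80),
    "guest->wan:80": ("192.168.1.130", "203.0.113.7", 80),
    "guest->wan:53": ("192.168.1.130", "203.0.113.53", 53),
    "guest->wan:25": ("192.168.1.130", "203.0.113.25", 25),
    "internal->wan:443": ("192.168.1.10", "203.0.113.7", 443),
}

def decide(rules, src, dst, port):
    """Return the action of the first rule that matches a new connection."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, ports in rules:
        if s in src_net and d in dst_net and (ports is None or port in ports):
            return action
    return "deny"  # nothing matched

def audit(rules):
    """Run every probe flow through a ruleset and report the verdicts."""
    return {name: decide(rules, *flow) for name, flow in PROBES.items()}

if __name__ == "__main__":
    for label, rules in (("default", DEFAULT_ONLY), ("misordered", MISORDERED),
                         ("hardened", HARDENED)):
        print(label, audit(rules))
```

In the misordered set the port 80/53 allow sits above the segment deny, so a guest can still reach a web service on the internal segment; checking that probe is the quickest way to confirm the deny was placed first.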