Creating two networks

[Azmandius]

Hello everyone,
It’s nice to meet the community and hope to have best question-solving time here.

Now, I’d like to get straight to the subject.
I have the need for two Internet networks, a chilling café network and an office network.
The Internet is starting in the office via a DSL modem, configured like a router, to share Internet connection with other office computers through a simple switch.
Due to database requirements office computers must be, and are on static IPs.
In the café I would like to share same Internet connection, but via a wireless router, and I have attached that wireless router to the switch in the office.
My question is: how should I configure the wireless router in café properly, so the visitors will be able to connect to Internet automatically, via dynamic IPs?
I don’t think is normal for them in order to connect to Internet to configure their network cards manually, all the time when they visit my cool café.
Also is it possible to hide somehow local network computers IPs from bad hackers in the café.

DSL Modem is: D-Link 2500U
Wireless Router is: DI-624S - Wireless 108G USB Storage Router (http://support.dlink.com/products/vi...ctid=DI%2D624S)

Some help is really and deeply appreciated.
Thank you very much.

[MovedGoalPosts]

I would suggest you would be needing a firewall somewhere between your more public bits of cafe kit, and the private office stuff.

Most routers will allow you to also set fixed IPs to PCs, but for real security you do want the office to be on a separate subnet.

Basic wiring would probably be:

modem <> wireless router <~~> internet cafe
and wireless router <> firewall and/or 2nd router (set with forwarding to wireless router) <> office

[handyman]

We have just set up something similar for our training room to give people free wireless. We have used a linksys router wrt54gl (I think) and flashed it wih new firmware (dd-wrt) to be able to run a seperate VLAN from it. That way the guys on wireless are oblivious to the office netowork and we have full security. Other than spending a fortune on a router that offers this functionality out of the box this would be the best way.

[Dai]

You may find Steve Gibson's article about multi-router systems interesting. You can use the NAT effect to create isolated subnets.

http://www.grc.com/nat/nats.htm

[Graham M]

I would do it like this, it may work out more expensive but is probably the most stable solution:

Attachment 17082

[Dai]

Quote:

Originally Posted by Graham M

I would do it like this, it may work out more expensive but is probably the most stable solution:

Looks good. Presumably two different LAN IP groups and the double NATting will make cross-hacking virtually impossible?

[Graham M]

Quote:

Originally Posted by DaiNasty

Looks good. Presumably two different LAN IP groups and the double NATting will make cross-hacking virtually impossible?

The IP addresses don't matter as all the users on both networks will be able to see is anything connected to the top router and the Internet (which would include the opposite router but nothing below it)

[Dai]

Quote:

Originally Posted by Graham M

The IP addresses don't matter as all the users on both networks will be able to see is anything connected to the top router and the Internet (which would include the opposite router but nothing below it)

How would you handle DHCP on a twinned setup like that?

[nffc]

Quote:

Originally Posted by DaiNasty

How would you handle DHCP on a twinned setup like that?

Routers connect one network to another so you'd have 2 routers DHCPing off the main router, with each of the other two routers on a different subnet DHCPing their clients.

Say you could give the main router 192.168.0.1, the two will be 0.1 and 0.2 on their WAN ports, and then 0.1 assigns itself 1.1 (on LAN) and clients 1.2>, 0.2 could assign itself 2.1 (on LAN) and clients 2.2> - if you get it.

[Uncle Peter]

As suggested above. Here it is in pretty pictures and some quick notes (I've populated the diagram with some IP addresses for illustrative purposes):

Reserve an address on your office LAN for the WAN interface on your cafe router

Plug the WAN interface of your cafe router into the office LAN (CAT5)

Configure your cafe router LAN with a different subnet or network block to your office LAN

Use the firewall rules on your cafe router to lock access down as you see fit (ie no SMB, NETBIOS or the usual suspects).

[img]Download Failed (1)[/img]

[Azmandius]

First i want to say i am impressed by the feedback of this forum.
That is pleasant and great.
Thank you everyone!

---------- Post added at 11:13 ---------- Previous post was at 11:12 ----------

Quote:

Originally Posted by DaiNasty

You may find Steve Gibson's article about multi-router systems interesting. You can use the NAT effect to create isolated subnets.

http://www.grc.com/nat/nats.htm

That gives some light,
Thanks.

---------- Post added at 11:18 ---------- Previous post was at 11:13 ----------

Quote:

Originally Posted by Graham M

I would do it like this, it may work out more expensive but is probably the most stable solution:

Attachment 17082

Sound simple though.

---------- Post added at 11:28 ---------- Previous post was at 11:18 ----------

Quote:

Originally Posted by nffc

Routers connect one network to another so you'd have 2 routers DHCPing off the main router, with each of the other two routers on a different subnet DHCPing their clients.

Say you could give the main router 192.168.0.1, the two will be 0.1 and 0.2 on their WAN ports, and then 0.1 assigns itself 1.1 (on LAN) and clients 1.2>, 0.2 could assign itself 2.1 (on LAN) and clients 2.2> - if you get it.

To make it clear, does this solution give me the possibility to share internet with the cafe via dynamically assigned IPs on visitors computers?
As i mentioned in the first post, the office users must stay on static IPs, while using internet, and that way is the DSL Modem configured, as a router.
Thanks much.

[popper]

Quote:

Originally Posted by Uncle Peter

As suggested above. Here it is in pretty pictures and some quick notes (I've populated the diagram with some IP addresses for illustrative purposes):

Reserve an address on your office LAN for the WAN interface on your cafe router

Plug the WAN interface of your cafe router into the office LAN (CAT5)

Configure your cafe router LAN with a different subnet or network block to your office LAN

Use the firewall rules on your cafe router to lock access down as you see fit (ie no SMB, NETBIOS or the usual suspects).

[img]Download Failed (1)[/img]

that will/would work OC and is fine for fully private (wireless)LANs , but without that 3rd router as per Graham's diagram, anyone on the open cafe LAN can just use a netmask of 255.255.0.0 and see all the data on the office wire without to much trouble.

wireshark and several others would even let you pull the packets and reassemble them to see the full data be it http pages or binary.

[Azmandius]

Quote:

Originally Posted by Uncle Peter

As suggested above. Here it is in pretty pictures and some quick notes (I've populated the diagram with some IP addresses for illustrative purposes):

Reserve an address on your office LAN for the WAN interface on your cafe router

Plug the WAN interface of your cafe router into the office LAN (CAT5)

Configure your cafe router LAN with a different subnet or network block to your office LAN

Use the firewall rules on your cafe router to lock access down as you see fit (ie no SMB, NETBIOS or the usual suspects).

Sorry, i only don't understand where do i connect the router? You mean to the regular switch to which other office devices are connected or to some particular office computer?

And i would like to mention again that while office computer are on static IPs and use Internet, cafe visitors should be able to connect via automatic IPs.
Thank you.

[popper]

Graham's 3 way router will work fine for that fixed ip's on the office side router, and the requirement for DHCPd assigned cafe Ip's from the cafe router side.

although taking into consideration what i said about the netmask above and the ability to snoop if you set your mind to it, you can also get your master net<=>router to give out fixed IP's to the office PCs and have it's DHCPd give out the dynamic Ips for the wireless 192.168.1.* parts as well OC for fully private (wireless)LANs.

as for your red edit, its a slight confusion on your part, the 192.168.0.1/24 (i.e a netmask of 255.255.255.0) to 192.168.0.2 line is infact a direct line to the dlink 2500u router, if thats any clearer!

"dlink 2500u router"LAN-port2<=fixed 192.168.0.2 IP=>WAN-port"dlinkDi624s"

---------- Post added at 10:33 ---------- Previous post was at 10:05 ----------

the reason Zeph's 3 router setup works far better, is the basic fact your wireless LAN is connected to the WAN side of the office routers connection rather than the LAN side of a two router setup, so one LAN cant see the other LAN(s) data throughout.

the only way any router3 LAN PC could see router2 LAN PC data is if you tunneled through the routers on both sides using two PCs if you want that OC, but keep that tunnel data info secure and dont let other cafe users know it.

a multicast tunnel might be useful for you though so you can send video streams to both sides and play it on screens around the place.

a simple "Mtunnel" and copy of VLC will probably work for that id think, something to play with anyway

http://www.cdt.luth.se/~peppar/progs/mTunnel/
http://www.videolan.org/doc/streamin...o/en/ch02.html

use "UDP Multicast" and an IP of say 224.0.0.1:7777 as your stream channel for instance, good for cafe adverts and entertainment streaming for the whole LAN.

[Azmandius]

Thank you popper,
I will really try to digest it all, and apply it.

---------- Post added at 14:22 ---------- Previous post was at 14:06 ----------

One more issue if you allow me please,
From one side i want cafe visitors to have DHCP internet and from other side i want to watch from inside office over all cafe's video cameras activity, can i push both tasks through same cafe router? And what method is best for that?
Thanks