Create a guest network w/o a special router?

[bomba6]

Hi.

I was wondering: can I create a "guest wifi" network with my current routers, without the need to buy a new smart router?

As demonstrated in the picture, I have a "main" tp-link 741 router, a second 741 router that is configured as an AP (wds) which is connected wireless to the main router.

I also have an old 3com router which now serves as a switch/hub (its wifi is turend off by me) and connected by wire to the main router.

 

I would like to know if it is possible to use the 3com to create a guest wifi that could only connect the Internet, while the wired clients connected to it need to retain the access to the inner network.

 

Thanks!

 

 

[manroweb]

Not sure you can create it with a the default firmware, but on the TP LINK 741 you can load dd-wrt.

This will allow you to setup multiple SSID's from one Access point, and have them separated.

[bomba6]

Yes, I know that, but I was trying to avoid installing a firmware on my router. (Don't want to brick it).

[The_Decryptor Veteran]

Unless the router advertises it as a supported function, you'll probably need to flash a 3rd party firmware like OpenWRT on it, my router supported it out of the box, but it was a "power user" router.

[TPreston]

huh ? if he is going to use two routers cant he just change the subnet and ip4 gateway to the other router ?

Still I doubt this would give him different vlans and the firewall is probably rubbish only supporting "low medium high"

[manroweb]

huh ? if he is going to use two routers cant he just change the subnet and ip4 gateway to the other router ?

Still I doubt this would give him different vlans and the firewall is probably rubbish only supporting "low medium high"

 

I took the diagram to mean he needed both current access points as they were for the existing network.

Maybe that was a wrong assumption to make. Will have to wait for the OP to reply

[bomba6]

That's correct, I can't change the topology of the network.

All I can (and hope to) do is enable the WiFi in the 3com and separate the WiFi only from my network. The computers connected by wire need to stay there, with the same subnet as the other computers in the network.

[JonnyLH]

huh ? if he is going to use two routers cant he just change the subnet and ip4 gateway to the other router ?

Still I doubt this would give him different vlans and the firewall is probably rubbish only supporting "low medium high"

Although they're called routers, home routers are just gateways which simple switching capabilities. They can't actually route between networks. They work on L2.

 

This idea is a very long shot but you can try this:

Subnet the whole network apart from the guest wireless network to the defacto 192.168.0.0/24.

Whatever device is your gateway, make sure that IP sits on the highest IP so: 192.168.0.254.

Subnet the guest network to 192.168.0.224/28.

 

In theory, the guest network can't talk to any machine on the main subnet but since the gateway is still in range, it'll be able to talk to the internet.

Even though technically the guest device is in the main subnet range, when it hits the client on the guest network, those boxes still can't talk to the main range.

Edited August 14, 2013 by SHoTTa35
Cleaned - Left suggestions however

[bomba6]

Jonny, your idea is interesting, but as I mentioned, I need the PC and the Printer on the 3com to be in the same subnet as the PC on the 741 #1 (and #2).

According to your solution, I can't have that. Am I right?

[sc302 Veteran]

Another way you can do it is to create a double nat situation.  Have one router closer to the internet than the other.  The one that is directly off the internet would be your guest network and the router behind that would be your secure network.  The guest network would never see anything on the secure network.  This would be the most simple way of doing it without vlans, firmware updates, or other networking equipment.  Otherwise you would (and is recommended) to have vlans and the proper networking equipment to be able to do what you want with the wireless.  That includes having access points capable of multiple vlans and ssids

[JonnyLH]

Jonny, your idea is interesting, but as I mentioned, I need the PC and the Printer on the 3com to be in the same subnet as the PC on the 741 #1 (and #2).

According to your solution, I can't have that. Am I right?

Only way to do it is to change the subnet mask on the guest machines then, it sorta defies the point though.

[sc302 Veteran]

Jonny, your idea is interesting, but as I mentioned, I need the PC and the Printer on the 3com to be in the same subnet as the PC on the 741 #1 (and #2).

According to your solution, I can't have that. Am I right?

If you need to be able to print from a different network, use google print or have a hp printer that supports eprint.  With these options anything that can email can print, just send the doc as an attachment.  In my scenerio you can open the port up for printing and forward it to a printer of your choosing, that would give anyone on the guest network the ability to print and not have access to anything else.

[bomba6]

+sc302, again- the printer alone is not the problem. There are other PCs connected to the router.

Thank you all for replying.

I guess I'll just buy the 842 or 1043, or get enough courage to install DD-WRT.

[sc302 Veteran]

The tp-link 842 does support multiple ssid's but it does not support vlans.  IMO if you are looking for inexpensive, build a pfsense firewall you will need a nic for each vlan (to make life easier on you), then put your waps/accesspoints on the vlans you need them to be on.

[The_Decryptor Veteran]

I wouldn't use DD-WRT, unless I'm missing something the last supported release was 5 years ago and has a known security flaw in it.

[+BudMan MVC]

^ what???

5 years ago -- you blind??

I show latest builds were dated 7-24-2013

ftp://ftp.dd-wrt.com/others/eko/BrainSlayer-V24-preSP2/2013/07-24-2013-r22118/

[Roger H. Veteran]

Sorry guys, good info but it's off topic

 

Let's help the OP with his problem :)

 

To the OP, I think you'll need software to do it or get a "special router" (that already has the software basically).

DD-WRT or Tomato or other 3rd part stuff is the best way to go in this regard unless you want to buy said special router.

[The_Decryptor Veteran]

^ what???

5 years ago -- you blind??

I show latest builds were dated 7-24-2013

ftp://ftp.dd-wrt.com/others/eko/BrainSlayer-V24-preSP2/2013/07-24-2013-r22118/

I'm not talking about trunk builds or whatever, I'm talking about "stable" builds. I'd never recommend using OpenWRT trunk builds to somebody, but I have no problem recommending stable builds, and stable OpenWRT builds have the benefit of not being out of date.

[+BudMan MVC]

Your statement was "supported" releases, they support the current releases be it they call them stable or not, etc..

I run development code for pfsense, not considered stable by any means.. But its clearly supported, if you find an issue you report it. Normally next snapshot that comes out corrects it, etc.

So the current version for openwrt is great, unless your on a lower end box.. Then they suggest you use backfire, which is OLD -- so what is your point?

"Lower end devices with only 16 MiB RAM will easily run out of Memory, for bcm47xx based devices is Backfire with brcm-2.4 recommended"

Clearly dd-wrt is being supported -- look at their changes and tickets

http://svn.dd-wrt.com/timeline

Just because they don't call the release "stable" seems an odd reason to tell someone not to use it.. Are they in an enterprise with 100's of people using the internet and if the router goes down they loose their job or get some boss yelling at them -- wtf you using non "stable" code for ;)

[bomba6]

Solved by installing DD-WRT on the main 741.

Easy installation, not so straight forward configuration, but explained really well in their Wiki.

 

Thanks everybody.

[+BudMan MVC]

out of curiosity which build did you install ;) What was the date on it?

[bomba6]

DD-WRT v24-sp2 (07/24/13) std
(SVN revision 22118)

[+BudMan MVC]

Well that sure looks newer than 5 years old ;)

Dude I don't think you understand the use of answer feature.. Looks to me that manroweb was first to suggest dd-wrt, so he really should be the best answer.. Or if someone gave you clearer detailed instructions on using dd-wrt, then they would get the best answer flag, etc.

Not your own post ;) Saying you put dd-wrt on it and working.