Oct 24, 2011
Summary: Want to use a WRT54G cascaded behind an existing DI-604 router to offer free wi-fi to guests. Need to keep guests on a separate subnet, and make sure their traffic is never routed to the currently existing one (office PCs).
......... WAN| |
|Cable- |.............| Router A |
| modem | (ISP-assig| (DLink DI604) |LAN
`.......' ned addr)`..................|192.168.0.1 (static)
| | |
| | |
| ,---. ,---. ,---.
| |.10| |.11| |.12| Office PCs
| |___| |___| |___|
Tried above settings, with DHCP enabled for the new guest subnet. Using normal Gateway mode (i.e. re-NATting). Wireless guests can access the Internet, but also 192.168.0.x machines.

Also tried, as suggested on several docs, disconnecting the WRT from the main network, resetting to factory defaults and setting up router from scratch, with the same result. It seems reasonable that, by default, things are set up in such a way that the new subnet can share resources with the existing one; however, I need the contrary and can't seem to get it right.

BTW, as soon as I enter the static IP and default gateway for the WAN interface I see new default entries appearing on the static route table (Adv Routing / Show Table) for 10.x.x.x to 192.168.0.x routing. I suppose that this is necessary for the router itself, as a member of both, to be able to perform NAT and gateway through the upper tier -- since I can't seem to delete these entries manually, anyway.

Considered using Router mode, but if I understand correctly, that would disable NAT, which seems (to me) inconsistent with the "separate subnet" requirement, since the main router would need to NAT guests as well as employee PCs (which would imply using one subnet for both, right?).

Considered adding a firewall rule at the WRT, but the firmware does not seem to offer a suitable feature. There are "Filters", but those aim at restricting Internet access (which I want to allow), or to a certain range of ports, or even search keywords -- but not to a range of *hosts*.

Tried filtering out guest-to-LAN traffic at the main router, but this proved nontrivial to get working (probably due to NAT-within-NAT which, other than that, works fine). It sounds a bit silly, anyway, I mean, why route this kind of traffic only to filter it out later on? I'd rather not route it at all in the first place. Can that be avoided? How?