My dad (for various reasons) needs to run a guest network from his router – he wants to do this by running a length of Cat5 from one of the LAN ports on his router, and use an access point to provide the guest network. So far, so easy. The hard part is that he wants the guest network to be remote from the main network.

He’s currently using a BT Home Hub which I don’t think will do what he needs. The question is *how* do we do what’s required?

Ta!

he wants the guest network to be remote from the main network.

what does he mean by ‘remote’ ie. what does he want to achieve exactly?

I think he wants to run the guest network in such a way that users on it can’t see/access users on the main net (and presumably vice versa)

You need a router that allows a DMZ which is a network separate from your own.
A simple way to do this is to use an Apple Airport Express or Airport Extreme [for wifi duties] which can supply a separate guest network with a single click – there are probably others also.

Airport Extreme’s can be bought on eBay for about £40-50 – just plug it into one of your existing routers LAN ports and switch off the wifi on the existing router so it still handles the connection while the AE does the wifi.

The Airport Extreme will need to be acting as the router to provide a guest network that is separate from your private network. You’ll need an ADSL modem, too. It *might* be possible to configure your current router to behave as an ADSL modem rather than as a router. Some do, some don’t.

Rachel

Herein lies one of the problems – he wants to put the guest access point some distance from the main router, so a second SSID isn’t going to work for this.

So much easier to post a link than write it. 🙄

http://cavewall.jaguardesignstudio.com/2012/05/10/setting-up-a-secure-guest-wifi-network/

Herein lies one of the problems – he wants to put the guest access point some distance from the main router, so a second SSID isn’t going to work for this.

No problem using the Airport Extreme/Express as you can easily daisy chain them together (either wirelessly or cat5) to create a single large wifi network with a single SSID. Devices will move between the stations seamlessly.

You’ll need an ADSL modem, too. It *might* be possible to configure your current router to behave as an ADSL modem rather than as a router. Some do, some don’t

I don’t see what the problem is. I’ve previously just disabled the wifi on the old router and plugged the AE into it – works lovely (maybe I was lucky but I don’t see why the existing router wouldn’t work).

The Airport Extreme will need to be acting as the router to provide a guest network that is separate from your private network

It does.

Do you need network traffic separation (users on guest can’t see traffic on main) or is the aim just to have a remote access point with a different SSID? Do you need to be able to throttle the guest network?

Do you need network traffic separation (users on guest can’t see traffic on main) or is the aim just to have a remote access point with a different SSID?

Yes, he wants network traffic separation. Not bothered about throttling at the moment.

You can do it with current router and 2 access points.

Router 1 (current home hub), wifi disabled. All this does is provide the internet connection via lan cables to the 2 access points.

AP1 (private wifi), connects via lan cable to router. Can be right next to adsl router.

AP2 (private wifi), connects via long, long lan cable to router. Has different SID

I don’t see what the problem is. I’ve previously just disabled the wifi on the old router and plugged the AE into it – works lovely (maybe I was lucky but I don’t see why the existing router wouldn’t work).

That’s different, with the wifi off the router is still a router (or more accurately a router modem). Some devices allow the router to be completely turned off so they act just like an adsl modem.

That’s still one network though (192.168.x.x) created by the HH – no different to two PCs each connected to the HH by cat5. You could still connect/ping from one SSID to the other.

That’s different, with the wifi off the router is still a router (or more accurately a router modem).

What’s wrong with that?
It doesn’t matter anyway. As long as all the devices/DHCP server are set to have the private IP addy of the HH as the gateway (which they will) then it works.

Internet -<-
HH without wifi (192.168.0.1) -<-
AE (192.168.0.2 static address) + is dhcp server -<-
devices (assigned by dhcp)

That’s still one network though (192.168.x.x) created by the HH – no different to two PCs each connected to the HH by cat5. You could still connect/ping from one SSID to the other.

Agreed – how do you stop the two networks accessing each other?

different subnets (so 192.168.0.x and 192.168.1.x). AE should do that for you …. I’ll check shortly

Many routers actually allow a guest network, with separation from the private network under a different SSID with a different security model / passkey – my NetGear does. Worth checking, the range might be sufficient for his needs.

Sharkbait has the answer if that physical separation of the guest AP really is necessary.

EDIT: Depends on your level of paranoia. Different subnets would hide the private network / broadcast domain to a casual observer, but if this is to provide public access to unknown guests, I would say that isn’t sufficient – if it’s physically possible to bridge there’s usually a logical way to do it.

That’s still one network though (192.168.x.x) created by the HH – no different to two PCs each connected to the HH by cat5. You could still connect/ping from one SSID to the other.

Each access point is a dhcp server for its segment (like you say on different subnets). Nether knows the route to the other. Hh and access points configured using fixed IP. Access points are configured to stop traffic from everything but internet access ports from entering their segment.

What’s wrong with that?
It doesn’t matter anyway. As long as all the devices/DHCP server are set to have the private IP addy of the HH as the gateway (which they will) then it works.

Yes it works (never said it didn’t) however it is different from the modem mode some devices offer (e.g. in modem mode the downstream device handles the authentication with the service provider).

A single ae will not do what the op wants because he needs there to be a physical distance between the hh and guest network. 2 ae’s could be used however there are cheaper options.