Message Boards » Tech Talk » Preventing a block of IP addresses from LAN access
TreeTwista10
Forgetful Jones
147811 Posts

I installed a wireless router on an existing wired network. The wireless router is a Cisco/Linksys and the wired router is also a Linksys.

The wired router's DHCP server provides IP addresses to the wired devices on the network, which all have and need full access to all LAN resources. I configured the DHCP server on the wireless router to provide IP addresses in a different range, separate from the wired devices. The wireless clients ONLY need internet access, and do not need to be able to access any LAN resources.

I am having trouble finding a way to exclude the wireless IP range from LAN access. I have gone through all of the settings in both the routers. While I can find ways to prevent Internet access or access to certain services and ports, I don't see a way to specify that the wireless IP range can't access LAN resources.

Any suggestions?

Thanks.

btw the wired router is a Linksys BEFSR41 and the wireless router is a Cisco Linksys E1000

I'm also just using the manual router configuration of going to its IP in a browser, instead of the Cisco software...I did notice the Cisco software had an option called "Guest Access" or something where if the router's SSID is "RouterA" it will add another SSID called "RouterA-guest" and anyone who connects to the "RouterA-guest" SSID is only given Internet access...I could not broadcast the main SSID and only broadcast the guest...but the problem is the guest setup only allows a maximum of 10 clients, and I need to be able to accommodate up to 40-50 clients at a time

12/9/2010 7:32:01 PM

wwwebsurfer
All American
10217 Posts

When you say different range do you mean different subnet?

I would try putting wireless clients on a different subnet (like 192.168.2.x instead of the wired 192.168.1.x)

Then on your wireless router firewall ban all traffic from LAN (wireless clients) to WAN (the wired network) in the 192.168.1.* range (block all traffic to machines on your wired LAN.)

You may have to do a port range to make sure the Gateway shows up instead of blocking all; but the theory is sound.

12/9/2010 11:41:58 PM

TreeTwista10
Forgetful Jones
147811 Posts

The wired is 192.168.1.x and I originally tried 192.168.2.x for the wireless but couldn't connect to it when I plugged it into the wired router and went to the IP

Currently the wired IPs are in the 192.168.1.10-60 range and I have the wireless set to 192.168.1.90-190 or something, not sure as it's powered down right now...I can certainly switch it up but I don't want to affect all of the other connected peripherals and devices that keep the business running, so optimally I'd just like to limit a certain block of IP addresses to internet access only

12/10/2010 12:02:34 AM

wwwebsurfer
All American
10217 Posts

... After looking at the user guides for both models I'm not even sure it's possible

Hopefully someone else has another idea. I'm too used to models with a little more freedom in their firewall settings. I don't even see where you can block traffic (other than blocking internet access) - just where you can port forward and stuff.

On a side note we use an old box as a linux-based firewall between the outside world and our internal stuff. It's free software if you have an old machine with 2 NICs in it. Once inside we currently run 2 independent networks (physically separate) but that's just because we're re-purposing old equipment instead of getting something with VLANs. One for 'our' machines and a public network for just internet.

12/10/2010 1:27:43 AM

Grandmaster
All American
10829 Posts

I'm pretty sure that using 192.168.1.0/25 would give you two subnets that could talk to their respective ranges but not to the others. I doubt it matters, but this would overlap your current .90-190 range for wireless. Perhaps BobbyDigital or the likes will chime in eventually and tell you how to do it.

Really though, I have no idea why the following wouldn't work. Basically you're implementing what some people do to their home networks and wonder why they have 5000ms pings in CoD. The infamous doubleNAT.

WAN -> BEFSR41 -> (192.168.1.1) <-> (192.168.1.245) <- E1000 -> 192.168.2.0/24 -> 802.11

---
Excuse all the incorrect symbols and the mspaint editing (Visio isn't installed and I just ganked the first diagram google found). Original diagram is actually more what ^ was talking about with his linux box. pfSense would do this amazingly well as would DD-WRT or Tomato, but I digress.
[Edited on December 10, 2010 at 5:41 AM. Reason : png]

[Edited on December 10, 2010 at 5:56 AM. Reason : ]

12/10/2010 5:30:29 AM
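To make the two ideas above concrete, here is a small Python model added to this thread (it is not code from the thread or from either router's firmware): a forward policy that lets the 192.168.2.0/24 wireless subnet reach the wired gateway and the Internet but nothing else on 192.168.1.0/24, plus a check of how the DHCP pools quoted earlier fall across the two /25 halves of 192.168.1.0/24. It assumes 192.168.1.1 is the BEFSR41's LAN address and 192.168.2.0/24 is the wireless subnet, as suggested in the replies.

```python
"""Model of the wireless-isolation ideas from the thread (constructed example)."""
from ipaddress import ip_address, ip_network

# Addresses taken from the thread; the wireless subnet is the one suggested above.
WIRED_LAN = ip_network("192.168.1.0/24")
WIRED_GATEWAY = ip_address("192.168.1.1")      # BEFSR41 LAN side (assumed)
WIRELESS_LAN = ip_network("192.168.2.0/24")    # E1000 LAN side (assumed)


def wireless_forward_allowed(src: str, dst: str) -> bool:
    """Decide whether the wireless router should forward a src -> dst packet.

    Wireless clients may reach the wired gateway (so their default route and
    DNS keep working) and anything outside the wired LAN (i.e. the Internet),
    but no other host in 192.168.1.0/24.  Packets that do not originate from
    the wireless subnet are outside this policy and are denied here.
    """
    s, d = ip_address(src), ip_address(dst)
    if s not in WIRELESS_LAN:
        return False
    if d == WIRED_GATEWAY:
        return True
    return d not in WIRED_LAN


def half_subnets(lan=WIRED_LAN):
    """Split a /24 into the two /25 halves mentioned in the thread."""
    return list(lan.subnets(new_prefix=25))


def range_placement(first: int, last: int, lan=WIRED_LAN):
    """Return the indexes of the /25 halves that a DHCP pool first..last
    (last octets) touches.  A pool that returns [0, 1] straddles the /25
    boundary, so some of its clients would share a half with the wired hosts."""
    halves = half_subnets(lan)
    base = int(lan.network_address)
    touched = set()
    for host in range(first, last + 1):
        addr = ip_address(base + host)
        for i, half in enumerate(halves):
            if addr in half:
                touched.add(i)
    return sorted(touched)


if __name__ == "__main__":
    print(wireless_forward_allowed("192.168.2.50", "192.168.1.20"))  # False
    print(range_placement(10, 60), range_placement(90, 190))          # [0] [0, 1]
```

On a Linux-based firmware such as DD-WRT the same policy would be expressed as iptables FORWARD rules on the wireless router. Splitting a /24 into two /25s only changes addressing on a shared segment; it does not stop a client from simply configuring an address in the other half, so treat it as a convenience rather than enforcement.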

wwwebsurfer
All American
10217 Posts

^ya, we have DD-WRT on everything we own. I forgot how menacing simple tasks were on regular consumer firmware

12/10/2010 8:43:57 AM

Novicane
All American
15411 Posts

I've always liked how the internet is a giant angry storming cloud in most diagrams.

12/10/2010 11:03:57 AM

TreeTwista10
Forgetful Jones
147811 Posts

so the consensus is the best thing to do is use DD-WRT or something similar to basically hack the router's firmware

another option is to return the E1000 which I only bought yesterday and get a little better wireless router? I hear Netgear routers usually have better settings and configuration options?

[Edited on December 10, 2010 at 1:20 PM. Reason : .]

12/10/2010 12:52:17 PM

BobbyDigital
Thots and Prayers
41777 Posts

if you do, you'll want to find out if the netgear or whatever other brand supports what you're trying to accomplish.

dd-wrt and tomato are generally superior to the standard firmware regardless of brand.

12/10/2010 2:21:57 PM

TreeTwista10
Forgetful Jones
147811 Posts

Should I be able to download a firmware upgrade file from DD-WRT or Tomato's site for the E1000 router?

12/10/2010 3:05:47 PM

wwwebsurfer
All American
10217 Posts

http://www.dd-wrt.com/site/support/router-database

And the E1000 gets "not possible" and "work in progress" - sorry.

I think I purchased 3 of our units off of Craigslist - all for $10 or less. One was from TWW. In my experience if you can find a model that takes TFTP flash instead of doing the WRT54G song and dance you're better off (ours is a buffalo unit if that helps.)

12/10/2010 7:48:13 PM

TreeTwista10
Forgetful Jones
147811 Posts

I guess I'll just do some research about some other cheap routers that offer that feature and maybe trade it in :/

12/10/2010 8:03:18 PM

wwwebsurfer
All American
10217 Posts

http://raleigh.craigslist.org/sys/2105104976.html

http://raleigh.craigslist.org/sys/2077959695.html

Try these - the second already has DD-WRT flashed to it (saving you the expertise/effort.)

12/10/2010 11:44:09 PM

TreeTwista10
Forgetful Jones
147811 Posts

^thanks a bunch...I'm actually in Charlotte but found one already flashed on charlotte.craigslist for $20

12/17/2010 6:44:47 PM

Charybdisjim
All American
5486 Posts

I usually just place the LAN ports on a separate VLAN from the wireless interface. DD-WRT does allow for configuring VLANs but I've only ever done it in IOS so I'm not sure how user friendly the setup process is using DD-WRT.

12/18/2010 1:55:03 PM

© 2024 by The Wolf Web - All Rights Reserved.