Solved Access Point Wireless(public) Secured-LAN 2, (Private )HELP

December 19, 2011 at 07:50:27
Specs: Windows XP SP3, 4000+ / 2gb DDR
I need some help setting up 2 networks, with one network (A)
(my) PRIVATE SECURE LAN and Internet via ADSL cable on
NETGEAR - DG834GSP v3 which supports: Static Routes, I am
using ETHERNET cable between 2 routers as I have no ability
to link them with WDS, as (second router ZyXEL 660HW-T1 v3)
has NO WDS function.

I wish to set-up A SECOND public network providing access to
the Internet VIA the SECOND router which relays the Internet
from the NETGEAR (over ethernet) and most important the
second network must not give access to my PRIVATE LAN on
my primary network.

(I started working on this project a couple of years back but
gave up on it for a while because I did not feel up-to the task
at hand, but now I would like to take another shot at setting
this up.)

I have 2 other identical routers (ZyXEL 660HW-T1 v3) both
are the same model, and both support the following:
IP Alias, Rip-1, Rip-2B, Rip-2M, NAT, Port Forwarding,
Static Routes, Address Reservation (by MAC address), UPnP

My PRIMARY router (NETGEAR) also supports most of these
features: but NOT IP Alias, WPS,

I prefer to stick to using my NETGEAR as my primary
router as it has a much better firewall, and domain keyword
blocking filter and has proven itself to be the most reliable
router for my main internet connection. One feature that I
really like about the ZyXEL is it has a BW MGMT function,
this will enable me to prioritise certain network demands
to limit excesses in use over the "Wireless LAN" portion on
the (B) public network.

I have been reading the following articles on-line!
http://support.microsoft.com/kb/178993
http://www.windowsnetworking.com/ar...

Most of this seems!! straight forward, except I am confused about a
few things including: what is the Destination? and what is the Gateway
aspect when running 2 separate LAN networks side by side and also
how I can make the 2nd LAN only relay the Internet from the Primary -
network (NETGEAR) on the 1st LAN?

I currently have it set-up so my 2nd LAN is acting as a relay, using
the first LAN as the main DHCP, but both routers are set to SERVER -
DHCP mode.

Both networks are currently in the same subnet of 255.0.0.0
LAN 1 = 10.10.2.x
LAN 2= 10.10.1.x
I am using LAN1 as the main DNS server on 10.10.2.1
for both LANS.

This is experimental as my main goal was to get the second network
relaying the Internet to the WIRELESS which it does currently do, but
the problem is the second network can still access my main LAN1
for browsing which I do not want, I want LAN1 private (no access)
from LAN2 except for the INTERNET portion of course.

I live right on the coast and we do have a great demand for access-
points here most cost a lot of money and are not free, I am trying
to provide a free service to users in the area for basic email, web
access etc, of which the ZyXEL is highly configurable for such services.

If anyone can help me sort this long term problem out it would be
very much appreciated as I am always trying to help others with network
problems and this would help me help others set-up their wireless
for ACCESS POINTS also thanks.

Michelle xxx





#1
December 19, 2011 at 09:00:16
After reading your rather lengthy post, I have no interest, or time for, reading two articles.

To accomplish your aim all you should need to do is connect a second, wireless, router via its WAN port, assign it a completely different subnet from what you're using on A and configure the WAN side of B to see the LAN side of A as its default gateway.

For more information click on my name above in this response and read my “how-to” guide titled, “Add a second Router to your LAN”

Pay attention to the scenario where you interconnect A to B "LAN port to WAN port"

It matters not how straight the gate,
How charged with punishments the scroll,
I am the master of my fate;
I am the captain of my soul.

***William Henley***



#2
December 19, 2011 at 09:55:20
Dear Curt R, thanks for your reply, the forum does say to give as much detail as possible, sorry if my post was too long for you, but as someone like myself with difficulty understanding how to do something I hope you forgive my detail.

Michelle



#3
December 19, 2011 at 10:43:14
"the problem is the second network can still access my main LAN1"

This is because you have them in the wrong order. You need the guest network first and the private network second. Then the guest can't see the private subnet but only the internet.

Answers are only as good as the information you provide.
How to properly post a question:
Sorry no tech support via PM's



#4
December 19, 2011 at 12:05:05
Actually, your post wasn't too long. What I said was, after reading it, I didn't feel like reading the two articles.

Apparently I didn't read your post thoroughly enough because I obviously missed something. My sincere apologies for that.

What wanderer says is correct, you'll want the private network (subnet) behind the public (guest) network. So router A, connected directly to the internet, would host the guest/public network. Router B would host your private network.

The rest of what I said, and my how-to, still applies.

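The ordering point from replies #3 and #4, together with the 255.0.0.0 mask from the original post, worked through as an added example (not code from any poster). It assumes plain consumer NAT routers cascaded LAN port to WAN port with no extra static routes or port forwards; the `192.168.x.0/24` addresses and the router names in the second layout are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(eq=False)
class Router:
    name: str
    lan: ipaddress.IPv4Network
    upstream: Optional["Router"] = None  # None: WAN port faces the Internet


def make_router(name, lan_ip, mask, upstream=None):
    # strict=False lets us pass the router's own LAN address with its mask
    lan = ipaddress.ip_network(f"{lan_ip}/{mask}", strict=False)
    return Router(name, lan, upstream)


def can_initiate(src: Router, dst: Router) -> bool:
    """Can a host on src's LAN open a connection to a host on dst's LAN?

    Assumed model: each router NATs its LAN out of its WAN port and drops
    unsolicited inbound traffic, so connections only flow "up" the chain
    towards the Internet, never down into a LAN behind another router.
    """
    hop = src
    while hop is not None:
        if hop is dst:
            return True
        hop = hop.upstream
    return False


def audit(guest: Router, private: Router) -> List[str]:
    """Return the reasons (if any) why guest hosts can reach the private LAN."""
    findings = []
    if guest.lan.overlaps(private.lan):
        findings.append(f"overlap: {guest.lan} and {private.lan} are not separate subnets")
    if can_initiate(guest, private):
        findings.append(f"leak: {guest.name} (guest) sits behind {private.name} (private)")
    return findings


# Layout as first posted: private NETGEAR on the ADSL line, guest ZyXEL
# behind it, both using mask 255.0.0.0 (so both LANs are 10.0.0.0/8).
netgear = make_router("NETGEAR", "10.10.2.1", "255.0.0.0")
zyxel = make_router("ZyXEL", "10.10.1.1", "255.0.0.0", upstream=netgear)
AS_POSTED = audit(guest=zyxel, private=netgear)

# Layout from the replies: guest router on the line, private router behind it.
# Addresses and names here are constructed, not taken from the thread.
edge = make_router("guest-router", "192.168.1.1", "255.255.255.0")
inner = make_router("private-router", "192.168.2.1", "255.255.255.0", upstream=edge)
AS_ADVISED = audit(guest=edge, private=inner)

if __name__ == "__main__":
    for label, result in (("as posted", AS_POSTED), ("as advised", AS_ADVISED)):
        print(label, "->", result or "guest cannot reach private LAN")
```

In the advised layout the private hosts can still open connections to the guest LAN, and any port forward configured on the inner router is a deliberate exception to the isolation shown here.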

#5
December 19, 2011 at 13:16:22
Well it's ok Curt, I forgive you, it's just giving me some REAL BIG headaches I keep locking my own access to the 2nd network out, every time I try to add the static IP in the WAN section I get locked out where I have to reset my router to factory settings before I can re-import my configuration oO (head spins around)

Well I never realised I had things backwards ??? this makes things awkward as I want the 2nd router far away from me with its active wireless, and my cables to my Netgear are not long enough to reach the ZyXEL, just been talking to a guy on ebay who may have another netgear like mine to pair up with WDS still unconfirmed as yet.

The ZyXEL has much more wireless power than my Netgear which is why I chose it for my wireless access point. So you mean I got the IPs wrong way around or the physical connections?

Ahh will I still be able to use my NETGEAR customised firewall for my current services I have setup? Reason I ask is for some reason setting up the ZyXEL firewall seems to have zero effect perhaps I have set something wrong there?

Michelle



#6
December 19, 2011 at 14:00:06
Is there any reason you can't duplicate the firewall settings you presently have on the Netgear on the other router? If it were me, I'd just swap the configs as that would preclude having to buy any different equipment or change locations of existing.

You should be able to just document all the settings on your Netgear and duplicate them on the other one.


#7
December 19, 2011 at 14:45:13
Dear Curt R, actually now I think about it it should be quite easy, I was thinking 2 dimensionally before, as I WAS going to say I have over 100 security settings in both my incoming & outgoing firewall rules and would be a nightmare, but if my private LAN is effectively behind 2 firewalls then I won't need most of the custom blocks I guess? As I have blocked certain countries also in my firewall on the NETGEAR router, I do have a few blocks even on my outgoing rules to prevent potential trojans from communicating with countries such as China where most attacks seem to come from. To give you some idea of my router settings here is a portion from my exported config file not including all my services customisations in total there is close to 100 manual configurations, and the NETGEAR config file can be edited manually in a text editor unlike the ZyXEL as when I export that all I see in a text editor is gibberish.

[70001]"Inbound Rule"=1:bootp:0:0.0.0.0:0/0:1
[70001]"Inbound Rule"=1:TeamSpk:2:10.10.2.10:0/0:1
[70001]"Inbound Rule"=1:TS-SQ:2:10.10.2.10:0/0:1
[70001]"Inbound Rule"=1:TS2:2:10.10.2.10:0/0:1
[70001]"Inbound Rule"=1:TS2-Q:2:10.10.2.10:0/0:1
[70001]"Inbound Rule"=1:Restrict1:0:0.0.0.0:0/0:1
[70001]"Inbound Rule"=1:CHINA:0:0.0.0.0:0/0:1
[70001]"Inbound Rule"=1:remote:0:0.0.0.0:0/0:1
[70001]"Inbound Rule"=1:LSASS-2:0:0.0.0.0:0/0:1
[70001]"Inbound Rule"=1:LSASS-1:0:0.0.0.0:0/0:1
[70001]"Inbound Rule"=1:system-ports:0:0.0.0.0:0/0:1
[70001]"Inbound Rule"=1:Win-Server:0:0.0.0.0:0/0:1
[70001]"Inbound Rule"=1:devel:0:0.0.0.0:0/0:1
[70001]"Inbound Rule"=1:130-140:0:0.0.0.0:0/0:1
[70001]"Inbound Rule"=1:Any(ALL):0:0.0.0.0:66.249.71.164:0
[70001]"Inbound Rule"=1:Any(ALL):0:0.0.0.0:60.000.000.000-61.255.255.254:3
[70001]"Inbound Rule"=1:Any(ALL):0:0.0.0.0:62.193.0.0-62.193.0.31:1
[70001]"Inbound Rule"=1:Any(ALL):0:0.0.0.0:66.249.64.0-66.249.95.254:1
[70001]"Inbound Rule"=1:Any(ALL):0:0.0.0.0:71.0.0.0-72.55.165.254:1
[70001]"Inbound Rule"=1:Any(ALL):0:0.0.0.0:81.13.000.000-81.13.255.254:1
[70001]"Inbound Rule"=1:Any(ALL):0:0.0.0.0:112.000.000.000-114.79.255.254:3
[70001]"Inbound Rule"=1:Any(ALL):0:0.0.0.0:118.000.000.000-118.255.255.254:0
[70001]"Inbound Rule"=1:ftp-block:0:0.0.0.0:122.000.000.000-125.211.255.254:3
[70001]"Inbound Rule"=1:ftp-block:0:0.0.0.0:134.000.000.000-134.255.255.254:3
[70001]"Inbound Rule"=1:ftp-block:0:0.0.0.0:159.000.000.000-159.255.255.254:3
[70001]"Inbound Rule"=1:ftp-block:0:0.0.0.0:161.000.000.000-168.255.255.254:3
[70001]"Inbound Rule"=1:Any(ALL):0:0.0.0.0:187.78.104.33:2
[70001]"Inbound Rule"=1:Any(ALL):0:0.0.0.0:202.83.0.0-202.83.255.254:1

# The Same as Inbound Rule
[70002]"Outbound Rule"=1:AppRunner:0:0/0:0/0:1
[70002]"Outbound Rule"=1:Restrict1:0:0/0:0/0:1
[70002]"Outbound Rule"=1:Any(ALL):0:10.10.2.6:0/0:1
[70002]"Outbound Rule"=1:CHINA:0:0/0:0/0:1
[70002]"Outbound Rule"=1:remote:0:0/0:0/0:1
[70002]"Outbound Rule"=1:LSASS-2:0:0/0:0/0:1
[70002]"Outbound Rule"=1:LSASS-1:0:0/0:0/0:1
[70002]"Outbound Rule"=1:system-ports:0:0/0:0/0:1
[70002]"Outbound Rule"=1:Win-Server:0:0/0:0/0:1
[70002]"Outbound Rule"=1:Any(ALL):0:0/0:69.89.31.247:1
[70002]"Outbound Rule"=1:devel:0:0/0:0/0:1
[70002]"Outbound Rule"=1:130-140:0:0/0:0/0:1
[70002]"Outbound Rule"=0:Any(ALL):0:10.10.2.13-10.10.2.14:0/0:1
[70002]"Outbound Rule"=0:Any(ALL):0:10.10.2.5-10.10.2.6:0/0:1
[70002]"Outbound Rule"=0:Any(ALL):0:10.10.2.14:0/0:1
[70002]"Outbound Rule"=0:Any(ALL):0:10.10.2.25:0/0:1
[70002]"Outbound Rule"=0:Any(ALL):0:10.10.2.10:0/0:1
[70002]"Outbound Rule"=0:Any(ALL):0:10.10.2.12:0/0:1
[70002]"Outbound Rule"=1:Any(ALL):0:0/0:60.000.000.000-61.255.255.254:0
[70002]"Outbound Rule"=1:Always-BLOCK:0:0/0:64.34.178.178:0
[70002]"Outbound Rule"=1:Any(ALL):0:0/0:66.139.73.159:0
[70002]"Outbound Rule"=1:Always-BLOCK:0:0/0:70.85.110.242:0
[70002]"Outbound Rule"=1:Always-BLOCK:0:0/0:72.51.46.31:0
[70002]"Outbound Rule"=1:Any(ALL):0:0/0:85.12.58.201:0
[70002]"Outbound Rule"=1:Any(ALL):0:0/0:126.000.000.000-126.255.255.254:0
[70002]"Outbound Rule"=1:Any(ALL):0:0/0:159.153.106.28:0
[70002]"Outbound Rule"=1:Any(ALL):0:0/0:202.83.000.000-202.83.255.254:0
[70002]"Outbound Rule"=1:Any(ALL):0:0/0:207.46.248.249:0
[70002]"Outbound Rule"=1:Any(ALL):0:0/0:216.73.93.8:0
[70002]"Outbound Rule"=0:Any(ALL):0:0/0:218.000.000.000-222.255.255.254:0

I block some stuff just based on my gut feeling, being psychic has saved my network from a lot of hassle, some anti-malware programs have flagged IPs which I later blocked in the router to save problems later.



#8
December 19, 2011 at 14:55:38
This is going to take me some time to do so have patience with me, running some voice chat servers and an ftp server means I need to add this stuff manually because there is no quick way as this is what I see when I edit a ZyXEL config file in a text editor.

ZÀ7þÍæ4/hý0?ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿx

lots of Gibberish

Michelle



#9
December 19, 2011 at 16:57:46
Well this just is not working out the ZyXEL just does not have enough custom service slots for all my needs, I run a flightgear http screenshot image server, use CVS, and 3 voice chat servers, an ftp server, basically the 10 slots for custom services on the ZyXEL is just not enough. One of my Team-speak servers for example uses 2 separate ports and they're too far apart for a range, I try to avoid opening ranges wherever possible as this invites trouble.

I hope to get word back from a guy on Ebay tomorrow about a second Netgear Router same as the one here, he only wants £5.00 for it, although it will still not have the wireless power needed but "can act as wireless repeater" maybe there is a 3 router way around this problem? Also I do currently have 2 identical ZyXEL routers here, so if there is another way to do this I am all ears!!!

PS, while I was configuring the ZyXEL I was not happy that when I deleted one of my custom services to try to squeeze in my most critical services, it did not error on my attempt and instead left a garbled service in the firewall rules this is a very bad sign of poor firmware programming and makes me less trusting of ZyXEL's reliability.

Michelle xxx



#10
December 19, 2011 at 17:08:05
Time for bed, hope to continue tomorrow, thanks Curt and Wanderer, maybe a good night's sleep will bring a brain wave oO

Michelle xxx



#11
December 20, 2011 at 07:48:48
✔ Best Answer
Sadly I have no experience working with either product you have (zyxel/netgear) so I can't be of much help in that aspect.

When setting up internal servers on my own equipment (D-Link, Linksys, 2-wire) I've always used port forwards myself and not filters on the actual firewall.

From what I'm seeing you have 4 things going on.
1) flightgear http screenshot image server
2) CVS
3) TeamSpeak
4) ftp

That's 4 port forwards as I see it.

The only one that might be a little tricky is the TS since each server would operate on a different port. I suspect you would have to make individual port forwards for each instance. Let's assume your TS servers are using the following ports
TS1 = 9997
TS2 = 9998
TS3 = 9999

Let's give your TS server the following (example) LAN IP: 192.168.0.25

Here's how the port forwards would look:
PortForward 1:
TS1 on port 9997 to 192.168.0.25:9997

PortForward 2:
TS2 on port 9998 to 192.168.0.25:9998

etc.


#12
December 20, 2011 at 11:09:14
Dear Curt R,
Actually after writing my last message and having some sleep I looked again, the ZyXEL is quite a confusing router as I never noticed it had also a port forwarding feature as you mentioned. Confusing as it seems to have 2 ways of redirecting incoming traffic, the port forwarding is sort of hiding behind the NAT option so it may be possible, as I have all my settings backed up it can't hurt to continue trying to do this as you suggested earlier with the ZyXEL as the router connected to the ADSL line so will not be rushing this as confusing it is for me having to swap things around, I am so used to having my main NETGEAR on the front line and have never really liked using the ZyXEL, it just makes me nervous for some reason :p and is not very stable in my experience, it is very erratic and easily locks me out of the configuration settings if I get just one IP address wrong in the WAN section, it's reset time.

Also I have my eye on this it could make things much easier might seem a bit of an over kill however it opens up more possibilities and it's a good price in fact.
http://www.ebay.co.uk/itm/390357175...

Michelle



#13
January 31, 2012 at 17:50:16
Dear Curt or anyone else, I have Just got my new access point after a little mix up at Christmas I almost got the wrong one I now have this one but need some help setting it up.

Netgear WN802Tv2 Wireless-N Range Extender Access Point

I am running 2 separate LAN networks both use the same subnet of 255.255.255.0
However my WN802Tv2 is on an IP range of 192.168.0.x
My Other network with the Router which is connected to the Internet is now on-
192.168.2.x I separated them to avoid collisions, I have configured my NETGEAR DG834G as Wireless Point to Multi-Point Bridge
AP to Wireless Point-to-Point Bridge

Using WEP (Wired Equivalent Privacy) on an OPEN network for testing.
However for some reason it just is not happening ? I am misled by what if anything I did wrong, I can't even see a signal from the AP.

In some modes I do see a signal, but I currently have to use either g or b mode for compatibility with my netgear DG834G

If any one can guide me would be much appreciated thanks.

Michelle

PS, I guess someone has taken a dislike to all my posts here :p perhaps I should give up the ghost.

UPDATE:
YAY NEVER MIND GOT IT SORTED :D



#14
February 1, 2012 at 17:57:00
SOLVED

On my ROUTER Here is what I did, I took the MAC address of my ADSL, on the NETGEAR (DG834G) AND set WDS mode to (Wireless Point to Multi-Point Bridge) and used this MAC address for the remote MAC for the WN802Tv2 to connect to.

SET the WN802Tv2 to (Wireless Point-to-Point Bridge) then used that provided MAC to my NETGEAR DG834G Yet it does not always connect if I happen to reboot one of the routers (I DISCOVERED IF OUT OF RANGE THIS CAN HAPPEN) = I have to re-insert the Ethernet cable to re-establish a link.

Both routers are close to each other for the moment, for testing.

Later I will move the WN802Tv2 to the bedroom or kitchen about 30 feet away from the DG834G and see how it goes, but so far so good.



#15
February 2, 2012 at 07:27:01
Hey Ortorea

Sorry for not getting back to you but I somehow lost track of this thread.

My apologies.

I'm glad to see you got it figured out in the end and thanks for posting your fix, it may very well help someone else out in the future.


#16
February 2, 2012 at 10:21:36
It's OK Curt R, I learn best anyway sometimes by struggling, one of the things I did figure out is that if while connected I move the AP farther away from the (GATEWAY/ROUTER) it is bridged to, or TURN it slightly (as it is a bit directional) I lose the connection over the bridge. In my situation the AP must be within 20 feet of the gateway otherwise the link drops.

Anyway the people I bought the access point from sent me this link today (after I solved it myself)

http://support.netgear.com/app/prod...

I also found out another VERY IMPORTANT TIP I kept getting disconnected after several minutes of network inactivity, it turned out to be in QoS (Quality of Service) settings I turned OFF the "WMM Powersave" it was that which caused my (connection dropping problem) so is working well now,

I walked around where I live with my daughter's net-book in hand and was able to get about 400 feet before the connection dropped, but had to get within 200 feet to get the connection back. Of course where I am located is not the best place, am surrounded by water pipes in the building around my AP which does a lot of damage to the signal, plus the window frames are steel reinforced and my AP is very close to one.

Hope it does help others :)

Michelle xxx

