
Two wireless routers...one for LAN and one for internet. Possible?

April 19, 2011 6:15:05 AM

Hi,

Would it be possible to set up a network with two wireless routers with one of the routers getting internet access and sending it out to the computers on its network and then get another wireless router to hook up to a computer for a LAN? So for example a PC would use router 1 for internet access and router 2 to share files. Would that be possible?

If possible, what port would I plug the PC ethernet cable into on router 2? Would I plug it into the WAN port or just one of the open PC ports?

Also, would it be possible for a laptop to be able to connect to both wirelessly using its built in wireless card and a USB wireless dongle?

Any info will be helpful. Thx :) 
April 19, 2011 6:46:54 AM

Quote:
So for example a PC would use router 1 for internet access and router 2 to share files. Would that be possible?


No, Windows will only use ONE network card
April 19, 2011 12:40:31 PM

You can install and use as many network adapters as you like. However (and this is what Emerald was alluding to), it's pointless unless all those adapters are using different subnets. Anytime Windows sees two or more adapters using the same subnet, it's going to use the one w/ the highest priority (as defined by Network Connections->Advanced->Advanced Settings->Connections) and use it exclusively. Any others for that same subnet are IGNORED.

So sure, you can use two routers, one for subnet A and leading to the Internet, and another for subnet B and leading to another internal network. No problem.

Now whether it’s worth the trouble/hassle is hard to say since I don't know the objectives here. Since the two subnets are effectively isolated from each other, I don’t know if that raises an issue for you as well. Minimally those on the internal router have no Internet access. By default, only your PC has transparent access to both subnets. Therefore, you *might* want to consider enabling ICS on your PC if those internal machines also need Internet access. But then why bother w/ using that second internal router anyway since your PC is now that second (soft) router?

And whether you plug the PC into a WAN or LAN port on router 2 depends on what you’re trying to do. Using the WAN port, users behind router 2 have their own subnet, DHCP server, etc., but block your PC from accessing their subnet. OTOH, if you connect to a LAN port, now you’re part of their subnet, use their DHCP server, etc. And now the WAN port is orphaned.

That’s the whole problem here. You haven’t defined the objective, what you want to achieve in the end. Instead, you’ve proposed several devices and configuration changes without any sense of WHY, to what ends. Ultimately it’s the ends that determine the means, and which means are most effective. For all we know, your ends are not even achievable.


April 19, 2011 4:58:27 PM

eibgrad said:
You can install and use as many network adapters as you like. However (and this is what Emerald was alluding to), it's pointless unless all those adapters are using different subnets. Anytime Windows sees two or more adapters using the same subnet, it's going to use the one w/ the highest priority (as defined by Network Connections->Advanced->Advanced Settings->Connections) and use it exclusively. Any others for that same subnet are IGNORED.

So sure, you can use two routers, one for subnet A and leading to the Internet, and another for subnet B and leading to another internal network. No problem.

Now whether it’s worth the trouble/hassle is hard to say since I don't know the objectives here. Since the two subnets are effectively isolated from each other, I don’t know if that raises an issue for you as well. Minimally those on the internal router have no Internet access. By default, only your PC has transparent access to both subnets. Therefore, you *might* want to consider enabling ICS on your PC if those internal machines also need Internet access. But then why bother w/ using that second internal router anyway since your PC is now that second (soft) router?

And whether you plug the PC into a WAN or LAN port on router 2 depends on what you’re trying to do. Using the WAN port, users behind router 2 have their own subnet, DHCP server, etc., but block your PC from accessing their subnet. OTOH, if you connect to a LAN port, now you’re part of their subnet, use their DHCP server, etc. And now the WAN port is orphaned.

That’s the whole problem here. You haven’t defined the objective, what you want to achieve in the end. Instead, you’ve proposed several devices and configuration changes without any sense of WHY, to what ends. Ultimately it’s the ends that determine the means, and which means are most effective. For all we know, your ends are not even achievable.



That is some very good info! Thanks! Here's what my possible objective is...what I was going to maybe attempt was maybe buy or build a home server. Router 1 would just be the internet connection and router 2 would be for the actual server. I was thinking by doing this, putting the LAN on a separate router, there would maybe be more security for the server.

Is this still feasible? Also, what is ICS?
April 19, 2011 5:12:07 PM

nvidia2500 said:
That is some very good info! Thanks! Here's what my possible objective is...what I was going to maybe attempt was maybe buy or build a home server. Router 1 would just be the internet connection and router 2 would be for the actual server. I was thinking by doing this, putting the LAN on a separate router, there would maybe be more security for the server.

Is this still feasible? Also, what is ICS?



It can be done, but it would be ugly I think.

Why not just have 1 router and connect everything to it?

Are you worried about security?
If so, you can deny internet access to your server's MAC address via your router. This stops outside communication to your router.


You say server, are you setting up a fully functional business server, or like a home theater/storage/printer server?

Is this for education?
If so, then you want to consider using virtual machines instead of changing your network so much.


Explain why you want separate networks, what your server will be doing, and the purpose of this network please.

As far as security goes, denying internet access via your router to your server only is just as safe as your 2 LAN idea. This protects against outsiders but not viruses from your own computers/clients. You might consider making a firewall PC if you have an old computer lying around.


April 19, 2011 5:23:19 PM

Adding a second router for the purposes of burying the server behind it doesn't really buy you any more security. You're already behind a router and firewall, that’s sufficient. Adding more routers (firewalls) only complicates configuration needlessly (multiple NATs, multiple firewalls, multiple port forwarding, etc.).

You only want/need to add routers where you don’t already have protection. For example, suppose you wanted to allow guests to have Internet access while visiting your home, but deny them access to your other resources. Then a second router would make sense. You'd connect the first (guest) router to the modem, then chain the second router behind it. Guests would have internet access, but no access to your internal network due to the second router's firewall.

Again, you add routers only when you need protection, and once you have it, adding more routers is pointless. Only add them where a wall is needed and doesn’t already exist.

ICS (Internet Connection Services) allows you to share your desktop/laptop internet access w/ other desktops/laptops by bridging your internet connection to another network connection on the same machine (wire or wireless). In effect, it turns that desktop/laptop into a router (or what some ppl call a “software” or “soft” router).

April 19, 2011 9:39:26 PM

eibgrad said:
You only want/need to add routers where you don’t already have protection. For example, suppose you wanted to allow guests to have Internet access while visiting your home, but deny them access to your other resources. Then a second router would make sense. You'd connect the first (guest) router to the modem, then chain the second router behind it. Guests would have internet access, but no access to your internal network due to the second router's firewall.


This is what I am looking to do! Have the internet connection shared but also have a private network. So you suggest modem to router 1. Router 1 will give off public access. Then have router 2 plugged into one of the lan ports on router 1. This will then create a secure private network on router 2? Will I need to adjust any settings or will it just be automatic and the routers will know what to do?


April 19, 2011 10:32:30 PM

Ok, well you never quite described it that way, but that's exactly why I wanted you to describe your intentions. Otherwise we'd end up down the wrong road.

This topic has come up many times before, and so I would suggest reading another thread on another forum first, just to save some typing on my part.

http://www.maximumpc.com/forums/viewtopic.php?f=25&t=10...

I should point out (because sooner or later someone else will :) ), the one limitation of the two router configuration is that it’s vulnerable to a MITM (Man in the Middle) attack, specifically ARP poisoning. Basically, a client of router #1 (the “guest” network) could potentially spoof the MAC address of router #1 w/ their own MAC address and redirect traffic from router 2 back to himself, do whatever they plan to do w/ it, then send it back to router #1 as if nothing happened, and the client behind router #2 none the wiser.

Now before anyone goes over the deep end, the chances of this happening are extremely remote if you're dealing w/ trusted users (family, friends, neighbors, etc.). But it has to be mentioned as a possibility and something that any serious hacker would know about. So if you were leaving your wifi open to the public “at large”, that would be worrisome.

The only truly safe solution is using three routers in a Y configuration.

[router B (private network)](wan)<-- wire -->(lan)[router A (connected to modem)](lan)<-- wire -->(wan)[router C (public/guest network)]

Now ARP poisoning is not possible beyond the WAN of either router B or C. Of course, this adds to the expense of the solution. And if you want access to the public/guest network from the private network, you’d need to open the firewall on the private/guest network, forward ports, configure static routes, etc. IOW, it gets a bit messy. Or you might treat each network like any other remote networks across the Internet and use a VPN to facilitate communications.
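
A defender-side check for the ARP poisoning risk described in the post above, as an added example that is not part of the original thread: it parses Windows `arp -a` output and flags a gateway whose MAC differs from a recorded baseline or is shared with another host. The addresses, MACs and sample output are constructed, and the function names are hypothetical.

```python
import re

# Constructed `arp -a` output from a Windows host on router #1's subnet.
CLEAN = """\
Interface: 192.168.1.2 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.23          66-77-88-99-aa-bb     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
# Constructed: the same table after the guest at 192.168.1.23 has
# answered for the gateway's IP with its own MAC.
POISONED = CLEAN.replace("00-11-22-33-44-55", "66-77-88-99-AA-BB")

ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+\w+\s*$",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Return {ip: mac} for unicast entries, MACs lower-cased."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # interface banner, column header, blank line
        ip, mac = m.group(1), m.group(2).lower()
        # Broadcast and IPv4 multicast entries say nothing about spoofing.
        if mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e"):
            continue
        table[ip] = mac
    return table


def check_gateway(text, gateway_ip, baseline_mac):
    """Compare the gateway's ARP entry with a MAC recorded while trusted."""
    table = parse_arp_table(text)
    seen = table.get(gateway_ip)
    if seen is None:
        return [f"{gateway_ip}: no ARP entry"]
    findings = []
    baseline = baseline_mac.lower()
    if seen != baseline:
        findings.append(f"{gateway_ip}: MAC is {seen}, baseline is {baseline}")
    # A second IP with the gateway's MAC points at the host doing the spoofing.
    for ip, mac in sorted(table.items()):
        if ip != gateway_ip and mac == seen:
            findings.append(f"{gateway_ip} and {ip} share MAC {seen}")
    return findings


if __name__ == "__main__":
    for name, text in (("clean", CLEAN), ("poisoned", POISONED)):
        print(name, check_gateway(text, "192.168.1.1", "00-11-22-33-44-55"))
```

The baseline MAC has to be recorded at a time the network is known to be clean, for example from the label on router #1.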
April 20, 2011 3:28:18 AM

eibgrad said:
Ok, well you never quite described it that way, but that's exactly why I wanted you to describe your intentions. Otherwise we'd end up down the wrong road.

This topic has come up many times before, and so I would suggest reading another thread on another forum first, just to save some typing on my part.

http://www.maximumpc.com/forums/viewtopic.php?f=25&t=10...

I should point out (because sooner or later someone else will :) ), the one limitation of the two router configuration is that it’s vulnerable to a MITM (Man in the Middle) attack, specifically ARP poisoning. Basically, a client of router #1 (the “guest” network) could potentially spoof the MAC address of router #1 w/ their own MAC address and redirect traffic from router 2 back to himself, do whatever they plan to do w/ it, then send it back to router #1 as if nothing happened, and the client behind router #2 none the wiser.

Now before anyone goes over the deep end, the chances of this happening are extremely remote if you're dealing w/ trusted users (family, friends, neighbors, etc.). But it has to be mentioned as a possibility and something that any serious hacker would know about. So if you were leaving your wifi open to the public “at large”, that would be worrisome.

The only truly safe solution is using three routers in a Y configuration.

[router B (private network)](wan)<-- wire -->(lan)[router A (connected to modem)](lan)<-- wire -->(wan)[router C (public/guest network)]

Now ARP poisoning is not possible beyond the WAN of either router B or C. Of course, this adds to the expense of the solution. And if you want access to the public/guest network from the private network, you’d need to open the firewall on the private/guest network, forward ports, configure static routes, etc. IOW, it gets a bit messy. Or you might treat each network like any other remote networks across the Internet and use a VPN to facilitate communications.


Again very good info! I don't think I need to use the three router setup, but I actually do have a third router available already. It's a wired one that hasn't been used in like a year, but worked well enough. Again, probably not going to go this far with it, but out of curiosity...in your diagram the private network is router B and the public is router C, does it matter what LAN ports I use on router A to plug into the WAN port on router B and C? Like what I mean is should LAN port 1 from router A go to router B's WAN port and LAN port 2 from router A go to router C's WAN port? Or does this not even matter?
April 20, 2011 4:42:36 AM

The LAN ports you use on router A don't matter at all. They're all part of the same switch and reside on router A's subnet.
April 20, 2011 1:15:21 PM

I'm sorry, maybe I'm not understanding but this whole multiple routers seems a waste.


I'm guessing this is for a private at home setup? Why not use a single router, and just require authentication (password) to access network resources?

That way Joe Blow can connect and use your broadband, but when they try to click to search one of your other computers *boom* password requested!!

*edit* this would be a feature inside Windows not on your router, although some routers do have a Guest feature.
Anonymous
May 24, 2011 11:46:02 AM

Can I throw a question in the mix?
I'm finding this all interesting. I can't see the point in more than 1 router, as options in the router can block services, but using a second router with a firewall may be safest.
Anyway, I was wondering if it's possible to have a wired LAN & wireless card in the same PC, allowing most programs to use wired for printing, Excel, etc. & Firefox/Opera to use the Wi-Fi internet wireless connection. Now the reason being the wired network is routed via a USA IP but I have access to a UK IP via Wi-Fi, so I want to use the UK IP for internet where other work programs use a USA server. Is it possible? If so, how do I do it?
May 25, 2011 2:17:18 AM

c911darkwolf said:
I'm sorry, maybe I'm not understanding but this whole multiple routers seems a waste.


I'm guessing this is for a private at home setup? Why not use a single router, and just require authentication (password) to access network resources?

That way Joe Blow can connect and use your broadband, but when they try to click to search one of your other computers *boom* password requested!!

*edit* this would be a feature inside Windows not on your router, although some routers do have a Guest feature.


Realize that we're simply addressing the OP's own inquiry into the use of two routers for this purpose. No one is suggesting this is the ONLY, or necessarily the BEST solution. It's only about what can and can't be done w/ more than one router.

Yes, you could accomplish some of this w/ a single router, perhaps one that supports a second "guest" network/ssid (e.g., DIR-655). But of course, you may not want the added expense, esp. if a second (or third) router is available and can at least be configured (if somewhat clumsily) into a viable solution.

As far as relying on Windows authentication, or anything similar, you have to realize the underlying protocols of your local network (ethernet, SMB, etc.) are simply not secure. Once someone has access to your local network, it's relatively easy to spoof MAC addresses (ARP poisoning), sniff traffic, engage in brute force attacks, etc. Relying on simple application level authentication schemes to protect your local resources is asking for trouble. That’s why you should use either a guest network or second router to keep them completely off that local network.


May 25, 2011 2:43:39 AM

Quote:
Can I throw a question in the mix?
I'm finding this all interesting. I can't see the point in more than 1 router, as options in the router can block services, but using a second router with a firewall may be safest.
Anyway, I was wondering if it's possible to have a wired LAN & wireless card in the same PC, allowing most programs to use wired for printing, Excel, etc. & Firefox/Opera to use the Wi-Fi internet wireless connection. Now the reason being the wired network is routed via a USA IP but I have access to a UK IP via Wi-Fi, so I want to use the UK IP for internet where other work programs use a USA server. Is it possible? If so, how do I do it?


Not really enough detail here to answer this accurately. You never mention, for example, if each of these internet connections are directly from the PC, or indirectly through different routers, or whether they use the same or different subnets, etc. But I’ll try to provide some general guidance anyway.

You have to realize that Windows exhibits specific behaviors wrt networking. If you have more than one network adapter, and both are configured for the same subnet, Windows will always use the one w/ the highest priority and/or best metric, and completely ignore the other. Also, you can only have one default gateway. Here again, if you have more than one internet gateway, Windows will always use the one w/ the highest priority and/or best metric and ignore the other. Finally, Windows generally doesn’t allow applications (services yes, but not applications) to decide which network adapter/interface will be used for communications. These decisions are made by Windows “below” the application level. IOW, you can only “influence” what will happen by understanding how Windows makes its decisions wrt networking and thus configuring your network resources accordingly.

So basically what I’m saying is, it’s not that easy to make some applications use wire, and the others use wireless. Windows just isn’t designed to allow that type of granularity to applications. Just think how complicated configuration could become (it’s tough enough as it is) if it did!

What I have suggested to others is to use a VM (virtual machine), such as VirtualBox. Because you can control which network adapters are exposed to guest VMs, you could use one network adapter on the host (the one you know Windows will use by default based on the above behaviors) and only give access to the other network adapter in the VM. You thus have/maintain network separation at the OS level and can segregate your applications according to the VM w/ the appropriate network interface. Of course, you could do the same thing using another physical computer, but a VM makes it far more practical for most ppl.
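
The route selection described in the post above, as an added example that is not part of the original thread: a simplified model (longest matching prefix, then lowest metric) showing why every program leaves by the same adapter. It goes one step beyond the post by adding a more specific route for one destination network; the route table, addresses, metrics and function names are constructed.

```python
import ipaddress

# Constructed route table for a PC with a wired and a wireless adapter on
# different subnets: (destination, gateway, interface, metric).
ROUTES = [
    ("0.0.0.0/0",      "10.0.0.1",    "wired", 10),
    ("0.0.0.0/0",      "192.168.0.1", "wifi",  25),
    ("10.0.0.0/24",    "on-link",     "wired", 10),
    ("192.168.0.0/24", "on-link",     "wifi",  25),
]

# Constructed: the same table plus one specific route that sends a single
# remote network (a documentation range) out through the wireless gateway.
PINNED = ROUTES + [("203.0.113.0/24", "192.168.0.1", "wifi", 25)]


def pick_route(dest, routes):
    """Longest matching prefix wins; ties go to the lowest metric."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in ipaddress.ip_network(r[0])]
    if not matches:
        return None
    return max(
        matches,
        key=lambda r: (ipaddress.ip_network(r[0]).prefixlen, -r[3]),
    )


def egress(dest, routes):
    """Interface a packet to dest leaves by, whichever program sent it."""
    route = pick_route(dest, routes)
    return route[2] if route else None


if __name__ == "__main__":
    for dest in ("198.51.100.7", "203.0.113.9", "192.168.0.50"):
        print(dest, egress(dest, ROUTES), egress(dest, PINNED))
```

The decision is keyed on the destination address only, which is why the browser and the office programs cannot be split across adapters by application.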
