I wish to establish a private and guest network for a local business. They have Verizon service with its wireless router plus their own personal wireless router.
The Actiontec mi424wr (rev i) wireless router is connected via Coax and will remain the first in line so as not to disrupt the set top boxes (STB) channel guide and other features managed by the Actiontec. The radio is active with an SSID of "ABC-Private" and its network is 192.168.1.xx. The thought is that only business personnel will connect to this router for internet.
I have connected their Linksys WRT54GS to the LAN port of the Actiontec, using a static IP which I have allocated in the Actiontec's DHCP pool for this purpose. This radio is active with an SSID of "ABC-Guests" and its network is 192.168.2.xx. The thought is that only patrons will connect to this router for internet.
My overall goal is that business personnel will have unrestricted access to the internet AND to each other … while patrons will only have HTTP and HTTPS access to the internet … and no communications will be permitted between the two network subnets. I realize there are hardware firewalls designed for accomplishing such a goal, but the business hopes to avoid the additional expense, if the aforementioned model can provide this capability.
In order to accomplish this goal, my remaining tasks are as follows:
1. On the Linksys, permit only HTTP and HTTPS traffic (and whatever else the patrons would need/want).
2. On the Actiontec, deny the Linksys IP address access to everything except for the Actiontec gateway.
Any help would be appreciated, as I have been unable to determine how to configure the Actiontec as described in item #2 above. I am thinking a Route needs to be defined to accomplish the goal in item #2 ... but I am not certain.
Without detailed reading of the manuals I would guess it is not possible to do #2. Generally consumer routers only have the ability to do any filtering between LAN and WAN ports. LAN-LAN is switched layer 2 and you can do nothing.
Your best option is to try to find a way to misconfigure the Linksys in such a way that it does not know how to get to the other machines on its WAN port. I would be thinking of intentional ARP poisoning, i.e. put in an invalid MAC for all the other IPs on the WAN port. You may also be able to intentionally put in the wrong subnet mask and then hardcode the ARP entries on both routers.
Not easy; you really need layer 2 firewall ability on the Actiontec.
If you have the correct hardware level, the Linksys supports DD-WRT. This software has many more options, so you may be able to get creative to solve your issue. Its firewall is much more advanced, so you may be able to put in a rule that only allows traffic to go to the gateway address on the WAN network.
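One way to write the "only the gateway on the WAN network" rule the answer above suggests, as an added example that is not part of the original thread: a DD-WRT style iptables script for the Linksys guest router, using the two subnets from the question and assuming the Actiontec gateway sits at 192.168.1.1 and the Linksys WAN interface is named vlan1 (both assumptions).

```shell
#!/bin/sh
# Added example, not from the original thread: a DD-WRT style firewall
# script for the Linksys guest router. Guests may reach the Actiontec
# gateway (for DNS) and the internet on ports 80/443, nothing else.
PRIVATE_NET="192.168.1.0/24"   # Actiontec LAN, from the question
GUEST_NET="192.168.2.0/24"     # Linksys LAN, from the question
GATEWAY="192.168.1.1"          # assumed Actiontec LAN address
WAN_IF="vlan1"                 # assumed DD-WRT WAN interface name

# Emit the rules instead of applying them, so they can be reviewed
# first (pipe the output to sh on the router to apply).
guest_rules() {
    cat <<EOF
iptables -N GUEST_FWD
iptables -I FORWARD -s $GUEST_NET -o $WAN_IF -j GUEST_FWD
# replies to sessions the guest opened
iptables -A GUEST_FWD -m state --state ESTABLISHED,RELATED -j ACCEPT
# DNS to the Actiontec gateway only
iptables -A GUEST_FWD -d $GATEWAY -p udp --dport 53 -j ACCEPT
iptables -A GUEST_FWD -d $GATEWAY -p tcp --dport 53 -j ACCEPT
# everything else on the private subnet is unreachable from guests
iptables -A GUEST_FWD -d $PRIVATE_NET -j DROP
# guests get web traffic to the internet and nothing more
iptables -A GUEST_FWD -p tcp --dport 80 -j ACCEPT
iptables -A GUEST_FWD -p tcp --dport 443 -j ACCEPT
iptables -A GUEST_FWD -j DROP
EOF
}

# Sanity check: the private-subnet DROP must come before the web ACCEPTs,
# or a guest could still reach a web server on the business LAN.
private_drop_precedes_web() {
    drop_line=$(guest_rules | grep -n -- "-d $PRIVATE_NET -j DROP" | cut -d: -f1)
    web_line=$(guest_rules | grep -n -- "--dport 80 -j ACCEPT" | cut -d: -f1)
    [ -n "$drop_line" ] && [ -n "$web_line" ] && [ "$drop_line" -lt "$web_line" ]
}

private_drop_precedes_web && guest_rules
```

On DD-WRT the emitted commands belong in the Firewall script under Administration > Commands so they are re-applied at every boot; the ordering check matters because iptables stops at the first matching rule.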