Hi, I hope someone can help me with this, as im not sure if it is even possible...? this is how i need to set them up... I have one internet connecton coming through a cable into router 1 - this is also a switch with 4 ports on it which i use for my internal server 2008 r2 network. I also have another router/switch that i want to use for external wireless access - eg when a friend comes to my house they can access the internet by connecting to router 2 via wireless - but cannot see/connect to anything on my internal lan. I have no idea how to wire that - so that router 2 can also access the internet but not the internal network. I have one spare port on router 1 for an ethernet cable and all 4 ports free on router 2 (it also has an internet port as does router 1) and router 1's inet port is connected to the modem) (these are ethernet ports) is this possible? and if so how? i was gonna try and connect a spare port on router 1 to router 2's inet port or a lan port - but thats probabably wrong. Thank you Timez82

Hello In Enterprise environment you could create a VLAN but at home withthe basic routers you can have two seperate subnets. YOu will plug in router 2 on one of the ports on router1 and change it settings to broadcast on a separate subnet..Say router one is 192.168.1.0-254 then router 2 will be 192.168.2.0-254. And you can broadcast on router SID as Home and router 2 as Guest Isaac Oben MCITP:EA, MCSE

Your proposed design: 192.168.100.x (Wireless) --> [Router2] -- 192.168.2.x cross connect -- [Router1] <-- 192.168.1.x computers ^-- Internet This design would not prevent each of the private networks (192.168.100.x & 192.168.1.x) from communicating with each other. As a matter of fact, to get Router2's computers to get on the internet, Router1 will need to have routing information about Router2. Once that is in place, computers from Router2 and Router1 will be able to freely communicate with each other. Therefore, you can continue with this design, but you will need to place a Firewall between Router1 and the computers located on its LAN side. Visit: anITKB.com, an IT Knowledge Base.

ok i got it working execpt for one thing - you can still ping the servers i set the inet settings in router 2 to a static ip on my lan - and made the secondary routers lan a different subnet and ip range. I then plugged a cable from the lan port of router 1 to the wan port on router 2 all working well but you can still ping the internal lan from it. also i turned on the dhcp on router 2 to service wireless clients - dhcp is off on router 1 and one of the servers handles lan dhcp (will router 2 try and give my internal lan computers an ip at all? - i obvislly dont want this to happen) Timez

bump

ok i ran a test and the secondary router never tries to hand out dchp addresses to the internal lan. Im still stuck on how to make sure its secure away from the lan? internal lan has 10.0.0.x ip range - subnet mask - 255.0.0.0 Router 2 has 192.168.0.x range - subnet mask 255.255.255.0 Timez

Sorry, been in and out this week. With this design, you'll need a firewall, preferably on the router. Visit: anITKB.com, an IT Knowledge Base.

it does come with one - it has an option - enable spi firewall - its enabled but as i say i can still ping the internal lan from that router

That firewall may be limited. I assume that it is probably firewalling the WAN port from the internal ports. In your case you would need to be able to filter at each port. Other options: turn on the OS firewalls on each of the systems and configure them accordingly. Or place a dedicated firewall and connect the private networks behind the firewall. As I indicated in my first posting, your design will have this inherit issue without additional filtering. I don't see any other options based on your design.Visit: anITKB.com, an IT Knowledge Base.

The way I've set this up in the past is to use your 'public' firewall/router as the device just inside your modem, running as a DHCP server and giving public users internet access. From a LAN port on this firewall, plug the first router/firewall into the WAN/Internet port of your next firewall, which would be used to host your private/domain network. Configurations will be required on your first router to allow traffic through the first LAN into the next, including any port forwarding for any services you will be using, but when I've done this, the private network loses connectivity (can't ping) the servers in your private LAN.