protected subnets
yes it's possible ...
Basically the subnet router#1 for shared usage is attached to the modem and the protected subnet router#2 attaches to router#1
Each router has one default route and no static routes which then forces all outbound traffic on router#1
to the modem and away from router#2. Without a route, subnet#1 can not access subnet#2
Code:
modem====(wan)router#1(lan#1)-----(wan)router#2(lan ports) - - - private systems
                        |  192.168.1.1      192.168.2.1
                        V
               shared access systems
You can use WiFi on either or both routers; just set different SSID, Channels, and encryption codes
When setting the configs (both of them), be sure to
set a new password which will disallow Internet access to the settings!
Get router#1 running first and test Internet access, then move on to router#2
*Caution* Always change router configurations using ONLY a wired connection!
On router #1
- set the router address specifically to 192.168.1.1
which serves as a note as to which router you're connected to
- set the DHCP range to 2-10
- save the settings
- now setup any wifi changes as applicable
- and change the admin password
- when you save this time, the router will restart and you WILL lose the connection
On router #2
- set the router address specifically to 192.168.2.1
- set the DHCP range again to 2-10
- set the WAN side address to 192.168.1.100 (notice it's above router#1 item (b))
- set the MASK to 255.255.255.0
- set the gateway to 192.168.1.100
- set the DNS to 192.168.1.100
- save the settings (which likely will drop your connection due to the router address change)
just reconnect and continue
- setup the WiFi settings
- change the admin password and save again
Test router#2 connections with the browser. Good results prove you're getting proper routing through router#1 AND that any DNS requests are being resolved.
Now test isolation; connect one system to both routers
from a system connected to router#2
ping 192.168.2.1 (must succeed)
ping 192.168.1.1 (should succeed)
ping 192.168.1.2 (should fail)
from a system connected to router#1
ping 192.168.1.1 (must succeed)
ping 192.168.1.2 (should succeed)
ping 192.168.2.1 (should fail)
ping 192.168.2.2 (should fail)
We can enhance the protection on all systems attached to router#2 with firewall rules, but let's deal with that later...
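
The ping checks listed above can be scripted so they are easy to repeat after any configuration change. This is an added example, not part of the original post; the function names and the PING_CMD override are assumptions, and the expected results are copied from the post as written.

```shell
#!/bin/sh
# Added example: runs the post's ping expectations and reports mismatches.
# PING_CMD is a hypothetical override hook so the logic can be tested offline.
PING_CMD=${PING_CMD:-ping_once}

ping_once() {
    # One echo request, 2 second wait (Linux iputils ping options).
    ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

# Expected results per side, exactly as listed in the post.
# The .2 addresses only give a meaningful answer if a host holds that lease.
expected_for() {
    case "$1" in
        router2) printf '%s\n' "192.168.2.1 succeed" "192.168.1.1 succeed" \
                               "192.168.1.2 fail" ;;
        router1) printf '%s\n' "192.168.1.1 succeed" "192.168.1.2 succeed" \
                               "192.168.2.1 fail" "192.168.2.2 fail" ;;
        *) return 2 ;;
    esac
}

# check_isolation <router1|router2>
# Prints one line per target. Returns 0 if every result matches the
# expectation, 1 on any mismatch, 2 on a bad argument.
check_isolation() {
    side=$1
    table=$(expected_for "$side") || {
        echo "usage: check_isolation router1|router2" >&2
        return 2
    }
    mismatches=0
    while read -r addr want; do
        if "$PING_CMD" "$addr" </dev/null; then got=succeed; else got=fail; fi
        if [ "$got" = "$want" ]; then
            status=OK
        else
            status=MISMATCH
            mismatches=$((mismatches + 1))
        fi
        printf '%-8s %-12s expected=%-7s got=%s\n' "$status" "$addr" "$want" "$got"
    done <<EOF
$table
EOF
    [ "$mismatches" -eq 0 ]
}
```

Source the file on a wired system and run `check_isolation router2` while attached to router#2, then `check_isolation router1` while attached to router#1; a MISMATCH line on an address expected to fail means the subnets are not isolated as intended.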