How To Securely Configure A Wireless Router As A Public Access Point
There are many reasons for wanting to set up a wireless public access point. You may want to provide your customers with free or paid Internet access or you may want to provide Internet access to your building and its common areas.
The first thing you need to know is that simply adding a wireless router to your network and letting anyone connect to it puts your own computers and network at risk. You need to separate the public and private networks so that wireless users cannot reach your local area network. You will need two routers: one with a DMZ port (or a firewall with a third interface) and one that becomes the public wireless access point.
There are many ways to do this. One is to buy an expensive router built for this purpose. One example is a D-Link private/public hotspot gateway that lets you set up five separate networks that cannot reach each other, but at a price of almost $3000.
A better and cheaper solution is to split your Internet connection into two separate networks that share the same Internet line.
Your first step is to get hold of a router or firewall with a DMZ (demilitarized zone) interface. I have done this in the past with a SonicWall Pro, but that can be pricey. The good news is that MakeUseOf.com has covered DD-WRT, open-source firmware that gives an old consumer router many of the features of an expensive one. We covered using it to create a wireless bridge, but you can follow the same steps to flash your router with DD-WRT.
The second step is to build one network for your own computers using one range of IP addresses, and to plug the wireless router physically into the DMZ port using a different range of IP addresses.

If you already have a router or firewall with a DMZ and your home network is set up, you are ready to configure the public DMZ network. If not, get the home network going first.
For example, your Internet connection comes from your cable modem or ISP router into your firewall/router. This walkthrough assumes a static public IP address on the firewall's WAN side.
That static IP address is assigned to the firewall/router's WAN interface. Then you create your internal LAN using a private subnet such as 192.168.1.0/24. In layman's terms that is the range 192.168.1.1 – 192.168.1.254 (the firewall's LAN interface is typically 192.168.1.1).

The firewall assigns addresses to the internal network using DHCP; a pool of 192.168.1.2 – 192.168.1.254 covers the whole subnet. All of your personal or work computers live on this network and reach the Internet through NAT (Network Address Translation) on the firewall.
The wireless router you will use to share the connection then plugs into the DMZ interface and gets its own subnet, for example 192.168.124.0/24, with its default gateway set to the firewall's address on that DMZ interface (192.168.124.1, say), not the firewall's LAN address.
A /24 gives you 254 host addresses, so roughly 250 wireless clients once the gateway and the wireless router itself have taken theirs. Name the wireless network something that tells potential users it is free and open to them; the setting in the wireless router is called the SSID.

Guests on the wireless network cannot reach your computers, but not merely because they sit on a different subnet: the firewall between the DMZ and LAN interfaces must drop traffic from the DMZ to the LAN, because a router with no such rule will happily route between the two. Verify it by connecting to the public SSID and trying to ping or browse to a LAN address; nothing should answer. There are other ways to achieve this isolation, but this setup has worked for me in the past.
I have also seen people use VLANs (virtual local area networks) to isolate and secure the two networks further. A VLAN separates the traffic at the switch level, and the router or firewall then applies rules that limit what one VLAN may reach on the other; if all you do is create the VLANs, the router will still route freely between them. Check whether your router or switch supports this. Depending on the equipment, some assign VLANs by switch port and others by IP address range.
This is my VLAN setup page on my HP ProCurve:
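The subnet plan and the DMZ-to-LAN block described above (and the VLAN variant, where each VLAN is simply one of the zones) can be written down and checked before you touch the firewall. The script below is an added example and not code from this article or from DD-WRT: it renders an iptables FORWARD policy of the kind a DD-WRT firewall script contains, and evaluates a few flows against it first-match, the way the kernel will. The interface names (vlan2, br0, br1), the DMZ gateway address 192.168.124.1 and the Internet address 203.0.113.10 are assumptions for illustration.

```python
# Added example (not from the article): render and sanity-check the
# LAN/DMZ/WAN forwarding policy for a Linux/iptables firewall such as DD-WRT.
import ipaddress
from dataclasses import dataclass

ZONE_NETS = {
    "lan": ipaddress.ip_network("192.168.1.0/24"),    # private computers
    "dmz": ipaddress.ip_network("192.168.124.0/24"),  # public wireless router
}
# Assumed interface names: on DD-WRT the LAN bridge is usually br0 and the
# WAN is a VLAN sub-interface, but check `ip link` on your own box.
ZONE_IFACE = {"wan": "vlan2", "lan": "br0", "dmz": "br1"}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str      # "ACCEPT" or "DROP"
    comment: str


# iptables is first-match, so the DMZ->LAN drop is listed first.
POLICY = [
    Rule("dmz", "lan", "DROP",   "public wireless must never reach the LAN"),
    Rule("dmz", "wan", "ACCEPT", "guests get Internet only"),
    Rule("lan", "wan", "ACCEPT", "private hosts get Internet"),
    Rule("lan", "dmz", "ACCEPT", "admins may manage the public AP from the LAN"),
]


def zone_of(ip, in_iface=None):
    """Classify an address. Classifying by ingress interface (what the rendered
    rules do with -i/-o) is preferred: a guest can forge a LAN source address,
    but cannot change which firewall port its traffic arrives on."""
    if in_iface is not None:
        for zone, iface in ZONE_IFACE.items():
            if iface == in_iface:
                return zone
        raise ValueError(f"unknown interface {in_iface}")
    addr = ipaddress.ip_address(ip)
    for zone, net in ZONE_NETS.items():
        if addr in net:
            return zone
    return "wan"   # anything outside the private zones is the Internet


def decide(src_ip, dst_ip, policy=POLICY, default="DROP", in_iface=None):
    """First-match verdict for a NEW forwarded flow. Reply packets are admitted
    by the conntrack rule emitted in render_iptables(), not modelled here."""
    src, dst = zone_of(src_ip, in_iface), zone_of(dst_ip)
    for rule in policy:
        if rule.src_zone == src and rule.dst_zone == dst:
            return rule.action
    return default


# Constructed test flows: (source, destination) -> verdict we require.
EXPECTED = {
    ("192.168.124.50", "192.168.1.10"):  "DROP",    # guest -> private PC
    ("192.168.124.50", "203.0.113.10"):  "ACCEPT",  # guest -> Internet
    ("192.168.1.10",   "203.0.113.10"):  "ACCEPT",  # private PC -> Internet
    ("192.168.1.10",   "192.168.124.1"): "ACCEPT",  # admin -> DMZ gateway
}


def check_policy(policy=POLICY, default="DROP"):
    """Return the flows whose verdict differs from EXPECTED (empty means OK)."""
    failures = []
    for (src, dst), want in EXPECTED.items():
        got = decide(src, dst, policy, default)
        if got != want:
            failures.append((src, dst, want, got))
    return failures


def render_iptables(policy=POLICY):
    """Emit the shell lines for the firewall script, in policy order."""
    lines = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in policy:
        lines.append(
            f"iptables -A FORWARD -i {ZONE_IFACE[r.src_zone]} "
            f"-o {ZONE_IFACE[r.dst_zone]} -j {r.action}  # {r.comment}"
        )
    lines.append(f"iptables -t nat -A POSTROUTING -o {ZONE_IFACE['wan']} -j MASQUERADE")
    return lines


if __name__ == "__main__":
    problems = check_policy()
    if problems:
        raise SystemExit(f"policy check failed: {problems}")
    print("\n".join(render_iptables()))
```

Running it with an empty policy and `default="ACCEPT"` models a router that merely routes between the two subnets: `check_policy([], "ACCEPT")` then reports the guest-to-LAN flow as accepted, which is exactly the gap the DMZ rule closes. Older DD-WRT builds may lack the conntrack match; substitute `-m state --state ESTABLISHED,RELATED` there.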

You might want to extend the wireless router's range by adding a range-extending antenna like the one I found on eBay. You can increase the range by as much as 200% simply by unscrewing the current antenna (or antennas) and fitting a higher-gain one, as I did to mine. Bear in mind that a bigger coverage area also means the open network can be reached from further away, so there is more ground to log and watch.

I would also turn on all the logging you possibly can at the beginning, so you can review whether and what people are accessing and confirm that nothing from the public network is reaching the private one. There can be a lot of trial and error in setting this up. If you are unsure of what you are doing, make sure you install software firewalls on your computers to prevent unauthorized access. I recommend ZoneAlarm.


about 1 year ago
Probably a good tutorial.
Are there any working tutorials on setting up a Ralink-based PCI card using hostapd without destroying the operating system?
about 1 year ago
@peter thesing: I have never seen it done but if you figure it out please let us know how!
about 1 year ago
This is a very informative article. I like how you used pictures to help understand the process. Thanks for sharing.
about 9 months ago
I’m currently working to create a public wireless network that must run in parallel with, but be completely isolated from, the existing private business network. There are multiple Linksys WRT54Gs flashed with DD-WRT firmware attached to three different switches, all connected to the main Endian router. Would this solution require that I buy a second wireless router to plug into each WRT54G’s DMZ port to provide public access? Do you think that I could achieve the same effect by configuring the existing routers to run two VLANs with distinct SSIDs (the private network having a hidden SSID and being encrypted with WEP2)?
I’d truly appreciate your help in this! I’m a lowly student programmer, so I want to make sure I’m reading into this correctly! Thanks so much for your time :)