dslreports logo

    All FAQs Site FAQ DSL FAQ Cable Tech About DSL Distance DSL Hurdles »»


how-to block ads

6.0 Miscellaneous Help

How do I isolate my wired network from my wireless network while both are allowed to share one Internet connection?

Using two routers to secure a subnet without double NAT

Doing NAT in two routers is undesirable because it tends to break some software such as VPN and online games. By purchasing the correct equipment you can eliminate double NAT.

Router one must support NAT for IP addresses that are not on the same subnet as the router and support static routes. If router one is providing wireless access, it needs to support WPA to be secure. Router one should also have SPI firewall for security. You could also use a wired router and a separate wireless access point. For testing this I used a Netgear WGR614 version 5 wireless router ($20 after rebate). As far as I know, all the Zyxel routers, firewalls, and DSL modem/routers support all of these requirements except wireless/WPA and some of them support WPA. Router one will support the DMZ/wireless subnet.

The second router must support a SPI firewall with NAT disabled to secure the protected LAN. To use DHCP on the protected LAN, the second router must support manually assigning DNS servers (which will be given to the DHCP clients). I used a Zyxel P334WT for the second router (less than $62 shipped). As far as I know, all the Zyxel routers and firewalls currently in production support these requirements. Router two will provide Internet access to the secure LAN through router one.

You must use two subnets. For this example I use for the DMZ and for the LAN both with masks of
(172.30 is a class B block under the now obsolete IP class rules and the normal mask for a class B is but you could always subnet a class B)
You can use your existing subnet for the LAN as long as you use a different subnet for the DMZ.

    • Assign Router One a LAN IP address of mask
    • Create a static route in with a destination of mask gateway
    • Set the DHCP server -start- address to and -end- address to (or any range you want as long as it doesnt include .1 and .2 and is part of the same subnet)
    • Optionally Set the default DMZ server to if you want to see port probes in the P334WTs logs.
    • If you are going to be using wireless, setup and enable Router one's wireless LAN
    • Connect the WAN port of Router one to your DSL or cable modem.

    • Disable Router Two's wireless LAN if it has one.
    • Assign router two a LAN IP address of mask
    • Set the DHCP -start- address to and -end- address to (or any range you want as long as it doesnt include .1 and is part of the same subnet)
    • Set the first DNS server to IP address assigned by your ISP as first choice (You can get these from Router one's status)
    • Set the second DNS server to IP address assigned by your ISP as second choice (You can get these from Router one's status)
    • Set the third DNS server to (LAN IP of router one)
    • Set Windows networking Netbios over TCP/IP to allow between LAN and WAN (on the LAN setup page)
    • Assign Router two a WAN IP address of mask gateway
    • Set address translation to NONE on a Zyxel P334WT (uncheck -enable NAT- on a Zywall 5)
    • Set Windows networking (Netbios over TCP/IP to allow between LAN and WAN (on the WAN setup page)

• Connect the WAN port of Router two to a LAN port of Router one.
You should install a software firewall on all the wireless and DMZ PCs. I use the free version of Zone Alarm and set it to trust the LAN subnet.
• Connect any wired DMZ PCs to LAN ports on Router One (use a switch if you need more ports).
Connect your secure LAN PCs to LAN ports on Router Two (use a switch if you need more ports).

If you need to access shares on a PC attached that connects to the DMZ subnet (wired or wireless), go to the PC and at a cmd prompt enter:
Route add mask gateway 
Route -p add mask gateway 
if you want the route to be semi permanent (you can delete it).
Then use find compute to find the DMZ PC. If you share a folder read/write on the PC, you can transfer files in both directions.

If you need to access share on the LAN from a DMZ PC, the cheap way is to temporarily disconnect the PC from the DMZ ane connect it to the LAN.

Since the P334WT has a limited VPN server the other option to access the LAN from the DMZ is to setup a VPN rule on the P334WT and install VPN client software on the DMZ PC(s). I use this method to access a shared printer from my wireless notebook PC. You can download a free (but old) VPN client here:

»ftp.up.ac.za/pub/linux/ssh/pub/s ··· entinel/

This link is from the top of the VPN forum here.

If you are using P2P software, you may want to consider a more robust router than the Netgear WGR614 such as a second P334WT for Router One. I did a second successful test using my P334T as Router one and my Zywall 5 as Router Two.

This entry is from a post by janderso1 See Profile
»Using two routers for securtity without double NAT

Although this method can be used to isolate any two network segments, a wireless network is the most frequent reason for a home user to want to isolate a network segment.

Feedback received on this FAQ entry:
  • That is totally nerd language, and There is no way someone will go trough all that mumbo jumbo garbled to do it. Thanks anyway

    2014-09-06 10:55:25

by janderso1 See Profile edited by KeysCapt See Profile
last modified: 2005-12-24 08:12:52

The purpose of these steps is to give a hardware and software independent method of resolving the issue of repeated communication lockouts between a wireless Access Point and a wireless client computer.

- You repeatedly get a message from a wireless computer about Limited Connectivity because you did not get an IP address, or you are assigned an APIPA 169.254 address.
- If you have set a manual IP address, the wireless client says it is connected, but it repeatedly is not communicating or it stops communicating within 5 minutes of connecting every time
- Even though you have saved profiles for your wireless Access Point (AP), some clients repeatedly refuse to attempt to connect
- In Event Viewer, DHCP and TCPIP appear in the system event logs over and over, and rebooting has not solved the problem

- Reboot your wireless computers and power-cycle your AP.
- Turn off any options to hide your SSID from broadcasts.
- Turn off any proprietary speed-enhancing technologies.
- On your wireless client, delete and re-create your saved profile.

1. On your wireless AP, change your SSID to something that you have never used before.
2. Unplug power to your AP, take note of the time
3. Remove all saved profiles for that AP from your wireless computers
4. Reboot your wireless computers
5. After 65+ minutes from step 2, plug in your router
6. Using your wireless computers, associate with the new SSID
7. Leave the client connected for 65+ minutes. There may or may not be indications of up to two brief reconnections during this time. Do not reboot the AP during this time.
8. Shut down or reboot your wireless client computer normally (do not sleep, hibernate, or abruptly power-cycle).

TIP: The 65+ minute wait in step 5 may not be necessary for your hardware or software. If you only have one or two clients, you may wish to first try these steps without that wait. If they are not successful, then try all of the steps again with the wait.

WHY THIS WOULD WORK (IF IT WORKS): Setting up a new SSID causes the clients to create a new, clean, and correct profile for the access point. Rebooting the hardware is one attempt at clearing authentication failure lockouts. Waiting 65 minutes with the router off is another. Leaving the client online for 65 minutes is to ensure at least one successful key exchange after the initial successful authentication. Shutting down normally allows the software or OS to save configuration or registry information so that you can successfully connect in the future.

- WPA-PSK is a key-exchanging encryption and authentication method. The correct keys must be exchanged within a certain time and order.
- If this is not completed, the process ends by interrupting communications. Both the client and AP perform this checking and either one (or both) may be the side with the problem.
- This communications interruption is a possible cause for the DHCP failure.
- This problem can affect wireless products that are not configured to use WPA-PSK or 802.1X. Use these same steps if you are having the described problems and are using WEP or no encryption.
- Some 802.11 software and hardware products are more robust than others. Some products may not tolerate unexpected issues like an AP changing security methods, a frequently rebooting AP or client, or multiple security profiles for a single access point.

This entry from a post by funchords See Profile
»WPA-PSK Communications Lockout or DHCP Failure Tip

by KeysCapt See Profile