Here is my crude ascii picture of your suggestion to make sure we are on the same page:
   |        |        |      |
office1  office2  office3  WAP
That's an interesting suggestion - I hadn't thought of DMZ mode. My impression has been that DMZ mode directs all incoming traffic that doesn't have a predetermined destination from the NAT operations to the DMZ host - which would be important for making sure the NAT on the WAP router works, but it does not block access between the DMZ host and the other local computers. In other words, it is just a "default host for incoming connections" setting. Am I misinterpreting something, or is this impression not valid if I am also using the Public Proxied Subnet option as you describe?
Another complication is the fact that the 2wire modems implement "DMZplus" which appears to keep the DMZ host firewalled - furthering my impression that there will still be residual visibility between the two subnets. And if I keep the firewall active on the WAP router that will be providing the public access then I would think that the office machines hooked to the 2wire would be blocked from accessing the public machines on the wireless network, but not (the all important) vice versa - no?
I can try this tomorrow or Sunday, but I will probably only have one shot to get it right before I have to wait for my next trip.
Also, you recommend switching to a 10.x scheme for the local computers, but since they are all manually assigned to 192.168.1 addresses I'd like to avoid disrupting that and have the new router on a different subnet (probably just using a 192.168.N variant - I'm guessing that won't be a problem, but I'm not familiar with the purpose of the 10.x space...)
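Added illustration (not part of the original thread): a small Python model of the two-router layout discussed above, to make the "residual visibility" concern concrete. It assumes the office LAN is 192.168.1.0/24 on the 2wire, the public wireless LAN is a hypothetical 192.168.2.0/24 behind the WAP router, and the WAP router's WAN port (the 2wire's DMZ host) sits on the office LAN. The model encodes three things: the 2wire's DMZ setting only decides where unsolicited internet traffic lands (the WAP router's WAN port); the WAP router's stateful NAT/firewall drops unsolicited traffic from the office side toward wireless clients; and wireless clients can still open connections toward office machines unless the WAP router also has an outbound rule blocking private destinations. 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 are all RFC 1918 private ranges, so a 192.168.N subnet and a 10.x subnet are equivalent for this purpose.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (assumptions, not taken from the thread):
OFFICE_NET = ip_network("192.168.1.0/24")   # existing office LAN behind the 2wire
PUBLIC_NET = ip_network("192.168.2.0/24")   # hypothetical wireless/public LAN behind the WAP router
WAP_WAN_IP = ip_address("192.168.1.250")    # hypothetical WAP router WAN port = 2wire DMZ host

# RFC 1918 private address space; all three ranges are equivalent for this purpose.
RFC1918 = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def new_connection_allowed(src, dst, block_private_egress=False):
    """Can a host at `src` open a NEW connection to `dst`?

    Models only first packets of a connection; replies to an allowed
    connection are always let back through (stateful NAT on the WAP router).
    `block_private_egress` represents an extra LAN-to-WAN rule on the WAP
    router that drops traffic from wireless clients to any RFC 1918 address.
    """
    src, dst = ip_address(src), ip_address(dst)
    enters_public = dst in PUBLIC_NET and src not in PUBLIC_NET
    leaves_public = src in PUBLIC_NET and dst not in PUBLIC_NET

    if enters_public:
        # Unsolicited traffic toward the wireless LAN must cross the WAP
        # router's WAN port. Its NAT/firewall drops it regardless of whether
        # the packet came from the internet (via the 2wire DMZ) or from an
        # office machine on 192.168.1.x.
        return False

    if leaves_public:
        # Wireless client initiating outward. By default a NAT router forwards
        # this to any destination, including the office LAN on its WAN side.
        if block_private_egress and any(dst in net for net in RFC1918):
            return False
        return True

    # Same subnet on both ends: nothing sits between the two hosts.
    return True


def audit(block_private_egress=False):
    """Check the four directions that matter in this layout.

    Sample addresses are constructed; 203.0.113.5 is a documentation address
    standing in for an arbitrary internet host.
    """
    office_pc, public_pc, internet = "192.168.1.10", "192.168.2.20", "203.0.113.5"
    return {
        "office -> public": new_connection_allowed(office_pc, public_pc, block_private_egress),
        "internet -> public": new_connection_allowed(internet, public_pc, block_private_egress),
        "public -> office": new_connection_allowed(public_pc, office_pc, block_private_egress),
        "public -> wap_wan": new_connection_allowed(public_pc, str(WAP_WAN_IP), block_private_egress),
        "public -> internet": new_connection_allowed(public_pc, internet, block_private_egress),
    }


if __name__ == "__main__":
    for setting in (False, True):
        print(f"block_private_egress={setting}")
        for direction, allowed in audit(setting).items():
            print(f"  {direction:20s} {'ALLOW' if allowed else 'DROP'}")
```

Running it shows the asymmetry the post worries about: with the WAP router's firewall on but no egress rule, office-to-public and internet-to-public are dropped while public-to-office is allowed; adding the private-destination egress rule closes that direction without affecting public-to-internet, because internet-bound packets keep their public destination address even though their next hop is the 2wire. On a Linux-based router the equivalent rule would be along the lines of `iptables -A FORWARD -s 192.168.2.0/24 -d 192.168.0.0/16 -j DROP` (plus the same for 10.0.0.0/8 and 172.16.0.0/12); on a consumer WAP router it is whatever the firmware calls its LAN-to-WAN access rules, which varies by model.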