Separating part of a network for hotspot access

06-08-2012, 09:53 AM
Looking at the best way to do this - Was thinking about a VLAN, but with the router we're using (TP-Link TD-W8960N) the VLAN itself works great, but there is no internet access to machines on the VLAN. They can all talk to the router fine, but not get out on the net. I assume this is by design, but can't find any settings to adjust that behaviour.

So was thinking about just using a separate router, plug it into the rest of the network using the WAN port then configure as necessary, but then the issue becomes how to manage that router from inside the network, as generally getting access to the router from behind the WAN port isn't going to be very easy, and it also needs to be totally secure - no access to parts of the network behind the WAN port on this hypothetical router, which I'm not sure is easily doable either.


Thanks. :)

06-08-2012, 05:50 PM
There are some routers that have a "guest" network built in.

06-08-2012, 10:17 PM
Sounds to me like something like the pfSense Firewall/NAT system would do the job?

06-08-2012, 10:33 PM
Some routers have the "wireless client isolation" option that means each device can only talk to the router, not other computers on the network. Does your router have that option?
Another easy way to do it is to connect the hotspot clients to the ADSL router & hang another router off it for your private network.

Speedy Gonzales
06-08-2012, 10:42 PM
Is that the same as set AP isolated? If it is, this modem has this option (ASUS DSL-N12U B1). I think that TP-Link modem does have the option.

06-08-2012, 10:48 PM
Managing most routers through the WAN port is not that hard now. But you don't want your 'guest' network going through the main LAN if trying to maintain security.


The 2nd option is pretty easy to achieve if you have a modem/router with built-in wireless, then just separate the two networks with another wireless router or firewall.

07-08-2012, 10:16 AM
Thanks for the thoughts guys. After a bit of playing around, it looks like we'll run the bit of the network that needs to be private through a separate router.