Router – Configuring two wireless routers: one with internet access and one without


I look after the network for a small educational establishment, and we wish to make wireless internet access available for teaching staff but not for students. We do, however, want to allow the students wireless access to our internal network so that they can download lecture notes, etc.

I have two wireless routers (both Netgear routers – a WGR614v9 and a WPN824) set up with different wireless keys: the students have the key for the first router and the teaching staff have the key for the second. Internet access itself comes from a third (non-wireless) Netgear router/modem which is connected to the ADSL line.

I've tried various DHCP configurations: having DHCP enabled only on the second router, only on the first, and enabled on both. In general, all computers (student or teacher) end up using the same router as their DHCP server, regardless of which wireless key/router they're using to connect. Right now they're always getting their details assigned by the teachers' router. When I set up port blocking on the students' router (to block HTTP/HTTPS/POP3/SMTP/IMAP/etc. ports) it doesn't seem to make any difference – the student computers still seem to be able to connect to the internet quite happily via the second router (the one that they have as their 'default gateway' because it's the DHCP server).

Does anybody know how I can set this up so that people who connect to our network via the first router won't have internet access but people who connect to our network via the second router will?

Best Answer

You are right to not want to run multiple DHCP servers on the same network; that can end up giving very random results.

Right now it sounds like you have both wireless routers plugged into your main router by their internal ports, using them basically as access points instead of routers (just getting the wireless users connected into the main network and letting the main router do the real thinking).

If the wireless router the students are on allows you to set up your port blocking rules to specific addresses, you may be able to set that one to block all communication, then add specific rules allowing access to your internal servers. Then connect that router to your main network by the Internet/WAN port on the router and enable DHCP on it. That will make it so that the students are segmented on their own network and can only access your main network by routing through the wireless router, which has the rules set up on it.

So, you would have:
Internet Connection <-> Main Router WAN Port
Main Router Internal Port <-> Teacher Wireless Router Internal Port
Main Router Internal Port <-> Student Wireless Router WAN Port

Anyone connected to the main router or the teacher wireless will be in one network and have normal access. Anyone connected to the student wireless will be in another network behind the student wireless router and be subjected to the rules set up on that router.

Otherwise, you'd want to look into setting up a DMZ to separate the students from everyone else, then set up the specific rules for what they are allowed to do. Your current equipment may not support this; your main wired router would be the one to look at.
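The layout in the answer above, modelled as an added example (not part of the original answer and not Netgear configuration syntax): a first-match rule list for the student router with an allow entry for one internal server followed by block-all, plus two sanity checks a maintainer would want before deploying it. All subnets, the server address and the port numbers are constructed assumptions.

```python
import ipaddress

# Constructed addressing (assumptions, not taken from the original post).
MAIN_LAN = "192.168.0.0/24"      # main router and teacher wireless
STUDENT_LAN = "192.168.50.0/24"  # behind the student router, served by its own DHCP

# Outbound rules on the student router. First match wins; the last rule
# blocks everything that was not explicitly allowed. None means "any port".
RULES = [
    ("allow", "192.168.0.10/32", {80, 443, 445}),  # hypothetical lecture-notes server
    ("block", "0.0.0.0/0", None),
]

def check_addressing(wan_side, lan_side):
    """The student router can only route between its WAN and LAN sides
    if the two subnets do not overlap."""
    wan, lan = ipaddress.ip_network(wan_side), ipaddress.ip_network(lan_side)
    if wan.overlaps(lan):
        raise ValueError(f"{lan} overlaps {wan}: renumber the student LAN")

def decide(dst, port, rules=RULES):
    """Return 'allow' or 'block' for a connection leaving the student LAN."""
    dst = ipaddress.ip_address(dst)
    for action, net, ports in rules:
        if dst in ipaddress.ip_network(net) and (ports is None or port in ports):
            return action
    return "block"  # default deny when no rule matched

def audit(rules=RULES, main_lan=MAIN_LAN):
    """List allow rules whose destination is not inside the main LAN,
    i.e. rules that would let students out towards the internet."""
    lan = ipaddress.ip_network(main_lan)
    return [net for action, net, _ in rules
            if action == "allow" and not ipaddress.ip_network(net).subnet_of(lan)]

if __name__ == "__main__":
    check_addressing(MAIN_LAN, STUDENT_LAN)
    for dst, port in [("192.168.0.10", 445), ("192.168.0.1", 80), ("93.184.216.34", 443)]:
        print(f"{dst}:{port} -> {decide(dst, port)}")
    print("allow rules reaching beyond the main LAN:", audit())
```

With these rules a student device reaches only the listed server; the main router's own address and every internet destination fall through to the block-all rule.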
