Is it possible to allow guests wi-fi access without breaching security?

[sgould]

I've not got much of a clue on networking other than just using it, plugging things in and hoping they work.

I have been asked a question by a relative about wi-fi connection for guests at a Bed & Breakfast / Guest House. UK based.

The person has a normal computer system with a desktop wired in via ethernet through a modem or router. I think it's a modem with an early Apple Extreme base station. There is also a laptop that is used wirelessly, with all the WAP2 security. What they want to do is allow their guests access to the internet via wi-fi with WAP2 security, but without disclosing their own wi-fi password. And still using their existing broadband connection.

I'm lost with this.

Could it be done with an Airport Express linked into the network as an extension, but with a different access name and password?

Could it be done with a second wireless router in the network?

Or could it be done much more simply?

[sgould]

Oh! *****! This was supposed to have gone in the Networking section....

[Giaguara]

Moved to networking.

When we've got friends or guests home (not a b&b so doesn't happen that often but still) if they need access, we just give them the details. Network name, and a user password to enter it (never the same password that is used to administer the network or base station).

We've had sometimes the hardware ACL set in the base station, but that means registering each MAC address of each device connecting. Which will be a long list, and the base station needs a restart every time it's updated. The ACL list isn't going to be too practical for your friends.

It will be a good practice, if using just the password for them, to change the user password regularly (weekly, if not more often. Or at least cycle between a few, or have a logic in them - like somepassword+something in them, like A17 where A would be for January and 17 for day or A3 where similarly 3 for week).

[Satcomer]

I would invest money in dual wireless router this way you can keep you private network separate from the guests network. Then you could extend mini wireless routers to spread that network to the upstairs (or downstairs) (think like a Airport Express). IMHO this would be the best way.

Plus some users might only have older equipment so you might will have to spread a B only network too.

[Mikuro]

I've used the dual-router approach in the past as well. The way I set it up is like this:

First you have your cable/DSL/whatever modem, and you plug that into your "guest" router. Then you take your "private" router and plug it into the guest router. Set the private router to have a static IP address. On the guest router, configure the DMZ to point to the private router's IP address. This avoids some headaches when configuring the firewall, since you'll only need to go through one, not two.

Then simply configure the private router as you normally would, and connect your own PCs to that. Give everyone else the password to the guest network (or leave it with no password if you prefer). This ensures that there is a firewall between you and anyone on the guest network, just as if they were coming from the big bad Internet.

Some routers, particularly high-end ones, will allow you to manage two separate networks in one device. I've seen some cheaper models that had this feature, but off the top of my head I can't remember the brand/model.

You might have problems with interference with running two wireless networks. Make sure they are running on different channels, preferably at least 5 numbers apart (e.g, 1 and 6, or 6 and 11), and physically separate them as much as is practical.

[sgould]

Thanks for all the info!

I had a look around and got confused and sidetracked by thinking the new dual frequency Apple Airport was a dual wi-fi unit....

I'm going to lend them a spare Airport Extreme that I have and we'll see if I can get that working on a different frequency alongside the current router.