Friday, August 10, 2007

Connecting two routers wired to create a single LAN

You have one router running in your network. This router connects to the internet. Now you want to hook up a second router (e.g. a wireless router to add wireless access) to your network, connecting the two with an ethernet cable. The following is in most cases the best approach for home networks. You'll find similar answers with some screenshots in the Linksys Easy Answers, e.g. 4579.

The setup:

1. Unplug the second router from anything. Connect a single computer to the router. Do not connect the second router to the first at the moment!

2. Configure the router at http://192.168.1.1/

3. Change the LAN IP address of the second router from 192.168.1.1 to a free address in your LAN (e.g. 192.168.1.2 should be O.K. if the first router is also a Linksys router). The address you change to (192.168.1.2) must not be used by any other device with a static IP address in your network, nor be assigned by the DHCP server in your network. A default Linksys router uses 192.168.1.1 itself and the DHCP server assigns 192.168.1.100-149.

4. Turn off the DHCP server on the second router.

5. Save the setting.

6. Unplug the computer from the second router.

7. Connect an ethernet cable from a numbered LAN port of the first router to a numbered LAN port of the second router. Do not use the Internet/WAN port on the second router!

8. That's it! If you don't know or don't want to know more about networking you don't have to read the rest here.
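
The conditions in step 3 can be checked before you change anything. The following Python check is an added example, not part of the original post; the function names are hypothetical, and LINKSYS_DEFAULTS holds the default values quoted in step 3.

```python
import ipaddress

# Defaults quoted in step 3 for a Linksys router.
LINKSYS_DEFAULTS = dict(first_router_ip="192.168.1.1", netmask="255.255.255.0",
                        dhcp_start="192.168.1.100", dhcp_end="192.168.1.149")


def check_second_router_ip(candidate, first_router_ip, netmask,
                           dhcp_start, dhcp_end, static_ips=()):
    """Return the reasons `candidate` is unsuitable as the second router's LAN IP.

    An empty list means the address satisfies the conditions of step 3.
    """
    lan = ipaddress.ip_network(f"{first_router_ip}/{netmask}", strict=False)
    cand = ipaddress.ip_address(candidate)
    problems = []

    # The second router must stay reachable inside the first router's subnet.
    if cand not in lan:
        problems.append(f"{cand} is not inside the first router's LAN {lan}")
    elif cand in (lan.network_address, lan.broadcast_address):
        problems.append(f"{cand} is the network or broadcast address of {lan}")
    # Two devices answering for the same address break the LAN for everyone.
    if cand == ipaddress.ip_address(first_router_ip):
        problems.append(f"{cand} is the first router's own address")
    # An address in the pool can later be leased to a client by the DHCP server.
    if ipaddress.ip_address(dhcp_start) <= cand <= ipaddress.ip_address(dhcp_end):
        problems.append(f"{cand} lies in the DHCP pool {dhcp_start}-{dhcp_end}")
    if cand in {ipaddress.ip_address(s) for s in static_ips}:
        problems.append(f"{cand} is already used by a static device")
    return problems


def first_free_ip(first_router_ip, netmask, dhcp_start, dhcp_end, static_ips=()):
    """Return the lowest host address that passes every check, or None."""
    lan = ipaddress.ip_network(f"{first_router_ip}/{netmask}", strict=False)
    for host in lan.hosts():
        if not check_second_router_ip(str(host), first_router_ip, netmask,
                                      dhcp_start, dhcp_end, static_ips):
            return str(host)
    return None


if __name__ == "__main__":
    for ip in ("192.168.1.2", "192.168.1.1", "192.168.1.120", "192.168.0.2"):
        print(ip, check_second_router_ip(ip, **LINKSYS_DEFAULTS) or "OK")
```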

What do you have now?

The second router is connected through a LAN port to your existing network. This basically means that the router part of the device is actually not used. So you have a router device that you don't operate as a router in your network. Whatever you connect to the second router, either through one of the remaining LAN ports or through wireless if it has it, is directly connected to your LAN. Devices connected to the second router use the DHCP server of the first router to get an IP address. They use the first router directly for internet access. Everything is connected to a single larger ethernet network. Everything is in a single "broadcast" domain.

If the second router is not a wireless one, you basically have a few more ports in your network. In that case it might have been cheaper to get a simple switch/hub instead to extend your network.

Please remember: as the second router is not connected through the Internet/WAN port many configurations and functions of the second router won't work simply because they require an internet connection on the router itself. Some examples are: access restrictions, dynamic DNS service, port forwardings, MAC address clone, the firewall... All these things must be configured on the first router and only there.

Why is this better than connecting the second router with the Internet port?

A router is a separating network element. It separates two networks and allows certain traffic to cross. Sometimes this is necessary in a network setup but for most home networks it only creates a lot of obstacles.

1. In default Gateway mode the second router does network address translation (NAT). This means computers connected to the second router can connect to computers connected to the first router but not in the opposite direction.

2. If you use Router mode on the second router: you have to configure "routes" on the first router and possibly your computer connected to the first router so that IP packets find their way into the subnet of the second router.

3. You have two separate ethernet networks and thus two "broadcast" domains. A broadcast in the first router's subnet reaches all computers connected there. The same applies to the second router. A broadcast will never cross the second router, though. This is an obstacle for applications that depend on broadcasting to locate other computers and services. Windows file and printer sharing is one example here. With the second router in between, computers on one side do not know about computers on the other side. You cannot search your workgroup for the computer on the other side even when they use the identical workgroup name. You will be able to access the other computer using the IP address directly (e.g. \\192.168.1.100\share) but that's usually a hassle and the IP address may change if it is assigned by the DHCP server to the computer. There are ways to deal with some of these issues (e.g. save the host names in lmhosts files...) but all this requires more effort and attention to keep everything up-to-date.

4. Port forwardings become more complicated. If you need a port forwarding (i.e. you want a port on a computer in your network to be accessible from the internet) on a computer connected to the second router you have to set up two forwardings: one on the first router to the second router and one on the second router to the computer.

5. If you have two wireless routers: you cannot roam between both routers without losing the connection. This is simply because if a wireless computer moves from one router to the other it needs a different IP address.

6. The whole configuration becomes more complicated: you always have to think about where to configure what, e.g. dynamic DNS service, access restrictions, ...
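
Points 1 and 4 can be seen in a small model of the forwarding tables. This is an added example, not code from the original post; the 192.168.2.0/24 subnet behind the second router, the host addresses and the port numbers are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Router:
    name: str
    lan: str                                       # LAN subnet, CIDR form
    forwards: dict = field(default_factory=dict)   # WAN port -> (LAN IP, port)
    cascaded: dict = field(default_factory=dict)   # LAN IP -> Router wired there by its WAN port

    def in_lan(self, ip):
        return ipaddress.ip_address(ip) in ipaddress.ip_network(self.lan)


def trace_inbound(router, port):
    """Follow an unsolicited connection that arrives on `router`'s WAN side.

    Returns (host, hops): `host` is the LAN address that finally receives the
    connection, or None when a router in the chain drops it.
    """
    hops = []
    while True:
        target = router.forwards.get(port)
        if target is None:
            hops.append(f"{router.name}: no forwarding for port {port}, dropped by NAT")
            return None, hops
        ip, port = target
        if not router.in_lan(ip):
            hops.append(f"{router.name}: forwarding target {ip} is not in {router.lan}, dropped")
            return None, hops
        hops.append(f"{router.name}: forwarded to {ip}:{port}")
        if ip not in router.cascaded:
            return ip, hops                  # ordinary LAN host: delivered
        router = router.cascaded[ip]         # another router's WAN port: repeat there


def cascaded_setup(first_forwards, second_forwards):
    """Second router wired by its Internet port (the setup the post advises against)."""
    second = Router("second router", "192.168.2.0/24", dict(second_forwards))
    return Router("first router", "192.168.1.0/24", dict(first_forwards),
                  cascaded={"192.168.1.2": second})


def single_lan_setup(first_forwards):
    """Second router wired LAN-to-LAN: it only switches frames, so it is not a hop."""
    return Router("first router", "192.168.1.0/24", dict(first_forwards))


if __name__ == "__main__":
    cases = {
        "cascaded, forward on first router only":
            cascaded_setup({8080: ("192.168.1.2", 8080)}, {}),
        "cascaded, forward on both routers":
            cascaded_setup({8080: ("192.168.1.2", 8080)}, {8080: ("192.168.2.100", 80)}),
        "single LAN, one forward":
            single_lan_setup({8080: ("192.168.1.50", 80)}),
    }
    for label, first in cases.items():
        host, hops = trace_inbound(first, 8080)
        print(label, "->", host or "not delivered")
        for hop in hops:
            print("   ", hop)
    # Point 1: seen from the first router's LAN, the second router's Internet
    # port behaves the way the first router behaves towards the internet.
    second = cascaded_setup({}, {}).cascaded["192.168.1.2"]
    print("first LAN -> second LAN, port 445:", trace_inbound(second, 445)[0])
```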

Bottom line: unless you have good reasons why you must have some computers separated from the other computers in your network, there is no good reason to do so in a home network. For normal home networking with simple to use file and printer sharing it is better to connect the second router as suggested in this post...

70 comments:

Testing Blog! said...

Unfortunately this method of configuring two Linksys routers in one network segment does not work in my environment. I have a WRT54G connected directly to the modem via the Internet port, and a BEFSR41 connected on its second port to the second port of my primary router, the WRT54G. The only thing that is happening is a constantly blinking LED on port two of the WRT54G. Which probably means that something is not right. I don't have active DHCP, all computers are configured manually: 10.0.0.x, and net mask 255.255.255.0. Maybe someone knows what's wrong?

gv said...

It is hard to tell what's wrong without knowing exactly what is not working... The blinking LED could indicate a hardware issue or normal traffic. Does it still blink if the computers are removed?

Testing Blog! said...

After speaking with very helpful people at Linksys Tech Support via Live Chat I've managed to get my problems with these two routers (BEFSR41 and WRT54G) partly resolved (they advised me to reset the devices to factory defaults and reconfigure them again). So now I have one network segment, and all computers connected to these routers answer the ping command, at least you can say that, because there are some strange conflicts, and they are losing approximately 80% of transmitted packets. So I thought that the cables are faulty, but after testing them manually by connecting directly to computers, and automatically via a network cable tester, they are fine. And this LED is still blinking like mad. ;)

amiel said...

My problem in this situation is that whenever I shut down the routers (unplug them), the next day when I open it the Linksys router (WRT350N) goes back to its default IP address, which is 192.168.1.1. So I cannot view the web configuration of my Linksys; the only web configuration I see is with my first router.

gv said...

If the WRT350N is back to factory defaults the next day it is defective. Return the router.

Robert said...

GV, your solution is elegant in its simplicity. It works fine. However, since it's not a proper WDS, and Windows Zero-Config manager isn't very smart, then setting up both SSIDs to be identical probably won't do what I want. Namely, having the laptop automatically hop to the stronger AP as it moves from one "cell" to another. Right now, I've got each AP set up with different SSIDs and on different channels. Is that the best way, in your experience? Thanks!

gv said...

Robert, I have 3 APs running here for a roaming wireless network. All APs have identical SSIDs and identical wireless security settings and broadcast SSID. Only the channels are different to avoid interference. This works fine with most of my wireless computers. If one signal gets too weak it connects to another AP. This is basically handled in the wireless card and driver. Due to that, in my experience, Windows does not notice the change. As all APs bridge into the same LAN the assigned DHCP IP address is still valid. The connection never breaks. You only notice it if you have some live streaming due to the lag.

But probably not all wireless clients work that well. I have one wireless SIP phone which has problems. But I think this is more because they set the signal threshold to attempt a handover too low. It works better if all APs are on the same channel but then, due to interference, the overall throughput suffers.

srikanth said...

This is awesome, working good, and the process is very easy to work on.

tyler said...

I have configured both routers as suggested, with router two having DHCP and UPnP disabled... all works fine wirelessly... when I hook my laptop to the second router with a wire I am able to access the network but have no internet connection... what have I done wrong... any ideas?

gv said...

tyler, run "ipconfig /all" in a command prompt window and check that your computer has 192.168.1.1 as gateway address.

tyler said...

gv, thanks for the response, here are the settings:

Microsoft Windows [Version 6.0.6000]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Users\Tyler>ipconfig/all

Windows IP Configuration

Host Name . . . . . . . . . . . . : Tyler-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : chessa

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . : chessa
Description . . . . . . . . . . . : Linksys Wireless-G PCI Adapter
Physical Address. . . . . . . . . : 00-16-B6-57-64-28
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::98c2:cc84:5b79:9860%10(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.0.187(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : May-20-08 9:20:29 PM
Lease Expires . . . . . . . . . . : May-21-08 9:20:29 PM
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DHCPv6 IAID . . . . . . . . . . . : 234886838
DNS Servers . . . . . . . . . . . : 192.168.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8168B/8111B Family PCI-E Gigab
it Ethernet NIC (NDIS 6.0)
Physical Address. . . . . . . . . : 00-19-21-40-C5-A8
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::1d6f:fce5:3662:b66f%8(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.0.10(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 6:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{8F4C10CE-035E-47C1-AB44-0478DC6F1
8B1}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::5efe:192.168.0.10%12(Preferred)
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.0.1
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Local Area Connection* 7:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

Connection-specific DNS Suffix . : chessa
Description . . . . . . . . . . . : isatap.chessa
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::5efe:192.168.0.187%11(Preferred)
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.0.1
NetBIOS over Tcpip. . . . . . . . : Disabled

C:\Users\Tyler>

gv said...

tyler, you have two active network connections, a wireless and a wired one. Always use only one connection at a time, in particular during troubleshooting. Otherwise you never know which connection is really used and which causes problems.

Moreover, your wired connection has a static IP address configured. Why did you do that?

Is 192.168.0.1 the IP address of your main router which has the internet connection?

Which IP address did you assign to the second router?

Did you really connect both routers by LAN ports? You cannot use the internet/WAN port on the second router.
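
The checks gv describes here (one active connection at a time, no leftover static address, the gateway pointing at the main router) can be run over saved "ipconfig /all" output. This is an added example, not part of the original thread; the sample text is constructed and abridged, its addresses are illustrative, and the function names are hypothetical.

```python
import re

# Constructed sample, abridged, in the layout of "ipconfig /all" output.
SAMPLE = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : Example-PC

Wireless LAN adapter Wireless Network Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.187(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1

Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 192.168.0.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1

Tunnel adapter Local Area Connection* 7:

   Media State . . . . . . . . . . . : Media disconnected
   DHCP Enabled. . . . . . . . . . . : No
"""

HEADER = re.compile(r"^(\S.*adapter .+):\s*$")          # "Ethernet adapter ...:"
FIELD = re.compile(r"^\s*(.+?)\s*(?:\. ?)+:\s*(.*)$")    # "Label . . . . : value"


def parse_ipconfig(text):
    """Return {adapter name: {field: [values]}} from "ipconfig /all" output."""
    adapters, current, last = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        header = HEADER.match(line)
        if header:
            current, last = adapters.setdefault(header.group(1), {}), None
            continue
        if current is None:
            continue                       # global section before the first adapter
        found = FIELD.match(line)
        if found:
            last = found.group(1)
            value = found.group(2).strip()
            current[last] = [value] if value else []
        elif last is not None:
            current[last].append(line.strip())   # continuation line of the same field
    return adapters


def first_value(fields, key):
    """First value of a field without the "(Preferred)" suffix, or ""."""
    values = fields.get(key) or [""]
    return values[0].split("(")[0].strip()


def diagnose(text, expected_gateway):
    """Return sorted (adapter, finding) pairs; "*" marks a host-wide finding."""
    findings, active = [], []
    for name, fields in parse_ipconfig(text).items():
        ip = first_value(fields, "IPv4 Address")
        gateways = [g.split("%")[0] for g in fields.get("Default Gateway", [])]
        if not ip or not gateways:
            continue                       # disconnected or tunnel-only adapter
        active.append(name)
        if first_value(fields, "DHCP Enabled") == "No":
            findings.append((name, "static address configured"))
        if expected_gateway not in gateways:
            findings.append((name, "default gateway is not the main router"))
    if len(active) > 1:
        findings.append(("*", "more than one active connection"))
    return sorted(findings)


if __name__ == "__main__":
    for adapter, finding in diagnose(SAMPLE, expected_gateway="192.168.0.1"):
        print(f"{adapter}: {finding}")
```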

Brian said...

Regarding your comment about the wireless device "failing over" from a weaker signal to another stronger one, is there anything special that must be done for this to work? Do you just give them the same SSID, different channels and check the "Always connect to this network" in Windows for it to work? Or, is it also dependant upon what your hardware supports?

Thanks for the great posts!!!

gv said...

Brian, you have to use identical SSID and wireless security settings. Channel should differ. It also depends on the hardware. I have one wireless VoIP phone here which cannot handle it whatever I do. It only works if I would use the same channel on both APs which of course would cause interference. I think this device has a threshold too low for the handover, i.e. it stays with the weak signal too long until it loses connection instead of roaming earlier.

tyler said...

tyler, you have two active network connections, a wireless and a wired one. Always use only one connection at a time, in particular during troubleshooting. Otherwise you never know which connection is really used and which causes problems.

I disconnect the wireless when troubleshooting... it is hooked up right now for posting on the forums


Moreover, your wired connection has a static IP address configured. Why did you do that?

It was the only way to get on the network...

Is 192.168.0.1 the IP address of your main router which has the internet connection?
yes

Which IP address did you assign to the second router?

192.168.0.2

Did you really connect both routers by LAN ports? You cannot use the internet/WAN port on the second router.

yes lan ports ... I am NOT using the wan port on router 2

gv said...

tyler, what do you mean exactly with "I am able to access the network" or "It was the only way to get on the network"? Are you able to connect to other computers inside your LAN from a wired computer? Are you able to connect to the router interface http://192.168.0.1/ from a wired computer?

Please set the computer back to obtain the IP address and DNS servers automatically, reboot the computer and then check "ipconfig /all" again whether it is different.

If you have "limited connectivity" try a different computer, different cable, different port, port on the other router.

Benjamin said...

Hello,

Thanks for this detailed instruction; I think I have my two wireless routers functioning appropriately, in your suggested configuration with the LAN ethernet port one into the similar one on the second. First, I named them differently, and went to a spot where one worked and the other didn't. I verified I could switch to the stronger at this point. Then, I named them identically, with different channels. The stronger one, in another point of the home, had 4 bars in windows. I would have expected with them unified that I would hop to the stronger at this point, but it is one bar (indicating the weaker) at this point. Is it the case that it only hops when the weaker signal goes away entirely? Are there any settings I can use to manage this, and how can I tell which router is being employed at a current time, since I named the SSIDs the same, with the same password, and the different channel?

Thanks!
Ben

gv said...

It is my understanding that WLAN roaming (from one AP to another AP with the identical SSID) is basically configured and handled by the wireless card. Most wireless cards/drivers don't offer you any options to configure it. I have found that some devices work very nicely while others have trouble or even fail to switch. Some devices/drivers seem to stay connected to the same AP as long as possible until the connection cuts and then look for a new one. Thus for many parts the roaming depends on the network card and the driver.

In addition you have to see that the signal strength shown is only a very limited indication for the possible throughput or the roaming strategy. The signal strength shown is usually measured from the reception of the beacon signal from the AP. The beacon signal is sent in fixed intervals (e.g. 50ms). The measurement only says how strong the signal received is.

The signal strength does not really say how much throughput you may have if you would really transfer something (as the beacon does not show you how much interference there is if you would transfer data).

Similarly, as long as the wireless device is passive but has reception of the beacon there is no immediate need to roam. The device/driver may roam once it finds that there are a lot of errors during actual transmission and only then starts looking for another AP to roam to.

Thus, to do reliable tests how your device works requires you to transfer some data, preferably larger files as fast as possible, i.e. from a LAN computer to a LAN computer. Then you should be better able to see the roaming characteristics of the device. And at the same time you have a simple means to see to which router you are connected: check the lights on the router.

I think there is no easy way to see to which AP you are actually connected with standard Windows. If I remember correctly, you are able to enable a log function in Windows which will log a variety of wireless parameters including the AP to which you are connected. I think the log is related to 802.1x but I am not sure right now. I guess, transferring files and checking the lights will be an easier way to check the current association of the device.

Will said...

This is great. Thank you so much. For the past 8 hours today I've been trying to work it out. In the last 2 hours I figured out that I needed to turn off DHCP and change the IP... but I had been plugging the ethernet cord into the internet port, not a numbered port... none of the other tutorials suggested this. Worked perfectly and I can now sleep. Thanks mate.

rayner said...

This is probably the best ever blog I came across! By the 2nd paragraph I was sure this was the one I was looking for. And it explained the concept as well so pretty much new knowledge for me. You have no idea how frustrating it is trying to figure out why the 2nd router won't work. Thanks!

iniabasi said...

This spot gives me about the best real life situation. I have one I am considering: I want to connect two routers to a switch, then connect the switch to the modem. This is what I have in mind. The first router is given this IP addy - 10.xxx.xxx.2, mask - 255.255.255.xxx, gateway - 10.xxx.xxx.1, then the second one is given 10.xxx.xxx.3, mask - 255.255.255.xxx, gateway - 10.xxx.xxx.1, that way, the modem sees two routers. Both routers have the same SSID, IP addy but different frequency. I would like to have your opinion concerning this arrangement.

gv said...

It is unclear whether you assign the 10.xxx.xxx.2/3 to the LAN or internet port. It is also unclear whether your modem is really just simple modem or also operates as router. It seems as if 10.xxx.xxx.1 is the IP of your modem/router/internet gateway.

The suggested setup is about the LAN side. For instance, you assign 10.0.0.2/255.255.255.0 to the LAN IP of the second router. If your router supports setting the default gateway on the LAN side then you can set the IP address of your main router/modem (e.g. 10.0.0.1) which connects to the internet.

For a wireless roaming network assign identical wireless settings (SSID, wireless security, etc.), enable SSID broadcast, and use different channels.

iniabasi said...

gv, thanks for your reply. The 10.xxx.xxx.2/3 is for the internet port. This is manually given since the modem is a simple one. The 10.xxx.xxx.1 is the IP of the modem. What I am talking about here is connecting two routers to a switch, then the switch is connected to the modem. So looking at the switch, it is three lights blinking. I actually want wireless roaming, so that if at any time there is a drop on one router, the other can keep the network running.

gv said...

If your modem has a private IP address 10.*.*.* then it is not a simple modem. It is also a router. 10.*.*.* addresses won't go into the internet. With a simple modem and standard ISP policies your setup would not work because most ISPs only allow you to connect a single device at a time to the internet. Connecting two routers through a switch would not work with most consumer ISPs.

Moreover, if you want wireless roaming the wireless access points must be connected to the same LAN. A wireless router consists of multiple devices. The access point inside the router connects to the LAN side of the router. The internet port of the router is a different side. It is not part of the same ethernet LAN.

If you set it up the way you have posted you won't have smooth wireless roaming. You have two routers with two access points which connect to two different ethernet LANs. Roaming in this case requires changing the IP address. An IP address from the first router's LAN is not valid in the second router's LAN.

It is important to connect those wireless routers through their LAN ports, turn off the DHCP server. Only then the access points inside those routers connect to the same ethernet LAN. Only then the IP address of a wireless client remains valid after roaming.

With your setup you should use two different SSIDs. If the client changes SSID then it knows that it is connected to a different LAN and requests a new IP address.

iniabasi said...

Wow! gv, you are good! I just did the connection I told you about and it is working but... as you said, it gives me two access points! Which was not what I wanted. Why I decided on this method was because while browsing, I noticed that the internet and wireless connection is still on, but I can't browse. I have to switch the router off and on before I can continue browsing. This really affects my clients. So I was looking for a situation that even when there is a drop and I have to turn off and on, my clients will not notice the change in connection.

Connecting to the same LAN makes me prone to the breaks. So is there an alternative connection that I use that will not give me two access points? considering the problem i have.

gv said...

The LAN setup of a wireless router works fine. You have to figure out why you are not able to browse. Which router do you turn off and on to fix it? The main router or one of the wireless routers? Is it an intermittent problem, only? Any indication when it happens? Is it any different if you connect the wireless routers through their internet ports?

If you want a proper roaming network you must connect the access points to the same LAN. There is no other option.

Red Dawn said...

Hi, I was able to get this wired setup of two routers working thanks to the instructions. My only problem is that I can barely use the connection for a week before the connection goes bad i.e. no internet access through the second wired router. I can be able to log onto the router but there is no data flow in a browser. The interesting thing is that I can be able to get data flow with a direct wired connection from the modem so obviously the problem is in the router setup. I have 4 routers connected through the LAN port and so far every time the only solution that I have come up with is power cycling. I turn off the 4 routers, then the router they are connected to after which I turn it back on, and after a few minutes I turn back on the other 4. I don't mess with the modem end of the connection and every time I get it working, but obviously this is not a very practical or efficient solution. Any clues as to what might be the problem? My current thinking is that they are being assigned a DHCP lease which expires without being renewed at which point the connection goes bad. Any help guys and girls?

gv said...

To find out the exact cause of the problem, you should check with "ipconfig /all" if you still have a valid IP address. Also try to ping the main router and see if LAN works.

With this setup, you basically only use the hardware switch in the router and maybe the wireless bridge. There is not much you can configure. If it stops working it could indicate a hardware issue. But I guess that would be difficult to troubleshoot. If those other routers don't have wireless you may consider replacing them with ethernet switches. See if this helps.

magurochan said...

Thanks so much for this post. I couldn't find clear and concise info anywhere on the web like this. I have a PR-S300NE which is an NTT (Japan) GE-ONU all in one device combining internet modem via fiber and 4 port gigabit router and IP phone. I wanted to add wireless capabilities by making my Linksys WRT610n an access point. Worked perfectly!

john928 said...

I just purchased a WRT54G and am debating if I should use the router function or set it up as a wireless bridge as described by gv. I currently run a Sonicwall Tel2 with a 3com wired hub. Seems like the older Tel2 has more robust router features than the Linksys. Thoughts?

gv said...

To compare two routers I always suggest to just test it. There are so many different versions of the WRT54G with so many different firmware versions and some are stable while some are not. Very often, some problems only appear with certain traffic patterns (e.g. with torrents). Just try the other router for a few weeks and see if you run into any issues...

And just to clarify: the setup I have suggested is not a wireless bridge. A wireless bridge is generally considered a device which bridges two wired LANs together through a wireless link joining both LANs. The setup above uses the wireless access point in the wireless router. Internally, the wireless access point bridges the wireless clients into the wired LAN. But it remains a simple wireless access point and not a wireless bridge.

Many people try to set up routers like Linksys WRT as wireless bridge but that is not possible. Linksys WRTs with Linksys firmware do not connect wireless to other routers, they don't operate as wireless bridge.

john928 said...

Thanks gv.
I was able to setup my Linksys WRT150N as a wireless access point, leaving the Sonicwall Tele2 router in place using your instructions. Works just fine. I'll just leave it like that since this Sonicwall has been a solid device for me over the years and see no technical advantage of using the linksys router instead.

Judge said...

This is just what I was looking for. In my case I have three routers (two of which are also wireless A/Ps). Made the one connected to the internet the DHCP server and connected the third to the second and the second to the master. Works like a charm. For the record the master is a Netgear Rangemax 240, the second is a Leviton and the third is a Linksys BEFW11S4. Frankly I'm amazed it works at all.

iniabasi said...

Hey GV, I really found your blog helpful, that is why I am back. I have a project at hand: I am supposed to network a complex that is on a 500 square metre plot. One of the conditions is that there must be wireless network access in any part of the complex. It just has a ground floor and first floor. So what kind of wireless AP can I use? Thanks

gv said...

That's hard to tell. You should get a company which can do some measurements of the building. There are a lot of factors which affect the coverage of a wireless network. Only with measurements can you get reliable data and develop a plan where to place access points to get sufficient coverage.

Alan said...

You've outlined (here and on the Linksys forum) at least three different methods for using two routers. Can you help me choose between them?
I have an internet radio (ie a dedicated computer-like device that just tunes into internet radio). It connects wirelessly only, and it works much better with wireless security disabled. So I've disabled the WPA security on my wrt54g. But I find that my laptop's wireless connection works better with WPA enabled and I'd like to have the security for the normal reasons too. So I'd like to setup two wireless networks in the house, one with security disabled to be used only by the internet radio (and perhaps some of my neighbors) and with WPA to be accessed by my laptops. What I can't figure out from your articles is which of the setups would give me privacy from neighbors who might use the open wireless network.
I have a second wrt54gs. I also have a long cable currently connecting a downstairs desktop machine to the router upstairs.
Thanks for any help you can offer.

gv said...

I would highly recommend getting the wireless internet radio working properly with encryption enabled. If it is advertised to work with encryption it should do so properly.

If you want to set up two routers with one "public" unprotected WLAN and one protected LAN, then you have to connect the unprotected LAN first to the modem. On the first router, leave IP address 192.168.1.1 and connect the internet port to the modem. Make sure you have a working internet connection. Also make sure to pick a very good, strong router password (the one to connect to the web interface, Linksys default "admin"), because there is no other protection of the web interface except this password. Anyone who connects to your router can try to crack the router password.

Change the LAN IP address of the second router to 192.168.2.1. Leave the DHCP server enabled. Wire the internet port of the second router to the first router. Protect the LAN on the second router. Make sure the router has NAT enabled/gateway mode on the Advanced Routing tab. That's it.

Your second router protects the LAN from outside access just like any other internet router protects the LAN from the internet due to NAT.

There are certain potential problems:

1. As mentioned, the web interface of the first router is only protected by a password. Someone hacking into the first router is able to install 3rd party firmware and then capture all your network traffic, as all internet traffic of your protected LAN crosses through the first router.

2. You have to share the available bandwidth with anyone connecting to your first router. If someone does larger downloads through the unprotected WLAN you may experience a slow connection for all your devices.

3. If there are teenagers in your proximity their parents may not like it very much if you run an open access point. It severely hampers parents from limiting and controlling internet access if their kids simply can use your internet connection.

Alan said...

gv: Thanks very much for your response. You're right that the radio is supposed to work with encryption, but it doesn't; others have made the same discovery. If I do use the two-lan solution is there any way to limit traffic on the open network to the type used by the radio?
In any case I appreciate your thoughtful explanations.
Alan.

gv said...

You cannot reliably limit the traffic on an open access point.

You can set up the Wireless MAC Filter. You have to enter the MAC address of the internet radio. The access point won't accept connections from other MAC addresses. It is easy to detect the MAC address of your internet radio while connected and MAC addresses are quickly modified.

You could set up Access Restrictions, but they are not easy to configure and sometimes buggy. Only allow internet access for the MAC addresses of your internet radio and your second router. Anyone connecting at first won't have internet. But again, it is easy to find out which other MAC addresses are used in your LAN.

You can also turn off the SSID broadcast. But this, too, will not really keep out anyone desperate enough and it may also affect how well your internet radio connects to the access point. The unencrypted SSID is part of several 802.11 frames even with SSID broadcast disabled. A simple network sniffer will be able to pick the SSID up quickly.

All those things are kind of "pseudo"-security. These options are available because it makes people feel more secure to have them and a quick test makes them think they really work efficiently. But in reality anyone with a little bit of technical understanding or anyone desperate enough can download some easy-to-use tools which will quickly show you the SSID and the MAC addresses of computers on the wireless network.

Thus, this may keep someone from accidentally connecting to your wireless, but the teenager next door, desperate to get an internet connection, will surf on your internet connection the whole night through...

JEMC said...

thanks a lot, I've been looking for this a long time!

Alan said...

gv:
I'm wondering what I have to do to ensure that NAT is enabled.

On 17 November you said:

***begin quote**********
Make sure the router has NAT enabled/gateway mode on the Advanced Routing tab.
...
Your second router protects the LAN from outside access just like any other internet router protects the LAN from the internet due to NAT.
***end quote***********

The Advanced tab doesn't mention NAT.
The help screen for the Security tab says:
"Filter Internet NAT Redirection: This feature uses Port Forwarding to prevent access to local servers from your local networked computers."
I'm wondering about the 'local'.
So my questions are:
a) in a normal, one router configuration with wireless security enabled, is it necessary/advisable to enable the 'Filter Internet NAT Redirection'?
b) what about in my special case 2 router setup described by you here where the wireless on the first router is not secure?
Thanks again.
alan

gv said...

If this is a Linksys router you probably have a very old router with a very old firmware. The old ones had an advanced settings section in which there should be a "Dynamic Routing" page which has the gateway/router setting. If not, please check the user guide or click through all tabs of the web interface.

Alan said...

Sorry, I didn't make myself clear.
Yes the router has a Gateway/Router setting under Setup|Advanced. I assume they should both be set to Gateway (under my two router setup). But there's also an option, under Security|Firewall, to enable Filter Internet NAT Redirection. I was wondering how to set that option on the two routers, since you said it was important that NAT was enabled. On re-reading your post I'm thinking that maybe choosing Gateway means that NAT is enabled; is that right? In any case, what about the Filter NAT Redirection choice? Please recall my setup is the one where router one is going to be running an unencrypted wireless setup.
Thanks again.

gv said...

On a Linksys router "gateway mode" means NAT enabled. "router mode" means NAT disabled. Only in the latest models have they changed it, and now they simply call it what it does: NAT enable or disable.

The filter NAT redirection option affects whether you are able to access your port forwardings from inside your LAN by accessing the WAN IP address of the router. If you set up port forwarding on a router people on the outside (i.e. on the WAN/internet side) can access the forwarded port on the WAN IP address of the router. However, if filter NAT redirection is enabled, you are not able to access the same forwarded port and server using the WAN IP address. Instead you must use the LAN IP address of the server. This prevents people in your LAN consuming all your router bandwidth while accessing LAN servers.

If you disable the filter, then you can access the server using the WAN IP address of the router. Any access to the server will then be sent to the router, translated on the router and then sent back into the LAN and to the server. As you can see all server traffic goes to the router and back into the LAN and thus requires bandwidth which would not be required if the client contacted the server directly on the LAN IP address in which case the traffic would not go through the router but only through the hardware switch in the router.

-hoovdaddy said...

THANK YOU!!!
I've had a time with my DirectTV DVR and connecting it to a second router with my PS3. Thanks for the instruction!

David said...

I have been working on a problem for a couple of days that maybe you can help me with.
DSL comes into the building with a Static IP address. The owner wants to have a secure wireless network AND an unsecure wireless network for his customers to use. He had this all set up and it was working, not sure who set it up, but it stopped working and there have been a couple of people who have "looked at it" for him and have connected and reconnected wires between the WAN and LAN ports of the two routers. To complicate things more, there were actually 3 routers serving the un-secured wireless. I am assuming they are access points. (Buffalo WHR-HP-54G)

He asked me if I knew anything about networks, and I have toyed around with "simple" stuff, but this stretches my working knowledge and complete understanding of what is doing what and when....

Thanks for your time

David said...

I am sorry,
I forgot to mention that the current setup is using the router that is secured as the primary and the unsecured is linking to the primary.

I saw where you said the unsecured should be first, then add the secured....

Thanks

The Keeper of The Vole said...

Wow, this is just fabulous. I messed around with a ton of other "helpful" hints on the web, but this is the first one that made everything work perfectly. Thank you! The tip about NOT plugging the wire into the "internet port" but the other router port was worth its weight in gold alone.

Bruce said...

This blog did the job!! Awesome work. I have only one question. If the first router is 192.168.1.1 and the second is 192.168.1.2 is there a way to connect to the second router's web setup? ie: http://192.168.1.2/ ? I tried to, but I could only reach the first router using the 1.1 IP.

gv said...

If the first router is correctly set to LAN address 192.168.1.1/255.255.255.0 and the second router is correctly set to LAN address 192.168.1.2/255.255.255.0 and both are connected through LAN ports then the web interface of the first is accessible through http://192.168.1.1/ and the second through http://192.168.1.2/

If the second is not accessible it is most likely either because you have set a different IP address on the second (e.g. 192.168.2.1 instead of 192.168.1.2) or you have connected the internet port of the second to the first.

sammy said...

hi gv. i came across your article while i was trying to set up a connection for a friend of mine.

okay, here's how the connection currently works. first off, we have a main router which has been provided by the ISP. it basically takes a cable from the wall socket and connects it to the first router. it's a D-Link router and isn't a wireless router by the way.

5 ethernet cables go out from this router. 4 of them are used on the ground floor, while one goes to the first floor. on the first floor, this cable goes into a US Robotics router, with 4 ethernet ports being used.

out of these 4 connections, my friend would like to connect one to a wireless router to use on his laptop. he's purchased a Linksys WRT54G2 wireless router for this.

2 questions here. first off, would it be possible to get a wireless connection this way?

secondly, i would greatly appreciate it, keeping in mind of course that the answer to the above question is positive and that this type of connection is possible, if you could kindly guide me (or us rather) on how to go about setting up this connection.

specifically, i would like to know if we would need to change the default gateway address, whether we would need to play with the IP/DNS settings, and what ports exactly do we use on the wireless Linksys router itself.

we had tried following the guide posted here, but were not successful in connecting to the internet. the "internet" light on the router does light up, but when we try and connect to the network, either wirelessly or wired, we are unable to load up any site or ping them.

i hope i was able to explain the issue clearly. any help in this matter will be highly appreciated. thank you for your time.

diaLogist said...

Thanks gv, your blog is perhaps the most clear about how to connect routers together.

After some and some more reading and trying I still have a problem. I have a Linksys BEFSX41 as a firewall and WRT54GS (v5.1, which I've learned is perhaps not that good a box). Firewall gets IP from ISP and is working well. Attached to LAN ports there is a server (files and so on for my own use outside home) and a wireless access point to serve computers at home.

I can make Wireless to obey Firewall-DHCP, but after doing so it seems I have no other way to connect to Wireless web interface (to setup anything, if required later) but to restore a previous settings-backup-file and use it offline.

Firewall: 10.0.113.1/255.255.255.224
DHCP is on, between 10.0.113.10-10.0.113.29

Wireless: static ip 10.0.113.2/255.255.255.224
Gateway 10.0.113.1
NAT on (=Gateway-mode)
Local IP 10.0.113.50 (or anything outside of Firewall subnet mask)

It seems like this local IP is another address to Wirewall and it is the only way to connect to Wireless and change setup.

Can this really be like this? I've seen many posts which suggest that Wireless web interface should be accessible through its IP, which - as I understand - would be 10.0.113.2 at this case.

gv said...

sammy, if the internet light of the second router lights up this means you have connected the internet port of the second router to the first router. The internet light would not light up if you did not use the internet port as I have suggested in this post. If you use the internet port on the second router you do not follow the suggested setup in this post.

gv said...

diaLogist, you did not follow the suggested setup in this post. If you want to use a wireless router as simple access point and connect one of its LAN ports to the main router (nothing connected to the internet port of the wireless router) you should

1. not set internet connection setting to anything else than DHCP, in particular do not use static IP address and do not set it to an IP address inside the main LAN IP address. The internet port is not used. Leave it on DHCP. Your setting 10.0.113.2 will not work and will only create conflicts at best.

2. With the internet connection setting left on DHCP you must use a LAN IP address inside your main LAN on the LAN IP setup. You have set a LAN IP address outside of your main LAN. Due to that you are not able to access the web interface anymore. With a LAN port of the wireless router connected to your main router you always access the wireless router through its LAN IP address. This IP address must be accessible from your main LAN. If not, you have to manually configure an IP address inside the wireless router's LAN IP subnet to regain access.

With your IP addresses you should use the following IP setup on the wireless router to set it up like I have suggested in this post:

a. set the internet connection to DHCP.
b. set a LAN IP address of 10.0.133.2 and LAN subnet mask 255.255.255.224.
c. wire a LAN port of the wireless router to the main router (or some part of the wired LAN).

Now you have a wireless access point in your LAN. You can access the web interface at any time through http://10.0.133.2/

diaLogist said...

gv, thanks! That solved it. Sorry for not reading carefully enough (I was distracted by an idea that I need to configure wireless device to have ip-address inside main LAN - bad idea).

I also got confused since I managed to make things work with Wireless having static ip (it did work!) inside main LAN ip-area. And I never got Wireless web-interface Status-page to show what ip-address it got through DHCP (like Firewall BEFSX41's status page does show). It still does not, but I give up - wired and wireless are working as they should and I can manage both through web-interface.

For some other googlers here is the topology of my home network:

ADSL (BRIDGED)
|
|----Firewall [connected ADSL modem LAN-port to Internet-port of Firewall]
|
|--- Wireless as access point [connected LAN-port to LAN-port (!)]
|--- some other devices here also

IP-setup used by Firewall
* INTERNET-SETUP
* Internet connection type: "Obtain an IP automatically" ie. use DHCP (I do not have static ip provided by ISP)
* NETWORK SETUP
* Router IP / local ip-address 10.0.113.1
* subnet mask 255.255.255.224
* DHCP Server: ON
* DHCP start-ip 10.0.113.10
* number of DHCP addresses 20
* Client lease time 10080 min (a week, to prevent clients getting an ip used by other, sleeping clients)
* NAT ON (in my Linksys GUI: Setup > Advanced routing / NAT)
* NOTE: if you use bridged ADSL make sure to setup firewall properly (to block unwanted traffic & intruders)

IP-setup used by Wireless
* INTERNET-SETUP
* Internet connection type: Automatic configuration - DHCP
* NETWORK SETUP
* Router IP / Local IP address: 10.0.113.2 (below DHCP-range, inside main IP range)
* gateway 255.255.255.224 (as in Firewall)
* DHCP Server: OFF
* NAT OFF (in my Linksys GUI: Setup > Advanced routing: Operating mode set to 'Router')
* NOTE: if you are having wireless access point make sure you have strongest possible wireless security (WPA2 if possible) since it is the only thing that keeps your neighbours not seeing your what-ever-you-have in your network.

I also made sure that Remote Management and Remote Upgrade were turned off in both devices for additional security and wireless remote management is being made through https.

Again, thanks gv for helping!
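The addressing rules this thread keeps returning to can be checked before touching either router. The following is an added example, not part of the original post or comments: it validates an access point's LAN address against the main router's subnet and DHCP pool using the values diaLogist lists above, and checks that the two LANs of the cascaded "open WLAN first, protected LAN second" setup do not overlap. The function names `check_ap_lan_ip` and `check_cascade` are hypothetical.

```python
import ipaddress


def check_ap_lan_ip(router_ip, netmask, dhcp_start, dhcp_count, ap_ip):
    """Return a list of problems with using ap_ip as the LAN address of a
    second router run as a plain access point (LAN port wired to LAN port).
    An empty list means the address is usable."""
    lan = ipaddress.ip_network(f"{router_ip}/{netmask}", strict=False)
    router = ipaddress.ip_address(router_ip)
    ap = ipaddress.ip_address(ap_ip)
    first = ipaddress.ip_address(dhcp_start)
    last = first + (dhcp_count - 1)

    problems = []
    if ap not in lan:
        # The web interface is only reachable on an address inside the main LAN.
        problems.append(f"{ap} is outside the main LAN {lan}")
    elif ap in (lan.network_address, lan.broadcast_address):
        problems.append(f"{ap} is the network or broadcast address of {lan}")
    if ap == router:
        problems.append(f"{ap} is already used by the main router")
    if first <= ap <= last:
        # The DHCP server may hand the same address to another device.
        problems.append(f"{ap} is inside the DHCP pool {first}-{last}")
    if first not in lan or last not in lan:
        problems.append(f"DHCP pool {first}-{last} does not fit inside {lan}")
    return problems


def check_cascade(outer_lan, inner_lan):
    """Two-LAN setup (internet port of the inner router wired to the outer
    router): True if the two LAN subnets do not overlap."""
    outer = ipaddress.ip_network(outer_lan, strict=False)
    inner = ipaddress.ip_network(inner_lan, strict=False)
    return not outer.overlaps(inner)


if __name__ == "__main__":
    # Values from diaLogist's comments: firewall 10.0.113.1/255.255.255.224,
    # DHCP starting at 10.0.113.10 with 20 addresses.
    for candidate in ("10.0.113.2", "10.0.113.50", "10.0.113.15"):
        issues = check_ap_lan_ip("10.0.113.1", "255.255.255.224",
                                 "10.0.113.10", 20, candidate)
        print(candidate, "OK" if not issues else issues)
    # Addresses from the open-WLAN setup: 192.168.1.1 outside, 192.168.2.1 inside.
    print(check_cascade("192.168.1.1/24", "192.168.2.1/24"))
```

With a 255.255.255.224 mask the main LAN only spans 10.0.113.0 to 10.0.113.31, which is why 10.0.113.50 is reported as outside it.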

Eli said...

This blog is wonderful! Thanks for all this info. I have a twist on this setup...
I have a verizon wireless router which replaced my WRT54Gx2. I just bought a Bravia TV with web capability, and hooked in into the network with a Cisco WET-610N wireless bridge. I want to know if it is possible to use my WRT54G as a switch with the signal coming out of the wireless bridge. In other words, can I take the ethernet cable coming out of the wireless bridge and connect it to the WRT54G to create 3 more ports?
Thanks!

gv said...

Eli, you should be able to connect the second WRT to your WET just the same way as I have described in this blog and that way use the 3 remaining switch ports and even the wireless access point if you like.

Eli said...

One more clarification...do I need to turn off Gateway mode?

gv said...

It does not matter which mode you use on the second (internal) router: as you do not use the internet port of the router the setting is irrelevant. It only affects traffic between the internet port and the LAN.

support said...

is that possible the second router (wrt54GL) not connected to first router but we can access internet ? can it be wireless connected to the first router ?

if can please help me how to set it up.

because i don't want to pull long cable to 3rd floor just because the wrt54GL have to connected by wire to the first router.

gv said...

"support": you don't want a wireless router, you want a wireless bridge or wireless repeater. Linksys routers can't be configured as bridge or repeater. Linksys routers with Linksys firmware don't connect wireless to other routers.

You can check 3rd party firmware like dd-wrt or tomato. That may support what you want to do.

Worm said...

hi,

I have been searching high and low for some answers to my network setup, and came across your post.

My set up is basically wireless router + wired router for protected lan. Everything works fine, router A (wireless) is DHCP with IP 192.168.0.1 while router B (wired) is also a DHCP with IP 192.168.1.1

Internet works great from router B going through router A as gateway. Now, my question is can I share printers and access NAS which is connected to router A?

Thanks.

gv said...

Yes. You can access everything connected to the first router A from the LAN of router B. The opposite direction is not possible.

However, name resolution won't work, i.e. you must enter the IP address of the printer/NAS instead of the host name. But with the IP address you should be able to connect.

Kanabeanz said...

Great post! Like several others, this is what I have been trying to do for over a year. I am about to try it on my Netgear WGR614 & BT Homehub. Thank you!

Mark said...

thanks a bunch! your tutorial worked great. i was having a hard time setting up my home network and couldn't believe it was that easy thanks to the instructions. Big help :)

Mark said...

Thanks, worked perfect!

arty said...

Thanks a ton for the clear and concise instructions as well as the details behind it for those of us that wanted to know the whys! It was invaluable in letting me set it up the way I wanted - finally! The piece I was missing, was to use a LAN port in the new router, instead of the WAN port. With the WAN port, no matter what I tried, I could not get the two routers to work on the same segment. Thanks again.

Ravi

Luis Fernando said...

Thank you it worked perfectly...

jakid said...

Thank you for the wealth of valuable information that you provide on your blog! Figuratively speaking, you were a life saver!

Modem quang | Phụ kiện quang said...

Thank you good entry