Dual WiFi Hotspots on a single broadband

Most offices today are WiFi enabled, given the ubiquity of broadband Internet and mobile computing. However, these WiFi networks are intended for internal use, since they typically would provide access to company network resources such as printers, servers, shared folders and the like.

So, when a visitor or a client drops by the office and would like to hook up to the WiFi to check his/her email, a potential security risk is created. The risk is not limited to malicious users who intend to abuse network resources; viruses could also creep into the company’s network over the wireless connection.

Now consider a scenario of someone who would like to share their broadband connection at home with the people living around the block, much like a neighborhood hotspot. Despite the noble intention, a huge security risk is created if they were to allow anyone to access their network.

So the question now becomes: how do you share a single broadband connection wirelessly while maintaining the security and integrity of the network? When I came across this need some time ago, I searched high and low on the Internet without much help. After a bit of experimenting, I discovered the perfect solution to this problem, and it is known as Double NAT.

The first thing that has to happen is that you will need two WiFi routers. The reason for this is that you want to ensure your internal network is secure and accessible only to people whom you specifically allow. The other WiFi router will serve as your Public Hotspot. You can even choose to leave this unencrypted if you want to allow anyone at all to use your wireless connection.

Next, set up each WiFi router with a different SSID, so that they serve as distinct wireless networks. It is highly recommended to encrypt your primary (or internal) WiFi connection with WPA. You may even choose to hide the SSID if it's purely for internal use and you do not intend to make your internal WiFi discoverable.

Also ensure that the two routers are on different channels so that their signals do not interfere with each other (especially if they are going to be placed within each other’s wireless range). Next, set the LAN IP addresses of both these routers to different subnets. For example, if your primary WiFi router’s IP address is in the range of 192.168.0.xxx, you could set up your secondary WiFi router in the range of 192.168.1.xxx. Finally, ensure that the DHCP server function on both routers is enabled.

Usually, in a typical PPPoE setup, the WiFi router is connected to the ADSL modem on the “WAN” or “Internet” port. The WiFi router is then configured to ‘dial’ the PPPoE connection using a username and password. In this scenario, we are going to extend this network setup by linking the “WAN” port of the second WiFi router to a vacant “LAN” port on the primary WiFi router.

The Internet connection of the second WiFi router should be configured not as PPPoE, but with DHCP, usually with a setting called “Obtain an IP address automatically from my ISP”, or “Dynamic IP address”. Using the IP address ranges in the example above, with this setup, the primary WiFi router will assign an IP address in the range of 192.168.0.xxx to the WAN port of the secondary router, while the secondary router will in turn assign IP addresses in the range of 192.168.1.xxx to its clients.

Therefore, you have effectively separated the two wireless networks on different subnets using different encryption keys, while sharing the same broadband connection.

While some people feel that this approach (known as Double NAT) is not good, I personally have set this up in two different locations with perfect results. The wireless clients on the secondary WiFi are able to run all Internet-enabled applications such as Skype, MSN Messenger and the like in addition to surfing the web and accessing emails without any problems or extra configuration.
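
To confirm the separation described above, the following added example (not part of the original post) checks the addressing plan and, when run from a client on the hotspot, probes chosen internal addresses. Because the secondary router's WAN port sits on the primary router's LAN, it forwards traffic for 192.168.0.xxx there unless a firewall rule blocks it, so the probe is worth running. The /24 masks, host addresses and ports are assumptions.

```python
import ipaddress
import socket

# Subnets from the article's example; the /24 masks are an assumption.
PRIMARY_LAN = ipaddress.ip_network("192.168.0.0/24")    # internal WiFi
SECONDARY_LAN = ipaddress.ip_network("192.168.1.0/24")  # public hotspot

def plan_problems(primary_lan, secondary_lan, secondary_wan_ip):
    """Return addressing mistakes that break or defeat the double-NAT plan."""
    primary = ipaddress.ip_network(primary_lan)
    secondary = ipaddress.ip_network(secondary_lan)
    problems = []
    if primary.overlaps(secondary):
        problems.append("LAN subnets overlap: secondary router cannot tell WAN from LAN")
    if ipaddress.ip_address(secondary_wan_ip) not in primary:
        problems.append("secondary WAN address is not a lease from the primary LAN")
    return problems

def tcp_reachable(host, port, timeout=1.0):
    """True if the address answers on TCP (accepts or refuses); False on timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except ConnectionRefusedError:
        return True   # a refusal means something answered for that address
    except OSError:
        return False  # timeout or unreachable: nothing came back

def isolation_report(my_ip, internal_targets, probe=tcp_reachable):
    """Run from a hotspot client: return the internal (host, port) pairs it can reach."""
    if ipaddress.ip_address(my_ip) not in SECONDARY_LAN:
        raise ValueError("run this from a client on the secondary (hotspot) network")
    reachable = []
    for host, port in internal_targets:
        if ipaddress.ip_address(host) not in PRIMARY_LAN:
            raise ValueError(f"{host} is not on the internal subnet")
        if probe(host, port):
            reachable.append((host, port))
    return reachable

if __name__ == "__main__":
    print(plan_problems("192.168.0.0/24", "192.168.1.0/24", "192.168.0.50"))
    # Constructed targets: primary router admin page and a file server's SMB port.
    targets = [("192.168.0.1", 80), ("192.168.0.10", 445)]
    leaks = isolation_report("192.168.1.100", targets)
    print("internal services reachable from hotspot:", leaks or "none")
```

An empty result from `isolation_report` for every internal service you care about is what the separation should produce; any listed pair is an internal service the hotspot side can reach.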
