providing ONLY internet through a wireless access point
Corehop
08-17-2006, 03:14 PM
I am working for a business owner that has a side-by-side pizza place slash photography studio. He has an existing network consisting of a wired router leading to a switch with several computers hooked up to it. He bought a wireless access point in hopes of making the restaurant into a hotspot.
The issue is that when the access point is hooked up, wireless users are able to browse the internal office network as well, which is not acceptable. It's a Linksys WAP54g access point.
Ideally, I would like to use internet connection sharing on a computer that is hooked up to the switch through one net card and to the access point through another net card. That way there would be no file sharing between the two networks. When I try this, the connections work out all right, but there is no internet service on the wireless network.
If I bridge the two networks, I gain internet access, but can also browse to other computers on the network, which is exactly what I DON'T want.
so the point is... AHHHHHHHHH!!!!!!!!
Can anybody out there help me??
josefz
08-17-2006, 06:00 PM
I guess you can accomplish your task as follows:
1. Set up Network topology:
Internet
|
a
|
WAP54g --c-- switch --d-- intranet computers.
|
b (wireless)
|
customers.
2. Configure WAP54g access point to:
2.1 pass-through path ab (Internet - customers).
2.2 pass-through path acd (Internet - intranet).
2.3 close path bcd (customers - intranet).
How to close the "bcd" path? Use MAC filtering in such a manner (cf. User guide (PDF), Figure 7-19: Wireless - Wireless MAC Filter Screen, http://www.linksys.com/servlet/Satellite?c=L_Product_C2&childpagename=US%2FLayout&cid=1126536803676&pagename=Linksys%2FCommon%2FVisitorWrapper):
- click Prevent PCs listed below from accessing the wireless network,
- into the MAC table enter the MAC addresses of the computers whose access you want to deny to the wireless network, i.e. all your intranet computers' MAC addresses.
If you deny a computer access to the wireless network, then, vice versa, the wireless network will be denied access to this computer!
Q.E.D.
jdharm
08-18-2006, 08:18 AM
I have set up a system before for similar reasons. A business has two departments - one is accounting and therefore sensitive, and one is sales and full of guys that regularly infect their computers with spyware/worms/viruses.
The topology I used was:
Internet
|
|
router1-------router2------sales computers
|
|
router3
|
|
accounting
computers
Either router 2 or 3 could have been wireless. The effect here is that the accounting computers were protected from snooping because the sales computers would have had to come through the router1-3 link, which as far as router3 is concerned is "The Internet". The same goes for sales and router2. So each of the departments was as isolated from the other as the entire network is from the actual internet connection. The only configuration you have to do is to make the WAN of routers 2 and 3 members of the LAN of router1, and make the LANs of 1, 2, and 3 different subnets to avoid any possibility of cooperation. (Use the 10.x.x.x scheme instead of the default 192.168.x.x scheme.)
There were actually 5 departments, but for the sake of simplicity I just used 2. But in your 2-department situation, one of the routers wouldn't even be necessary.
Internet
|
|
router1--------AP--(· ~~~~~ ·)--public computers
|
|
router2
|
|
switch
|
|
business
computers
You would need to buy router2. This way your business computers are behind router2 and protected from the public computers just as they would be protected from the internet. Just make sure the router1 LAN and router2 WAN are a different subnet than the router2 LAN. Remember, you are going for distinct networks - the addressing from one network to the next should be different.
Or, if you can return the AP and swap it for a wireless AP you could simplify to this:
Internet
|
|
wireless
router----(· ~~~~~~ ·)--public computers
|
|
wired
router
|
|
switch
|
|
business
computers
Be sure to turn on the firewalls on the routers for added security.
Josh
Yet another site soon to be neglected: www.zachmax.com
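The addressing rule in the post above (each downstream router's WAN port sits on router1's LAN, and every LAN is a different subnet) as a check script. This is an added example, not part of the original thread; the router names and the constructed 10.x.x.x / 192.168.x.x addresses are my own, and the check is generalized to any number of routers behind router1 (the 5-department case as well as the 2-router case).

```python
from ipaddress import ip_interface, ip_network


def check_plan(upstream_lan, downstream):
    """Validate a 'router behind a router' addressing plan.

    upstream_lan: router1's LAN, e.g. "192.168.1.0/24" (constructed example).
    downstream: {name: (wan_interface, lan_network)} for every router whose
                WAN port plugs into router1's LAN (router2, router3, ...).
    Returns a list of problem strings; an empty list means the plan is sound.
    """
    up = ip_network(upstream_lan)
    problems = []
    seen_wans = {}   # WAN address -> router name, to catch duplicates
    seen_lans = {}   # router name -> its LAN network, to catch overlaps
    for name, (wan, lan) in downstream.items():
        wan_if = ip_interface(wan)
        lan_net = ip_network(lan)
        # The WAN port must be a host on router1's LAN with the same mask,
        # otherwise router1 cannot forward its traffic to the Internet.
        if wan_if.ip not in up:
            problems.append(f"{name} WAN {wan_if.ip} is not inside router1 LAN {up}")
        elif wan_if.network != up:
            problems.append(f"{name} WAN mask {wan_if.network} disagrees with router1 LAN {up}")
        if wan_if.ip in (up.network_address, up.broadcast_address):
            problems.append(f"{name} WAN {wan_if.ip} is the network or broadcast address")
        if wan_if.ip in seen_wans:
            problems.append(f"{name} WAN {wan_if.ip} duplicates {seen_wans[wan_if.ip]}")
        seen_wans[wan_if.ip] = name
        # The LAN behind this router must not overlap router1's LAN (the classic
        # failure: two routers both left on the factory default 192.168.1.0/24),
        # nor any sibling router's LAN, or NAT cannot tell the two sides apart.
        if lan_net.overlaps(up):
            problems.append(f"{name} LAN {lan_net} overlaps router1 LAN {up}")
        for other, other_net in seen_lans.items():
            if lan_net.overlaps(other_net):
                problems.append(f"{name} LAN {lan_net} overlaps {other} LAN {other_net}")
        seen_lans[name] = lan_net
    return problems


if __name__ == "__main__":
    # Two Linksys boxes both left at defaults: the plan is rejected.
    print(check_plan("192.168.1.0/24", {"router2": ("192.168.1.1/24", "192.168.1.0/24")}))
    # jdharm's suggestion: business LAN moved to a 10.x.x.x subnet.
    print(check_plan("192.168.1.0/24", {"router2": ("192.168.1.50/24", "10.0.0.0/24")}))
```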
Yup. That was my thought too -- to use two routers. If the WAN of Router-1 is connected to the Internet, with the WAP on the LAN... and Router-2 WAN connected to the LAN of Router-1..... then computers connected to the LAN of Router-2 will be invisible to the ones connected to Router-1...
Internet
|
|
Router#1 ---- WAP
|
|
|
Router #2
|
|
Office computers
josefz
08-18-2006, 01:46 PM
In respect of jdharm's and Brf's replies, let me put Network topology draft more precisely:
1. I guess your network topology is currently as follows:
{Internet} -- router (wired) -- switch -- intranet computers.
2. If the WAP54g access point was simply added (hooked up) to the switch, then every wireless client becomes one of the intranet computers at the same time. This behaviour is not acceptable, and neither is the next topology:
{Internet}
|
router (wired)
|
switch -- WAP54g -- customers
|
intranet computers.
3. Maybe there is another topology (and probably there is), but nobody can draft it properly without knowing more about all its constituent parts. We can assume the Internet, the intranet computers and the WAP54g access point are well-known (or at least sufficiently known) portions of your network.
On the other hand, for the present we know absolutely nothing about the router (wired) and the switch used - except that they are working.
The best thing to know is the manufacturer and model, but (in fact) we need answers to a lot of questions about the router (wired) and about the switch (separately): is it manageable? Does it allow NAT? Built-in firewall? ...
Under above assumptions I have written my first reply, and I can affirm it again and again.
The only mistake: I had identified (mixed up) "Internet" and "Internet connection". So the network topology draft should be as follows:
{Internet}
|
a1
|
router (wired)
|
a2
|
WAP54g --c-- switch --d-- intranet computers.
|
b (wireless)
|
customers.
Edited by josefz on 08/18/06 08:07.
jdharm
08-19-2006, 09:34 PM
I wasn't contradicting you dude, or saying my way was the best way. I was just sharing one of the solutions I've used out of the dozens of possible solutions to this particular problem.
Josh
Yet another site soon to be neglected: www.zachmax.com
Yup. I wasn't contradicting either... just suggesting a solution that didn't require locking out specific computers by IP or MAC address... A solution which locks out computers that way has to be constantly maintained as new computers are added to the network.
josefz
08-24-2006, 04:00 PM
I agree with both of you, Brf and Jdharm; I did not attempt to start a flame war.
I had ventured only on an assembly of the given component parts.
Your solution seems to be more common, unattended in posterity.