Separate Public and Private Wireless Network Using Two Routers

How to create a separate public and private wireless network using 2 routers

Setting up a separate public and private wireless network is not that complicated. It involves basic setup of a router, and its wireless network. In order to create the two separate networks, you set up both routers (R1 and R2), their wireless networks, and plug R2’s WAN port into one of the LAN ports on the back of R1. The networks will essentially be separate, but use a single modem (the same ISP connection for the Internet.)  I created a separate public and private network using this method for a client’s restaurant. The client did not want customers to have access to the private network, yet still wanted to provide a wireless hotspot for patrons.

As far as firmware goes, I recommend using DD-WRT’s firmware and a compatible router, which you can find a list of here: DD-WRT.  Not mandatory by any means, as you should be able to set up separate wireless networks with the stock firmware of just about any router on the market.  By following my setup, you will completely separate the public and private networks, other than access to the private router’s login page from the public network.  Be sure to set a strong password for both routers’ login information, which is mandatory no matter where you’re setting up a network.  If you have a couple of routers on hand and this isn’t clear enough, feel free to shoot me an email describing your setup, and I’ll do the best I can to walk you through that model’s setup screens.

Step 1: First, set up the private router (R1).  I usually do this disconnected from the Internet, by simply plugging an ethernet cable into the switch on the back of the router.  No need to connect to the WAN port yet.  Access your router’s login screen. Login and immediately change the password, make sure it is strong (upper and lowercase letters, at least one number, and a special character or two).

Step 2: Apply your settings, and login using the new password, if necessary.  Next, choose your router name, your IP range (I’m using 10.0.10.x for this setup), and turn on the DHCP server.  You can also set the number of clients, etc.  Set R1′s address to the first addressable host (x.x.x.1) on your IP range, for ease of remembering where it is.  I use for my start range on DHCP because I like to leave a lot open for static IP’s; this allows plenty of room for printers, NAS storage, servers, etc.

Step 3: Next, set up the wireless portion of the R1 ( if you want wireless capability on the private network) This can also be set to “off” should you not require wireless setup.  You absolutely want a very strong passphrase (something like, n0W1rel3$$4U) on your private wireless network (use WPA, not WEP if you can). There’s no sense in going through the trouble of having a second, public router, only to leave your wireless access open.  You can leave the SSID set to broadcast, but this allows people to see the wireless network and attempt to connect.  This shouldn’t be a problem so long as you have a strong password.  Leaving broadcast “off” will not stop someone from finding it if they really want to, however, so the encryption still needs to be on.

Step 4: You can now plug in your WAN port from R1 to your modem, and verify you have access to the internet.  Check your wireless as well, to be sure everything is working as it should.

Step 5: Next, you want to setup your public network on your second router (R2).  Again, leave the router disconnected from the R1, simply plug in your computer to a port on the back of R2 and navigate to its setup screen in your browser.  If you also have a wireless connection (such as setting this up from a laptop) be sure to turn it off for now, as you will not need it.  This is especially true if you used wireless to set up the first router, as it might confuse the network connections and not allow you access to the setup screen on the second router.

Step 6: Set up a new username (if your router allows it) and password, and save your settings.  Next, setup the network address.  If you followed my first router setup and used 10.0.10.x for R1, use 192.0.10.x for R2. Again, set the router’s address to the first addressable host (  Turn DHCP on, and setup your maximum clients, and your DHCP range.  You could probably set this to if you don’t need static IPs on the public network.  If you are going to have a public accessible printer, set it to, so you can have a few static IPs if you ever need them.

Step 7: Apply your settings, and log back into the R2 by going to the router’s new address in your browser.  It is highly recommended to set the R2′s WAN PORT to STATIC IP and set the address to something R1, outside of the DHCP range. See the screenshot below (click to enlarge).  Basically, I set it up to be the second host on the router’s network,  The gateway will be, subnet mask

WAN LAN Setup Screen Public Router

WAN LAN Setup Screen Public Router

Step 8: Apply your settings, and you can now set up the SSID (be sure to pick a name different from the private router) and client type for your public network.  If you want people to be able to access it, leave the encryption off, and broadcast the SSID.  You may want to look into a hotspot server, such as set up a DD-WRT enabled router with Chillispot, but that is out of the scope of this post. To really make this work efficiently, you may want to set the channels of both routers apart (i.e., one to channel 1 and one to channel 11), but you can also leave them on auto.  Another idea might be to have the public network on the 5ghz spectrum, as it would get less interference from surrounding networks and give your clients a better experience.  An Airport Extreme or a TRENDnet TEW-672GR offer dual band functionality, although you sacrifice not being able to run the DD-WRT firmware with either of those.

Step 9: Finally, disconnect your computer from the R2.  Plug R2’s WAN port into one of the switch ports on R1.  You can now use a wireless connection to verify internet connectivity through the public router’s SSID.

Step 10:  You should probably reboot everything at this point.  Power down the modem and both routers. Leave off for 30 seconds, and plug the modem in again.  Allow it to fully boot, then turn on the first router, allow it to fully boot.  Turn on the second router, and you should be good to go.


#1 Jason on 12.04.09 at 09:13

If you are here looking for a Good way to configure you ddwrt router for public and private network Go to this site it is the best so far Donate to this guy.

#2 technohermit on 12.04.09 at 12:29

Thank you for the link.