This is the last posting in a trilogy about adding a second router to a Local Area Network to provide an additional layer of protection for high value computers.
The first thing I noticed after setting up a network as described in the previous posting was that a newly protected computer, plugged into the second router just worked. All the hard work is in configuring the new router. Any computer using DHCP, which is the norm, shouldn't need any changes to enable the additional protection.
One side effect of the new LAN segregation is remote control. On the network I tested with, I sometimes use Real VNC to remotely control another computer on the LAN. This is no longer possible across the divide that the second router was brought in to create. To continue with the adult/kid scenario from before, it is no longer possible for an adult to remotely control the computer of a child.
The newly created digital divide also prevents file sharing between an adult and a child. Of course, that's by design.
Also by design, an adults computer can no longer connect to the kids router to make configuration changes. Or so I thought. While this is true when dealing with private IP addresses, the kids router also has a public IP address (you can see your public IP address using www.ipchicken.com). I was surprised to find that entering the public IP address into the Web browser on an adults computer, brought up the internal Web site in the kids router.
From a kids computer, the Web site in the kids router could also be accessed by its public IP address. The router in question was a Belkin Wi-Fi G F5D7230. I'm not sure that other routers will also act this way.
From outside the LAN, the website in the kids router is not reachable. This was expected as the remote administration feature was purposely turned off--a recommended Defensive Computing step.
I use an SSL VPN from WiTopia.net whenever I access an untrusted network. The VPN worked just fine from an adults computer. In fact, it worked so well, that I could no longer see the Web site in the kids router using its public IP address. Thanks to the VPN, I was accessing the Internet from WiTopia rather than from the LAN.
Leo Notenboom, whose article "How do I protect myself from my children?" prompted this trilogy, uses Hamachi, another type of VPN. He said it works fine in this type of network configuration. There are other types of VPNs, such as IPsec, which I can't test.
Wi-Fi should present no problem in a double-router LAN. In fact, each router can have its own Wi-Fi network.
In the best case, one wireless network would use the crowded 2.4GHz band (Wi-Fi B, G and N) and another would use the 5GHz band (Wi-Fi A and N) to avoid stepping on each others feet. But most consumer routers only use the 2.4GHz band, so, if possible, configure each router to use a different Wi-Fi channel.
In my case, the adults router was a Ruckus 2825 which has a "Smart select" option for the Wi-Fi channel. Testing it on different days, it did indeed chose different channels. So far, the Ruckus router has shown excellent range, but I haven't yet put it to the acid test.
Another way to avoid having the two wireless networks interfere with each other is to turn off the wireless radio in a router when not in use. This is done using the internal Web site in the router and, as noted above, an adults computer can configure both routers. I've yet to see a Wi-Fi router with a physical switch for turning off the radio, if you know of one please leave a comment below.
All in all, the cost and inconvenience seem pretty small for the extra protection a second router can offer adult/high-value computers.
Update: September 29, 2008.The point about remote control needs to be clarified. There are two approaches to establishing the connection between the two computers: direct and with a middle-man. On a normal LAN, you can use the direct approach by entering the IP address of the controllee from the controller machine. Adding a second router limits this option to adults controlling adults or children controlling children. However, since all computers can still access the Internet, the middle-man approach still works. With this scheme, each computer first connects to a middle-man website. GoToMyPC is an example of the middle-man approach whereas Real VNC is an example of the direct approach.