Wireless Network - without the network?

This is something I’m having a hard time googling so if anyone knows if this is easy, or at least possible -

My church wants me to set up a wireless internet point for various church groups to use, but they don’t want these people to have access to the shared data on their network. I’m sure its similar to what places with free wifi would have, but what they want is secure wifi internet access (password provided to the groups who need access) on the same internet that their office uses (multiple computers and a remote access hard drive already on their network, but everything they use now is wired).

They don’t want to do much screwing around with their small network (I know this is pretty easy to do on a domain server, but they aren’t running that).

The easiest way to do this is to get a router that supports a “guest” network. Many new routers do this. There will be a setting that completely isolates the guest network from the LAN side of things.

Yes, many new wireless routers support a guest network. The term you’re looking for is wireless with a DMZ. That should help bring up relevant information in your searches. This creates a firewall between the wireless and the rest of your network. So, just because the private and guest parts of the network happen to share the same connection to the outside world, the guest portion does not have access to the private portion. For bonus points, you should be able to configure a secured wireless on the private portion for staff to use.

How about client isolation? It’s a feature of some routers that doesn’t let clients talk to one another.

In the router, under the wireless settings, set the network mode to unbridged. Normally, the wired and wireless sides of the router are bridged so that one side can access the other. In unbridged mode, the wireless side cannot communicate with the wired side. But verify that this is true on your router.

For additional protection, you can also look for something called “AP isolation”. This will prevent one wireless client from talking to another wireless client.

I don’t think DMZ is what the OP is looking for. DMZ circumvents firewall for the specified types of communication (usually by TCP/UDP port number).

“Guest” network is a better search term.

This solution will work only if nobody in the network is currently using a wireless connection. If you do this, everyone on wireless will be essentially on the ‘guest’ network and won’t be able to communicate directly to the church network. Good solution, otherwise!

This is the router I use.
It supports guest networking.

Wireless client isolation prevents wireless devices from communicating with each other. It doesn’t affect traffic between the wired and wireless portions of the network.

I further and strongly support beowulff recommendation to get a router with guest network support. It is purpose-designed to do what the OP wants and is fully manufacturer-supported out of the box. Trying to repurpose an existing router by flashing alternate firmwares like dd-wrt is not a good idea when the device is being used by novices.

Appreciate the help. I’ll have to log into their router to see if it supports a guest network, that seems like what they want. They are using the wireless router/all-in-one solution provided by their ISP, so it may or may not (and the ISP uses so many different pieces of equipment I’ll have to get into it to see which it even is).

If it doesn’t, is it fairly simple to get another wireless router and add it into one of the ports for the one they have, or do I have to replace their whole setup?

Just turn off the wireless on the ISP-supplied router, and plug your own router into one of its ports. Should be trivial.

You might want to physically secure the routers (like behind a padlock) so that people don’t walk in and plug-in to your internet connection, since you’re concerned about security.

You’ll also at least need to turn off DHCP on the ISP device. If you can put it in transparent bridging mode that would be best.