It all depends on how he sets up his network.

He could conceivably put the guest network on his existing ADSL router (without the guest setting being available) and put the shop network on the linksys.

The shop network would be protected, but all users of the "guest" wireless in this set up will be accessible to all other users.

What is important is that any traffic passing from the "guest" network to the shop network passes through a firewall from untrusted to trusted. The guest setting on wireless routers makes the wireless clients untrusted, and as the connection must go through the wireless router (with built in firewall) this protects the LAN segment which is trusted. The WAN segment is typically untrusted, indeed it is typically less trusted than "guest" wireless clients. Hence the issue with the originally suggested set-up using the linksys to provide the guest access.

But the FON router manages this just by plugging it in.

I assume you mean the BT FON router?

As I understand it this presents a wireless access point as a chargeable service and protects it by creating a VPN from the router, past your network, to a central platform from where the wireless hotspot gets it's internet connectivity.

If I am correct, then this would be suitable (in so far as it would protect the local network from hotspot clients) however I am not confident of my understanding of how the FON products work, and would not personally trust them on my network without doing further research and getting reassurance from the makers.

In reply to a post by pmb00cs:

I assume you mean the BT FON router?

No, I mean the FON router which manages this trick which, according to you, the Linksys router cannot - even though it is designed to do this and is manufactured by Cisco, the networking experts.

In reply to a post by BatBoy:

and is manufactured by Cisco, the networking experts.

If you seriously believe that Cisco produce domestic Linksys routers with the same (or even vaguely similar) capabilities to their professional Cisco brand, it explains a great deal about the reliability of your usual advice... and your (totally misplaced) belief in your own infallibility.

You assume the cisco is designed to exist in a multi-subnetted private network. I find this hard to believe. It has too many features to be targeted at the people who would have large enough networks to require separate WAPs, and not enough features to be targeted at businesses that have complex multi-subnetted, multi-firewalled networks.

I believe strongly that it is designed to exist as the sole router on a small network. As such why would it have the features you describe? Particularly as this would tread on the toes of Cisco's much more expensive equipment aimed at big businesses.

The FON is designed to exist within an existing network. As I say however I am not sure if it is safe, and would not trust it myself. But it is conceivable that it could protect the parent network.

It is a matter of designed purpose. Now I also did not say that the linksys could not be made to be safe! However I did say that I doubt doing so would be easy or straightforward.

Your answers are quite right when considered alone.

But put them in the context of the original post. Either what the OP proposed will not work, or there will be security issues.

In reply to a post by Sandgrounder:

Your answers are quite right when considered alone.

But put them in the context of the original post. Either what the OP proposed will not work, or there will be security issues.

Exactly what command will the Guest use to access the main network?

For example if the main network uses 192.168.0.x and has a webserver on 192.168.0.22 then doing http://192.168.0.22 from the guest network would let them see this webservice.

Cisco labelling of Linksys kit is just a marketing exercise, and cisco is not as infalliable as some like to believe.

If the linksys E router supports a guest network that protects an ethernet LAN network on the router, then by moving the shop network onto the LAN side of the linksys E you can achieve what you want. BUT this may mean you are double NAT'ing some things on the shop network.

As for linksys E with ADSL modem built in, don't know. BUT a decent ISP will be able to supply a block of static IP's and you can use NON-NAT on the ADSL modem to supply a real IP address to the WAN side of the linksys.

In reply to a post by MrSaffron:

For example if the main network uses 192.168.0.x and has a webserver on 192.168.0.22 then doing http://192.168.0.22 from the guest network would let them see this webservice.

Even if that were true, how would the guest know about 192.166.0.22? or 192.168.0.x for that matter??