Using a second router: A techie how-to

A detailed accounting of the steps to take when adding a second router to a LAN for the purpose of protecting adult computers from those of children

Michael Horowitz

Michael Horowitz wrote his first computer program in 1973 and has been a computer nerd ever since. He spent more than 20 years working in an IBM mainframe (MVS) environment. He has worked in the research and development group of a large Wall Street financial company, and has been a technical writer for a mainframe software company.

He teaches a large range of self-developed classes, the underlying theme being Defensive Computing. Michael is an independent computer consultant, working with small businesses and the self-employed. He can be heard weekly on The Personal Computer Show on WBAI.


Michael Horowitz
3 min read

Previously, I wrote about using a second router to provide additional protection to high-value computers--specifically, to protect computers used by adults from those used by children on a shared Local Area Network (LAN).

That article was mostly conceptual, this one covers the nitty-gritty technical details.

First, the good news. Adding a second router has no effect on the first router and no effect on the untrusted (kids) computers. Each is blissfully ignorant of the following changes.

In describing the steps, the existing/first router will be referred to as the kids router since the untrusted kids computers connect to it. The new, second router will be referred to as the adults router since its job is to protect the computers used by adults.

For the sake of simplicity, I'll start with wired Ethernet connections and assume, as is usually the case, that the kids router is handing out private IP addresses* in the range 192.168.1.x using DHCP. The steps below apply regardless of the operating system employed on any particular computer.

Here's what needs to be done:

  • The high-value (adults) computers are unplugged from the kids router and plugged into the LAN ports of the adults router.
  • The WAN port of the adults router is plugged into a LAN port on the kids router. WAN stands for Wide Area Network, and refers to the Internet. From the perspective of the adults router, the kids router is the Internet. On some routers, the Ethernet WAN port is a different color from the LAN ports, but not always.
  • What the adults router thinks is its public IP address is really a private IP address (192.168.1.x) used by the kids router. This is configured in the adults router using the type of Internet connection option. The easiest thing is to set the adults router to DHCP or dynamic. It can, alternatively, be configured for a static IP address, but this requires a knowledge of the private IP address range used by the kids computers and router. Also, if the configuration of the kids router were ever to change in the future, the static IP address may no longer be valid and thus knock the adults computers offline.
  • On the WAN/Internet side, the default gateway and the primary DNS server for the adults router is the kids router (probably If you opted for dynamic in the prior step, this should happen automatically, after rebooting the adults router. If you opted for a static IP address, you'll have to set this manually.
  • On the LAN side, the adults router can use DHCP to hand out IP addresses in any private address range other than that used by the kids router. For example, it could use 192.168.2.x or 192.168.8.x. To make things as obvious as possible, however, I suggest configuring the adults router to issue IP addresses in the 10.x.x.x range with the default subnet mask of Along with this, set the LAN side IP address of the adults router to
  • Each adults computer needs to use an IP address in the 10.x.x.x range. Most likely the computer(s) will already be configured to get an IP address using DHCP, in which case nothing needs to be changed. If, however, one was using a static IP address, a new one probably needs to be assigned, one that is outside the DHCP range handed out by the adults router.

Once this is done, an adults computer, which used to have a TCP/IP default gateway of, will now have a default gateway of Likewise, the DNS server and DHCP server for an adults computer will now also be

Not to switch subjects, but elsewhere I've written that I'm a big fan of OpenDNS. Any computer can be manually set up for OpenDNS, but another approach is to configure the router to use the OpenDNS servers and the router will then pass along this setting to computers that connect to it with DHCP.

More about living with this setup, and about Wi-Fi, next time.

*For more on public vs. private IP address, see What does your IP address say about you?
See also How to check if a computer is using OpenDNS
See a summary of all my Defensive Computing postings.