Networking – Setting up a WLAN Access Point Behind a Proxy


I currently have a home network that does not use any WLAN. Coming from outside, there's a DSL modem, a bridge/proxy connecting to the DSL modem, and a bunch of workstations accessing the internet through the proxy (or each other in the internal network, say for file servers).

Now, sometimes WLAN would be handy. However, I am very happy with my (non-caching) proxy and instead of putting a WLAN router in front of the proxy, and having the proxy access the internet through the router, I would still like to make every machine use the proxy, including any WLAN client. If I understand the terminology right, what I need is a WLAN access point (requirement #1).

This, of course, would be a security risk if someone broke into the WLAN, because this person would gain access to my internal home network. Therefore, requirement #2 is using a modern type of WLAN encryption like WPA2.

To make this setup easiest for guests, I figure I should set up the WLAN access point such that it acts as a DHCP server, offering IP addresses in, say, the range, bridging routing the traffic to the existing home network (, and accessing the proxy at Ideally, a guest would not even have to tell the browser to use a proxy, because the access point acts as an internal router and takes care of forwarding any traffic to the proxy, but this would be optional. Alternatively, a range of IP addresses on the subnet could be offered dynamically (DHCP), while the static addresses remain as they are, allowing the access point to act as a mere switch on one subnet.

Does this make sense and is this a reasonable way to extend my existing home network for WLAN?

Just for reference, some links to somewhat related problems I would like to keep; not identical to my problem, but as a good source for further reading:

Linux box acting as wireless access point to share the internet connection

Can I set up an EeePc as a WLAN Access Point?

Setting up Remote access home LAN behind multiple routers?

Can a Linux machine act as both a wireless client and access point simultaneously using a single physical WLAN interface?

Is it possible to connect a wireless router to another access point?

Best Answer

Yes, this makes sense and is - generally - a reasonable way of setting up your network. A few observations -

  1. Look for a WLAN router which will work with DD-WRT (or OpenWRT). In order to have any realistic chance of doing transparent proxying without expensive hardware you will need something like DD-WRT or OpenWRT, and presumably some interesting setup with iptables and tproxyd or equivalent.

  2. Is your proxy actually doing that much for you? I know that 15 years ago, a proxy made a worthwhile difference, but I believe that - in general - they will cause more problems than they solve, and depending on the type of content may well make things slower in some cases, and provide very little bandwidth saving (particularly if storing to a slow hard drive and because of caching built into browsers).

  3. WPA2 should be pretty standard on most newish consumer gear.

  4. I'd leave the DHCP addressing to the router - I believe this is more appropriate, however technically you can do it on the proxy server - I assume from your post you are aware you generally only run 1 DHCP server per network segment.

  5. Technically you can't bridge traffic between and - you would need to route it. A decent router could do this, and firewall it. Alternatively (and less securely), you could set up everything on the same subnet - this would be a typical home user config. (You could extend the netmask out to to cover a larger range if that's really required, but you will still need a way of handling DHCP as it would all come in on 1 subnet - so this could prove cumbersome (e.g. dynamically assigning static IPs based on MAC).)

  6. It's not clear from your post if you are aware, but a WLAN Access Point acts like a switch/hub (think of wifi clients as just additional devices on the same network segment). In order to do separation you need a router. [In reality most switches capable of running *WRT have got 5 ports each which can be individually controlled - e.g. - like a router - and are typically bridged together in software to make them behave like a switch - but *WRT can change this behaviour - although doing so may be non-trivial.]
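
The routed and firewalled variant from points 1 and 5, sketched as an added example (not part of the answer above and not DD-WRT/OpenWRT code): a script that prints, without applying, iptables rules that steer guest HTTP to the proxy and block everything else leaving the WLAN. It uses plain DNAT rather than TPROXY, and the interface name, both subnets, and the proxy address and port are constructed placeholders, since the addresses in the question are not shown.

```shell
#!/bin/sh
# Added example: emit (not apply) iptables rules for a routed guest WLAN.
# Every value below is a constructed placeholder, not the asker's setup.
WLAN_IF=wlan0              # assumed name of the access-point interface
WLAN_NET=192.168.2.0/24    # assumed guest (WLAN) subnet
LAN_NET=192.168.1.0/24     # assumed wired home subnet
PROXY_IP=192.168.1.10      # assumed proxy address on the wired subnet
PROXY_PORT=3128            # assumed proxy listening port

# Accept only a decimal TCP port in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the rule set in evaluation order; review it before piping to sh.
wlan_rules() {
    valid_port "$PROXY_PORT" || { echo "bad proxy port: $PROXY_PORT" >&2; return 1; }
    cat <<EOF
# Plain HTTP from guests is rewritten to the proxy (which must accept
# intercepted traffic). HTTPS is not redirected: set the proxy in the client.
iptables -t nat -A PREROUTING -i $WLAN_IF -s $WLAN_NET -p tcp --dport 80 -j DNAT --to-destination $PROXY_IP:$PROXY_PORT
# Replies to connections that were already allowed.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The only new flow a guest may open through the router: the proxy port.
iptables -A FORWARD -i $WLAN_IF -s $WLAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT
# Nothing else on the wired subnet (file servers, workstations).
iptables -A FORWARD -i $WLAN_IF -d $LAN_NET -j DROP
# No direct route to the internet that bypasses the proxy.
iptables -A FORWARD -i $WLAN_IF -j DROP
EOF
}

wlan_rules
```

The ACCEPT for the proxy has to stay above the two DROP rules, because iptables stops at the first matching rule in a chain.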
