How to configure AirPort Express to access Internet but not local network

Hi Harpist,

The short answer is that such a function is beyond the capability of an Express. You would need an "enterprise wireless gateway" that includes that specific feature. Cisco calls it "Public Secure Packet Forwarding (PSPF)" or peer-to-peer blocking.

The longer answer is that anything that connects to the Express must be on its wireless LAN, by definition. Then, for the Express to communicate beyond that network, whatever the Express connects to must also be accessible to those clients. Therefore if the Express is deriving its Internet connection from your City Hall's LAN, it will be available to anything connecting to the Express's wireless network.

To keep wireless clients separated from one another is a function of those wireless clients. Anyone can elect to make his or her computer hidden from the network by disabling its "sharing" ability. The same holds true for other devices on the City Hall LAN - that is the responsibility of each network client.

Many people elect to enable their computer's "sharing" feature, but this ought not be a concern. A user name and password is still required to do anything with them.

It's very easily doable. The "guest" feature enables people to enjoy a wireless connection without giving them your personal wireless network's name and password, which you ought to keep to yourself. The ability for "guests" to communicate with each other is turned off by default anyway:

If you would like to allow your Guest network clients to communicate with each other via File Sharing, open AirPort Utility and enable the "Allow guest network clients to communicate with each other" option under the Guest Network tab.

(From About the Guest network feature)

That is different from what you asked though. The ability to keep those wireless clients completely segregated from each other is an esoteric feature that probably is not worth you or your mayor's concern. Is your paranoid mayor concerned about City Hall's present network (wired or wireless)? If not, what you propose is no justification for any additional concern. If so, she needs to implement some basic network security, in the very unlikely event that has been overlooked all these years. Your proposal has no effect on that subject either.

The guest network can have its own name, password, and security, so you can give those credentials to your attendees. Once they leave, you can disable that network, change its name or password, or as you implied, simply remove your Express from City Hall.

The Guest network is designed to do exactly what you want. I thought you were concerned about something much more extreme than that.

Maybe. I never use the AirPort iOS app because it either appears to be limited in its abilities, or it really is. It's one of the few apps I actually deleted. Whenever I need to administer an AirPort Base Station I use AirPort Utility 5.6 for OS X.

The iOS AirPort Utility does have the ability to manage a guest network for a late-model AirPort Extreme, but it does not give you the checkbox to "Allow guests network clients to communicate with each other that is available in Mac OS X AirPort Utility 5.6.1; neither does OS X AirPort Utility 6.1.

The problem is, I can't find it. I am using the AirPort App on my ipad and I can't find any Guest configuration. Am I looking in the wrong place?

Apple assumes that you will be connecting the AirPort Express to a simple modem....not a modem/router or gateway type of device, or network server.

The Guest Network feature can only be enabled when the AirPort is set as the router controlling DHCP and NAT for the network.

If the AirPort is in Bridge Mode, the option to enable the Guest Network will not even appear in AirPort Utility.

On your iPad.....

Tap to open AirPort Utility

Tap the AirPort Express, then tap Edit

Is there a setting for Guest Network here?

If yes, tap to continue the set up

If no, tap the Advanced tab at the bottom

Tap DHCP and NAT

Tap Router Mode

If the setting for DHCP and NAT is set to Off (Bridge Mode), the Guest Network feature cannot be enabled in this setting.....which is the correct setting for the AirPort on your network. It's a Catch 22.

You might be able to configure the AirPort to operate in DHCP and NAT mode on the network, but there will be challenges to overcome....namely DHCP conflicts and Double NAT issues.

"With AirPort Express you can: ... Create a guest network with or without password protection, to give wireless Internet access to friendship and visitors. Devices that connect to the guest network only have access to th Internet."

Unfortunately, Apple left out the part about...IF..you have a simple modem.

Maybe you could use the wireless on the Motorola gateway as a "guest" network?

Or swap the modem/router you have now for a simple modem.

Otherwise, you have to try to "break the rules", which I do not recommend.