The following is taken from an article on CNET entitled How to be an ISP: Build your own hot spot
(Note: I have informed CNET of the mistake and the writer has since updated his article)
"The easiest way to do this is to use two routers. The first router is used for your home to create a private network. With most existing Internet providers, this router will act as a gateway with NAT. You don't need to worry about what passwords or data travel over this network (you can allow Windows file sharing, or you might telnet from one local machine to another) because only trusted people have physical access to the network. If this router is wireless-capable, you will need to encrypt the connection to make sure only trusted people can connect to the network.
The second router is the wireless router that you want to use to offer access to the public. This router needs, in turn, to have NAT function of its own. This means once plugged in the first router, the second router will take the connection to the Internet from the first router and create a captive local network of its own, separate from that of the first router. In short, the NAT function of the second router acts as a firewall that separates the two networks"
There were no topology in his guide but if I understand the writer correctly, based on a typical home setup, what he suggested should look like the following
If I am right, then the above mentioned part of his article is totally wrong.
By having another network behind a router and NAT does not protect the network in front of it. In fact, the protection is the other way round. This is the case with any typical home network where being behind the NAT provides somewhat of a 'protection' from the Internet, and not the other way round.
Building two totally separate and secured network is not that hard but not as simply as relying on NAT. But based on this article, the right way is to actually reverse the function of the two routers. In other words, the first router is the wireless router that you want to use to offer access to the public and the second router is used for your home to create a private network. The NAT on the second router will provide the private network protection from the hot spot network.
The only problem then is the double NAT which makes hosting services in the private network a real pain in the ass.