I have a user behind a 871w router in their home that we want to create a separate wireless network for the kids and guests. The user's pc whether it is connected to the 871 wired or wireless will be on vlan1 and get its ip address from the router. Any other user will strictly be wireless on a separate vlan with a separate ip address range. Both ssids will use encryption on join the wireless networks. Do I need to create two separate bridge groups? Two separate dot11 interfaces? I believe so. However I am confused with nat? Do I also have nat on the second bvi interface that is for the guest network? It's been a long time since I done this and a not clear about the procedure.
yes, you need to create a new dot11 subinterface, as it's only going to be wireless, you don't need hte BVI, you can put the IP address right on the dot11 subinterface. Then teh ip nat inside statement goes there. And you'll want to add that new subnet to the NAT ACL so that it is allowed to get to the interwebz.