two router guest network issues

Sxotty

I want to connect from modem to my router for my lan then use second router to provide guest wifi. However, if I use the 2nd router I also need to use a lan port on 2nd router for htpc. Is there a way to keep lan ports of 2nd router on same subnet as first router and still have the WiFi of 2nd router isolated?

Basic layout:
Modem --> router 1 (with most of LAN and WiFi) --> router 2 (with guest WiFi and rest of LAN)

Should I just hook up switch for rest of lan and hook router 2 to switch or is it possible to do what I want with just two routers?

edit:

LOL I apparently forgot that I had set my laptop not to obtain the IP address automatically at some point when I was messing about. The second router said it did not have internet access and I believed it. Upon changing laptop to obtain IP automatically I was able to get on the internet through lan port of the 2nd router which has the AP isolated. I will have to check and see if it actually is later. What is the best way to do this? Will the getmac command alone be sufficient?

Bah I can see all the other computers on my network through WIFI so apparently the set AP isolated command in ASUS routers is ineffective, but the getmac command did not show them.
 
Don't rely on "security" commands on a consumer POS router (all consumer kit is a POS).

What do you mean by isolation? At layer 2 (VLANs), at layer 3 (VRFs)? Do you want to firewall between layer 3 segments?

Generally speaking you won't find many consumer devices that implement any of this very well, if at all. Just use WPA2 without WPS and live with everything being on the same segment. WPA2 is likely the thing implemented most securely, as they have to follow a standard for that to actually work.
 
Is your 2nd router being used as a wireless repeater to connect to the 1st router? If physical distance is not an issue then I would use a small switch to add more ports to the main router and then use a separate "extender/repeater" to add guest WiFi access.

Normally you can't cascade routers unless you turn off the DHCP servers on the cascaded routers and turn them into dumb access points/switches.
 
If what you want is to prevent computers on the 2nd router from being able to see other computers on the 1st router, then the best way for a consumer router is to make it a NATed subnet of the 1st router, i.e. you connect it to the 1st router through its "WAN" port, using DHCP. This puts all clients on the 2nd router in a NATed domain. This could cause some problems for a few applications but it should be secure. However, if you do it this way, the HTPC connected to the 2nd router wouldn't be able to see computers on the 1st router.

Using different subnets is not secure because it's easy to manually change IP address.
 
Thanks for the info.
I have an ASUS RT-AC68U for the main router and an ASUS RT-AC66U for the secondary router. It does appear that the functions of the AC66U are not really active if the DHCP server is off. I wanted to use it as a router so I had access to the bandwidth management and so forth. If I make it an AP then I cannot do that anymore. Maybe the problem is that the first router is the DHCP server so anything connecting to the network has to get access through the AC66 to the AC68. I have an old Netgear switch lying around that I can plug into the network between the two routers, but it seems wasteful to run a 16-port switch just for the HTPC :).

@Pcchen, yes I tried that earlier and it worked to isolate the network, but the HTPC obviously could not get the NAS on the primary network.
Right now I had this
Code:
                ____primary network (NAS and everything else)
               /
MODEM--> AC68U<              HTPC
               LAN of AC66U<
                              - GUEST network

Which was obviously insecure.




So if I do connect it like this

Code:
                ____primary network (NAS and everything else)
               /
MODEM--> AC68U<         HTPC
                SWITCH<
                        WAN of AC66U - GUEST network

Then it should make the GUEST network properly isolated and secure while retaining the ability of the HTPC to access the rest of network. Basically I was just wondering if that was the only easy way to do this. The AC68U should be able to limit the bandwidth of the 66U and thus the guest network, but the switch seems kind of lonely with only two connections :).
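
Added example (not written by any poster in this thread): a check to run from a client on the guest WiFi that tries TCP connections to primary-LAN hosts. NAT on the second router stops connections initiated from the primary LAN toward guests, but guest clients can usually still open connections toward upstream addresses, so isolation is worth testing from the guest side. The addresses and ports are constructed placeholders.

```python
import socket

# Constructed sample targets; replace with hosts known to be up on your own
# primary LAN (addresses and ports here are assumptions, not from the thread).
PRIMARY_LAN_TARGETS = [
    ("192.168.1.1", 80),    # assumed: primary router admin page
    ("192.168.1.10", 445),  # assumed: NAS file share
]


def tcp_probe(host, port, timeout=1.5):
    """Classify one TCP connect attempt as 'open', 'closed' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # full handshake: guest side reaches the service
    except ConnectionRefusedError:
        return "closed"          # a reset came back: something answered upstream
    except OSError:
        return "filtered"        # timeout or no route: nothing answered


def check_isolation(targets, timeout=1.5):
    """Return (isolated, results). Isolated only if every probe got no answer."""
    if not targets:
        raise ValueError("no targets given; an empty check proves nothing")
    results = {(h, p): tcp_probe(h, p, timeout) for h, p in targets}
    isolated = all(state == "filtered" for state in results.values())
    return isolated, results


if __name__ == "__main__":
    ok, results = check_isolation(PRIMARY_LAN_TARGETS)
    for (host, port), state in results.items():
        print(f"{host}:{port} -> {state}")
    print("guest side isolated" if ok else "guest side can reach the primary LAN")
```

A powered-off target also shows as "filtered", so probe hosts that are known to be running. `getmac` without arguments lists only the local machine's adapters, so it does not test reachability.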
 