
jeb54321

join:2002-06-05

Chaining wireless routers safely

I'd like to add a new WAP to my home network, without making any wiring changes, but isolate the guest account feature of it from my home network.

My WNR3500 is all the way at the other end of the house from my "playroom" near the FIOS equipment. As a result, the signal is very weak. I bought a second WAP, a WNDR3700. It has a "guest" access feature. I'd like to enable it so that visitors connected as guests in the playroom can access the internet, but not my home network.

However, I need to connect the WNDR3700 to the internet way on the far side of the house to my broadband hardware.

Since the house is wired, it's a simple matter to plug in the WNDR3700 in the playroom.

But that means my new WNDR3700 is effectively plugged in to one of the ports on my WNR3500 which services the house through a number of gigabit switches, so whatever the WNR3500 can see, the WNDR3700 can see also, because it's on the same LAN (10.0.0.*).

The "worst" case scenario is that I could switch the copper port for the playroom from the WNR3500 directly to the FIOS modem, and basically run two completely separate networks, which will likely present its own problems with gaming, etc. (I'm also not sure if FIOS allows that - I know back in the day that you were only allowed a single connection, and had to use NAT to pretend your other computers were all the same one).

But I'm wondering if I can't perform some magic with NAT forwarding, the guest feature, static routes, etc. such that the WNDR3700 is still plugged in to the WNR3500, but basically has a "tunnel" through the WNR3500 so it can see the internet, but not the other things that the WNR3500 can see, like my NAS and other hardwired devices and PCs.

The WNDR3700 has a "WiFi isolation mode", but since it's a part of the 10.0.0.* network, it doesn't prevent the WNDR3700 from seeing anything that the WNR3500 sees.

I might have more flexibility if I swap the two, but the WNDR3700 is much faster with more options, and that's what I'd like to have in the playroom.

It may even be that the WNDR3700 has better reception and transmission, and I might just be able to completely replace the WNR3500 way at the other side of the house, and still get good reception out over the garage. I haven't tried that yet.

But the geek in me demands I investigate a much more complex technical solution before I actually try the obvious, and simpler approach.

So, is there a way with these seemingly sophisticated and capable devices to run one WAP through another, yet not see the other network devices on the WAP that the WNDR3700 is passing through? I don't think using the WNDR3700 as a range extender would do what I want.

I *think* that this is the sort of thing that a VPN is designed to solve, but I don't have any VPN hardware, nor enough experience with the VPN to know if it would help. But I'm guessing if the WNDR3700 doesn't understand VPNs, I couldn't get that to work anyway.

Here's a picture, hopefully worth more than my 1000 words:

. . . . . . . . . . . . . - - - - - NAS
. . . . . . . . . . . . /
internet - FIOS modem - WNR3500 - - WNDR3700 (dots are just for spacing)
. . . . . . . . . . . . \
. . . . . . . . . . . . . - - - - - Other PCs and such

In this picture, the NAS and PCs all talk to each other through the WNR3500, but clients coming in to the WNDR3700 Guest WiFi network can not, and can only see the internet.

Thanks for entertaining my impossible whim.

Jim



nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse

1 recommendation

There are routers which support a separate guest network. That is probably the best approach.

Your plans are probably enough for your needs. However, at least in principle, users on the guest LAN could see anything on the WAN connection to that LAN, which includes all of your PCs. You would actually have better isolation if the guest computers were at the top level, and the NAS and other PCs were behind that additional router.
--
AT&T Uverse; Zyxel NBG334W router (behind the 2wire gateway); openSuSE 12.1; firefox 14.0.1
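
Added example, not part of nwrickert's post: on a cascaded guest router whose firmware exposes a Linux shell with iptables (dd-wrt is assumed here), the exposure described above can be closed by dropping guest traffic addressed to the home LAN (10.0.0.* in this thread). The guest interface name br1 and the resolver address 10.0.0.1 are assumptions.

```shell
#!/bin/sh
# Added example. Run on the INNER router (the one serving guests).
# Assumed, not from the thread: guest interface br1, a firmware shell
# with iptables (e.g. dd-wrt), upstream DNS at 10.0.0.1.

is_ipv4() { printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }
is_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# guest_isolation_rules GUEST_IF HOME_LAN_CIDR [DNS_IP]
# Prints rules only; pipe the output to sh to apply them.
guest_isolation_rules() {
    gif=$1 lan=$2 dns=$3
    [ -n "$gif" ] || { echo "missing guest interface" >&2; return 2; }
    is_cidr "$lan" || { echo "bad CIDR: $lan" >&2; return 2; }
    if [ -n "$dns" ] && ! is_ipv4 "$dns"; then
        echo "bad DNS address: $dns" >&2; return 2
    fi

    # NAT on this router does not filter outbound connections: without
    # these rules a guest can open connections to any home-LAN host.
    # Packets forwarded toward the home LAN:
    echo "iptables -I FORWARD 1 -i $gif -d $lan -j DROP"
    # Packets addressed to this router's own WAN-side (home-LAN) IP:
    echo "iptables -I INPUT 1 -i $gif -d $lan -j DROP"

    # Optional exception when guests are handed a resolver inside the
    # home LAN. Each "-I ... 1" lands above the DROP emitted earlier.
    if [ -n "$dns" ]; then
        for proto in udp tcp; do
            echo "iptables -I FORWARD 1 -i $gif -d $dns -p $proto --dport 53 -j ACCEPT"
        done
    fi
}

guest_isolation_rules br1 10.0.0.0/24 10.0.0.1
```

Internet-bound packets are unaffected: their next hop is the upstream router, but their destination address lies outside the home-LAN range, so the DROP rules never match them.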



antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:4
Reviews:
·Time Warner Cable

said by nwrickert:

There are routers which support a separate guest network. That is probably the best approach...

Do these guest networks still have password/key prompts to use them? I don't want neighbors/outside strangers to use my wifi.
--
Ant @ AQFL.net and AntFarm.ma.cx. Please do not IM/e-mail me for technical support. Use this forum or better, »community.norton.com ! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer.


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse

said by antdude:

Do these guest networks still have password/key prompts to use them? I don't want neighbors/outside strangers to use my wifi.

I suppose it depends on the router.

The one I am using (no longer available) does. I can set up encryption, SSID, etc., just as for the regular network. Both guest and regular network are on the same WiFi channel (since they use the same chip). The guest network has a different range of private IPs (configurable), and cannot connect to the regular network, but it can see the Internet.

I think the dd-wrt alternate firmware, available for some routers, has guest network support.
--
AT&T Uverse; Zyxel NBG334W router (behind the 2wire gateway); openSuSE 12.1; firefox 14.0.1


SoonerAl
Premium,MVM
join:2002-07-23
Norman, OK
kudos:5
reply to antdude

said by antdude:

said by nwrickert:

There are routers which support a separate guest network. That is probably the best approach...

Do these guest networks still have password/key prompts to use them? I don't want neighbors/outside strangers to use my wifi.

I happen to use an older ZyXEL NBG334W router with a separate guest network function. It works very well for my usage...

»theillustratednetwork.mvps.org/L···eLan.png

The guest WLAN and private LAN/WLAN are completely isolated from one another and both are password/passphrase protected. In my case I use WPA2-Personal (aka WPA2-PSK [AES]) on both networks.
--
"When all else fails read the instructions..."
MS-MVP Windows Expert - Consumer