AP Mode Denied LAN Access

fotingo

Regular Contributor
Hello,
Is there a way to have wireless clients connected to 2nd router in AP mode to not have access to the LAN?


I have the 2nd router in AP mode connected to main router via Ethernet. This AP is providing wireless access to some clients, but I do not want them to access the LAN.
Is that possible?

Thanks.
 
but I do not want them to access the LAN.
Is that possible?
YES.
Check out Firewall > Network Services Filter. But you may need to place your 2nd router in "Wireless Router mode".

Deny your 2nd router's subnet clients from accessing your 1st router's subnet.

Example:
1st router subnet: 192.168.80.X
2nd router subnet: 192.168.50.X
  • IF 1st router LAN port is plugged into the WAN port of the 2nd router (piggy-back)
  • AND you want to keep 2nd router clients from accessing the 1st router LAN,
  • THEN, Add this to your Network Services Filter on the 2nd router
Destination IP: [192.168.77.*] Protocol: [TCP]
Destination IP: [192.168.77.*] Protocol: [UDP]
(no need to enter "Source IP" or "Port Range" fields.)
This setup will permit your 2nd router clients to access your 1st router's gateway and internet access.
 
Thanks for the reply. I should clarify.. the wireless devices connected to the AP are wireless cameras, therefore, I need them to be on the same subnet so I can view them on its respective app and NVR because my phone and NVR are connected to the main router, which is on 192.168.1.1 Network.

I had them connected to the main router which I have YazFi enabled, but it was causing issues and disconnects. So it was recommended to keep the wireless cameras on a separate Router and with its own SSID and channel different than the Main router.

I have done that and it's working much better than before, but I realized that because the 2nd router is in AP mode, the firewall is disabled and I cannot block access to the LAN anymore...unless I do what you suggest...is there any other way like via script?
 
Would this work for isolating IoT devices on an access point or second router so that it would not see or connect to any device on my main router? And would this only work for devices that are wirelessly connected to the second router or would it work for wired devices too?
 
in AP mode, the firewall is disabled and I cannot block access to the LAN anymore
Yep.

I too have several wired cameras. In my case, my Synology NAS has 2 LAN ports. I can configure my 2nd LAN port on my NAS to a sub-net different than my primary LAN. Then, I connect my 2nd NAS LAN port to a L2 switch and then connect all cameras with static IPs of the same sub-net to the switch.

This approach keeps all my camera communications on a "simple" LAN that is totally separate from my primary LAN. None of the camera communications go through my router.

My NAS LAN port #1 is connected directly to my router so that the NAS can push notifications to my mobile app either locally or remotely.

Does your NVR have 1 or 2 LAN ports? If just one, I think you are out of luck. If 2, then consider configuring as I have above.
 
I use Blue Iris NVR and the PC running it has 2 NICS. This is the way I have it running now. I have POE cameras connected to the 2nd NIC and the 1st NIC is connected to the main network.

To clarify, I have 3 POE cameras and 6 wireless cameras..and a wireless network for Guests.. Those wireless cameras and the Guest network are connected to the 2nd router (AP mode) as it was suggested on another forum. But, the issue I have now is that I lost the capability of controlling who can access the main LAN and who cannot.

So you're saying the only way is to set 2nd router as Wireless Router Mode?
I will try that then...but I have a question...

Once I do that.. will I be able to set a device to have LAN access one way only like with YazFi, but via the firewall?
What I mean is.. I don't want the clients to have full access to the LAN...only the main LAN to have access to the clients, not vice versa...if that makes sense.
 
Would this work for isolating IoT devices on an access point or second router so that it would not see or connect to any device on my main router? And would this only work for devices that are wirelessly connected to the second router or would it work for wired devices too?
If you have 2 routers and the LAN port of router #1 is connected to the WAN port of router #2 (piggy-back), AND both routers are in "Wireless Router Mode", then you can have ALL devices connected to router #2 (wired or wireless) completely isolated from ALL devices connected to Router #1.

Remember, router #2 LAN must be on a separate subnet. AND, you must configure WAN settings on router #2 to a static IP of router #1 subnet.
 
Remember, router #2 LAN must be on a separate subnet. AND, you must configure WAN settings on router #2 to a static IP of router #1 subnet.
so it would be something like..

Router 1 is 192.168.1.1 Network

Router 2 LAN is 192.168.2.1
Router 2 WAN is 192.168.1.2?

 
Once I do that.. will I be able to set a device to have LAN access one way only like with YazFi, but via the firewall?
What I mean is.. I don't want the clients to have full access to the LAN...only the main LAN to have access to the clients, not vice versa...if that makes sense.
Not sure about YazFi. That is above my pay grade. Perhaps someone else with more experience can help.
 
so it would be something like..

Router 1 is 192.168.1.1 Network

Router 2 LAN is 192.168.2.1
Router 2 WAN is 192.168.1.2?
YES. I believe that is what you would need. My notes on how this was done are for a different model router than I currently have. So I am not sure which menu items need changing. But in general, you want to configure router #2 in such a way that its WAN connection points to Router #1....

LAN IP: 192.168.2.1 [corrected]
Subnet Mask: 255.255.255.0
DNS: 192.168.1.1
Gateway: 192.168.1.1

UPDATE...
On WAN UI page, select "Static IP" and input 192.168.1.2. For DNS setting, input 192.168.1.1.

On LAN > LAN IP screen, input your Router #2 info:
LAN IP: 192.168.2.1
Subnet Mask: 255.255.255.0

These steps will allow router #2 to connect (piggy back) to router #1. AND at this point, devices connected to Router #2 can access devices connected to Router #1. To isolate devices on router #2 from accessing router #1, add the "Network Services Filter" Deny settings to router #2.
 
Unfortunately it didn't work. I wasn't able to access the second router from the 1st one :(
 
I think I am over complicating things. There has to be an easy way of doing this.
I just need to have Router 2 to have internet access, but on a different network 192.168.2.1.

but, I also need to be able to connect to that AP router from the main router, but not vice versa.
So, the AP router should not have two way access to the LAN.

In other words, the main LAN can communicate with the AP, but not the other way around.
 
I think I am over complicating things. There has to be an easy way of doing this.
I just need to have Router 2 to have internet access, but on a different network 192.168.2.1.

but, I also need to be able to connect to that AP router from the main router, but not vice versa.
So, the AP router should not have two way access to the LAN.

In other words, the main LAN can communicate with the AP, but not the other way around.
Sorry it did not work for you. I agree with your observations: clients connected to router #1 will not be able to connect to clients on router #2 when both routers are in "Wireless Router Mode". Each subnet's clients are isolated from one another AND YET, router #2 clients can access the internet through router #1.

Even in my setup, I will not be able to access my cameras with my PC by IP address if my PC is not on the alternative (camera) subnet. However, in my case, my NVR (surveillance station) running on my Synology NAS has 2 LAN ports, each of which can be configured with static IPs.

Everything works as it should in my case. My mobile devices with a Synology Surveillance Station app can receive push notifications from my NAS and my NAS can manage the cameras through its 2nd LAN port.

If I need to access cameras by IP for maintenance purposes, I simply change my PC to an IP address on my alternate subnet and plug into an extra port on my switch.

I have complete isolation of all devices that are on the alt subnet from my primary LAN.
 
Unfortunately it didn't work. I wasn't able to access the second router from the 1st one :(
What kind of "access" do you need exactly? If you just need to access a specific server on a specific port on the second router's network you can do that with a port forwarding rule on the second router.
 
What kind of "access" do you need exactly?
All I need is this....
Router 1 - 192.168.1.1 network
Router 2 - 192.168.2.1, with internet access.

I would like to have access to router 2 from router 1 (meaning, while connected to router 1, I could type 192.168.2.1 and enter the GUI)
Also, I need to be able to view the wireless cameras connected to router 2.

but, I don't want router 2 to have full access to the LAN.. only one way, meaning, Router 1 can access router 2, but not vice versa.
 
All I need is this....
Router 1 - 192.168.1.1 network
Router 2 - 192.168.2.1, with internet access.

I would like to have access to router 2 from router 1 (meaning, while connected to router 1, I could type 192.168.2.1 and enter the GUI)
but, I don't want router 2 to have full access to the LAN.. only one way, meaning, Router 1 can access router 2, but not vice versa.
Then on router 2 go to Administration - System > Remote Access Config and set Enable Web Access from WAN = Yes.

You would then access router 2's GUI using its WAN IP address, e.g. https://192.168.1.2:8443/
 
Router 2 is set as an AP. Do I need to set it in Wireless Router Mode?

and, by doing this.. does this mean only router 1 can access router 2, but not the other way around?
 
Well, let me ask this...
Is it better for router 2 to assign IPs or to let router 1 do it?

Router 2 will have security cameras (wired/wireless), but on a different network 192.168.2.1.
I thought I could have Router 2 connected LAN to LAN to router 1 while in different networks and both routers would have internet access.
 
If you daisy-chain two routers, by default the first router (and its clients) will not be able to initiate traffic with clients connected to the second router, but the 2nd router/clients will be able to initiate traffic with the first router's clients.

The very simplest thing you can do is swap routers or at least their clients (cameras / smart devices on router 1, your "main" network on router 2). Though if having another level of NAT is problematic for your "main network" then you'll have to explore a less-simple solution.
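
For readers asking about a script-based version of the deny rule discussed in this thread: the following is an added example, not code from any poster or from the router firmware, and it only applies when router 2 runs in Wireless Router mode with shell access to iptables. The bridge name `br0`, the `DRY_RUN` switch and the function names are assumptions; the subnet is the 192.168.1.x addressing used in the posts.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed values: LAN bridge name br0 and
# the 192.168.1.0/24 upstream subnet used in the posts above.
LAN_IF="${LAN_IF:-br0}"
UPSTREAM_NET="${UPSTREAM_NET:-192.168.1.0/24}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the rules, 0 = apply them (needs root)

# Accept only dotted-quad/prefix input so nothing else reaches the command line.
valid_cidr() {
    case "$1" in ''|*[!0-9./]*|*/*/*) return 1 ;; */*) ;; *) return 1 ;; esac
    addr="${1%/*}"; bits="${1#*/}"
    case "$addr" in *.) return 1 ;; esac
    case "$bits" in ''|*.*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    old_ifs="$IFS"; IFS=.; set -- $addr; IFS="$old_ifs"
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
}

# Emit the rules in the order they must end up in the FORWARD chain.
isolation_rules() {
    valid_cidr "$2" || { echo "bad subnet: $2" >&2; return 1; }
    case "$1" in ''|*[!A-Za-z0-9._-]*) echo "bad interface: $1" >&2; return 1 ;; esac
    # 1. Replies to connections opened from router 1's side (e.g. through a port
    #    forward on router 2) must still pass, so this sits above the DROP.
    echo "iptables -I FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 2. New connections from router 2's LAN into router 1's subnet are dropped.
    #    Internet traffic has a destination outside that subnet and is untouched.
    echo "iptables -I FORWARD 2 -i $1 -d $2 -m state --state NEW -j DROP"
}

# Print the rules (DRY_RUN=1) or run them one by one (DRY_RUN=0).
apply_isolation() {
    rules="$(isolation_rules "$LAN_IF" "$UPSTREAM_NET")" || return 1
    echo "$rules" | while read -r rule; do
        if [ "$DRY_RUN" = "1" ]; then echo "$rule"; else $rule || exit 1; fi
    done
}

apply_isolation
```

Clients behind router 2 need router 2 itself as their DNS server, because direct queries to an address inside the upstream subnet match the DROP rule.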
 
