AP Mode Denied LAN Access

[ColinTaylor]

Router 2 is set as an AP. Do I need to set it in Wireless Router Mode?

Yes. This was in addition to @PunchCardBoss's description of a two router setup.

and, by doing this.. does this mean only router 1 can access router 2, but not the other way around?

It means that clients on the router 1 network can access the GUI of router 2.

Clients on the router 2 network cannot access anything on the router 1 network because they are blocked by your Network Services Filter rule, which would be:

Destination IP: 192.168.1.0/24 Protocol: TCP
Destination IP: 192.168.1.0/24 Protocol: UDP

 

[fotingo]

Destination IP: 192.168.1.0/24 Protocol: TCP
Destination IP: 192.168.1.0/24 Protocol: UDP

so I add this to Network Services Filter on router 2?

 

[fotingo]

I have done what PunchBros said, but I was not able to communicate with router 2 from router 1.

 

[ColinTaylor]

so I add this to Network Services Filter on router 2?

Yes.

I have done what PunchBros said, but I was not able to communicate with router 2 from router 1.

You have to give more detail in your reply. Which of the many things @PunchCardBoss said are you referring to? What exactly do you mean by "communicate", what are you doing exactly?

 

[fotingo]

Just wanted to clarify again.. I need to be able to pull 192.168.2.1 while connected to router 1, but not vice versa.
also, if I set this on router 2, I lose internet connection altogether on router 2.

 

[fotingo]

what are you doing exactly?

All I need is for devices connected to router 1 to "see", "communicate", "talk to"...whatever the technical wording is... with router 2 devices...but router 2 devices should not do the same with devices on router 1.

I apologize if this feels like pulling teeth, but I don't know the correct terminology and I am sure it makes it harder to explain and for you guys to understand what I need.

 

[ColinTaylor]

also, if I set this on router 2, I lose internet connection altogether on router 2.

I don't know why that would happen unless you have made some other changes to router 2's default settings.

All I need is for devices connected to router 1 to "see", "communicate", "talk to"...whatever the technical wording is... with router 2 devices...

As I said earlier, you would need to setup port forwarding rules for each on the devices on the router 2 network you want to talk to.

 

[fotingo]

I don't know why that would happen unless you have made some other changes to router 2's default settings.

Never mind about this.. I do still have internet access...

As I said earlier, you would need to setup port forwarding rules for each on the devices on the router 2 network you want to talk to.

how would that look like?

Also, how can I access router 2 gui from router 1?

 

[ColinTaylor]

Router 2 was reset to factory settings, there are no configurations done to it. Only wifi ssid and setting the LAN IP to 192.168.2.1. Everything else is factory.

Then I have no idea.

how would that look like?

Look at the WAN - Virtual Server / Port Forwarding page. It's self explanatory.

Also, how can I access router 2 gui from router 1?

I told you in post #16.

 

[fotingo]

Look at the WAN - Virtual Server / Port Forwarding page. It's self explanatory.

I looked at that and tried to understand it...it's a bit difficult for someone like me to understand what all those settings mean and do.
The WAN IP on router 2 shows as 192.168.1.88 which is understandable as this router is connected to Router 1 via LAN to WAN.

I'm just having trouble trying to figure out the port forwarding on both routers since they would be different for both no?

I appreciate your time, but I understand it's a bit difficult to help someone with less knowledge. I will wait for someone that has time to guide me... thank you for your time though.

 

[glens]

Put your IOT stuff on the first router and your "main" network on the second router. Just try it.

 

[fotingo]

Put your IOT stuff on the first router and your "main" network on the second router. Just try it.

My IoT stuff are on the main router. The 2nd router is for my POE and wireless security cameras which are on another part of the property.
I had everything on the main router, but the wireless cameras were not getting a solid connection, so it was suggested to move all cameras to a separate router with its own SSID from the main router.

This is how I have it now and it's working fine with solid connection, BUT...I noticed because this 2nd router is set as an AP, it doesn't have the option to isolate devices. I tried setting the router in Wireless Router Mode, but then I cannot view the cameras on my phone anymore because they are connected to a different Network and my phone is connected to the main Router.

I just don't want to have to keep switching from one network to another and thought there was a simple way of having the two routers on different networks and for me to configure them in a way so I can decide which devices would have get access to the MAIN LAN and which don't.

Apparently there is a way, but it's way beyond my capabilities unfortunately.

 

[fotingo]

If there was a way to keep the 2nd Router in AP mode as it is right now and maybe via iptables deny or allow certain devices connected to Router 2 to have LAN access would be great as well.

Is there a way via iptables that for example.. Router 1 can "see" or "communicate" with a device on Router 2, but only way one..meaning that Router 2 device would not be able to communicate with any devices on Router 1?

 

[ColinTaylor]

If there was a way to keep the 2nd Router in AP mode as it is right now and maybe via iptables deny or allow certain devices connected to Router 2 to have LAN access would be great as well.

Is there a way via iptables that for example.. Router 1 can "see" or "communicate" with a device on Router 2, but only way one..meaning that Router 2 device would not be able to communicate with any devices on Router 1?

No that's not possible with AP mode.

 

[fotingo]

No that's not possible with AP mode.

So this cannot be done at the main router?
Meaning, even if the iptable is set on the main router to block LAN access to devices connected on router 2 which are on the same network?

or are you saying that because router 2 is set as AP mode, Router 1 has no control over it?

 

[ColinTaylor]

or are you saying that because router 2 is set as AP mode, Router 1 has no control over it?

This. iptables effects routing between networks. In AP there is no routing taking place (because you only have a single network) therefore iptables is not applicable.

 

[fotingo]

oh ok. I thought maybe via iptables I can deny access to the LAN to certain devices using their respective IPs.

 

[glens]

I noticed because this 2nd router is set as an AP, it doesn't have the option to isolate devices. I tried setting the router in Wireless Router Mode, but then I cannot view the cameras on my phone anymore because they are connected to a different Network and my phone is connected to the main Router.

I just don't want to have to keep switching from one network to another and thought there was a simple way of having the two routers on different networks and for me to configure them in a way so I can decide which devices would have get access to the MAIN LAN and which don't.

It's like I've said. When you put the second broadcaster as a router instead of AP, you created another network for whatever connects to the second router. By default, anything using the second router's network can initiate contact with anything on either network but stuff on the first network cannot initiate contact with anything on the second. This is exactly the reverse of what you're trying to achieve and the simplest remedy is to reverse the roles of the routers (which network of stuff they're hosting). That way, your phone, for example, connected to the second router will be able to query all the cameras, doorbells, or whatever on the first router's network, but none of them will be able to start a connection on their own to the phone.

 

[fotingo]

@glens The way my setup is now is... Router 1 is where the modem is. So from the modem, I connected the ETH cable to the WAN port of the router which makes it the main one... so, I would have to instead of connecting the modem to the WAN port of router 1, I would need to connect it to the LAN port, then from another LAN port of the router, run another ETH cable to Router 2's WAN port and make that one the main Router.

Is that OK? going from LAN to WAN. The ISP modem is set to bridge mode so I can only use port 1, all other ports of the ISP modem become useless. That's why the only way for me to do this is to go from Router 1 LAN to the WAN on Router 2.. making Router 1 the AP and router 2 the Main.

This sounds so confusing, but this is the only way for me to do this because I only have ONE Ethernet cable going from one side of the house to the other.

 

[glens]

I didn't try to decipher the whole post as you rather lost me in the first paragraph.

Modem connects via ethernet cable to the first router WAN as usual. This router would be hosting all your peripheral stuff you want isolated from your main network, but which stuff you want able to access the Internet. As well, the first router will be hosting your second router and /its/ network. From first router LAN port to second router WAN port. Computers, phones, etc. connect to second router and its network. Everything system-wide gets Internet access. Everything on second router can also reach and start a connection to anything on the first router network (i.e. use your phone to view images from a camera, or your laptop to adjust thermostat temperature). Things on the first router network can only communicate with things on the second router network when the second-router-network-thing /starts/ the communication.

This will be the situation with everything set to defaults on both routers, the second of which must be using a different network address range (which it should by default so long as it's the second router configured; connected in this manner).

You'll be able to mess things up from there, but at the start, with both routers newly-set-up it can be expected to act as I've described.