Which router should i buy?

[javidr]

Hi

I have a pretty old router and i want to buy a new one. The main reason for that is that i want to create two independent networks at home and this router doesnt support this

I have been recommended Asus RT-NT66U and Netgear R6400. Both of them look good for me. Maybe the R6400 is better as it supports AC, but both to their job

Which one would you recommend? Would you also suggest another option?

Thanks

 

[L&LD]

The (correct) model number is RT-N66U, but I would not recommend either of those options today.

If you have a Best Buy available in your area the best bang for the buck right now is the RT-AC1900P which I would recommend with RMerlin's firmware (you would use the RT-AC68U firmware on it).

If budget is an issue, the RT-AC56U is also considerably better than your initial options too. Can be found on sale in the $50 range.

If budget is not an issue, the RT-AC3100 or the RT-AC88U is what I would suggest you consider.

With any of the choices above, I can't emphasis enough how important it is to flash with RMerlin's firmware on any of them for the most features (without losing any features from the stock firmware) and the highest stability.

With two routers, you can create your two networks easily. Simply use the new router with one private IP range (i.e. 192.168.1.xxx) and plug in to the WAN port of your current router (from the new router's LAN port) and use a different private IP range (i.e. 10.0.8.xxx).

Anything connected to either router should be now isolated to anything connected to the other.

 

[crazyontech]

If you like tinkering with a router, you can also buy T-Mobile, TM-AC1900 (Actually AC68U hardware) for about $90 and flash it over to Merlin firmware.

 

[RMerlin]

Hi

I have a pretty old router and i want to buy a new one. The main reason for that is that i want to create two independent networks at home and this router doesnt support this

I have been recommended Asus RT-NT66U and Netgear R6400. Both of them look good for me. Maybe the R6400 is better as it supports AC, but both to their job

Which one would you recommend? Would you also suggest another option?

Thanks

Depends what you mean by "independent networks". If you're thinking VLANs, then you will need to either rely on a managed switch instead (look at the Netgear GS108Tv2 for a nice affordable one), or a router with more advanced capabilities than offered by the stock firmware of these two models.

If you just want to have wireless clients limited to Internet access, any recent Asus router will do the job. I would consider the RT-AC56U or RT-AC55U then. I'm not familiar enough with Netgear's product to know if they could do the job.

 

[RMerlin]

With two routers, you can create your two networks easily. Simply use the new router with one private IP range (i.e. 192.168.1.xxx) and plug in to the WAN port of your current router (from the new router's LAN port) and use a different private IP range (i.e. 10.0.8.xxx).

Anything connected to either router should be now isolated to anything connected to the other.

That's not exactly true. Anything connected to the second router can access everything that's connected to the first router, upstream.

The only way to secure networks with multiple routers would require three routers: one fronting the Internet, and the two others connected to it. Not really an economical setup, unless your ISP-provided modem has a decent enough router mode to handle the primary upstream duties.

 

[L&LD]

That's not exactly true. Anything connected to the second router can access everything that's connected to the first router, upstream.

The only way to secure networks with multiple routers would require three routers: one fronting the Internet, and the two others connected to it. Not really an economical setup, unless your ISP-provided modem has a decent enough router mode to handle the primary upstream duties.

Not in a default configuration as I explained? Without explicitly giving access?

If it did, what would make the use of three routers work then? Just the fact that the main router is only handling the internet?

 

[Nullity]

Not in a default configuration as I explained? Without explicitly giving access?

If it did, what would make the use of three routers work then? Just the fact that the main router is only handling the internet?

With the default (NAT, no port-forwards) 3 router setup, neither of the leaf routers can access the other leaf router's networks.

If only 2 are used then the 2nd network can access the entire upstream network.


IPv6 likely makes things more complex because of the possible lack of NAT.

 

[RMerlin]

Not in a default configuration as I explained? Without explicitly giving access?

Yes, it will. Once the traffic leaves the second router's WAN port, the primary router LAN port is going to see a request for an IP within its own LAN, which means it will get routed to that destination. Only traffic not intended for itself gets forwarded to the default gateway (which is its own WAN port).

Look at it this way: traffic that reaches a LAN port has the destination IP checked. If it's within the same subnet as that LAN, then the packet is sent to that destination within the local subnet. If not, it's sent to the default gateway on the WAN port. From that first router's point of view, the second router is just like any regular client, with a source and a destination IP within each packets.

I use that very configuration for a customer, because I just want to isolate downstream. I have two PCs behind the second router that are able to access a printer upstream of that second router. People between the two routers however are unable to access downstream of the second router.

 

[L&LD]

Yes, it will. Once the traffic leaves the second router's WAN port, the primary router LAN port is going to see a request for an IP within its own LAN, which means it will get routed to that destination. Only traffic not intended for itself gets forwarded to the default gateway (which is its own WAN port).

Look at it this way: traffic that reaches a LAN port has the destination IP checked. If it's within the same subnet as that LAN, then the packet is sent to that destination within the local subnet. If not, it's sent to the default gateway on the WAN port. From that first router's point of view, the second router is just like any regular client, with a source and a destination IP within each packets.

I use that very configuration for a customer, because I just want to isolate downstream. I have two PCs behind the second router that are able to access a printer upstream of that second router. People between the two routers however are unable to access downstream of the second router.

RMerlin, thank you for expanding on this. Is a diagram available that would summarize your post quoted above (I'll admit I'm getting a little lost with the 'upstream' and 'downstream' of first and second router flows).

It seems I've obviously wrong, but I could have sworn I had this working as I described for a customer a fairly long time ago.

 

[RMerlin]

<modem> === <Router1> === <Router2>    <---upstream is this way

 

[L&LD]

<modem> === <Router1> === <Router2>    <---upstream is this way

Short, concise and clear! Thank you.

 

[pete y testing]

<modem> === <Router1> === <Router2>    <---upstream is this way

i think this also depends on the router and firmware as it works by passing forward unknown ip addresses thus allowing access to ip addresses on the primary router from behind the secondary router

some routers and firmware just dont handle unknown ip addresses , where others seem to pass forward unknown ip addresses through the wan port

eg case in point , with some routers you can have say

router 2 subnet 192.168.0.1

router 1 subnet 192.168.1.1

if your connected to router 2 and get a subnet address 192.168.0.xxx and try 192.168.1.1 you will still have access to the primary routers gui even through you are on a separate subnet and thus you can also access any other device on the other subnet the same way

i think its all in how the coding is done however as not all routers passforward unknown ip addresses

pete

edit - this is the method we use to access a modems gui once its placed in bridge mode from behind the router

 

[RMerlin]

eg case in point , with some routers you can have say

router 2 subnet 192.168.0.1

router 1 subnet 192.168.1.1

if your connected to router 2 and get a subnet address 192.168.0.xxx and try 192.168.1.1 you will still have access to the primary routers gui even through you are on a separate subnet and thus you can also access any other device on the other subnet the same way

This is precisely the setup I provided, and this works due to how TCP/IP routing works, not due to any special code level trick.

Modems are a different case, because your router typically does not have an IP within the modem's subnet, so the traffic gets sent to your WAN's default gateway, which lies at your ISP (who will discard it as not having any route to that subnet), not in your modem. In this dual router setup, router 2 does have an IP (its WAN interface) within router 1's LAN, so just straight routing handles everything.

When any router gets a packet, it checks first if it's for itself. If not, it gets matched against routing table (that's why it's called a router - it sends traffic according to routing tables). In Asuswrt's case, LAN subnet is tied to the br0 interface (the LAN bridge), so it gets sent there. If no route matches (i.e. not a VPN tunnel IP), the default gateway gets the packet (which means the gateway defined on the WAN interface).

 

[pete y testing]

This is precisely the setup I provided, and this works due to how TCP/IP routing works,

however not all routers do this , some just ignore unknown ip requests and dont forward them to the wan port

 

[RMerlin]

however not all routers do this , some just ignore unknown ip requests and dont forward them to the wan port

Then how do they route Internet traffic?

 

[pete y testing]

Then how do they route Internet traffic?

lol well above my pay grade

all im saying is that , if you bridge say a modem and leave its lan ip address at say 192.168.0.1 and run a wireless router behind it with a lan ip address of 192.168.1.1
only some routers will pass forward the 192.168.0.1 request so that you can open the gui of the bridged modem at 192.168.0.1 , i believe its a private ip address thing but not 100% sure

so it must be something in the coding that allows some routers to pass forward these unknown private ip addresses where other routers dont

 

[RMerlin]

so it must be something in the coding that allows some routers to pass forward these unknown private ip addresses where other routers dont

For this to work, your WAN interface needs an IP within the same subnet. It probably works for some because the modem has a DHCP server running, and the router obtains a lease from that subnet. This mostly happens with PPPoE - some routers like Asus will run both DHCP and PPPoE on the WAN interface.

This is a very specific scenario, unrelated to the previous discussions of a double NAT network setup however.

 

[pete y testing]

This is a very specific scenario, unrelated to the previous discussions of a double NAT network setup however.

im not sure it is

i have the orbi system on a lan ip address of 10.0.0.1 ( running in router mode ) and its connected to the asus rt-ac88u lan port , the asus rt-ac88u is running a lan ip address of 192.168.1.1

my comp is connected to the orbi router via wifi and has an ip address of 10.0.0.5

i have a gigaset c610a connected to the asus ethernet lan port and has an address of 192.168.1.239

if i put 192.168.1.239 in the browser of the comp connected to the orbi i can open and access the gui of the gigaset voip device even though its on a different subnet

so a router behind a router does not isolate the devices behind the secondary router from accessing those devices connected to the primary router

it will however isolate one secondary router from another

pete

 

[Nullity]

so a router behind a router does not isolate the devices behind the secondary router from accessing those devices connected to the primary router

it will however isolate one secondary router from another

pete

That's precisely what RMerlin has been talking about... and that's why he advised the 3 router setup.

NAT requires port-forwarding for external hosts to access internal hosts.