1 Modem, 2 Routers, 2 Separate Networks

[ruumee]

I could use a little guidance on this one. My roommate and I share a single internet connection through a cable modem but need to setup 2 separate wireless networks.

- He has an Apple Airport Extreme.

- I have an Asus RT-AC66U B1 with OpenVPN.

- These 2 networks and the devices connected to each should not talk to each other.

Any ideas on the best setup? Thanks!

 

[HeMaN]

First thought, add a small managed switch between the modem and the routers and use vlans. Say vlans 10 and 20.
Add both vlans (tagged) to the switchport connected to the modemrouter (pvid default: vlan 1) .
Vlan 10 pvid (default Vlan for untagged packets) on switchport connected to one router, Vlan 20 pvid on switchport connected to the other router.
Connect the routers with their Wan port to the switch and let them get their ip from the modem (probably in the 192.168.1.1/24 range).
Enable the dhcp server on the routers and let them give ip addresses to devices connecting to that router. For example one router 192.168.10.1/24 and the other 192.168.20/24.
You will have double nat this way, but networks completely separated.


Verstuurd vanaf mijn A0001 met Tapatalk

 

[HeMaN]

Or forget the switch, connect the Wan of the routers to the modem and set up different networks on both routers. Let the firewalls on the routers handle the separation of the networks by not allowing the incoming connections on their Wan (default behavior). Less secure i think as vlans but more than sufficient maybe)

Verstuurd vanaf mijn A0001 met Tapatalk

 

[CaptainSTX]

First thought, add a small managed switch between the modem and the routers and use vlans. Say vlans 10 and 20.
Add both vlans (tagged) to the switchport connected to the modemrouter (pvid default: vlan 1) .
Vlan 10 pvid (default Vlan for untagged packets) on switchport connected to one router, Vlan 20 pvid on switchport connected to the other router.
Connect the routers with their Wan port to the switch and let them get their ip from the modem (probably in the 192.168.1.1/24 range).
Enable the dhcp server on the routers and let them give ip addresses to devices connecting to that router. For example one router 192.168.10.1/24 and the other 192.168.20/24.
You will have double nat this way, but networks completely separated.


Verstuurd vanaf mijn A0001 met Tapatalk

Double NAT will work but the first network (router connected to the cable modem ) will not be totally isolated from the second network since the connection from the first router originates from a LAN port and connects to the WAN port of the second router. This means that devices on the second network will be able to see resources on the first network. Not a problem if these devices, especially the router are password protected where possible. Since you are setting this up with a roomate I assume you trust him to some extent but you both just want to maintain privacy. This setup should be OK.

The second network's router will be secure as long as you don't allow access from the WAN.

 

[HeMaN]

Double NAT will work but the first network (router connected to the cable modem ) will not be totally isolated from the second network since the connection from the first router originates from a LAN port and connects to the WAN port of the second router. This means that devices on the second network will be able to see resources on the first network. Not a problem if these devices, especially the router are password protected where possible. Since you are setting this up with a roomate I assume you trust him to some extent but you both just want to maintain privacy. This setup should be OK.

The second network's router will be secure as long as you don't allow access from the WAN.

This is a complete different setup then I described above
The way you described it they will indeed not be completely separated.

My assumption is that the modem is in fact a modem with build in router and issues private ip's to the connected devices.
First post is when the modemrouter has at least one Lan port.
Second post can only be used if the modemrouter has 2 or more Lan ports.

If it is a true modem without router, post 1 will only work when your provider can give you more than 1 public ip adress (both routers then get a public ip adress).

If the modem is only a modem and you get only one public ip from your provider, then you must add an extra router in front on the 2 already present or go for a totally different solution like pfSense and access points that can handle multiple ssid's and vlans tagging (like ubiquiti).
I think it must be even possible to tweak one of the existing routers to handle vlans traffic and routing

Verstuurd vanaf mijn A0001 met Tapatalk

 

[CaptainSTX]

Not many modems for home use have two LAN ports so you can have them provisioned to provide two public IPs. You could accomplish the same thing, more complete isolation/ seperation, by using three routers in a triple NAT setup. I have a triple NAT setup so I can have three seperate VPN clients working. Are there better ways to handle it, probably but the wife likes to look at certain web sites in the land of her birth in her native language and it is simpler for her just to connect using a SSID on "her special network" versus starting a VPN on her IPad. No big deal as I had the hardware sitting around.

 

[Xentrk]

I could use a little guidance on this one. My roommate and I share a single internet connection through a cable modem but need to setup 2 separate wireless networks.

- He has an Apple Airport Extreme.

- I have an Asus RT-AC66U B1 with OpenVPN.

- These 2 networks and the devices connected to each should not talk to each other.

Any ideas on the best setup? Thanks!

Many moons ago, when I had DSL, I took the combo modem/router and used it to make a LAN to WAN connection to a second router. This provided me with two WIFI networks. The second router was VPN Client and the first one was native WAN. This article describes the setup: http://www.linksys.com/ca/support-article?articleNum=132275

When I changed to fiber, the ISP gave me a GPON modem/router combo. I turned it into bridge mode. I disabled the radios as well and DHCP server. When I need to connect now, I have to set static ip of the router in my client so I can connect. I then connected the two routers to the GPON modem/router. One with Native LAN and a VPN policy rules for one client. The other with VPN all traffic. I use the same account credentials to connect to the ISP. The issue may be with the ISP allowing two router connections using the same account credentials. In my opinion, this is the best way if they allow it. But LAN to WAN works okay as a second option. If you have a cable modem, you will need to place a switch between it and the two routers as I doubt it has more than one ETH port.

 

[sfx2000]

Not many modems for home use have two LAN ports so you can have them provisioned to provide two public IPs. You could accomplish the same thing, more complete isolation/ seperation, by using three routers in a triple NAT setup.

Many of the small business setups out here in San Diego - Cox/Spectrum (ex-TWC)/ATT - they'll provide x number of IP's on a single drop with a managed switch - each IP then assigned a VLAN ID that the premises IT can do whatever they need...

 

[ruumee]

Many moons ago, when I had DSL, I took the combo modem/router and used it to make a LAN to WAN connection to a second router. This provided me with two WIFI networks. The second router was VPN Client and the first one was native WAN. This article describes the setup: http://www.linksys.com/ca/support-article?articleNum=132275

I followed the instructions for "Cascading LAN to WAN," and everything seems to work. It was almost too easy—am I missing something?

The Airport serves as the main router, connected directly to the cable modem through the Airport's WAN port. The Asus router's WAN connects to one of the Airport's LAN ports. Devices successfully join the routers' wireless networks. When I go to to PIA's main page on an Asus-connected device (the Asus uses OpenVPN with PIA), "You are protected by PIA" appears at the top, but Airport-connected devices say "You are not protected" (the Airport does not subscribe to PIA).

Are there any other settings or tests I should try to make sure these two networks are truly separate?

 

[Xentrk]

I followed the instructions for "Cascading LAN to WAN," and everything seems to work. It was almost too easy—am I missing something?

The Airport serves as the main router, connected directly to the cable modem through the Airport's WAN port. The Asus router's WAN connects to one of the Airport's LAN ports. Devices successfully join the routers' wireless networks. When I go to to PIA's main page on an Asus-connected device (the Asus uses OpenVPN with PIA), "You are protected by PIA" appears at the top, but Airport-connected devices say "You are not protected" (the Airport does not subscribe to PIA).

Are there any other settings or tests I should try to make sure these two networks are truly separate?

Been awhile since I did this. My ideas is as follows:

Have one client connected to the airport and another to the asus router. Obtain their IP address. When connected to the airport, try to ping the client IP address of the device connected to the asus router and vice versa.

 

[martinr]

I followed the instructions for "Cascading LAN to WAN," and everything seems to work.....

To help others coming across this in future, could you give a link to those "Cascading LAN to WAN" instructions? Thanks.

 

[Xentrk]

Article Links on How To Cascade Routers:

http://www.linksys.com/us/support-article?articleNum=132275

http://www.wikihow.com/Cascade-Routers

 

[thiggins]

https://www.smallnetbuilder.com/lanwan/lanwan-howto/24428-howtotwoprivlan

 

[Alienontherun]

First thought, add a small managed switch between the modem and the routers and use vlans. Say vlans 10 and 20.
Add both vlans (tagged) to the switchport connected to the modemrouter (pvid default: vlan 1) .
Vlan 10 pvid (default Vlan for untagged packets) on switchport connected to one router, Vlan 20 pvid on switchport connected to the other router.
Connect the routers with their Wan port to the switch and let them get their ip from the modem (probably in the 192.168.1.1/24 range).
Enable the dhcp server on the routers and let them give ip addresses to devices connecting to that router. For example one router 192.168.10.1/24 and the other 192.168.20/24.
You will have double nat this way, but networks completely separated.


Verstuurd vanaf mijn A0001 met Tapatalk

Hi

I know this is an old thread, but it seems to address my predicament and I would like to ask some further questions, if I may, please.

I have an Asus router which I have been trying to connect to a Virgin Media Modem/Wireless router. However, I have not been successful. My aim is to have the option to choose either the Virgin Media router or the Asus dual band one - two separate networks.

You mention the use of a smart switch to do this job. So, if I understand your instructions, the set up would be:

1) Virgin Media Modem/Wireless router → Switch → Asus Dual Band router (is that correct?)

"Connect the routers with their Wan port to the switch and let them get their ip from the modem (probably in the 192.168.1.1/24 range)."

Do you mean:

Virgin Media Modem/Router → connected to the Switch via Ethernet port → then Switch connects to Asus via Switch ethernet port to Router Wan port ?


Also, you state:


"Add both vlans (tagged) to the switchport connected to the modemrouter (pvid default: vlan 1) ." I coulldn't understand this. Please comment.

Thank you in advance for your time and generosity.

 

[HeMaN]

Hi

I know this is an old thread, but it seems to address my predicament and I would like to ask some further questions, if I may, please.

I have an Asus router which I have been trying to connect to a Virgin Media Modem/Wireless router. However, I have not been successful. My aim is to have the option to choose either the Virgin Media router or the Asus dual band one - two separate networks.

You mention the use of a smart switch to do this job. So, if I understand your instructions, the set up would be:

1) Virgin Media Modem/Wireless router → Switch → Asus Dual Band router (is that correct?)

"Connect the routers with their Wan port to the switch and let them get their ip from the modem (probably in the 192.168.1.1/24 range)."

Do you mean:

Virgin Media Modem/Router → connected to the Switch via Ethernet port → then Switch connects to Asus via Switch ethernet port to Router Wan port ?


Also, you state:


"Add both vlans (tagged) to the switchport connected to the modemrouter (pvid default: vlan 1) ." I coulldn't understand this. Please comment.

Thank you in advance for your time and generosity.

the setup I described is not the setup you mention.

in my setup are four devices;
- one modemrouter for internet
- one managed switch
- two routers for internal networks

modemrouter connects to the switch to provide internet connection, both routers connect to the switch to create the separate internal networks.

Verstuurd vanaf mijn SM-G955F met Tapatalk

 

[HeMaN]

Hi

I know this is an old thread, but it seems to address my predicament and I would like to ask some further questions, if I may, please.

I have an Asus router which I have been trying to connect to a Virgin Media Modem/Wireless router. However, I have not been successful. My aim is to have the option to choose either the Virgin Media router or the Asus dual band one - two separate networks.

You mention the use of a smart switch to do this job. So, if I understand your instructions, the set up would be:

1) Virgin Media Modem/Wireless router → Switch → Asus Dual Band router (is that correct?)

"Connect the routers with their Wan port to the switch and let them get their ip from the modem (probably in the 192.168.1.1/24 range)."

Do you mean:

Virgin Media Modem/Router → connected to the Switch via Ethernet port → then Switch connects to Asus via Switch ethernet port to Router Wan port ?


Also, you state:


"Add both vlans (tagged) to the switchport connected to the modemrouter (pvid default: vlan 1) ." I coulldn't understand this. Please comment.

Thank you in advance for your time and generosity.

you can have a look at the two last posts before yours and check those links.
think that will suit you more

Verstuurd vanaf mijn SM-G955F met Tapatalk