Best way to configure intranet "levels of trust" on both ethernet and WLAN? (with multiple routers)

New Around Here
I currently have two RT-AX88U devices. The basement one has Asuswrt-Merlin, the other is stock (but I could easily put Merlin on it, too).
The RT-AX88U ("Router 1") in the basement is directly connected to the WAN (and a number of rooms in the house by ethernet).
The RT-AX88U ("Router 2") on the main floor is connected to the basement router directly via ethernet. A few devices are connected via ethernet to Router 2.
There's an older UniFi UAP-AC-Lite ("Router 3") in the attic, connected directly to Router 1 via ethernet.

I have roommates that don't have the best tech literacy, and I generally don't trust other devices (doorbell cameras, thermostats, thermostat sensors, rokus), and I own all the networking gear.

My goal is mostly to protect privacy and protect against viruses (etc) on my devices.
I want a layer between devices under my control and devices I don't fully control (roommate/visitor/work/Roku/doorbell/thermostat), without cutting off roommate ethernet LAN access in their rooms.
Most of the ways of isolating clients prevent things like controlling Roku devices from WiFi devices, and my roommates' ethernet-connected devices are not isolated.

My current setup is such that my roommates have full intranet ethernet access on the same subnet, but the 'main' wifi network is only used when I want to act in "privileged" mode (i.e. reach a trusted ethernet device for a short time, since I don't trust most of the android apps on phones or work devices not to snoop). My phone, IoT devices, and any roommate/work owned wireless devices, generally use a guest network that has device isolation turned on. Router 1+2 are in an AiMesh network and provide these networks. Router 3 is a separate WiFi network so my roommate (whose office is up in the attic) can control his wireless Roku from his phone.

The problem with this setup is we need Router 3 as a "guest" network that lets my roommate's phone and roku talk to each other, while still being isolated from the rest of the intranet, and that means he's using older, less performant/reliable WiFi hardware. I figure I could break up the AiMesh, and use the 3 routers individually to have 3 different layers of subnets, but this level of setup is not really very well documented for people who aren't experts with linux networking, and would reduce WiFi coverage range. Assigning the ethernet ports to VLANs (or a new hardware device layer) could help with this, but then there would be communication issues between layers (for example, I want limited interoperability between subnets, so we can share files or control rokus or IoT devices without an internet hop, etc.).

I'm potentially willing to buy additional hardware as long as it isn't super expensive and doesn't add much latency. The RT-AX88Us cost a pretty penny, so I don't want to replace them, but I figure using an additional, cheaper router as a NAT layer might be an option.

I've read about the YazFi plugin for Merlin, and the wl01_ONEWAYTOGUEST setting looks ALMOST like what I'm looking for ("LAN is able to initiate connections to Guest Network clients (but not the opposite)"). Unfortunately, it doesn't look like you can 'nest' guest networks in YazFi without custom firewall rules that aren't documented thoroughly, and YazFi doesn't do anything about ethernet connected devices.

I'm not sure, for example, how to extend that "one way" logic to ethernet NATs, such that specific interactivity is possible in specific directions between layers. Most of this seems to require complicated routing configs that take a lot of tweaking to get right, and it might be possible to accomplish what I want with properly configured hardware/software layers and subnets. I bet with complex routing tables, or different subnets and the right UPnP settings, something could be configured such that everyone can use their phones as remotes, and do LAN-related functions, while otherwise isolating all of my hardware from untrusted network devices (potentially compromised devices or work laptops trying to snoop on traffic or spread infections). There may even be a more straightforward approach I'm missing, like something that functions like a firewall for intranet traffic.

Thank you for any guidance!
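The "one way" behaviour the post describes (trusted LAN may open connections to the untrusted segment, the untrusted segment may only answer) is ordinary stateful filtering in the router's FORWARD chain, which is what Asuswrt-Merlin's iptables-based firewall uses and what YazFi's ONEWAYTOGUEST option does for wireless guests. The script below is an added example, not code from the post, from YazFi or from Asuswrt-Merlin. It assumes two bridge interfaces, `br0` for the trusted segment and `br1` for a VLAN or guest bridge that the roommate ethernet ports and the IoT devices have already been moved onto (creating that VLAN is a separate step); the interface names are placeholders. Devices on the same untrusted segment (a phone and a Roku) never pass through FORWARD, so they keep talking to each other regardless of these rules. With `IPT` left at its default the script only prints the iptables commands, so the rule set can be reviewed before it is put into a `firewall-start` script on the router.

```shell
#!/bin/sh
# Added example: one-way trust between two router segments with iptables.
# Assumptions (placeholders, not from the post): br0 = trusted LAN bridge,
# br1 = untrusted VLAN/guest bridge. IPT defaults to a dry run that echoes
# the commands; set IPT=iptables on the router to apply them.

IPT="${IPT:-echo iptables}"

# oneway_rules TRUSTED_IF UNTRUSTED_IF
# Policy: the trusted side may initiate anything toward the untrusted side;
# the untrusted side may only send replies to connections the trusted side opened.
oneway_rules() {
    trusted="$1"
    untrusted="$2"

    # Keep the rules in their own chain so re-running the script is idempotent:
    # create it if missing, then flush whatever an earlier run left there.
    $IPT -N ONEWAY 2>/dev/null
    $IPT -F ONEWAY

    # Replies (and related flows such as FTP data) for connections opened from
    # the trusted side are allowed back through the conntrack state match.
    $IPT -A ONEWAY -i "$untrusted" -o "$trusted" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anything else the untrusted side tries to initiate toward the trusted side
    # is logged (rate limited so a noisy device cannot fill the log) and dropped.
    $IPT -A ONEWAY -i "$untrusted" -o "$trusted" -m limit --limit 5/min -j LOG --log-prefix "ONEWAY-DROP: "
    $IPT -A ONEWAY -i "$untrusted" -o "$trusted" -j DROP

    # The trusted side may open connections to the untrusted side (e.g. to
    # control a Roku or reach a file share there).
    $IPT -A ONEWAY -i "$trusted" -o "$untrusted" -j ACCEPT

    # Hook the chain at the top of FORWARD; delete any previous hook first so
    # repeated runs (firewall restarts) do not stack duplicate jumps.
    $IPT -D FORWARD -j ONEWAY 2>/dev/null
    $IPT -I FORWARD 1 -j ONEWAY
}

# count_rules TRUSTED_IF UNTRUSTED_IF: number of rules a dry run would append
# to the ONEWAY chain; useful when reviewing the generated rule set.
count_rules() {
    oneway_rules "$1" "$2" | grep -c '^iptables -A ONEWAY'
}

# Dry run with the placeholder interface names.
oneway_rules br0 br1
```

Traffic from the untrusted segment to the router itself (DHCP, DNS) goes through INPUT rather than FORWARD, so these rules do not interfere with it; if the untrusted segment should also be kept away from the router's admin interface, that is a separate INPUT rule. Logged drops with the `ONEWAY-DROP:` prefix are the first thing to look at when a device on the untrusted side is unexpectedly probing the trusted one.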
