Guest Access LAN and WAN Question

smudgesmith

New Around Here
Hi folks, not terribly technical but have managed to achieve the following so far:

Main router and broadband modem is a Netgear DGND3700 which serves the house.

Attached via powerline networking are 2 DGN1000s with DHCP turned off and reserved addresses outside of the DGND3700 IP range (192.168.0.253 and 254). Each DGN1000 has its own distinct wifi SSID/password. I'm using 2 APs in the cottage as the walls are very thick. This allows any guest in the cottage internet access, but also access to anything on my LAN.

Now, I need to find a way to stop users of the cottage wi-fi accessing anything else on my home LAN (NAS, Mac, iPad, Printer etc...) and I have absolutely no idea how to do that. I've spent most of the day on google but I don't really know the terms I am googling for so have drawn a blank.

There is a complication though. There is a wireless room thermostat in the cottage which I need to access from my LAN in the house so that I can control/limit the heating settings available to the guests. I could do this over the internet from the house, but that seems a bit pointless when it is on the same network. However, if the only way to secure my LAN is to deny all guest wi-fi users (including the room thermostat) access to my LAN, then so be it and I'll just have to go over the internet even when I'm next door.

Can anybody give me an idea what to do please? Bear in mind I have a vague idea but I'm no network techie so an ssh tunnel into my router and unpackaging some bespoke code isn't going to work for me - I need to do this with the existing settings of the routers, or change the routers for ones that will let me do it.

Thanks in advance.
 
The simplest non-techie way is to use a second router connected as described in this article. You would then move the "house" computers to the second router.

Another way is to add a managed/smart switch that has VLAN capability. But it can be a pain to set up, mainly because VLAN user interfaces tend to be different from switch to switch and a bit obscure. Here's one example.
 
Still confused

Thanks Tim, read the article but don't really get it.
I think it is saying that each of my second routers should be using DHCP but on a different subnet range than the house router and in that way devices on the different subnets can't see each other. Am I on the right lines? On that basis, putting the house stuff on a second router on its own subnet ringfences it from being seen by other second routers.

My biggest problem is that I have no laptop so I can't easily use trial and error to test that I can't see my house network when connected to the cottage network. Are there any iPad Apps that will allow me to see the network I am connected to that you know of?

Thanks very much

Nick
 
No. I'm saying you need to add one more router so that you have a firewall between your LAN clients and the cottage APs. Right now, everything is on the LAN side of the DGND3700 main router, so they are all on the same network.
 
No. I'm saying you need to add one more router so that you have a firewall between your LAN clients and the cottage APs. Right now, everything is on the LAN side of the DGND3700 main router, so they are all on the same network.

I'm afraid I remain completely stymied.

My main house router, which is connected to my incoming phone line and therefore provides my broadband, is set up as the LAN DHCP server with IP address 192.168.0.1 and subnet mask 255.255.255.0. DHCP start address is 192.168.0.2 and end address is 192.168.0.240. This works fine for anything connected to the main house router, such devices appearing in the router's 'attached devices' list.

One of the distant routers (in the cottage) is wired by ethernet cable to the main house router via a 50 meter ethernet cable. This cottage router has DHCP turned off and has been assigned an IP address of 192.168.0.254. Anything connected to the cottage router does not appear in the main house router 'attached devices' list, which is fine. However, when I am connected to the cottage router, I am able to see other devices connected to the main house router such as my NAS for example and it is this I want to stop. I just don't know how. I still want to be able to manage the cottage router from my Mac connected to the main house router by logging into the admin interface on the cottage router IP of 192.168.0.254.

I tried setting up the cottage router with a different IP of 192.168.1.254 but I simply lost connection to the router from Mac and had to reset the cottage router.

I am at a complete loss as to how to do it and can't seem to find a step by step tutorial anywhere.

Any help much appreciated.
 
If you double NAT and have the other router on another IP range it will be isolated.

I've done this before to isolate and it works.

It also works that way on my Cisco Meraki AP as well since it has two different IP configuration options. It can use your LAN's DHCP and pass the IP requests thru the LAN or it can act as its own DHCP server and give out its own range of IPs.

For example, my Amped Wireless router has the IP range of 192.168.3.x
and my Meraki MR12 AP has the IP range on one of the SSIDs of 10.0.0.x

You would need to give the 2nd router a different IP range.
 
The isolation between the two LANs is fairly straightforward; however, managing the cottage LAN without being connected becomes more involved and, depending on your router's firmware, may require a script. You can try setting up the cottage router to allow it to be administered from the WAN. This may work; however, it is a security hazard if it does, so use a very strong password and if possible allow only your MAC to have remote access.

As an example:

Set the Primary router to automatically get an IP from your ISP

Set your primary router's LAN IP to 192.168.1.1

Set your DHCP range to 192.168.1.100 -149

Assign your second cottage router a static WAN IP in the first router's range which in this case would be 192.168.1.2 or any address not in the DHCP server's range of the primary router.

Set the WAN gateway on the cottage's router to 192.168.1.1 (or whatever the LAN IP is for your primary router.)

Assign your cottage router a static LAN IP say 192.168.199.1

Set the DHCP server on the cottage router to say 192.168.199.100 -119.

Then connect the Ethernet cable from your main router to the WAN port on the cottage router.

Reboot everything including connected devices and see if this works for you. You may have to play around a lot to gain the ability to administer the cottage router remotely.

Good luck.
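
An added example, not part of any post in this thread: a check of the addressing plan in the steps above, together with the default reachability between the two subnets. It assumes /24 masks and a stock consumer NAT router with no extra firewall rules; the function names and the sample client addresses are hypothetical.

```python
import ipaddress as ip

# Addresses from the steps above; the /24 masks are an assumption.
PLAN = dict(primary_lan="192.168.1.1/24", dhcp_start="192.168.1.100",
            dhcp_end="192.168.1.149", inner_wan="192.168.1.2",
            inner_gw="192.168.1.1", inner_lan="192.168.199.1/24")
# Constructed bad plan: WAN IP inside the DHCP pool, LAN in the same subnet.
BAD = dict(PLAN, inner_wan="192.168.1.120", inner_lan="192.168.1.254/24")

def check_plan(primary_lan, dhcp_start, dhcp_end, inner_wan, inner_gw, inner_lan):
    """Return a list of problems with a cascaded (double-NAT) address plan."""
    outer, inner = ip.ip_interface(primary_lan), ip.ip_interface(inner_lan)
    wan = ip.ip_address(inner_wan)
    problems = []
    if wan not in outer.network:
        problems.append("inner WAN IP is outside the primary LAN subnet")
    if wan == outer.ip:
        problems.append("inner WAN IP collides with the primary router")
    if ip.ip_address(dhcp_start) <= wan <= ip.ip_address(dhcp_end):
        problems.append("inner WAN IP is inside the primary DHCP pool")
    if ip.ip_address(inner_gw) != outer.ip:
        problems.append("inner WAN gateway is not the primary router's LAN IP")
    if inner.network.overlaps(outer.network):
        problems.append("inner LAN subnet overlaps the primary LAN subnet")
    return problems

def can_initiate(src, dst, primary_lan, inner_lan):
    """Default reachability between hosts, assuming no extra firewall rules."""
    outer = ip.ip_interface(primary_lan).network
    inner = ip.ip_interface(inner_lan).network
    s, d = ip.ip_address(src), ip.ip_address(dst)
    if s in inner and d in outer:
        return True   # LAN-to-WAN: the inner router forwards and NATs it
    if s in outer and d in inner:
        return False  # unsolicited WAN-to-LAN: dropped by the inner router
    return (s in outer and d in outer) or (s in inner and d in inner)

if __name__ == "__main__":
    print(check_plan(**PLAN), check_plan(**BAD))
    lans = (PLAN["primary_lan"], PLAN["inner_lan"])
    print(can_initiate("192.168.199.100", "192.168.1.100", *lans))  # cottage -> house
    print(can_initiate("192.168.1.100", "192.168.199.100", *lans))  # house -> cottage
```

With the addresses from the steps, a client behind the inner router can still open connections to the primary LAN while the reverse is blocked, so the shielded network is whichever one sits behind the inner router. That matches the earlier reply's advice to move the house computers to the second router.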
 
Suggest one router and add Access Point(s). Don't double-NAT; it's a PITA.

This is what I have in place already and it works absolutely fine in extending access to my LAN over wi-fi to distant areas of the property, but clients connected to the AP can see clients connected to the main router which is no good for my network security. I need to stop AP connected clients seeing anything else on the network.
 
Thanks Captain! I'll give this a go and let you know how I get on.....
 
I have set the Primary router to automatically get an IP from the ISP

I have set the primary router's LAN IP to 192.168.0.1

I have set the primary router DHCP range to 192.168.0.2 - 240 (because I already have clients connected with assigned IPs at both ends of this range and don't want to change them all)

I have set the cottage router LAN IP as 192.168.0.252 but I don't know how to set a static WAN IP - is this something different to the LAN IP and how do I find that in router settings?

I've searched the manual for WAN Gateway but nothing comes up so am stuck from this point on.

If it helps, my primary router is a Netgear DGND3700 and the cottage router is a Netgear DGN1000.

Sorry - networking is new to me!
 
To set a static entry on your WAN IP address you will need to know the MAC address of the WAN interface on the second router. I think the simple way to set the second router to receive a static DHCP IP address on the WAN interface is to connect the second router up and have the WAN interface (internet setting) set to receive DHCP for an IP address. Look in your first router for the IP address assigned to the WAN on the second router. Create a static IP address on the first router for the second router. There you have it.
 
You are going to have to search for the appropriate settings. On my ASUS running Tomato the necessary settings/ pull downs are all on the basic setup page.

On some older routers changing the DHCP range to something other than 192.168.1.xxx may not be possible, but other than that this setup is fairly basic. I have done it using Linksys routers, ASUS routers and routers flashed with DD-WRT.

The remote administration from the main to the cottage may be more of a challenge. I usually just sign on to my downstream routers using WiFi and make any changes I need that way.

Keep trying.
 
No. I'm saying you need to add one more router so that you have a firewall between your LAN clients and the cottage APs. Right now, everything is on the LAN side of the DGND3700 main router, so they are all on the same network.

Tim, are you saying:

1. Add a new router into the network which provides the broadband connection
2. Connect my existing house router to the new router and hang my home LAN off the existing router as I do now
3. Connect the cottage router to the new router

How do I set up the new router so that the existing router and the cottage router can't see each other?

I'm not sure I can achieve this though as I am using powerline to get a connection into the cottage and the same powerline to provide my home LAN services, so I'm guessing that I am going to have yet more trouble with this set up.

I did try setting up the cottage router with a guest network, but I could not connect to the guest network without enabling access for the guest network to my LAN, which obviously defeats the object.

Any other bright ideas as I am at a loss as to how on earth I'm going to set up 2 LANs that can't see each other over the same powerline.

Thanks,

Nick
 
