What's new

Help with my network configuration

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

dani1720

Occasional Visitor
Hello,

I live in a building where there is my house and 4 apartments. The apartments are vacation rentals and I control the internet connection.

At the moment it is distributed like this:

Nokia g-010g-p ---> Asus RTAC66U (DHCP activated 192.168.1.x) ----> Switch TP Link TL SG108E -----> 4 router in acces point mode 1 in each apartment.

All is connected with ethernet cable.

I want to isolate the apartments in a different subnet from my home network because I have some problems, like the guests connected to the apartments APs can see my chromecast. The Asus router is in my home giving me WIFI.

How can I do this without causing double NAT problems? I read something about using Vlans, is this possible with my hardware? What is the best option? Will I still be able to access and configure the APs from my PC if it is on a different subnet?

Thank you.

Dani
 
You could probably use the switch to isolate each AP from each other using VLANs but you can't isolate them from your RT-AC66U because it does not have VLAN support. EDIT: corrected typo.

You don't state what make/model the APs are.

Put each AP in router mode and enable "WAN access" on each of them. That way you can access them from you own network. Don't worry about double NAT, that's not normally a problem. The only time that's an issue is if the person behind it is trying to run a server of some sort. That's probably something you don't want them to be doing any way. Besides, you wouldn't expect that kind of setup in a hotel so why would a vacation rental be any different.
 
Last edited:
Thanks for the answer.

I tried to do what you suggested.
I did a test with one of the access points, this one is a TP Link Archer C2.
I configured it like this:

WAN :

Static IP
IP 192.168.1.2
Subnet mask 255.255.255.0
Gateway: 192.168.1.1
Primary DNS 192.168.1.1

LAN:

IP 192.168.2.1
Subnet Mask 255.255.255.0

DHCP is activated and WAN access is enabled.

Asus router 192.168.1.1 ------>TP Link Switch 192.168.1.3 -----> TP Link router 192.168.2.1

If I connect my laptop to the 192.168.1.1 subnet I have internet connection but I cannot access the TP Link router.
But if I connect to the 192.168.2.1 subnet I have internet connection and I can access both the TP Link and the Asus router even though the WAN access is disabled on the Asus router.
Why can´t I access the TP Link router when connected to the Asus?

Another question, can I give the Asus RT-AC66U Vlan support if I install it an alternative firmware? If so, would it be better to do it this way or should I keep it simple and just put the APs in router mode and don´t worry about double NAT?
 
It is only a partial solution. If you connect to the 192.168.2.x subnet you will be able to connect to devices on the 192.168.1.x subnet if you know what to connect to (or you experiment). But because it's a different subnet devices like your Chromecast or your PCs won't appear in the guest's "My Network Places", etc. So it's security (of a sort) through obscurity.

To completely stop devices on 192.168.2.x accessing 192.168.1.x you would have to see whether there's a feature to do that on the TP-Link router (Asus routers have this feature) as you can't block it on the RT-AC66U.

I'm not familiar with your TP Link router but assuming it has an option to enable remote access to it from "the internet" you should be able to do that by using its 192.168.1.2 address.

I believe FreshTomato has VLAN support although I've not used it myself. It depends how much effort you want to spend on this. Personally I don't think double NAT is an issue but you might want to properly block access to your 192.168.1.1 network from the guests.
 
What "double nat problems" are you experiencing or expect to experience? I've been running double/triple nat for decades without issue. I'm not saying vlans isn't appropriate, just wonder what your issue with double nat is?
 
I still don´t know if I will have double NAT problems. I just read that with that configuration I will have double NAT, and that it might be a problem.
If I put all 4 APs in different subnets will I have 4xNAT? Or can all 4 be on the same subnet and have only one different subnet for my home network?

I´m also considering getting a Mikrotik router, they are inexpensive and have Vlan support, is this a better option?
 
@dani1720 - Attaining your goal with the current hardware is likely going to be more trouble than it's worth, as you would need full iptables firewall capability on the AC66U, available via FreshTomato, but you'd probably have to delve into the command line to setup the level of rule granularity required to identify and properly act on the traffic from each apartment. Instead, I would proceed with your idea of replacing at least the AC66U with an SMB-grade alternative that is more firewall-feature-rich right from the GUI (and is also natively VLAN-aware).

Also, leaving VLANs out of the picture would allow for the least amount of config/hardware changes, because using them would require VLAN-aware switching and wireless in the apartments (via custom firmware and technical configuration on each all-in-one router, or replacement SMB hardware). So, presuming we leave VLANs out, you would have to set each apartment all-in-one back into router mode, giving each a static IP reservation (from the house firewall) for its WAN IP, plus a unique LAN subnet (192.168.1.x for apartment 1, 192.168.2.x for apartment 2, etc.), in order to properly identify and act on each apartment's traffic from the house firewall. This setup would institute double-NAT (in the apartment networks, NOT your private house network), but basic internet from the apartments should still work just fine. You can always add VLAN support via replacement hardware in each apartment once you stabilize this first batch of changes and have a chance to learn VLANs properly on your own.

Looking at a choice for your main (house) firewall, I would probably stay away from Mikrotik; their hardware and RouterOS are mostly excellent, but the learning curve is STEEP and support, while decently documented, is next to non-existent for direct, end-user help. Instead, I would look at something like a Cisco RV small-business router, which has all the firewall functionality right in the web GUI and has much more well supported overall. If your internet is only a few-hundred Mb/s, or slower, an RV260W (~$260) would be a good replacement for not only the AC66U but also the TP-Link TL-SG108E switch, removing that extra layer of traffic obfuscation and making control of the apartment traffic that much more simple overall.

Just a few thoughts to mull over. Happy to help further if/where needed.
 
Last edited:
@Trip Your direct download link for FreshTomato is incorrect in this in this case. He never said he had an RT-AC66U_B1 only an RT-AC66U so I'm assuming it's the original model. The link to that would be here (or via the link I posted in #4).
 
@ColinTaylor - Good catch; my fault for assuming it was the "_B1" variant. I generalized that link to point to just the FT website for now.
 
Last edited:
Thanks for the replies.

At the moment I did some tests with the hardware that I have. I put all the AP in the apartments in router mode, each in a different subnet (apartment 1 in 192.168.2.1, apartment 2 in 192.168.3.1, etc).
It is working fine at the moment and the apartments can't see each other, which was my main goal. For example sometimes a guest would accidentalt cast to my chromecast and I wanted to solve that. Also you can cast directly to the TVs in the apartments and now the clients can't see each others TVs.

At the moment the problem that I have is that I cannot access the routers in the apartments from my home subnet. I enabled internet access to the routers but I cannot access them. Any ideas why?
The models of the Routers are: 1x TP Link TL-WR841N, 2x TP-Link Archer C2 and 1× TP-Link Archer C20. But if I am connected to any of the Routers in the apartments I can access my Asus router.

Also thank you for the hardware recommendations. I have a symetrical 600Mb internet connection. And the Asus router is a RT-AC66U B1, sorry I I didn't specify that before.
 
At the moment the problem that I have is that I cannot access the routers in the apartments from my home subnet. I enabled internet access to the routers but I cannot access them. Any ideas why?
What are you doing that is not working? What "internet access" option did you enable? If it's "Access Control" that only effects LAN to WAN access not remote access.

Do these routers have the option to access them remotely from the internet side, as I mentioned in post #4? I've had a quick look on the TP-Link web site and couldn't see anything like that so maybe they don't. In which case you would have to create a forwarding rule on each router that pointed to it's internal (LAN side) IP address.

Of course if you're close enough you could just connect to each router's WiFi and access the router from there.
 
Last edited:
Yes, I enabled the internet access control option.
Could you please help me to configure the forwarding rule to access the router from my PC? I only have some basic network knowledge.

At the moment I am accessing the router conecting connecting to the WIFI, but I have to go upstairs with my phone for that and it would be much more convenient to have access from my PC.
Screenshot_20200922-193813_Samsung Internet.jpg
 
Experimenting with the TP-Link emulator some more I found that the remote management is located under Security. It needs to be set like this: Untitled.png
 
Experimenting with the TP-Link emulator some more I found that the remote management is located under Security. It needs to be set like this: View attachment 26404

Yes, it worked! Thank you!

Also instead of 255.255.255.255 I put my PCs IP address, so its only accessible from there. I guess that adds some security.

I will try with this hardware and configuration for some time and see if it doesn't give me any problems.

Thank you all for the help!
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top