How to make restricted isolated WLAN/LAN to IOT devices R9000/R7800

Tume

Occasional Visitor
Hello!

I think that one picture tells you more than a thousand words, so take a look:

unknown.png


So, the easy solution should be to just create a Guest WLAN and deny them from seeing each other. But the problem is that the R7800 doesn't let me change that setting. It's greyed out.

unknown.png


Why is this forced to be checked, and how can I make an isolated network for those IoT devices etc.?
 
I don't use that router, but given what I know about most routers, the likely problem is that when you enable a guest network on a router in AP mode, it *requires* those guests to be routed through the private network in order to gain internet access. And by denying such access via that option, it would actually prevent internet access. So it's enabled by default and greyed out to reflect that fact.

That's NOT the case in a routed configuration (i.e., active WAN), where the guest network has *direct* access to the WAN, and whether you want to allow/deny access to the private network is entirely up to you. Regardless of the setting, it doesn't affect guests' ability to gain internet access.

That's why a change from routed to AP mode makes a difference when it comes to certain features on the router.

Seems to me you'd be better off to define your guest network on the R9000 since that is in routed mode.
 
To make your setup work the way you want and truly isolate IoT devices you need to have them connect to the first Internet facing router and then double NAT your second router behind that router. Any device connected to the second router regardless if it is in AP mode or router mode will be able to see and potentially interact with devices on the first router as the first router sees all devices on the second router as connected via the LAN.

In a double NAT setup where the wired connection goes from LAN first router to WAN second router as long as you disable admin access from the WAN, all devices on the second router will be secure from devices on the first router.

You will have to decide which router to use for the first and the second position. The R9000 running WireGuard will run the VPN fine in either position as long as you are talking about it being a WireGuard client. If you are trying to run a server on the second router it will be difficult/impossible on the second router.
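
The reachability argument in the post above, as an added example that is not part of the original thread: a small Python model of which segment can open connections to which, for the R9000 -> R7800 chain with the R7800 in router (double NAT) mode versus AP mode. The segment names and the `Router` fields are assumptions made for the illustration, and the model assumes each NAT router drops unsolicited inbound traffic (no port forwards, DMZ or UPnP mappings).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Router:
    name: str
    uplink: str              # segment the WAN port (or AP uplink) plugs into
    lan: str                 # segment served to the router's own clients
    mode: str = "router"     # "router" = NAT between uplink and lan, "ap" = bridge
    wan_admin: bool = False  # management interface reachable from the uplink side

def resolve(segment, routers):
    """Collapse AP-mode bridges: clients of an AP really sit on its uplink segment."""
    for r in routers:
        if r.mode == "ap" and r.lan == segment:
            return resolve(r.uplink, routers)
    return segment

def upstream(segment, routers):
    """Segments a host can reach by walking outward through NAT routers."""
    seen = [resolve(segment, routers)]
    while True:
        nxt = [r for r in routers if r.mode == "router" and r.lan == seen[-1]]
        if not nxt:
            return seen
        seen.append(resolve(nxt[0].uplink, routers))

def can_initiate(src_seg, dst_seg, routers):
    """True if a host on src_seg can open a connection to a host on dst_seg."""
    return resolve(dst_seg, routers) in upstream(src_seg, routers)

def admin_exposed(src_seg, router, routers):
    """True if hosts on src_seg can reach the router's management interface."""
    if can_initiate(src_seg, router.lan, routers):
        return True
    return router.wan_admin and can_initiate(src_seg, router.uplink, routers)

# Constructed topology from the thread: wall -> R9000 -> R7800.
R9000 = Router("R9000", uplink="internet", lan="first_lan")
R7800_NAT = Router("R7800", uplink="first_lan", lan="second_lan")
R7800_AP = Router("R7800", uplink="first_lan", lan="second_lan", mode="ap")

if __name__ == "__main__":
    for label, inner in (("double NAT", R7800_NAT), ("AP mode", R7800_AP)):
        topo = [R9000, inner]
        print(label,
              "| first->second:", can_initiate("first_lan", "second_lan", topo),
              "| second->first:", can_initiate("second_lan", "first_lan", topo))
```

In the double NAT case only the second-router side can initiate toward the first, which is why the untrusted IoT devices belong on the first router and the devices to protect on the second.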
 
My R9000 is a WG client, since it gets its connection from Mullvad. I also have a now-useless Archer C7, so what kind of system do I need to create so that I can isolate all IoT things behind those and maybe provide VPN also (from the R9000)?
 
What internet speed do you get from your ISP? If you connect a PC using an Ethernet cable to the R7800 and then the R7800 directly to your modem or ONT do you get your full ISP speed? If there is a setting for CTF and Jumbo frames be sure it is enabled. Unless you have a gig connection I would guess the R7800 can handle your ISP speeds as my R7000 can do speed tests consistently at 475/22 Mbps all day long as long as I have enabled CTF and jumbo frames.

If you get full speed then you can use the R7800 as the Internet facing router and double NAT the R9000 behind it.
 
400/100. I get full speed with WireGuard too. My network type is Ethernet, so the network comes from the wall with RJ45 to my R9000, and then R9000 -> R7800 via RJ45 at LAN (R9000) <-> WAN (R7800). Do I need to add the Archer C7 in some position to put it behind double NAT?
 
Why not put all IoT restricted devices in a VLAN? They can have their own subnet and be totally separated from the rest of the LAN.

Bonus: in a VLAN, they can be physically connected at different places (first or second router), but still be in their virtual LAN.
 
How can I do that with the R9000 in router mode and the R7800 in AP mode?
 
What firmwares are you using?

I don’t think the R7800 in AP can do that with the default Netgear firmware.
It is however apparently possible with third party firmwares: https://community.netgear.com/t5/Nighthawk-WiFi-Routers/VLAN-in-AP-Mode/td-p/450636

I suppose it is possible with @Voxel firmware and a custom script, but I never did this.

Voxel newest at both devices + kamoj newest beta.

E: I checked; in AP mode, I can't find "VLAN / Bridge Settings" on the R7800. On the R9000 in router mode I can use it, but I have to confess that I don't know which port I should check there, if any?
 
Well, I never set up a VLAN, so someone else could jump in and give his/her expertise in that domain.

All I know is VLAN should achieve what you want and increase separation security.

Could you connect the R7800 and R9000 with Ethernet? If so, you could create the VLAN on the R9000 with the port to which the R7800 is connected. Nothing to do specifically on the R7800.

Now, it should be possible to activate a second WiFi network on the R9000 (guest), and have the VLAN attributed to this guest network, but this brings us back to your initial question (grayed out).
Most likely, you won't be able to set up anything from the web interface, and you will likely have to use command line and scripting.

You will have to dig some in this forum and the rest of the internet.

Some links that may help:
 
I ended up ordering a new switch to tackle this problem, since Netgear routers have a lack of VLAN properties.

NETGEAR GS108E Switch

I will update this thread after I get that device in my house.
 
Port-based VLANs on this router are straightforward. If you need to set up 802.1Q VLANs it is a little less straightforward.
 
The problem was that

unknown.png


unknown.png


After those settings, all things behind port 6 are unreachable and without internet also. I now have RJ45 at port 6, which leads to the R7800 WAN port.
 
For me, the option is available and is not activated on the R7800. And I use some phones on that wireless and I cannot ping the other equipment which is connected on LAN.
Save your settings and reset your R7800 to factory defaults, activate the guest network and see now if you don't have that option active.
netgear.JPG
 
