How to mimic WISP (WiFi uplink) with 2 routers?

[venkman]

Looking for suggestions on how to possibly configure an RT-AC86U and RT-AC66U router together to mimic WISP mode.

The reason the RT-AC86U alone isn’t adequate is that the WAN uplink is WiFi, instead of wired. For context, this LAN would be in a small apartment in a senior living center, where the landlord provides WiFi only (no wired connections). There will be a mix of wired (PC, VoIP ATA, printer) and wireless (laptop, phone) devices that need to communicate with each other on a private LAN, and have internet access through the provider WiFi uplink. I already have an existing RT-AC86U and RT-AC66U, so I’d like to leverage these instead of buying a new travel router with potentially worse WiFi range. If I'm able to position the uplink device where it can best communicate with the landlord's WiFi, yet plug wired devices into either of the two different routers (depending on which is closer to the device), then all the better.

In particular, it’s not clear to me how this use case maps to the various Asus router “modes” or AiMesh features. Is such a configuration possible? If so, what modes should each router use?

The included picture hopefully clarifies:

1. the goal (for reference), and
2. a hypothetical implementation using my two ASUS routers (but am asking for help in understanding how to configure this).

 

[SoFluffy]

You're on the right path here. Set the first device connected to ISP as Media Bridge like your pic shows, then of course you have some options. While you could set the 2nd device as AP, that configuration would mean you'd be using the DHCP from the ISP, and thus no NAT/firewall between your clients and all the other jack wagons using that same connection. For that reason, I'd suggest the 2nd device to be in normal Router mode. This will put you in a double NAT scenario, but this doesn't cause issues for most people, especially if you don't have control over what we're calling the ISP and you cannot open/forward ports anyway.

Edit: If going the double NAT path as I would personally do, make sure to use a different subnet on the LAN than the ISP router. Also, your pic shows a computer connected to the Media Bridge. If going Router mode and double NAT, only connect your clients to that second router. (If you decide to go with AP mode and use upstream DHCP, then connecting clients to the Media Bridge would be fine.)

 

[venkman]

Yes, I think the media bridge and router approach will work just fine--with all the clients connected to the router, as you suggest. Really appreciate your help with that!

After playing a bit with a device in media bridge mode on my own home network (as a client of my router's WiFi), it appears the media bridge function does exactly what the name describes (bridging media at layer 2), plus it grabs an IP address for access to its management application. Any suggestions on securing access to this UI beyond the access credentials? There is a setting for "Remote Access Config: Allow only specified IP address" but I'm not sure how I would use it when the bridge is external to the router:

• accessing it from the ISP WiFi (including from a LAN device behind the router) would mean I'm using an IP address obtained from the ISP WiFi DHCP server which could change,
• accessing it from outside with ISP WiFi might not be possible if there is an ISP firewall preventing such connections (and makes it harder to locally troubleshoot regardless)

Edit: If the ISP WiFi has access point isolation configured, then leaving the "Remote Access Config" section unconfigured would be a solution. I should still be able to access the management application from another LAN port on the media bridge (with whatever address it is assigned). This local access would be sufficient.

 

[SoFluffy]

I don’t think you have many options for securing the Media Bridge as that device is LAN-only (on the ISP side). So for this device, remote access and all that are moot. It is merely taking an ISP LAN address and giving the second device (router) the ability to grab an ISP LAN address for its WAN.

For your Router device, I will bet you don’t need “remote” access to it, and enabling such would just provide an attack surface from within the ISP LAN. This remote access would only make the web GUI accessible from the ISP LAN. As I said, you probably don’t want all those jack wagons on the ISP LAN poking around if there is no legitimate reason for such.