Looking for secondary router/AP for guest house (w/ guest network feature)

steinj14

Occasional Visitor
Would love some help choosing a secondary router / access point with a WiFi guest network feature. Here's my situation. I have a "primary" router at my house. I have a guest house approximately 250 feet away. I have run an Ethernet cable from my house to the guest house, so I'm able to make a wired connection between the primary and secondary routers.

For the "secondary" router, I want the wired ports to be on my "primary" router's network (i.e., same IP scheme) so I can access the guest house's video surveillance system. Additionally, I want to set up a WiFi guest network on the "secondary" router for people staying at the guest house. I want the WiFi guest network to be isolated from my primary network.

I bought a TP-Link Archer A7 (AC1750) and configured it as an access point, but when I set up the WiFi guest network, I was dismayed to see that it had the same IP scheme as my primary router, so it wasn't isolated!

Is what I described possible? If so, can you recommend a router / access point that can do what I need (preferably low-cost since it doesn't have to be the fastest kid on the block…)?

Thanks!
 
Use VLANs on your primary (only) router, a VLAN-aware switch in place of “secondary router”, and a VLAN-capable access point (or wireless router in AP-only mode that supports VLANs). Set up your guest SSID in the AP and a VLAN for it in the router. In the AP assign the SSID to the VLAN. Assign the same VLAN to the port on the switch that the AP plugs into. Since the IP address range assigned to the guest VLAN will be different from the IP addresses assigned to the rest of your devices, neither one will talk to the other.

Roughly, that is one way to approach it. There is a VLAN tutorial on this site and multiple threads that work through what you are wanting to do.

Someone else familiar with the specific hardware you have may be able to give you specific configuration advice. Or you may have to change out some hardware to do what you want.
 
Use VLANs on your primary (only) router, a VLAN-aware switch in place of “secondary router”, and a VLAN-capable access point (or wireless router in AP-only mode that supports VLANs). Set up your guest SSID in the AP and a VLAN for it in the router. In the AP assign the SSID to the VLAN. Assign the same VLAN to the port on the switch that the AP plugs into. Since the IP address range assigned to the guest VLAN will be different from the IP addresses assigned to the rest of your devices, neither one will talk to the other.

Thanks for the reply.

If I understood your response - conceptually, it would look like this?
Primary Router (@ main house) ---> Switch (@ guest house) ---> Surveillance System (@ guest house, VLAN #1)
                                                          ---> WiFi Access Point (@ guest house, VLAN #2)

My primary router is an ASUS RT-AC68W (Wireless-AC1900 Dual Band Gigabit Router). I didn't see anything in the manual related to VLANs. Could I use a Managed Switch to create the VLANs instead?

Sorry, networking is not my forte and I'm having a hard time wrapping my brain around this.
 
A level 2/3 managed switch with multiple VLANs implemented + AP with VLAN would work for that end. I think the router (1) would also need to be VLAN capable. Maybe an alternate firmware (Merlin maybe) would work? I am not familiar with ASUS but there are plenty of threads here and an ASUS sub-forum.

I am running Cisco SMB gear - RV325 and 371 APs with multiple VLANs.
 
Is what I described possible?

Nothing is impossible. Wires are not smarter than us.

The right way is what @degrub is talking about. He is coming from corporate experience and this is how it should be done for someone else. It may get too expensive though; special skills and equipment are needed. May not be the best option for you. I'm going to exploit something you never mentioned as a requirement: If you don't need WiFi access to your network from the guest house (for your use), but only a WiFi Guest Network (for guests' use), the problem can be solved in a non-professional way:

You already have the TP-Link Archer A7 router. Get a $20 8-port dumb switch in addition. Your 250ft cable goes to the switch, your cameras and your Archer WAN port connect to the switch too. Now run the Archer in router mode, setup a Main Network (with your password) and a Guest Network (with guests password) on it. What you get as a result:

- WiFi for you, but no access to your main network*
- WiFi for your guests, isolated from your main network and from your devices on the Archer
- LAN ports for your cameras, on your main network

* - this may be solved too, again in a professional (depending on equipment) or a non-professional way (with a little more equipment).
 
If you don't need WiFi access to your network from the guest house (for your use), but only a WiFi Guest Network (for guests use),

- WiFi for you, but no access to your main network*
- WiFi for your guests, isolated from your main network and from your devices on the Archer
- LAN ports for your cameras, on your main network
Yes, what you described will work for my needs! It didn't dawn on me to use a switch in between the two routers.

Questions:
1) Do I turn off DHCP on the Archer router or leave it on?
3) Do I change the IP address of the Archer router? For example, my main Asus router is 192.168.1.1, so do I make the Archer 192.168.1.2 (out of range from what my main router hands out)?

Thanks!
 
OK, this is what I would do, with simple explanations:

Step 1:
a) Put the switch in the guest house, connect all LAN cables for devices on your network - the one from your house, cables for the cameras, etc.
b) Turn the switch ON and test if everything looks good from your house. You should see your cameras with IP addresses 192.168.1.x. The switch won't show up as a device on your network map, don't worry about it.

Step 2:
a) Reset the Archer router to defaults (see how in the manual)
b) Connect the WAN port of the A7 to the switch, turn the A7 ON. You are lucky the default IP address of A7 is 192.168.0.1, different than the IP address 192.168.1.1 of your main router, it saves some work. Wait for A7 to boot, connect to one of the default SSIDs (TP-Link_XYZ usually), get to the WebUI, complete the Quick Setup:

> Internet Connection - Dynamic IP -> Next
> Do not clone MAC Address -> Next
> Disable Smart Connect (if available in your firmware), set separate SSIDs (steinj24/steinj50) for 2.4GHz and 5GHz networks, put passwords -> Next
> Verify your choices -> Save

The router will reboot.

Step 3:
a) Connect to the new 2.4GHz SSID (steinj24), log back in the WebUI (192.168.0.1)
b) Go to Wireless -> Wireless settings. Disable 5GHz radio, leave only 2.4GHz enabled (guests should be fine with 2.4GHz WiFi). Select Channel Width 20MHz, Select Channel number different than your own 2.4GHz network; if yours is on channel 1, fix A7 radio on channel 11, for example -> Save
c) Go to Guest Network, enable it, select SSID (steinj-guest), select Security, put an easy to remember password ("need internet please") -> Save

Reboot the router just in case. You should see now two SSIDs: steinj24 and steinj-guest. Test both, see if everything is working properly, you should have Internet access on both. Give your guests only SSID steinj-guest and Password "need internet please".

What you have now:
- A7 router has created its own network with IP addresses 192.168.0.x
- The Guest Network has no access to devices connected to steinj24 SSID
- The Guest Network has no access to devices connected to your main router
- You see your cameras from your house AND the A7 router with assigned 192.168.1.x WAN IP addresses
- Your guests have up to 30Mbps Internet throughput (2.4GHz, 20MHz channel), should be more than enough
- Guest Network on 2.4GHz, 20MHz channel acts like bandwidth limiter, your guests won't saturate your ISP line

SSIDs and passwords above are examples, to make things clearer. You can set the A7 firmware options as you like, the way you prefer to set your own router. Changes will affect only devices connected to A7. You can enable WAN Administration on A7, select specific IP, put one of your computers' IP there. This way you can change A7 settings from your home, if you need to. No expected guests for a month - turn the Guest Network off from your house. Your guests stay for too long - cut the Internet off, LOL. You can set Static IP to your A7 router on your main router, 192.168.1.2, for example, unused IP on your network. This way your router will always assign 192.168.1.2 to your A7. Reboot A7 after the change.

My eyes are a bit tired after work, may have missed something... sorry.

Yes... channel numbers... as per your local WiFi battlefield situation, see what works best in your case. In general you'll see recommendations for 1-6-11 on the 2.4GHz band. Not mandatory though with newer router models. I don't have an Archer A7 router and I don't know what your main router is. Some details may need adjustment.
 
What you have now:
- The Guest Network has no access to devices connected to your main router
This is not quite true.

While the guest network does have its own subnet and broadcast domain there's nothing preventing it* from accessing devices (wired or wireless) connected to the main router's LAN. That includes the cameras attached to the switch.

Of course the guests don't know what devices are connected to the main LAN, but an nmap scan is trivial. OTOH if the "guests" are prepared to do that sort of thing then they'd probably just plug their own device directly into the dumb switch (if it's accessible).

* Unless those devices have their own individual firewall/ACL that prevents access from a different subnet, like Windows Firewall.
 
This is not quite true.

Not quite true is exactly the correct description, some people may know. Let @steinj14 come back and share how many of the potential guests may know what to do. It's not that obvious if you're not familiar with the setup. Physical access to the switch/router should be restricted, no question about it, plugging in a cable requires no knowledge. Again, the professional way is clear, but expensive (new equipment) and it's going to be hard to explain how to set it up. You know the same things are called differently by different manufacturers.
 
@Val D. Thanks for the detailed instructions, that helps.

If I understand correctly, using IP address 192.168.0.1 on the guest house router will create a subnet, thus isolating its network from my main network (IP address 192.168.1.1).

I had actually returned the Archer router, so I need to purchase a switch and router and then I'll proceed with the configuration as you outlined.

My current router is an ASUS RT-AC68W (Wireless-AC1900 Dual Band Gigabit Router), so I may get another ASUS since I'm familiar with their interface. Since ASUS defaults to 192.168.1.1, I'll manually change the guest house one to 192.168.0.1 and should be good to go, I think.

Thanks so much for sharing your knowledge and time, I appreciate your help.

@ColinTaylor Thanks for your input and explanations. I now recognize that the "isolation" is not foolproof, but it suffices for my situation. The only people who stay at the guest house are family and friends, most of whom are not technically savvy or inclined. The equipment is in a cabinet, though I may consider adding a lock on the cabinet just in case any of them are smarter than I think they are - LOL!
 
If I understand correctly, using IP address 192.168.0.1 on the guest house router will create a subnet, thus isolating its network from my main network (IP address 192.168.1.1).

A locked door with a key under the floor mat. If you want true isolation with no VLANs involved, then you'll need another cable to the guest house. If you have more than one public IP from your ISP, the ISP device runs as a modem (bridge mode) and you connect 2 routers to it (this is what I have for my pfSense box + backup router). If you have one public IP only, the ISP device runs as a router (modem/router mode) and you connect 2 routers to it in Double NAT (as described in this post https://www.snbforums.com/threads/configure-lan-port-as-guest-network.62551/#post-558363).

so I may get another ASUS since I'm familiar with their interface

If the budget allows, you may use the situation and upgrade your main router to something like RT-AC86U (around $170) and move the older RT-AC68W to the guest house. RT-AC86U is a much newer, faster hardware device with better WiFi range and throughput. If you don't want to spend much on the project, get RT-AC66U B1 (under $100). It's very similar hardware to your RT-AC68W, just in a different package. You can change the LAN IP address of the second router to 192.168.2.1, if you like. Your LAN ports at the guest house are the complication, you'll still need a switch before the second router.

If you plan to invite @ColinTaylor to your guest house, better cut the cable in two different places. :)
 
Many thanks to all who responded. I have been able to implement the steps that @Val D. outlined and now have the setup I need.

I have two last questions related to my configuration:

I've configured the Primary router (main house - 192.168.1.1) to use OpenDNS, and enabled Web Content Filtering via the OpenDNS web interface. On the Secondary router (guest house - 192.168.50.1), the WAN DNS Setting is currently configured to connect to the DNS Server automatically. I connected my laptop to the Secondary router's WiFi, then ran the ipconfig command -- it shows "DNS Servers . . . . . . . . . . . : 192.168.50.1".

First question, will the OpenDNS filters I set propagate to the Secondary router?

Second question, is it expected behavior that when I'm connected to the primary network (192.168.1.x), I can't ping the subnet (192.168.50.x)?
 
First question, will the OpenDNS filters I set propagate to the Secondary router?
Yes. The client on the secondary LAN is using the router (192.168.50.1) as its DNS server. Because that router is set for automatic DNS it will be forwarding requests upstream to 192.168.1.1, which in turn is forwarding to OpenDNS.

Second question, is it expected behaviour that when I'm connected to the primary network (192.168.1.x), I can't ping the subnet (192.168.50.x)?
Yes, because the secondary subnet is behind the router's firewall and all the clients are NATed.
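
An added illustration, not part of any post in this thread: a small Python model of the double-NAT layout that shows why new connections from the secondary subnet reach main-LAN devices while the reverse direction is dropped, and what an outbound filter on the secondary router would change. The secondary's WAN address (192.168.1.2), the host addresses and the `egress_block` filter are assumptions made for the example.

```python
"""Toy model of the double-NAT layout from this thread (constructed example)."""
from ipaddress import ip_address, ip_network

MAIN_LAN = ip_network("192.168.1.0/24")    # primary router LAN; cameras sit here
GUEST_LAN = ip_network("192.168.50.0/24")  # LAN/WiFi behind the secondary router
SECONDARY_WAN = ip_address("192.168.1.2")  # assumed static lease for the secondary


def new_connection(src, dst, egress_block=()):
    """Return (verdict, source address the destination sees) for a NEW connection.

    egress_block lists networks the secondary router refuses to forward to.
    It is a hypothetical outbound filter; nobody in the thread configured one.
    """
    src, dst = ip_address(src), ip_address(dst)
    if src in GUEST_LAN and dst in GUEST_LAN:
        return ("delivered", src)  # same subnet, not routed
    if src in GUEST_LAN:
        # LAN -> WAN: forwarded by default, unless an egress rule matches.
        if any(dst in ip_network(net) for net in egress_block):
            return ("dropped by secondary egress filter", None)
        # Source NAT: the far end sees the secondary's WAN address.
        return ("delivered", SECONDARY_WAN)
    if dst in GUEST_LAN:
        # WAN -> LAN: unsolicited inbound traffic stops at the NAT firewall.
        return ("dropped by secondary NAT firewall", None)
    return ("delivered", src)  # traffic that never crosses the secondary router


if __name__ == "__main__":
    # Constructed sample hosts: a camera, a main-house laptop, a guest device.
    camera, laptop, guest = "192.168.1.40", "192.168.1.10", "192.168.50.23"
    for s, d, block in [
        (guest, camera, ()),                       # guest -> camera
        (laptop, guest, ()),                       # main LAN -> guest subnet
        (guest, camera, [str(MAIN_LAN)]),          # same, with the egress filter
        (guest, "203.0.113.10", [str(MAIN_LAN)]),  # Internet-bound, filter on
    ]:
        print(f"{s} -> {d}: {new_connection(s, d, block)}")
```

Because of the source NAT, a camera would see every guest-side connection as coming from the secondary router's single WAN address, which is the address a per-device firewall or ACL rule would have to match.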
 
