Need some advice on multiple networks within a flatshare

[LtJeronimo]

Hi everyone! For a while now I've been trying to wrap my head around the best way to setup two seperate networks within one flat.

Just a bit of info on my current situation.

Current situation:
I currently live in a shared flat with two other people. We have an ISP provider router that comes into the flat through coax. As of now I have it setup that the ISP device is doing all the routing and there's a cable that goes to my room where I have my own Asus router set as an AP with my own SSID. But of course we are all on the same network.

My Goal:
Ideally I would like to have two seperate networks so my house mates can stay on one network which is isolated from my own. I've been trying to figure out what
would be the best approach but I'm totally overwhelmed. Because my Asus AC66U is starting to show it's age I was thinking of upgrading to a GL.iNet GL-B1300 to have some more flexibility in my networking.
One of the reasons of having my own network would also be to have the GL-B1300 run a Wireguard client to connect to a VPN so all my devices (or maybe just a few with policies) route their traffic through there.

What would be the best way of achieving this? The ISP provided router can also be set to act as a bridge and I've been reading about VLANs. I know what they are and had a Cisco class in university but my
knowledge is bit iffy to say the least. Would setting the ISP router to a bridge and using the GL-B1300 with VLANs be possible to make this happen or is there a better/easier solution?

Thanks in advance!

 

[ColinTaylor]

If you are only concerned about isolating yourself from your other housemates (rather than them from you) you could just run your current (or future) router in "router mode". That way you have your own private network which they can't access. The VPN client on the router will work fine.

You would of course have a double NAT setup which may or may not be an issue depending on whether or not you need to allow remote access to devices on your LAN.

 

[LtJeronimo]

If you are only concerned about isolating yourself from your other housemates (rather than them from you) you could just run your current (or future) router in "router mode". That way you have your own private network which they can't access. The VPN client on the router will work fine.

You would of course have a double NAT setup which may or may not be an issue depending on whether or not you need to allow remote access to devices on your LAN.

It wouldn't be my only concern so yeah, ideally isolating them from me would be preferable. Had issues with for example Xbox Live when behind a double NAT in the past. That's one of the reasons I chose to have my current router set to AP mode to avoid any problems. So in that case what would be the best way to get around it?

 

[coxhaus]

If you don't want the troubles of double NAT then use VLANs with assigned networks. You will need a router or an L3 switch which supports VLANs.

 

[OzarkEdge]

It wouldn't be my only concern so yeah, ideally isolating them from me would be preferable. Had issues with for example Xbox Live when behind a double NAT in the past. That's one of the reasons I chose to have my current router set to AP mode to avoid any problems. So in that case what would be the best way to get around it?

Would this work:

ISP router <> your switch ...
... <> your Xbox and other 'don't care' clients
... <> your router <> your secured clients

Also, maybe a new/faster router will improve the Xbox double NAT issue(?).

OE

 

[coxhaus]

Would this work:

ISP router <> your switch ...
... <> your Xbox and other 'don't care' clients
... <> your router <> your secured clients

OE

His house mates may not want him to have access to their network.

 

[OzarkEdge]

His house mates may not want him to have access to their network.

Yes, but... they may not care, it's been that way, they could move, they could pay for their own service, they could do what he's doing... so many options.

OE

 

[LtJeronimo]

If you don't want the troubles of double NAT then use VLANs with assigned networks. You will need a router or an L3 switch which supports VLANs.

Yeah this sounds like the cleanest solution. Seems the router I'm looking to get supports VLANs but I'm still unsure how the wireless would work.
Can't seem to find anywhere if it's possible to use the router's wifi to have 2 SSIDs that are pointing to different VLANs?

And yeah, my house mates could care less about having a seperate network or not.

 

[Trip]

Since you're currently thinking of a hardware upgrade anyways, I'd opt for a VLAN-capable router and APs. That way you're providing segmentation independent from the physical hardware layer (so you can have their SSID and yours broadcasting everywhere, for better range for all of you).

 

[LtJeronimo]

Since you're currently thinking of a hardware upgrade anyways, I'd opt for a VLAN-capable router and APs. That way you're providing segmentation independent from the physical hardware layer (so you can have their SSID and yours broadcasting everywhere, for better range for all of you).

I'm thinking about upgrading the router yes. But since it's a temporary living situation I wouldn't want to invest a lot of money into also purchasing extra APs. Also the flat is pretty small so the wifi from one device is enough to cover everything. The only thing I can't seem to find if it's possible to use that particular router, which runs on some OpenWRT based OS, to create 2 VLANs and 2SSIDs and assign them to each other. What do you think?

 

[Trip]

Fair enough. You should be able to create multiple VLANs per SSID in OpenWRT via these instructions -- in short, you create a bridge interface, assign an SSID to it, then designate the corresponding VLAN ID in the ifname variable value (example: option ifname=eth0.100) where 100 is the VLAN ID. Note: that level of config granularity may not be available in the LuCi web GUI; you may have to delve into the command line instead.

If you're uncomfortable with having to get that technical (with no official end-use support, either), you might instead consider a all-in-one SMB-class router that natively supports VLANs in a bit more straight-forward way, such as a Cisco RV340W.