Network Segmentation

[macster2075]

Hello,
I'm going to try to explain my setup and the issue I am having. Please bare with me as I may not use the correct technical wording and such.

I have 2 Routers, one on each corner of the house.
Router 1, (main network) 192.168.1.x (connected to ISP modem) provides internet access for personal devices.
Router 2, IoTs and security cameras 192.168.2.x

I run an NVR (Blue Iris) on a PC that has 2 NICs.

On the other side of the house, where Router 2 is, I also have a couple of PC that connects to the Main Network, Router 1 via Ethernet cable.
----

I ran an Ethernet cable from Router 1 LAN to a switch which is next to Router 2.
Now, from that switch, I can provide internet access to both PCs on that other side of the house using Ethernet.. great so far.

NIC 2 on that NVR PC, I set it to 192.168.2.x static IP range.

It's hard to explain what I am trying to do or say, but here it goes....

Router 2 needs to have DHCP enabled to provide internet access to devices connected to that network and be separate from the main one.

The issue I am having is that, if I connect an Ethernet cable to the WAN port on Router 2, I lose internet access on devices connected to it. I don't know why.
DHCP is enabled, but no internet access.

Also, if instead of using the WAN port, I use the LAN, then wireless devices will have internet access, but will be getting IP from Router 1 network!.. huh?

So..
Router 1 LAN to Router 2 WAN, No internet access.
Router 1 LAN to Router 2 LAN, then all devices connected to it get IPs from Router 1, 192.168.1.x network.

I can't figure this out!.. Please help. I'm sure it must be something really easy, but I am sure I am just overlooking it.
Is this even possible? I mean, it sounds like it should work fine.

 

[ColinTaylor]

Why have you made two identical threads?

 

[macster2075]

When I posted the first one, it didn't do anything and looked like it was stuck, so I pressed post again. I noticed there are two now, but I can't delete it.

 

[ColinTaylor]

When I posted the first one, it didn't do anything and looked like it was stuck, so I pressed post again. I noticed there are two now, but I can't delete it.

Use the "Report" option on your other post and ask the mods to delete the thread.

 

[ColinTaylor]

Check that Router 2 is in "router mode" and not some other mode, and that it's WAN is configured for DHCP.

 

[ATLga]

Check that Router 2 is in "router mode" and not some other mode, and that it's WAN is configured for DHCP.

And router 1 Lan to router 2 Wan

 

[ColinTaylor]

And router 1 Lan to router 2 Wan

Is that a question or a statement?

 

[macster2075]

And router 1 Lan to router 2 Wan

Router 2 is using Fresh Tomato firmware and it's set to Access Point with DHCP enabled.

 

[drinkingbird]

Hello,
I'm going to try to explain my setup and the issue I am having. Please bare with me as I may not use the correct technical wording and such.

I have 2 Routers, one on each corner of the house.
Router 1, (main network) 192.168.1.x (connected to ISP modem) provides internet access for personal devices.
Router 2, IoTs and security cameras 192.168.2.x

I run an NVR (Blue Iris) on a PC that has 2 NICs.

On the other side of the house, where Router 2 is, I also have a couple of PC that connects to the Main Network, Router 1 via Ethernet cable.
----

I ran an Ethernet cable from Router 1 LAN to a switch which is next to Router 2.
Now, from that switch, I can provide internet access to both PCs on that other side of the house using Ethernet.. great so far.

NIC 2 on that NVR PC, I set it to 192.168.2.x static IP range.

It's hard to explain what I am trying to do or say, but here it goes....

Router 2 needs to have DHCP enabled to provide internet access to devices connected to that network and be separate from the main one.

The issue I am having is that, if I connect an Ethernet cable to the WAN port on Router 2, I lose internet access on devices connected to it. I don't know why.
DHCP is enabled, but no internet access.

Also, if instead of using the WAN port, I use the LAN, then wireless devices will have internet access, but will be getting IP from Router 1 network!.. huh?

So..
Router 1 LAN to Router 2 WAN, No internet access.
Router 1 LAN to Router 2 LAN, then all devices connected to it get IPs from Router 1, 192.168.1.x network.

I can't figure this out!.. Please help. I'm sure it must be something really easy, but I am sure I am just overlooking it.
Is this even possible? I mean, it sounds like it should work fine.

Without the NVR connected, does everything work as expected? The ports in that NVR may just be a switch (bridged together). In which case it is merging your two networks.

Start with just router 2 WAN connected to router 1 LAN. Router 2 WAN should get an IP in 192.168.1.x (you can set a DHCP reservation for it so it always gets the same IP for simplicity, or set a static if you want).

A device connected to router 2 should be able to access the internet at this point. if that doesn't work, then that's where we need to focus. If that works, then start adding devices and see when it dies.

 

[drinkingbird]

Router 2 is using Fresh Tomato firmware and it's set to Access Point with DHCP enabled.

Oh well there you go. There is no segmentation there, router 2 is just an extension of router 1. Set it to router mode and double NAT to get the segmentation you desire. Either that or set up Aimesh if you don't want the double NAT (note both will need to run 386.x or 388.x code in order to have guest network segmentation, and you must use Guest #1). Wired devices connected to router 2 will not be segmented, they will be part of the main LAN in that case. If you need wired devices to be segmented, the dual router/NAT setup or scripting to put ports into the guest network is necessary.

Or since you are running FT on router 2 you can set up the guest network 1 on router 1 (assuming it runs 386 or 388 code) which will create the VLANs, then use FT to accept those VLANs on router 2 and set ports into whichever one you want.

 

[macster2075]

Without the NVR connected, does everything work as expected? The ports in that NVR may just be a switch (bridged together). In which case it is merging your two networks.

Start with just router 2 WAN connected to router 1 LAN. Router 2 WAN should get an IP in 192.168.1.x (you can set a DHCP reservation for it so it always gets the same IP for simplicity, or set a static if you want).

A device connected to router 2 should be able to access the internet at this point. if that doesn't work, then that's where we need to focus. If that works, then start adding devices and see when it dies.

When I refer to an NVR, I meant a PC running Blue Iris.

 

[drinkingbird]

When I refer to an NVR, I meant a PC running Blue Iris.

Ignore this post - you answered your own question and I explained in the next post.

 

[macster2075]

Ignore this post - you answered your own question and I explained in the next post.

I dont see Router mode on this one. I only see this..

 

[drinkingbird]

Router 2 is using Fresh Tomato firmware and it's set to Access Point with DHCP enabled.

Some additional info:

When you enable Guest Wireless 1 on Asus or Merlin 386.x or 388.x code (with "access intranet" disabled) it will create two or three VLANs and subnets for you:
VLAN 501 - 192.168.101.0/24 - 2.4Ghz Guest is in here
VLAN 502 - 192.168.102.0/24 - 5Ghz Guest is in here
VLAN 503 - 192.168.103.0/24 - 5Ghz Guest 2 is in here (only if you have a router with dual 5ghz radios)

Those VLANs are tagged out all LAN ports. So then you can connect your FT router LAN port to any router 1 LAN port, set that FT router port to 501 and 502 tagged and 1 untagged. Then set other ports to 501 or 502 untagged and they will be in that subnet/VLAN. Map your guest wifi on router 2 into one or both of those VLANs and you've essentially done what AIMESH does but with the ability to have wired ports in them also.

If FT supports VLANs on the WAN port in AP mode you can use that one for the uplink if needed so you have 1 more port available.

If you don't want router 2 advertising the guest network, you could hide the SSID (and use a different SSID than router 2's guest so clients won't connect to router 1).

 

[drinkingbird]

I dont see Router mode on this one. I only see this..
View attachment 51333

Sounds like router 2 is not a router, but an AP (or for some reason FT only supports AP mode on that router). If you reset and go through initial setup, does it give you the option of using it as a router? What model is it?

 

[macster2075]

Some additional info:

When you enable Guest Wireless 1 on Asus or Merlin 386.x or 388.x code (with "access intranet" disabled) it will create two or three VLANs and subnets for you:
VLAN 501 - 192.168.101.0/24 - 2.4Ghz Guest is in here
VLAN 502 - 192.168.102.0/24 - 5Ghz Guest is in here
VLAN 503 - 192.168.103.0/24 - 5Ghz Guest 2 is in here (only if you have a router with dual 5ghz radios)

Those VLANs are tagged out all LAN ports. So then you can connect your FT router LAN port to any router 1 LAN port, set that FT router port to 501 and 502 tagged and 1 untagged. Then set other ports to 501 or 502 untagged and they will be in that subnet/VLAN. Map your guest wifi on router 2 into one or both of those VLANs and you've essentially done what AIMESH does but with the ability to have wired ports in them also.

If FT supports VLANs on the WAN port in AP mode you can use that one for the uplink if needed so you have 1 more port available.

If you don't want router 2 advertising the guest network, you could hide the SSID (and use a different SSID than router 2's guest so clients won't connect to router 1).

I can't use Router 1 Auss for this because If I disable intranet, I can't add the cameras to the NVR because they will be blocked from accessing the LAN.

 

[ATLga]

Is that a question or a statement?

There is no question mark. It's a statement.

 

[drinkingbird]

I can't use Router 1 Auss for this because If I disable intranet, I can't add the cameras to the NVR because they will be blocked from accessing the LAN.

I'm not saying to, enabling GW1 on router 1 is just to get it to create the VLANs for you. You don't have to use that guest wireless for anything. Rewind. What model are the two routers, what devices do you want connected to each router, and how should they be segmented?

 

[ColinTaylor]

There is no question mark. It's a statement.

Sorry, I thought that was a reply from the OP. I completely missed your name.

 

[macster2075]

I'm not saying to, enabling GW1 on router 1 is just to get it to create the VLANs for you. You don't have to use that guest wireless for anything. Rewind. What model are the two routers, what devices do you want connected to each router, and how should they be segmented?

Thanks for your patience.. haha...

Main router is Asus RT-AC86U v386.11
router 2, Asus RT-AC68U Fresh Tomato

Router 1 - peronal stuff - 192.168.1.x
Router 2 iot's and security cameras + NVR running on Windows 11 PC - 192.168.2.x