One Cable Modem Connected to Two Routers w/Independent Networks WIFI & Guest

PunchCardBoss

Regular Contributor
Okay folks. I finally relent. After days and hours of reading and trial-by-error (fire), I concede I need more professional guidance. Pls consider me a newbie even though I learned programming on punch cards and am a power user. I’m not a network sys-admin and still trying to catch up with the rest of you guys.

I know this subject has been covered many times, but the available resources don’t seem to cover new equipment with current FW AND guest WIFI.

Objective:
Create two distinct LAN networks each with their own GUEST network capability with two different routers connected to one cable modem.

Why?
One ISP internet connection shared between an office and a home. Each should have their own (different) networks and Guest WIFI capabilities but share the same internet WAN connection with one modem.

Hardware/Services:
(1) Motorola 8600 cable modem connected to COX ISP
(1) Asus RT-AX88U (primary router) running 386_49674 FW (most current AsusWRT)
(1) Asus RT-AC88U (secondary router) running 386_48260 FW (most current AsusWRT)
(1) very old (5) port dumb switch – Linksys model EZXS55W 10/100 Workgroup Switch
Ethernet (wired) connections available to all the above devices.

Possible Topologies:
  • Aimesh
  • Access Point (AP)
  • Media Bridge
  • Wireless router mode (default)
    • AX88U LAN port connected to AC88U WAN port (piggyback)
    • 8600 modem connected to the Linksys switch and both router WAN ports connected to the switch.
Both Aimesh and AP modes want to extend a single network. I want two independent (isolated) networks. So these potential options do not seem to apply to my objective.

Media Bridge mode for Asus routers only works with a WIFI connection between each router. So it too does not qualify as a potential option.

Asus’s Wireless router mode seems like the only possible path. And of these, there seems to be 2 alternatives: “piggyback” and a switch between routers and modem.

Linksys Switch Between Modem and Routers:
The AC88U was reset and a basic setup was performed. All options were default settings.

I first tried placing my switch between the modem and router. One router would connect but not the other. After many reboots, whichever router connected first seemed to be the router that received internet access. I’m a little surprised this did not work as I had read a few older posts that suggest this topology would work okay.

Question #1: Would a new switch or a managed switch make any difference? Or is this something that will never work? If this topology can be made to work, what router configurations should I be looking at? [I know that is more than one question :-o]

BTW, if router error logs would be helpful, I can recreate the test conditions and add them in a separate post.

AX88U LAN port connected to AC88U WAN port (piggyback)
The AC88U was reset and a basic setup was performed. All options were default settings.

LAN IP addresses that follow are fictitious to protect the innocent.

I found a few posts that covered this topology, but none covered GUEST mode operations. Well, the setup was rather easy and seemed to work. The AX88U assigned a DHCP address of 192.168.11.201 to the AC88U. The AC88U WAN address showed 192.168.21.1 with subnet of 255.255.255.0. I also assigned several GUEST networks on the AC88U with different SSIDs than those on the AX88U. And they all worked. So, on the surface, this topology seemed to offer the solution I was looking for.

However, when I tested access of network devices (wired and WIFI) from an AC88U network that are on the AX88U network, I could access them all. So, I was not getting isolation of the 192.168.21.1 and 192.168.11.1 networks.

Question #2: Is the lack of isolation between the two router networks to be expected? Is there a setting that would isolate the LANs from each other while still allowing internet access for each?

Thank you in advance for all kind and helpful advice.
 
The only option that will work with your current equipment is the "piggy back" method. To isolate devices on the primary network from clients on the secondary network use the Network Services Filter on the secondary (AC88U) router.

Untitled.png

P.S. I believe this is a typo: "The AC88U WAN address showed 192.168.21.1." I'm assuming that's the LAN address.
 
You need an edgerouter or something to get the IP from the 8600 and then use the LAN on the ER to give an IP to the Asus boxes.

8600 is going to give a WAN IP to the first MAC as it's a bridge not a router.

Maybe upgrading to a L3 switch you could grab the IP from the 8600 and get it assigned to the switch and then from there split it to the routers.

Probably the simpler idea would be to replace the 8600 with a different model that provides routing.

MG8702 - looks like a good swap. $270
Or if you want a backup WIFI / upgrade to AX - $450
https://www.amazon.com/dp/B08DL4QB25/?tag=snbforums-20
 
P.S. I believe this is a typo: "The AC88U WAN address showed 192.168.21.1." I'm assuming that's the LAN address.
Yep. My bad. I just checked again and see the AC88U has a LAN address of 192.168.21.XXX. This is the DHCP LAN IP given by the AC88U.
 
The only option that will work with your current equipment is the "piggy back" method
Big Tks Colin. I needed to know that I am on the right path with the "piggy back" approach. I will study your suggestion of the "Network Service filter Table". Tks again for pointing me in the right direction.

I did read some more and see older posts that speak to the modem-switch-router(s) topology but they really didn't address the type of equipment necessary.
 
MG8702 - looks like a good swap. $270
Or if you want a backup WIFI / upgrade to AX - $450
Nice....

Tks for your insight. I will give that a look. Again, very much appreciate pointing me in the right direction. Your advice is like aspirin to my novice headache :).
 
To isolate devices on the primary network from clients on the secondary network use the Network Services Filter on the secondary (AC88U) router.
Well, Colin, the good news is your solution worked partially. Only when I am connected by ethernet cable to my AC88U LAN ports.



When I am connected by the primary WIFI, everything except access to the AC88U is gone. No internet. No access to AX88U LAN devices. When connected to the AC88U guest WIFI, the access to the router UI is lost. This is expected because the “Access Intranet” field is disabled.

I have created a crude network topology map so we can follow things a little better. These LAN addresses are the actual addresses on my test setup.
Piggy-Back Topology.jpg


I have also taken screen shots of
  • Firewall – Network Service Filter (IPs are actual)
  • AC88U mode – just to show that it is not in any other mode
  • System Log Routing Table
  • Guest WIFI settings
AC88U Firewall-NetworkServiceFilter.jpg


AC88U Mode.jpg


AC88U System Log Routing Table.jpg


Guest WIFI Settings.jpg


The Firewall is disabled on the AC88U. And there are no other custom settings. There were no errors in the Systems Log.

If error logs on the AX88U would be helpful, I can get them too.

Thank you, Colin, for your kind assistance and next suggestion.
 
MG8702 - looks like a good swap
Tks for the suggestions. I have done a little more research on the MG8702. It looks like there are (4) RJ45 ports on the back side.

Motorola MG8720.jpg


Would the idea be to wire both AC and AX routers to ethernet ports on the back side of the MG8702? Would both router LANs be isolated from one another?

Two isolated networks - One Modem.jpg
 
Yes, both would be in the same subnet unless there's an option for dual subnets. Another option would be to configure system A with a /25 and system B with the remaining /25 and they would not talk to each other but still use the same gateway to get out. I haven't looked into the manual for that model but, a little trickery can get you where you want to end up. The other option is the L3 switch and put each router into its own vlan and then route both vlans out the same gateway on the modem. Adding vlan 802.11q tagging to the mix.
 
Well, Colin, the good news is your solution worked partially. Only when I am connected by ethernet cable to my AC88U LAN ports.
To be clear - clients connected to the AX88U are still working OK. Correct? It's just WiFi connections on the AC88U that have problems.

Disable the guest network #1 while testing. As you can see it creates a separate hard-coded subnet with its own VLAN. I can't predict how that will interact with the upstream router. It's generally a good idea to avoid using that anyway unless you're using AiMesh. Later on you can use guest networks #2 or #3 instead.

The Firewall is disabled on the AC88U. And there are no other custom settings. There were no errors in the Systems Log.
Don't change the firewall (or NAT) setting, it should be enabled. Although that shouldn't be the cause of your problem.

EDIT: If it still doesn't work enable SSH on the AC88U. Log into it and post the output of the iptables-save command. It's possible NSF works differently on stock firmware than it does on Merlin's.
 
unless there's an option for dual subnets
Looked through the user manual and didn't see support for a dual subnet. So this may not work for the purpose intended.

Any suggestions for isolating the AC router LAN from the AX in piggy back mode?
 
Looked through the user manual and didn't see support for a dual subnet. So this may not work for the purpose intended.
This method would work because the MG8702 is a combined cable modem plus wireless router. So you'd end up with three routers and three networks. But it seems rather wasteful paying for a wireless router when you'll only have two devices connected to it (the Asus routers) and you wouldn't be using its WiFi.
 
Any suggestions for isolating the AC router LAN from the AX in piggy back mode?
Looking at your diagram....

Just give the routers a WAN IP in the same subnet and then on each router change the LAN to whatever you want to make them different and there shouldn't be any crosstalk since the subnets on the LAN's will be different w/ NAT on each Asus for session connectivity.

There's a 1000 ways to do this sort of thing just not usually w/ 2 routers behind a router. Most would just get a L3 switch and put each network into its own VLAN and call it a day but, I'm assuming you're doing this to provide WIFI to each location / use.

I would start over w/ the MG / disable WIFI or use it for one of the groups
Connect a L2 or L3 switch and give each use a VLAN of their own
If you need additional ports for wired clients in either network just get a dumb switch for 5 ports or whatever you need as they're only $10
Grab 2 AP's to plug into each network for WIFI

Sell the Asus routers and be done with it. Even a different model CM w/ routing ability would work and depending on your ISP plan you may not even need D3.1 for the speed you're getting. For the not having to replace the CM though when they start sunsetting older Docsis tech.
 
Instead of replacing the existing cable modem with an expensive Wi-Fi modem/router for $270, a cheap ER605 wired router for $60 will do exactly what @PunchCardBoss wants with the two Asus routers behind it. Even this small extra expense may not be necessary.
 
@Tech9


I think I already mentioned that but not the specific model.
 
I think I already mentioned that but not the specific model.

Correct. No hardware replacement is needed, no L3 switches or APs. What @PunchCardBoss already has as hardware is enough. If the devices connected to both routers don't have some special requirements even this extra router is not needed. The two routers connected and firewall rules play only.
 
To be clear - clients connected to the AX88U are still working OK. Correct? It's just WiFi connections on the AC88U that have problems.
Thanks for your reply. I spent the last few hours conducting a simple experiment that seems to play into some of your ideas. I changed the Firewall-Network Service Filter Table DENY list to include a single static IP that is on the AX88U LAN network. And I compared results to another static IP device on the AX88U LAN. So only one of these 2 different static IP addresses was on the Firewall-Network Service Filter Table DENY list.

Results were weird. I tested over and over with different browsers and cleared cache every time. The tests show that Guest WIFI on index #2 (5Ghz) worked as it should. But Guest WIFI (2.4Ghz) on index #1 did not. Here are my results.

test001.jpg


But look at the results when Access Intranet was enabled (which defeats some of the purpose of a guest wifi network). Access results were different.

I will confirm my results tomorrow after I let things sit for a while. And I will investigate your suggestions as well.

I think I smell a bug!
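
Added example, not part of any post in this thread and not Asus or Merlin code: a way to check offline what `iptables-save` output from the secondary router says about isolation, using the thread's example subnets 192.168.21.0/24 (AC88U LAN) and 192.168.11.0/24 (AX88U LAN). The ruleset text and the chain name `NSF_DEMO` are constructed for illustration; only plain `-s`/`-d`/`-j` rules are modelled.

```python
import ipaddress
import shlex
# Constructed iptables-save excerpt: chain name NSF_DEMO and the rule layout are
# assumptions for illustration, not output captured from Asus firmware.
TEMPLATE = """*filter
:FORWARD DROP [0:0]
:NSF_DEMO - [0:0]
-A FORWARD -j NSF_DEMO
-A FORWARD -s 192.168.21.0/24 -j ACCEPT
-A NSF_DEMO -s 192.168.21.0/24 -d {deny} -j DROP
COMMIT
"""

def parse(save_text):
    policy, chains, in_filter = {}, {}, False
    for line in save_text.splitlines():
        if line.startswith("*"):
            in_filter = line.strip() == "*filter"
        elif in_filter and line.startswith(":"):
            name, pol = line[1:].split()[:2]
            policy[name], chains[name] = pol, []
        elif in_filter and line.startswith("-A "):
            tok = shlex.split(line)  # simplification: each option takes one argument
            chains.setdefault(tok[1], []).append(dict(zip(tok[2::2], tok[3::2])))
    return policy, chains

def verdict(policy, chains, src, dst, chain="FORWARD"):
    """First-match walk of one chain; None means RETURN or fall-through."""
    for rule in chains.get(chain, []):
        nets = [ipaddress.ip_network(rule.get(k, "0.0.0.0/0"), strict=False) for k in ("-s", "-d")]
        target = rule.get("-j")
        # Extra matchers (-p, -m ...) may not apply: count such a rule only if ACCEPT.
        conditional = bool(set(rule) - {"-s", "-d", "-j"})
        if src not in nets[0] or dst not in nets[1] or (conditional and target != "ACCEPT"):
            continue
        if target == "RETURN":
            return None
        if target in chains:
            result = verdict(policy, chains, src, dst, target)
            if result:
                return result
        elif target in ("ACCEPT", "DROP", "REJECT"):
            return target
    return None if policy.get(chain, "-") == "-" else policy[chain]

def reachable(save_text, src, targets):
    policy, chains = parse(save_text)
    return [t for t in targets if verdict(
        policy, chains, ipaddress.ip_address(src), ipaddress.ip_address(t)) == "ACCEPT"]
```

`reachable()` returns the targets a client at `src` can still reach through the FORWARD chain. With a single upstream host on the deny list the other upstream hosts stay reachable; with the whole upstream /24 denied only internet destinations remain.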
 
The tests show that Guest WIFI on index #2 (5Ghz) worked as it should. But Guest WIFI (2.4Ghz) on index #1 did not.
The inconsistent behaviour of guest network #1 (on both 2.4 and 5 GHz) has been widely reported in these forums. This applies to a single standalone router and is not particularly related to your two router setup. The advice is to not use guest network #1 so as to avoid these kinds of confusing situations. Having two primary WiFi networks and four guest networks is usually enough to work with.

So apart from the issue with guest network #1 when intranet access is disabled this seems to be working as you wanted.
 
The inconsistent behaviour of guest network #1 (on both 2.4 and 5 GHz) has been widely reported in these forums.
Ahhhhhh... Big thanks for that heads-up. Newbie(itise) strikes again :). Humbled again :rolleyes:.

So apart from the issue with guest network #1 when intranet access is disabled this seems to be working as you wanted.
It does prove that the deny list is functioning the way it should. And your original inputs into the deny list should work well if guest network #1 is avoided.

---------------------------------------
NOW, on to the reality. All my testing has been done on my routers test bench. The AC88U was my old router I kept as a spare. The AX is my working home unit.

Today (or tomorrow) I install the same piggy-back setup except for one hardware change. The setup will be with a relatively new AX88U as the primary router. And a brand new AX3000 will piggy-back into the AX88U. I donate my time to others that know less about networking than I do - although that's not saying much :cool:.

These two routers are more similar than my home bench test routers. Both the AX88U and AX3000 share the same FW version. So, in theory, they should be more likely to play nice with one another.

So, pls give me a day or two to report back on this new install.
 
