Using router mode Double Nat instead of AP on 86U?

Mouse4

New Around Here
Hello folks,
I am fairly new to all network setups. Up until recently it's been a super basic setup. Been using my ISP box and using a RT-AC86U in AP mode for my wireless. Recently I started sharing my connection with a couple of neighbors. This got me into looking at my setup as I wanted to be able to monitor the bandwidth they are using and limit speeds and possibly services on the wireless side, specifically for the 2.4 GHz band, which is the connection I let guests connect to.

I recently replaced my ISP router with a pfSense box, which does let me see things on a client-to-client basis. And I started to look at my wireless and realized there isn't much that can be done in AP mode. I can't set bandwidth limits for the guest network, can't monitor anything except IPs and see connections. So I thought I'd switch the wireless to Router mode and disable NAT so I can do some of this stuff. Well, I can't seem to figure out how to get this working, mainly because it seems I can't have the WAN and LAN on the same subnet? I imagine most likely I just don't understand something properly and this is probably a dumb question, and I apologize if this is the case or if I have missed some obvious post or info somewhere.

At the moment the only two ways I have been able to use it is as AP mode and Client mode, neither of which seem to give me much control. I was hoping maybe someone could help me out.
 
Here is how to double NAT your routers. Both can't be on same subnet.
 

Attachments

  • How to double NAT two routers.txt
    4.9 KB · Views: 397
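
The constraint in the post above ("Both can't be on same subnet"), as an added example that is not part of the original thread or the attached text file: a Python check of a double-NAT addressing plan, where "outer" is the upstream router's LAN and "inner" is the second router behind it. The function name and all addresses are constructed for illustration, and IPv4 is assumed.

```python
import ipaddress

def check_double_nat_plan(outer_lan, inner_wan_ip, inner_wan_gw, inner_lan):
    """Return a list of problems in a double-NAT addressing plan (empty = OK).

    outer_lan    - LAN subnet of the upstream router (e.g. the pfSense box)
    inner_wan_ip - address the second router takes on that LAN (its WAN side)
    inner_wan_gw - upstream router's LAN address (the second router's gateway)
    inner_lan    - subnet the second router hands out to its own clients
    """
    outer = ipaddress.ip_network(outer_lan)
    inner = ipaddress.ip_network(inner_lan)
    wan_ip = ipaddress.ip_address(inner_wan_ip)
    gateway = ipaddress.ip_address(inner_wan_gw)
    problems = []

    # overlaps() also catches the case where one subnet contains the other,
    # which a plain string comparison of the two prefixes would miss.
    if inner.overlaps(outer):
        problems.append("inner LAN overlaps outer LAN")

    for label, addr in (("inner WAN address", wan_ip),
                        ("inner WAN gateway", gateway)):
        if addr not in outer:
            problems.append(f"{label} is outside the outer LAN")
        elif addr in (outer.network_address, outer.broadcast_address):
            problems.append(f"{label} is not a usable host address")

    if wan_ip == gateway:
        problems.append("inner WAN address collides with its gateway")
    return problems

# Constructed sample plans: (outer LAN, inner WAN IP, inner WAN gateway, inner LAN)
GOOD = ("192.168.1.0/24", "192.168.1.2", "192.168.1.1", "192.168.50.0/24")
SAME = ("192.168.1.0/24", "192.168.1.2", "192.168.1.1", "192.168.1.0/24")
WIDE = ("192.168.1.0/24", "192.168.1.2", "192.168.1.1", "192.168.0.0/16")

if __name__ == "__main__":
    for name, plan in (("good", GOOD), ("same subnet", SAME), ("supernet", WIDE)):
        print(name, "->", check_double_nat_plan(*plan) or "OK")
```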
So, are neighbors on your AP 2.4 GHz able to access your LAN, I wonder...

OE
 
At the moment, unfortunately yes.

With a double NAT and/or guest networks you can prevent that. For maximum flexibility consider flashing Merlin onto your AC86.
 
Hmm... you are accepting responsibility for their Internet usage and permitting them and theirs and maybe not theirs to have access to your network, clients, traffic, and data. Even if you trust them, this is not safe computing... imo. Perhaps your current project should include isolating their network from yours. Someone here with experience could probably suggest how that can best be done.

OE
 
I always use the neighbor sharing / hacking examples when some non-networker asks me why it’s important to lock a network down. I tell them about the bad guy who’d hook into their network, send a threatening letter to the White House, then disconnect and watch the black cars pull up and watch if they can explain it wasn’t from them. The 500W lightbulb ALWAYS goes on immediately.
 
So I did the double NAT setup CaptainSTX posted and it seems like it may have been the answer to my question. I just had a misconception that double NAT was a huge no-no and would cause nothing but issues. But after trying it, using the guest wireless network seems to be limiting the speed like I want, and I can no longer see my intranet from the guest like I could before.

I appreciate your help folks. Now my plan is to figure out how to limit/ban certain services, mainly torrents, and how to route specifically guest network through a VPN just for further protection.

Hmm... you are accepting responsibility for their Internet usage and permitting them and theirs and maybe not theirs to have access to your network, clients, traffic, and data. Even if you trust them, this is not safe computing... imo. Perhaps your current project should include isolating their network from yours. Someone here with experience could probably suggest how that can best be done.

OE
I thought that was kinda partially what I was asking, just not as direct. :) I guess it would have helped if I had mentioned that I was using Merlin firmware.

OzarkEdge said:
I always use the neighbor sharing / hacking examples when some non-networker asks me why it’s important to lock a network down. I tell them about the bad guy who’d hook into their network, send a threatening letter to the White House, then disconnect and watch the black cars pull up and watch if they can explain it wasn’t from them. The 500W lightbulb ALWAYS goes on immediately.

I wasn't really asking about the importance of locking down the network. We absolutely agree on it. :) I was asking for help on how to do it on the wireless side, I just don't know exactly what to ask so I ask what I know in hopes of figuring out the correct questions.
To be fair, contrary to what my original question implied, my wireless is not an open network, I have it password protected and only the people I know have been allowed access. I just want to be able to further limit and monitor beyond what I have already done.
 
Fair enough.

My main concern would be malware they encounter finding its way around the network to infect/encrypt all resources.

OE
 
I knew you’d have the understanding of open networks problems, and sorry I didn’t really contribute. I just love telling that story because my visual is always their eyes getting really big when the bulb goes on.
 
Since you're already on Merlin, have you looked at YazFi?
 
Thanks, I solved my problems. I ended up dumping my overpriced ASUS junk and buying a much more capable AP and everything is working great now. :D
 
For the benefit of other people wanting to do the same thing would you mind telling us what equipment you're now using?
 
From reading the first post, OP, your ASUS router was working fine as an access point, and after that it seems like you successfully configured it to work as a double NAT router.
 
You know, I am sorry if that came off as me knocking ASUS products. I actually do think they make good products for the market they are focused on, which is kinda me but not :). I was really just a bit frustrated that at every turn beyond setting up anything more than a basic at-home network I was being blocked by this thing. The double NAT wasn't working well and I wanted to be able to do VLAN tagging of guest, of which there is no currently documented way at all to do (even though it is obviously capable of it).
When I thought about what I was looking for and finally realized I needed to get something a bit more suited so I could do stuff like monitor connections, VLANs, etc. w/o having to jump through hoops and feel like I have just duct-taped everything together. I wound up getting a Ubiquiti UniFi HD. I must say my only real -very small- complaint is having to use management software to set it up; other than that, it is amazing how smooth and easily everything has gone together. Plus I got a really good deal on it, much less than what I originally even paid for the ASUS. :)
 
You can do everything on the pfSense box with the help of some extra equipment like managed switch and APs with VLAN support. You can isolate LAN and WiFi networks using the same WAN, monitor traffic, apply restrictive rules, block traffic, limit bandwidth, etc. whatever you want, but the main problem (mentioned above) remains - the ISP account owner is responsible for ALL the activity through the account. And if I was one of those neighbors of yours and I know you can monitor my Internet activities at any given moment, I wouldn't connect to this "shared" account anyway.
 
