
Very Specific Wireless Router Recommendation Request


NetworkingNovice

I realized that my previous attempt to request information may have been placed in the wrong forum and so I have moved it here.

I need to buy a new wireless router.

My current topology is as follows...

I have an ActionTec MI424WR as gateway to FIOS internet.

The wireless radio is turned off intentionally.

The ActionTec feeds a Cisco SG100-16 Gigabit switch.

All of my wired devices are connected to this switch to create my LAN.

In addition, I have a Zyxel X-550 Router connected with an ethernet cable from the LAN on the Cisco switch and is plugged into the WAN port on the Zyxel Router.

The Zyxel has DHCP turned on and set to a different Private IP address range than the ActionTec.

The Zyxel has the wireless radio turned ON and is ONLY used to connect wireless clients to the internet.

Wireless clients like smartphones only see other wireless clients, the Zyxel router, and the internet.

Wireless clients do not see the ActionTec Router or any WIRED client.

That is intentional. That is what I want for security reasons.

The Zyxel is very old, 2.4 GHz only, and is slow.

I would like to replace it with a new 802.11AC type wireless router, but so many modern routers get a significant percentage of 1 star reviews on Amazon with horrendous problems being described.

Can anyone tell me of a reliable router that will successfully replace my Zyxel being used as described above?
 
For a true network novice (if you are one), the best way to do this would be utilize the Guest wireless network feature found on most mainstream all-in-one wireless routers. Joining your wireless clients to the guest wireless network would keep all of those clients isolated from any wired hosts connected to the router or the Cisco SG100-16 switch (which would be connected to one of the LAN ports on the router).

I would suggest looking for whatever Asus AC all-in-one hardware seems to be the least failure-prone, then load the latest version of Merlin firmware on it (essentially a bug-fixed and much more stable version of the Asus stock firmware), then configure the router, including Guest wifi, connect your SG100-16 to one of the LAN ports, connect your wireless clients to the guest wifi, and you should be good to go. EDIT - I'm mentioning @RMerlin to perhaps get his input on the best Asus hardware choice.

Beyond the above approach, I could recommend more pro-level gear, which, if set up properly, would likely be more stable and potentially higher performance (if desired), but you would likely have to configure VLANs, interface VLAN membership and firewall rules, among a few other tweaks, to create an equivalent setup; something that would be challenging, if not impossible, for a novice, unless you were willing to put in the time for learning and trial-and-error. Your call, but I would probably lean towards the first approach, if you can find a candidate hardware that seems reliable enough.
 
In addition, I have a Zyxel X-550 Router connected with an ethernet cable from the LAN on the Cisco switch and is plugged into the WAN port on the Zyxel Router.

The Zyxel has DHCP turned on and set to a different Private IP address range than the ActionTec.

The Zyxel has the wireless radio turned ON and is ONLY used to connect wireless clients to the internet.

Wireless clients like smartphones only see other wireless clients, the Zyxel router, and the internet.

Wireless clients do not see the ActionTec Router or any WIRED client.

That is intentional. That is what I want for security reasons.

I don't see how this is true in that the wireless clients don't see the Cisco LAN. Once routing is turned on for this to work then all wireless clients should be able to ping all IPs in the Cisco LAN and have complete access. The only way to stop higher level access that comes to my mind is to use ACLs, access control lists. Please explain how you limit access on the wireless clients to the Cisco LAN?

The ASUS routers do not support ACLs. A guest network on a lower level network is not going to help you. The guests will have complete access to the Cisco LAN clients.

PS
If you replace your ActionTec router with an ASUS router then it will work but you need to collapse the Cisco LAN and only use the ASUS LAN. Can you use the Actiontec as a modem?
 
Thank you Trip. Thank you coxhaus.

My configuration came as a result of poking around the internet and finding a few articles probably more than a decade ago which described daisy chaining routers with both DHCP servers on and using different address ranges for each. I call myself a novice because I do not know how or why it works. It just has for over 10 years.

I am stuck with the ActionTec router (MOCA) because it provides my FIOS DVR scheduling info.

I am willing to buy whichever brand of Router will substitute in for the Zyxel and hopefully perform the same way.

I recently tried using a Grandstream GWN7610 Access Point in place of the Zyxel.
No matter which Client Isolation Mode I chose for the wireless clients, I could still see all wired clients and ActionTec Router from my smartphone using the app "WiFi Monitor: analyzer of WiFi networks" by Alexander Kozyukov.

When I tried turning on the DHCP server in the GWN7610 it required using a VLAN with a subnet mask matching the private address range for the GWN7610 address range and was unable to translate the DNS addresses and could not see the internet. Though it also did not see the wired clients nor the ActionTec router.

All of the reviews I have read have a significant percentage of people who are complaining that either their router never worked right from day 1, or dropped dead prematurely.
The general impression I got was that fewer folks were complaining about Asus and TP Link than the other brands. But that is just a general impression I got and if anyone has some more concrete recommendations for other brands, I am open to that.

Other than specifying a different address range and leaving the DHCP server turned on, I don't remember anything special when connecting the WAN port on the Zyxel to one of the LAN ports on the Cisco unmanaged switch. I might be using the subnet mask for the ActionTec address range as the subnet mask for the Zyxel. I am not sure, and I am hesitant to enter the configuration page for fear of messing up something by accident.

I don't mind learning new networking concepts. I just want to keep hardware things as simple as what I have been using, if possible.

Sorry I do not know more to share.
 
The config you are running is protecting your Wi-Fi from the PC network providing you are running the firewall on the Zyxel. Your network is not working the way you think. You have it backwards. So replacing a router is not going to fix your network design if you really want to isolate your PC network from the phones.
 
The config you are running is protecting your Wi-Fi from the PC network providing you are running the firewall on the Zyxel. Your network is not working the way you think. You have it backwards. So replacing a router is not going to fix your network design if you really want to isolate your PC network from the phones.

I was surprised to read this since WiFi Monitoring app did not show any of the wired devices, so I downloaded the Fing app and pinged the addresses of wired devices and yes you are correct. The wired devices are pingable.

Grrrrrr!!!! :(

Would changing the subnet mask of the Zyxel to the correct value for the Zyxel's address range help?

With the constraint that I have to keep the ActionTec router as the primary, what topology and devices would allow me to isolate my wired devices from my wireless network?

What brands of router would allow me the ACL features?

Thanks for any guidance.
 
This may be a naive question but here goes...

My ONT is an I-211-MH.
Currently the COAX is connected to the ActionTec Router and the Ethernet jack on the ONT is unused and disabled.
If it is possible for me to request that Verizon enable both the COAX and the Ethernet Jacks on the ONT,
could I leave the ActionTec connected to the COAX connector and connect a new wireless router to the Ethernet Jack on the ONT?
Would this allow separation of the wireless and wired networks if the two routers used different address ranges (i.e. 192.x.x.x on ActionTec and 172.x.x.x on the new router) ???
 
ACLs (access control lists) are a part of a firewall feature set that allows for controlling access (duh!) of layer 2 and 3 network objects to/from one another, be it MAC IDs, IPs, whole or partial networks, domains, zones, etc. The actual truth is that ACLs are resident and running behind the scenes in most all router firmwares, even consumer, as they're almost all based on Linux and iptables these days; it's just that in a lot of the consumer firmwares, they typically provide zero access (as it's beyond the grasp of most consumers).

That can be solved on a lot of consumer routers by flashing third-party, open-source firmwares (OpenWRT, DD-WRT, pfSense, etc.) which often expose iptables and make them more or less fully editable. In other scenarios, it's more desirable to just purchase routers whose stock firmware already comes with this ability, which I would presume is more of what you're looking for. Still, even if you were to buy something with that capability included, you should know that administrating firewalls definitely takes some study and practice, especially if you're a novice. We can certainly recommend plenty of options, but operation will be anything but plug-n-play. (Granted, some firmwares make ACLs and policy creation much nicer to interact with than others).

If that hasn't scared you off and you still want to see an example, check out the Cisco RV160W, perhaps even the 260W for 3-stream wifi. They are Cisco's newer RV models and with a friendlier UI (here's a link to a 160W online demo). If you navigate to "Firewall" > "Access Rules", that is the kind of stuff you'd be getting yourself into. As you can see, very powerful, but also not for the uninitiated.

Regarding requesting special CPE adjustments by Verizon, ISPs are typically reluctant to alter any standard config when it comes to on-premise residential gear, for all the obvious reasons, most surrounding support overhead, so I doubt you're going to get anywhere there. Then again, as long as you're setting your stuff up properly behind the ISP modem, you likely shouldn't have, or more importantly want, to go altering their equipment anyways.
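
The isolation problem discussed in this thread, as an added example that is not part of any poster's message: a small first-match ACL model showing why the daisy-chained wireless router forwards traffic to the wired LAN by default, and what a deny rule changes. The subnets, host addresses and the assumption that the ActionTec also serves DNS to wireless clients are constructed for illustration.

```python
import ipaddress as ip

# Constructed addressing for the thread's topology (assumptions, not from the posts).
WIRED_LAN = ip.ip_network("192.168.1.0/24")   # ActionTec + Cisco switch side
WIFI_LAN = ip.ip_network("192.168.2.0/24")    # inner wireless router's own LAN
GATEWAY = ip.ip_network("192.168.1.1/32")     # ActionTec, assumed to serve DNS

# Rule format: (action, source net, destination net, protocol, dest port or None).
# Order matters: the DNS exception must come before the blanket deny.
ISOLATING_ACL = [
    ("allow", WIFI_LAN, GATEWAY, "udp", 53),
    ("deny", WIFI_LAN, WIRED_LAN, "any", None),
]

def forward_decision(acl, src, dst, proto, dport=None):
    """First matching rule wins. With no match, fall back to the usual
    consumer-router default: LAN-side traffic is forwarded out the WAN
    port, and the upstream private LAN is reachable through that port."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    for action, src_net, dst_net, r_proto, r_port in acl:
        if (src in src_net and dst in dst_net
                and r_proto in ("any", proto)
                and r_port in (None, dport)):
            return action
    return "allow"

def audit(acl):
    """Run the probes a wireless client could send and report each verdict."""
    wifi_client = "192.168.2.50"
    probes = {
        "ping wired PC": (wifi_client, "192.168.1.20", "icmp", None),
        "gateway admin page": (wifi_client, "192.168.1.1", "tcp", 80),
        "gateway DNS": (wifi_client, "192.168.1.1", "udp", 53),
        "internet HTTPS": (wifi_client, "203.0.113.10", "tcp", 443),
    }
    return {name: forward_decision(acl, *p) for name, p in probes.items()}

if __name__ == "__main__":
    for label, acl in (("no ACL", []), ("isolating ACL", ISOLATING_ACL)):
        print(label, audit(acl))
```

With an empty rule list every probe is allowed, which matches the ping result reported in the thread; with the two rules in place only DNS to the gateway and internet traffic pass.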
 
I was dealing with new IP phone contracts with my daughter's small business all day and I am tired. We can talk tomorrow when I am rested. Think about if you can switch the Cisco LAN and the Zyxel router LAN as this will protect your PCs from the phones. If the Zyxel router is too old, then it would be good to switch out the router.

I like the Cisco RV340 router but it does not have wireless. Sounds like you need 2 wireless networks? The Cisco router Trip recommends may be great but I have no experience with them. I do like Cisco gear. What about a small Ubiquiti Edge router X ($50) and a cheap wireless AP. It may be too complicated to set up for you but I don't know.
 
NetworkLayout.jpg


Would this achieve the isolation of the wired clients I am seeking ???
I would have my Cisco SG100-16 Gigabit switch between the ActionTec and the wired clients.
 
I am not sure about your wireless clients. The wireless phones and PCs need to be in separate networks. I can't tell from your diagram.
 
If the Quantum Gateway is at ip address range 192.x.x.x and
the Cisco Wireless router at 10.x.x.x and ActionTec at 172.x.x.x would that satisfy that requirement ???
 
Yes, but you can use 192.168.0.0/24, 192.168.1.0/24 or 192.168.2.0/24 networks; you don't need to jump to big networks. I still can't tell about your wireless from the diagram.
 
