Cascading routers - how to protect the first router clients from second router clients

KoosKoets

Reputable
Jan 26, 2016
3
0
4,510
I would like to set up the following in a SOHO environment:
Internet -> modem -> router 1 (ASUS RT66U) -> router 2 (ASUS RT66U)

I will set up a different IP range for both routers:
Router 1 192.168.1.x
Router 2: 192.168.2.x

Router 1 clients - office equipment, VoIP, etc.
Router 2 clients - guests, using Wi-Fi

I read that router 1 clients (hereafter R1C) will not have access to router 2 clients (hereafter R2C), but R2C will have access to R1C if they know the IP address of the R1C.

Goal: To increase security, R2C should not have access to R1C under any circumstances.

The most obvious solution would be to switch routers 1 and 2, but due to the wiring in the office this is not possible (the guest room is 100 feet from the internet access, and there is no way to put down a second cable).

Question: how do I set up router 2 to prevent any traffic to clients from router 1?


KoosKoets

OK, that makes sense. Thank you very much.

Under Firewall/network services filter there is a "Network Services Filter Table".

I can blacklist the following variables:

source IP (this would be 192.168.2.0/24)
Port Range
Destination IP (this would be 192.168.1.0/24)
Port range
Protocol (TCP/UDP)

I can't figure out the correct parameters. Should I use * as a wildcard, like 192.168.1.*, or use 192.168.1.0/24?
Same question for the ports. If blank, does it mean all ports? Or should I write 1-10000?
Protocol: all, or just one?

KoosKoets

I think that this function is not working properly on the ASUS RT N66U firmware.

I learned that if you leave a field empty, it applies to all.
* = wildcard

So it should be:

source IP empty
Port Range empty
Destination IP 192.168.1.*
Port range empty
Protocol (TCP/UDP) both

However, it does not work.

Even if I just test one device, like this:
source IP 192.168.0.104 (my laptop)
Port Range
Destination IP 192.168.1.127
Port range
Protocol (TCP/UDP) both

I can simply reach 192.127.1.127 from my laptop's browser. Even if I specify the port range (80 and 8080), it does not block the traffic.

I just think that this feature is not working properly, especially because I found one other thread on the internet that came to the same conclusion. His solution was to install alternative firmware: DD-WRT.

Does anybody have any other suggestion or thoughts?
With ASUS you could also try the Merlin image. This is an ASUS-supported version of DD-WRT. If all else fails, send ASUS an email, tell them it does not work and ask them exactly how you do this. It may take a bit, but ASUS customer service is better than a lot of other companies.
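As an added illustration (not ASUS firmware code and not something posted in this thread), here is a small Python model of the blacklist-table semantics the posts describe: a blank field matches everything, `192.168.1.*` and `192.168.1.0/24` name the same network, and a row blocks a packet only when all five fields match. The two networks in the rule set are the thread's own; the hosts and ports used to exercise it are constructed.

```python
import ipaddress
from dataclasses import dataclass


def parse_net(field: str):
    """Blank field = match any address (returns None). Accepts CIDR ("192.168.1.0/24")
    or a trailing-wildcard form ("192.168.1.*"); both yield the same network object."""
    field = field.strip()
    if not field:
        return None
    if "*" not in field:
        return ipaddress.ip_network(field, strict=False)
    octets = field.split(".")
    n_fixed = len(octets)
    while n_fixed and octets[n_fixed - 1] == "*":
        n_fixed -= 1
    if len(octets) != 4 or "*" in octets[:n_fixed]:
        raise ValueError(f"wildcards must be trailing octets: {field!r}")
    base = ".".join(octets[:n_fixed] + ["0"] * (4 - n_fixed))
    return ipaddress.ip_network(f"{base}/{8 * n_fixed}")


def parse_ports(field: str) -> range:
    """Blank = every port; "80" = one port; "80-8080" = inclusive range."""
    field = field.strip()
    if not field:
        return range(0, 65536)
    lo, _, hi = field.partition("-")
    return range(int(lo), int(hi or lo) + 1)


@dataclass(frozen=True)
class Rule:
    src: str = ""
    src_ports: str = ""
    dst: str = ""
    dst_ports: str = ""
    proto: str = "BOTH"  # TCP, UDP or BOTH

    def matches(self, src_ip, src_port, dst_ip, dst_port, proto) -> bool:
        def in_net(net, ip):  # None means "any address"
            return net is None or ipaddress.ip_address(ip) in net
        return (in_net(parse_net(self.src), src_ip) and src_port in parse_ports(self.src_ports)
                and in_net(parse_net(self.dst), dst_ip) and dst_port in parse_ports(self.dst_ports)
                and (self.proto == "BOTH" or self.proto == proto))


def is_blocked(rules, src_ip, src_port, dst_ip, dst_port, proto="TCP") -> bool:
    """Blacklist semantics: the packet is dropped if any row matches it."""
    return any(r.matches(src_ip, src_port, dst_ip, dst_port, proto) for r in rules)


# Constructed ruleset for the thread's goal: guests behind router 2 (192.168.2.x) must not
# reach router 1's LAN (192.168.1.x) on any port or protocol, but may still reach the Internet.
GUEST_RULES = [Rule(src="192.168.2.0/24", dst="192.168.1.*")]
```

A row keyed on one specific source address only ever matches packets from that exact address, so the source field should name the whole guest range (or be left blank) if the goal is to cover every guest device.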