Creating two completely separate WiFi networks

ahostmadsen

Reputable
Mar 9, 2016
13
0
4,510
I am renting out part of my house, and I want to create a separate WiFi network for the tenants. I don't want them to have any access to our network. Can I connect two WiFi routers? My internet access is a fiber optics modem provided by the telephone company.
 
Solution
The guest network feature is actually pretty stupid which makes it secure. It only allows the guest network to access the internet, some of the implementation do not even allow the devices on the guest network to talk to each other.

Generally the internet connection will be your bottleneck. The number of users the router will support more depends what the are doing rather than some number. Someone running torrent session with lots of open connection will put much more load on the router than someone checking their email.

I suspect you will be fine with 7 devices but again a couple people watching HD movies on netflix will likely eat your internet connection unless you have a large cable connection.

This still in no way solve...
It depends on the router you get and it also assumes they can not change the configuration. You could plug a second router into your main one and then put in a a firewall rule in the second router preventing access to the ip in the main network. You will need the second router to have at least a very basic firewall or parental filter ability.
 

ahostmadsen

Reputable
Mar 9, 2016
13
0
4,510
My main WiFi router is an Apple Time capsule. I don't thinks guest networking is secure enough. We have a deal of (moderately) confidential information on our computers.

In any case, I do need a second WiFi access point due to the layout of the house. One WiFi router cannot cover the whole house.
 

Rogue Leader

It's a trap!
Moderator
There are many ways to do this.

If you're sharing a connection there are many routers that offer a "Guest" network setup, that just basically gives them isolated internet access in a different IP scheme. Thats the simplest way.

If you want to give them more than that then you can get 2 routers. Leave your router exactly as is, and connect one of your LAN ports to the WAN port on the second router. The second router (and you may have to configure it disconnected from the first) should be set up to use a different DHCP (so for example if your first router assigns addresses in the 192.168.1.xxx range, set the second one up to do 192.168.2.xxx). This will provide them with their own network and because of the different IP range they cannot access yours.
 

ahostmadsen

Reputable
Mar 9, 2016
13
0
4,510


Do I understand it correctly as follows. My primary router is an Apple Time Capsule. I connect an ethernet cable to a LAN port. My secondary router is a DLINK AC1000. I connect the cable to the the "internet port" (it doesn't have a WAN port, but I assume internet port means WAN port). Then I need to reconfigure the DLINK router to different IP addresses.
 

Rogue Leader

It's a trap!
Moderator


Correct the "Internet" port is the WAN port, and then you configure the DHCP on the DLINK AC1000 to use the different range I specified.
 

This will not work to isolate the networks. Actually have different IP addresses makes it so they CAN get to the main network although making them same ip range is not a allowed configuration. The second router thinks the first routers network is the internet and allows it. The traffic from the main network can not access the secondary because of the NAT but that is the reverse of the requirement.

You need the additional feature of a firewall to filter the traffic and prevent this access.
 

Rogue Leader

It's a trap!
Moderator


Thats not true, I have done this before, the different network range of the second router is prevented from accessing the first.

Even Linksys says this is how to do it:

http://www.linksys.com/us/support-article?articleNum=132275

 


The link you have in no way talks about security.

You are absolutely wrong no matter what you think you have done in the past.

How does the secondary router know that the network connected to the WAN port is some strange main network in your house and not the internet. Please explain how the router knows this to be true and does not allow traffic to pass to that network. I can guarantee the router does not have that magic function.
 

Rogue Leader

It's a trap!
Moderator


As per linksys:

This type of cascading requires the main router and the secondary router to have different IP segments. This connection makes it easier to identify which router the computers and other devices in the network are connected to since they will have different LAN IP segments. However, computers that are connected to the main router will not be able to communicate with the secondary router, and vice versa since there are two (2) different networks.
 

Who ever wrote that is completely wrong. It only prevents session from being initiated from the main network to the secondary network for the same reason you must port map to allow internet connected machines to access you local network. Going the other way works for the same reason you can get to any location on the internet.

This is the based on they way the tcp session is being opened and how nat works. This is a fundamental thing and linksys does not have a magic router that works different.
 

ahostmadsen

Reputable
Mar 9, 2016
13
0
4,510
Well, now I'm confused. I clearly want a strong separation between the two networks. So, I'm not sure what to believe.

My alternative is to have the phone company install a second, separate line. But that is of course much more expensive (say paying for one 200mbits/s is cheaper than two 100mbits/s lines).
 

ahostmadsen

Reputable
Mar 9, 2016
13
0
4,510


That's a good point I didn't think about. But if I install a second line, I would still be listed as owner. At least it would be clear which router downloaded, so perhaps our computers would not be confiscated.
 
The issue is not the 2 router solution that still works it is that that by itself does not solves this problem. You still put in the second router as talked about but it need the additional firewall feature to prevent the traffic from being able to talk between the 2 network. This is what i put in my first post before we got off track.
 

USAFRet

Titan
Moderator


No it would NOT be clear as to 'which router'. All your ISP or anyone else sees is traffic going to the public IP address. Everything that happens behind that is all on you.
 

ahostmadsen

Reputable
Mar 9, 2016
13
0
4,510
Perhaps the easiest after all is to use the guest network feature on my Time Capsule. How secure is that?

I can probably put the Time Capsule at a central place in my house, and it will cover the whole house. But can a single base stations handle traffic from 7 people?
 

USAFRet

Titan
Moderator


Depends on what the 'people' are doing.
Email and facebook? Sure.
24/7 torrents, youtube, and hulu? You might have issues.

What is the speed from your ISP?
 

ahostmadsen

Reputable
Mar 9, 2016
13
0
4,510
I have fiber, and I can choose up to 1Gbps -- so I can alway scale that up (right now I just have 15Mbps). What I would like is to be able to stream, say Netflix, to 5 devices simultaneously.
 
The guest network feature is actually pretty stupid which makes it secure. It only allows the guest network to access the internet, some of the implementation do not even allow the devices on the guest network to talk to each other.

Generally the internet connection will be your bottleneck. The number of users the router will support more depends what the are doing rather than some number. Someone running torrent session with lots of open connection will put much more load on the router than someone checking their email.

I suspect you will be fine with 7 devices but again a couple people watching HD movies on netflix will likely eat your internet connection unless you have a large cable connection.

This still in no way solve the misuse problem. I am not sure I would even trust family members especially teenagers.
 
Solution