Customise guest access from secondary AP

kennyli

Nov 20, 2016
Hi,

I'm looking for some advice on setting up an isolated guest network on a secondary AP.

I have the following set up currently:-

    1. Primary Router (Asus RT-AC68U running stock firmware) connected to my cable provider, providing Ethernet and 5GHz access and DHCP
    2. Secondary AP (Linksys E4200 running DD-WRT) connected to my primary router via Ethernet LAN ports, providing Ethernet and 2.4GHz access
    3. Both Wi-Fi networks use the same SSID


I want to provide guest wireless access from the Secondary AP, specifically with the following requirements:-

    - Guest Type 1 to have access to the internet, as well as my Apple TV. No access / visibility to any other device on the network.
    - Guest Type 2 to have access to the internet only. No access / visibility to any other device on the network.

Here's a conceptual diagram representing the current set up and what I'm trying to do
[Image: network diagram]


The key is that I need to isolate the guest devices as much as possible from the rest of the devices on the network.

Given my current set up, what do I need to do to get this working? Whilst I'm relatively technically minded, my networking knowledge is somewhat basic. So I'd like to understand also what network concepts / functionality I need to employ to get this working.

Thanks
 
Solution
You have an excellent drawing of how it needs to work. Most people do not understand that the traffic must flow between the routers.

What you are describing is VLANs and using the Ethernet cable between the 2 routers to act as 3 virtual cables.

This is a function on more commercial routers. Luckily you already have some exposure to DD-WRT.

I would load the asuswrt-merlin firmware on your Asus device. It has slightly fewer features than the full DD-WRT but is optimized for Asus devices.

What you then need to do is define 3 networks corresponding to your colors. Each will be a VLAN. You will define the connection between the routers as a tagged connection so all the VLANs can pass. You can then put whatever firewall rules you like between the VLANs to force it to the internet or allow access.

There may be other solutions using purely firewall rules when you only have a small number of devices, but a VLAN solution is the more industry-standard way to solve this issue. You will want to use a different SSID for each VLAN/network. Technically it can be done with the same SSID; it just makes the configuration very complex.
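
The firewall step from the answer above, as an added example that is not part of the thread: a script that prints (without applying) iptables rules for the router that routes between the three VLANs. The interface names `br0`/`br1`/`br2`/`eth0`, the chain names `GUEST_FWD`/`GUEST_IN` and the Apple TV address are assumptions and must be matched to what the firmware actually uses.

```shell
#!/bin/sh
# Added example: prints (does not apply) iptables rules for the router that
# routes between the three VLANs. Every name and address here is an assumption.
LAN_IF="${LAN_IF:-br0}"                   # trusted network
G1_IF="${G1_IF:-br1}"                     # Guest Type 1: internet + Apple TV
G2_IF="${G2_IF:-br2}"                     # Guest Type 2: internet only
WAN_IF="${WAN_IF:-eth0}"                  # uplink to the cable provider
APPLETV_IP="${APPLETV_IP:-192.168.1.50}"  # constructed address

guest_fw_rules() {
    # Own chains keep the guest policy separate from the firmware's rules.
    echo "iptables -N GUEST_FWD"
    echo "iptables -N GUEST_IN"
    for ifc in "$G1_IF" "$G2_IF"; do
        # Inserted at position 1 so guest traffic is judged before any
        # broader accept rule the firmware already has.
        echo "iptables -I FORWARD 1 -i $ifc -j GUEST_FWD"
        echo "iptables -I INPUT 1 -i $ifc -j GUEST_IN"
    done
    # Emitted after the jumps so it ends up first in FORWARD: packets of
    # connections that were allowed when they started pass in both directions.
    echo "iptables -I FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Both guest types may open connections to the internet.
    echo "iptables -A GUEST_FWD -o $WAN_IF -j ACCEPT"
    # Only Guest Type 1 may open connections to the Apple TV, and to nothing
    # else on the trusted network.
    echo "iptables -A GUEST_FWD -i $G1_IF -o $LAN_IF -d $APPLETV_IP -j ACCEPT"
    # Everything else a guest tries to reach (trusted LAN, the other guest
    # VLAN) is dropped.
    echo "iptables -A GUEST_FWD -j DROP"
    # Towards the router itself guests get DHCP and DNS only, so the admin
    # interface is not reachable from either guest network.
    echo "iptables -A GUEST_IN -p udp --dport 67 -j ACCEPT"
    echo "iptables -A GUEST_IN -p udp --dport 53 -j ACCEPT"
    echo "iptables -A GUEST_IN -p tcp --dport 53 -j ACCEPT"
    echo "iptables -A GUEST_IN -j DROP"
}

# Print the rules for review when the script is run directly.
guest_fw_rules
```

These rules only govern traffic crossing between VLANs; guests on the same VLAN still reach each other at layer 2 unless wireless client isolation is enabled on the AP. AirPlay discovery uses mDNS, which is link-local and does not cross VLANs, so permitting the traffic does not by itself make the Apple TV appear to Guest Type 1 devices.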

 
Brilliant thank you! Will give this a go and report back how I get on.