Question: Setting up a separate network for my garden house?

Oct 20, 2024
Hello IT/Network Specialists, can you help me please?
I could really use your advice on a personal home network challenge!

Here’s the situation: I have a network set up in my home with a FritzBox 7590 router, and from there I’m using a TP-Link Deco M4 as a network extender to reach my basement. Now, I’d like to run a 50-meter UTP cable from the Deco M4 in the basement to my garden house and set up a new wireless network there.

The catch: I need the internet to come from my main house, but I want to ensure that devices in the garden house can’t access the devices in my home network.

My question: Is it possible to simply connect a new router in the garden house (which is connected to the Deco M4 in my home) and enable Guest Network mode, or is there a better approach to achieve this setup?

Looking forward to your insights! :)

Thanks in advance!
 
I am going to bet it will not work.

Key here is the concept of "guest". The way this is implemented on consumer routers is kinda a firewall thing rather than a true different network. If you were to look at the IP you get on the guest network and the main network, they come out of the same DHCP pool.

What most consumer routers do is say devices on the "guest" network can only go to the internet. Which is fine, except this so-called guest network is only implemented between the wifi chips and the router chip inside the router.

You are talking about different physical boxes and want to have different networks between boxes. When traffic passes between boxes it loses the concept of "guest".

Actually very simple to do if you have something that at least partially supports enterprise features. Your Fritz box likely does, but not very likely the TP-Link Deco stuff.

What you would do is make different VLANs. Even though very technically the traffic is all on the same network, when it passes between devices there are tags on the packets that prevent the data from being sent between the VLANs.

A kinda hack solution that works in simple cases might be to buy a router that has some basic firewall ability for the remote location. Let's say your main network is 192.168.0.x and your second network is 192.168.1.x. You would put a firewall rule in the remote router that says 192.168.1.x devices can talk to everything except 192.168.0.x. Now I guess if you were to buy another Fritz box you could put in multiple different networks and let some of them talk to the main network and others not. Gets more and more complex.

For most more complex installs you have to use VLANs.
 

Ralston18

Titan
Moderator
@xterd

Your post appears to be very much a homework-like question, and Forum rules prohibit doing homework and/or work assignments.

No way to know the full truth of the matter from this end.

What you need to do is to present a plan that includes the necessary network devices and the applicable network configuration settings.

Explain what you believe will work and include reasons and references.

Sketch out a network diagram and fill in the details. Show your requirements and your work thus far.

Identify specific problems and questions.

Then others may post comments and suggestions as necessary and applicable.
 
Oct 20, 2024
Thanks for that. That seems to get indeed quite complex.
I just don't want the people who are on the garden house network to be able to see/access the devices within my home.
 
Oct 20, 2024
If I had the answer, I wouldn't be asking the question here. I'm simply suggesting the idea of putting a new router there and asking if that might work. My goal is to avoid buying devices, testing things without the proper knowledge, and then finding out it won't work.

If someone can confirm it will work, great—that's all I need. I'm just asking for some help/advice

This isn't a task or assignment.

Is there any reason for the negative tone?
 
The issue is kids are very lazy. The way your post is written is very similar to questions you see in class assignments for networking. They don't seem to understand that the purpose of the class is to learn, not just get some cert so you can then get money for letting someone else do the work. Then again, we sometimes get people who are actually being paid to do something they have no idea about and come here in effect wanting someone to work for free for them while they collect the money.

In any case it seems like the simplest solution is to just use a router that has the ability to run simple firewall filters. You would then, as I explained above, put in a rule that prevents access to the main network. This assumes that nobody in the remote building is going to make an effort to bypass what you put in. Very hard if someone, for example, can physically touch your new router and either cable around it or try to reset it and remove the firewall rules.
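
One way to write the firewall rule suggested in the answers above (192.168.1.x may talk to everything except 192.168.0.x), as an added example that is not part of any post in this thread. It assumes the garden-house router runs Linux with nftables; the interface names `wan0` and `lan0` are hypothetical.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread. Assumed names:
#   wan0 = port cabled to the house, gets a 192.168.0.x address
#   lan0 = garden-house LAN / Wi-Fi bridge, 192.168.1.0/24

flush ruleset

table inet garden {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections the garden LAN opened.
        ct state established,related accept
        ct state invalid drop

        # The isolation rule: garden clients may not address anything in
        # the home subnet. It must sit before the general accept below,
        # because the first matching rule decides.
        iifname "lan0" ip daddr 192.168.0.0/24 counter drop

        # Everything else from the garden LAN goes out towards the internet.
        # Internet traffic is still handed to the home router as next hop,
        # but its destination IP is not in 192.168.0.0/24, so it passes.
        iifname "lan0" oifname "wan0" accept
    }

    chain input {
        type filter hook input priority filter; policy drop;

        iifname "lo" accept
        ct state established,related accept

        # Garden clients get DHCP and DNS from this router; the router
        # itself forwards DNS upstream, which the forward chain never sees.
        iifname "lan0" udp dport { 53, 67 } accept
        iifname "lan0" tcp dport 53 accept
        # No accept rule for wan0: the house side cannot open connections
        # to this router.
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # Hide the garden subnet behind the router's 192.168.0.x address.
        oifname "wan0" masquerade
    }
}
```

The counter on the drop rule, visible with `nft list ruleset`, shows whether garden-house devices have tried to reach the home subnet. As the last post notes, this only holds while nobody can re-cable around the router or reset it.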
 