Setting Up Separate Subnets

Oct 27, 2018
I am trying to set up two subnets with two routers while making sure neither can access the other or anything connected to it.

I swear I had this working properly a few weeks ago but needed to restore the settings on the second (inner) router and now I can't seem to set this up properly.

I know this should be relatively simple.

The first (outer) router is using an internal IP scheme of 192.168.1.1. The router admin is listening on that IP.

The second (inner) router I want to set up on 192.168.2.1.

I was able to achieve this, but for some reason, while on a client on the inner router I can still reach the admin of the outer router. I want to prevent that and I swear I was able to the first time I set all this up.

Was hoping that someone could walk me through what needs to be set on the second, inner router to achieve this properly.

For that specific router, I am using a Netgear N300 if that makes things simpler.

What should be set on the Internet, WAN, and LAN options? Is it just a matter of setting the LAN IP to 192.168.2.1? Am I falsely assuming that clients on that subnet shouldn't be able to reach the router and clients on the outer subnet?

What am I missing here?

Thanks in advance!
 
You really need VLANs.

Having one router pick where to send packets will enforce the fw rules better.

In a nested router the top router and bottom router have access to the bridge of the top router. You can create fw rules on the bottom router to try and prevent packets going to the bridge. Clients on the bridge can try and trick the router to pass them packets. When you have one router, subnet1 will always go to its interface and subnet 2 will always go to its interface. A client in either one can try and change its address, but the router will not send subnet1 to interface2 if interface1 is for subnet1.
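Added example, not part of the original thread: a small Python model of the forwarding decisions described in the reply above, using the thread's 192.168.1.x and 192.168.2.x subnets. The /24 masks, function names, VLAN labels and rule behaviour are assumptions for illustration, not any router's actual firmware logic.

```python
import ipaddress as ip

# Subnets from the thread; the /24 masks are an assumption.
OUTER_LAN = ip.ip_network("192.168.1.0/24")
INNER_LAN = ip.ip_network("192.168.2.0/24")
OUTER_ADMIN = "192.168.1.1"
INTERNET_HOST = "203.0.113.10"  # constructed: documentation address standing in for the internet
VLANS = {"vlan1": OUTER_LAN, "vlan2": INNER_LAN}  # hypothetical VLAN labels


def nested_inner_router(dst, drop=()):
    """Decision the inner (nested) router makes for a packet from one of its LAN clients."""
    dst = ip.ip_address(dst)
    if dst in INNER_LAN:
        return "stays on inner LAN"
    if any(dst in net for net in drop):
        return "dropped by firewall rule"
    # Everything else follows the default route out the WAN port. That port
    # sits inside OUTER_LAN, so outer hosts (including the outer admin page)
    # are reachable unless a rule drops them first.
    return "forwarded out WAN"


def single_router(ingress_vlan, src, dst, vlans=VLANS, inter_vlan_allowed=False):
    """Decision of one router that owns an interface per VLAN (hypothetical model)."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    # The ingress interface is fixed by the port/VLAN, not by the claimed source
    # address, so a client that changes its address is rejected here.
    if src not in vlans[ingress_vlan]:
        return "dropped: source not valid on ingress interface"
    for name, net in vlans.items():
        if dst in net:
            if name == ingress_vlan:
                return "stays on " + name
            return "routed to " + name if inter_vlan_allowed else "dropped: inter-VLAN denied"
    return "forwarded out WAN"


if __name__ == "__main__":
    print("nested, no rule :", nested_inner_router(OUTER_ADMIN))
    print("nested, rule    :", nested_inner_router(OUTER_ADMIN, drop=[OUTER_LAN]))
    print("nested, internet:", nested_inner_router(INTERNET_HOST, drop=[OUTER_LAN]))
    print("single, cross   :", single_router("vlan2", "192.168.2.50", OUTER_ADMIN))
    print("single, spoofed :", single_router("vlan2", "192.168.1.50", OUTER_ADMIN))
```

In the nested case the drop rule matches on destination address, so internet traffic still passes: the outer router is only the next hop for those packets, not their destination.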
 


Hmm, ok. This gives me something to google at least. But to make sure I understand as much as I can, let me ask a few questions.

To set up VLANs, does that still only require two routers? Do both routers need to have VLAN capabilities or just the outer router? Assuming I only need two routers, is my brain correct in thinking I should make the inner router the "crappier" router? In my case the Netgear N300?

In hopes to arrive at a quicker solution, my other router is an Asus RT-AC66U. I am going to see if that supports VLAN.

If it doesn't, what would be a good low budget router that would support this? I've been eyeballing Ubiquiti stuff for quite some time. Maybe one of their routers will get me there?

For starters, I'll start reading about VLAN setups.

Thanks for your help!
 
You will only need 1 router. If you have a decent number of wired clients or you need both subnets on the same Wi-Fi, then you also need VLANs on wireless and a switch and trunking.

The Ubiquiti stuff is easy to set up. If you go full UniFi, it is all managed from the same controller on a Windows/Mac.

USG->US 8-60W->UniFi AP PRO is a nice setup if you need multiple access points and wired clients on different subnets. Adding more APs is painless.

If one wireless router can provide you the coverage you need, then one of those might be able to do the VLANs.