Question Two access points, make one only external (so no internal network access)

agent37

Prominent
Feb 10, 2019
7
0
510
Hi,


I have a Sky Q Hub which is the main router with DHCP enabled. I then have two routers connected to this as access points with DHCP disabled. The other routers are:

TP-LINK WDR3600
TP-LINK WR940N

The Sky Q Hub is in the living room and the TP-LINK (3600) in my room in the attic. In my room I also have an 8 Gigabit Switch (unmanaged) which has various devices connected to it such as Raspberry Pi, Printer, Desktop PC, CCTV.

The WR9 is located in the other house (it's a big house) for the kids to use for their PS3/Tablets etc. The SSID name for WR940N is XXX-Guest with a different WIFI password. For this router I was looking into making it external only (so it can’t see or access other devices), but I can’t figure out how to accomplish this with the current hardware I have.


I know I can purchase a firewall appliance or managed switch to have VLANs but I don’t fancy spending anything at the moment. I am also aware the WDR3600 has a guest network, but this won’t reach the other house, and I can’t swap it with the WR9 as that does not have Gigabit ports or a 5GHz WIFI band, which I need.



Is there anything I can do to isolate the network?
 

agent37

You don't have the necessary hardware to isolate the 940N. You could use the 3600 in your room as a router rather than an access point. That would isolate your hardware but anything connected to the Sky Hub can't be isolated.

Can I have two DHCP servers? The WDR3600 DHCP would be on and so would Sky Q. Sadly Sky Q does not have a modem mode.

How would this isolate the network?
 

agent37

You can create "double NAT" isolation with any of the routers (what I said above). But for kids that game, that means complicated port forwarding potentially.
You are trying to do advanced networking without the proper hardware.

Right, OK. Might be best getting the correct hardware.
 

agent37

Was just looking at the correct hardware to get and found this switch on Amazon, a NETGEAR GS108E. Will this be sufficient? It supports VLAN. I am not this advanced with networking so I'm not sure on the correct hardware or whether the router needs to support VLAN as well.
 

kanewolf

Titan
Moderator
Was just looking at the correct hardware to get and found this switch on Amazon, a NETGEAR GS108E. Will this be sufficient? It supports VLAN. I am not this advanced with networking so I'm not sure on the correct hardware or whether the router needs to support VLAN as well.
Generally for VLANs to be effective, all network devices need to support them. BUT, can you post a drawing of your current setup and what areas you would like segregated from each other.
 

agent37

Generally for VLANs to be effective, all network devices need to support them. BUT, can you post a drawing of your current setup and what areas you would like segregated from each other.

https://drive.google.com/file/d/1I-l8uFlR26GdOyHFq06yxRlm87B4rUub/view

Please see linked image which I made using Packet Tracer.

The circled red network is the one I wish to isolate. Any devices connected directly to that router should not be able to access the internal network, so printers, other PCs/laptops etc.

Now you might be wondering why/how the devices seem to be linked like a chain. Let me briefly explain.

The Sky Q hub is in the living room (2nd floor) - this is where the fibre line from outside comes from.

The TP-LINK WDR3600 is located in the attic (4th floor) - it's an access point only. (There are Gigabit Ethernet sockets around the house, which directly connect to each other; that's how the Sky Q Hub and WDR3600 connect.)

The switch then provides connection to the WR940N (and other devices). The WR940N is located in the house next door, and the Ethernet wire passes from my room. This is the network I wish to isolate.

Thanks
 
With just a single connection, maybe a different solution may be simpler. VLANs would be worth the effort if, for example, you have multiple APs and they all had a guest network that needed to be isolated.

If you put a router with a firewall ability in the connection between your house and the other you could restrict traffic. Say your network is 192.168.0.x and you create a second LAN network, 192.168.1.x, that you run over to the other house. That alone does not protect you since the devices on the 192.168.1 network can still get to 192.168.0 but not the other way. So you have one-way protection. What you can do is put a firewall rule in the router that says no traffic can go to the 192.168.0.x network from 192.168.1.x. It still allows all other IP addresses and those will be sent to the main router. The firewall rule will not block the traffic between the routers because the addresses will have been translated when it leaves the WAN port.
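A small model of the firewall rule described in the last reply, added here as an illustration and not part of the thread: it evaluates a first-match forward chain on the second router and shows the result with the block rule, without it, and with the rules in the wrong order. The two subnets come from the post; the host addresses, the router's WAN address and the rule-set names are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Subnets follow the post; individual hosts and the WAN address are constructed.
MAIN_LAN = ipaddress.ip_network("192.168.0.0/24")    # main house
GUEST_LAN = ipaddress.ip_network("192.168.1.0/24")   # other house, behind the second router
ANY = ipaddress.ip_network("0.0.0.0/0")
ROUTER_WAN = "192.168.0.50"   # assumed WAN address of the second router on the main LAN

@dataclass(frozen=True)
class Rule:
    action: str                      # "DROP" or "ACCEPT"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

# Forward chain of the second router, evaluated top to bottom, first match wins.
ISOLATED = [Rule("DROP", GUEST_LAN, MAIN_LAN), Rule("ACCEPT", GUEST_LAN, ANY)]
NAT_ONLY = [Rule("ACCEPT", GUEST_LAN, ANY)]      # second router without the block rule
WRONG_ORDER = list(reversed(ISOLATED))           # block rule shadowed by the accept rule

def forward(src, dst, rules):
    """Return (verdict, source address the upstream network sees)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            # Filtering matches the original addresses; source NAT is applied
            # afterwards, as the packet leaves the WAN port.
            return (rule.action, ROUTER_WAN if rule.action == "ACCEPT" else None)
    return ("DROP", None)   # nothing matched: default deny

def audit(rules):
    """Report what a guest tablet (constructed host) can reach under a rule set."""
    tablet = "192.168.1.20"
    targets = {"printer": "192.168.0.30", "main_router": "192.168.0.1",
               "internet": "203.0.113.10"}
    return {name: forward(tablet, ip, rules)[0] for name, ip in targets.items()}

if __name__ == "__main__":
    for label, rules in (("isolated", ISOLATED), ("nat_only", NAT_ONLY),
                         ("wrong_order", WRONG_ORDER)):
        print(label, audit(rules))
```

In this model the block rule also drops packets addressed directly to the main router's LAN address, so guest devices should take DNS from the second router or a public resolver rather than from the main router.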