Use a TPLink TL-WR1043ND as a SECOND LAN

wcit

Aug 30, 2014
I have an existing network using local IP address 192.168.1.x with an old draytek 2600 adsl/Router.

I wish to add a second network with a different IP range eg 192.168.2.x or whatever you might suggest.

I have a TP-LINK TL-WR1043ND Router and I am led to believe if I attach an ethernet cable from the ADSL router to the WAN port of the TL-WR1043ND and make the appropriate settings on the TL-WR1043ND, this will give me a second isolated LAN from the original LAN and also allow users of this new LAN to still access the internet via the original ADSL router.

Can anyone provide an IDIOT's guide as to how I would configure the TL-WR1043ND to achieve this? My knowledge of routers and their abbreviated mnemonics is very limited.

Is this the right approach to make this additional network totally secure from the original network?

My reason for choosing the TL-WR1043ND is that I already have one, that has never been used.

Thanks

mcl
 
Solution
It depends what you mean by isolated and how secure you need it.

By default, if you were to plug the WAN port of the TP-Link into the LAN of the Draytek using the IPs you said:

Users on the 192.168.1.x network could get to the internet like normal but cannot get to 192.168.2.x addresses because of the NAT in the TP-Link.
Users on the 192.168.2.x network can get to the internet but the IP will be NATted 2 times.
BUT users on 192.168.2.x can access 192.168.1.x devices if they use the IP address to access them. This may or may not be a security issue for you.

What you are going to have to do to solve the last issue is to put an access control list in the TP-Link router. Basically you are going to put a rule in that says 192.168.2.1-192.168.2.254 cannot get to 192.168.1.2-192.168.1.254. You will note 192.168.1.1 is not in the list; you may or may not need this depending on how the router works. This allows them to get to the Draytek, but technically they only need to pass through the Draytek, not actually get to the configuration screens. Problem is some routers are stupid and don't know the difference.

Exactly how you do this is pretty much read the manual. Even though I know you can do it on TP-Link, they have changed the software every new router pretty much. There should be a way to define a group of source machines, i.e. 192.168.2.x, and a group of destination machines, 192.168.1.x, and then you mark it as a deny.

Now if you can live with users on the 192.168.2.x network getting to 192.168.1.x but not the other way around, you can just plug WAN-LAN and be done with it.
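
The deny rule described in the answer above, modelled as an added example (not part of the original post, and not TP-Link's firmware logic): it expands the answer's two address ranges into CIDR blocks, which is the form many firewalls expect, and checks three constructed flows against the rule. The function names and the sample flows are assumptions made for illustration.

```python
import ipaddress

# Constructed from the ranges in the answer; "deny" applies to traffic the
# second router forwards from its LAN out of its WAN port.
SRC_RANGE = ("192.168.2.1", "192.168.2.254")
DST_RANGE = ("192.168.1.2", "192.168.1.254")   # 192.168.1.1 deliberately left out


def to_cidrs(first, last):
    """Return the CIDR blocks that cover the inclusive range exactly."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


DENY_RULES = [(to_cidrs(*SRC_RANGE), to_cidrs(*DST_RANGE))]


def decide(src, dst, rules=DENY_RULES):
    """First matching deny rule wins; unmatched traffic is forwarded."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_nets, dst_nets in rules:
        if any(s in n for n in src_nets) and any(d in n for n in dst_nets):
            return "deny"
    return "allow"


def report():
    # Constructed sample flows; 203.0.113.10 is a documentation address
    # standing in for an internet host.
    flows = [
        ("192.168.2.10", "192.168.1.50"),   # second LAN -> device on first LAN
        ("192.168.2.10", "192.168.1.1"),    # second LAN -> first router itself
        ("192.168.2.10", "203.0.113.10"),   # second LAN -> internet
    ]
    return [(s, d, decide(s, d)) for s, d in flows]


if __name__ == "__main__":
    print("destination blocks:", ", ".join(map(str, DENY_RULES[0][1])))
    for src, dst, verdict in report():
        print(f"{src} -> {dst}: {verdict}")
```

Internet-bound packets carry the remote host's address as their destination, not the first router's, so they never match the deny rule. Leaving 192.168.1.1 out of the destination range means the first router's own address stays reachable from the second LAN.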
 


 
@bicycle_repair_man Thank you for that suggestion.

On looking into the setup further, the Draytek is a non-starter for changes, as it is so old and has been reliable, and no one knows the user name or password to make changes to it.

I will bear your answer in mind for the future, if the modem is available for changes.

Thanks
 


 
Thanks for your reply - I shall investigate this further.

A couple of questions.

How do I connect the TL-WR1043ND to the existing network? Via the WLAN or normal port, and how do I get at its settings? I connected it to both the WLAN and LAN port, but could not see it with IPSCANNER (using a Mac).

There was an address of 224.0.0.1 showing a network router, but my browser said webpage unavailable. I have connected to the TP-Link when it was the only device connected to the network.

What effect does being natted two times have on the network?

As you will gather, I am extremely naive in networking intricacies.
 
You treat your current network as the ISP and connect the WAN port of the TP-Link to any LAN port on your Draytek.

The Draytek should give your TP-Link router a 192.168.1.? address on the WAN port.

The main issue with the NAT is that if you use some of the automated tools game consoles use, like UPnP, to allow certain games to work, they do not work well with 2 levels of NAT. Pretty much it will have no effect if the devices in the second network never need to be accessed from something on the internet.
 


 
My initial reply got lost in the ether as I was not connected to t'internet.

Basically I have reset the router and it appears as either 192.168.0.1 as a network router if I use the LAN port, in addition to the original router as 192.168.1.1 and it gives webpage not found for 192.168.0.1 which seems logical to me.

If I connect to the WAN port I get 192.168.1.2 Network camera ?, which also gives webpage not found - this I do not understand.

If I just add the router to my Mac, I get only 192.168.0.1 and my Mac 192.168.1.6 and I can connect to the router and see all the options.

In my naive way, I guess I could somehow set up the router directly from my Mac, so that when it is connected along with the original router it would behave as I would like it to, or do I somehow just need to change its IP address to be in the 192.168.1.x range?

I am sure you will realise from my attempts and questions, I am not at all knowledgeable in the ways of networking devices. I understand what we are trying to achieve, but the syntax is a mystery - sorry to be such a pain.

I am not using the real network with the Draytek, but trying to get it working on a test network, which uses 192.168.1.x and a Belkin Modem/Router as I thought I could get it working and then just add it to the Draytek network.
 
You have to be very careful when you use 2 networks to make sure you are connecting where you think you are. This is not a recommended setup because of issues like the ones you are having; it tends to be somewhat complex. Most people run the second router as an AP, but that runs everything as one big network, which provides no isolation of the devices.

So step 1 is to get the first router correctly running, and when you plug your Mac into it you will get an IP like 192.168.1.x and you will be able to surf the internet.

Next, move your Mac to the second router's LAN port. It should give you an IP in the 192.168.0.x range, assuming that is what it uses for its default network. You should be able to access the configuration of the router.

Now, when you feel that is correct, connect the WAN port of the second router to a LAN port. The second router should now get an IP from the first.

Your Mac should now be able to access the internet.