[SOLVED] What is the best way to enable my two routers (total of five Wi-Fi networks)?

puppychumful

Prominent
Jun 24, 2019
15
0
510
I live in a big house in an isolated rural location. I have a TP Link AC4000 (two guest networks one @ 2.4 GHz & one @ 5 GHz) and an Asus RT-AC68U (one guest network @ either 2.4GHz or 5GHz). That should give me a total of five separate SSIDs, right?

As of now, I am only using my Asus RT-AC68U, with one of the networks dedicated to me and my wife, and the other for my basement suite tenant. Everything works really well and has for some years, and AFAICT there are no security, bandwidth, interference issues. I want to add some home security Wi-Fi cameras (and maybe smart plugs) and I want to further isolate my computers from my wife and tenant for increased Internet security. Here is how I was thinking of doing it:

Asus RT-AC68U
  1. Basement suite tenant: main network
  2. Wi-Fi cameras (and maybe smart plugs): guest network

TP Link AC4000
  1. My computers: main network
  2. Wife's computers: guest network #1
  3. Business computers: guest network #2

Is this the best way to configure everything, will I have interference between the two routers, what should I set the GHz at for each of the five networks, can I place the two routers close to each other, will I even be able to use 5GHz or is everything likely to run at 2.5 GHz only, etc?

Much obliged!
 
Buy business grade routers that have the ability to run multiple actual networks. Having different SSID is only part of the solution. You need the different SSID assigned to different vlans especially if you plan to have multiple boxes. The traffic must be kept isolated when it flows between the devices. Then you need the main router to be able to assign different subnets to these different vlans. It also needs some form of firewall to restrict traffic between the vlans and to the internet.

I would avoid any form of wifi cameras. Cameras in general have a very bad history of security exposures. Wifi adds the ability to remotely attack them as well as jam them. Since you have to get power to the cameras anyway you might as well use PoE ethernet power cameras. Although ethernet all the way back to a central location would be better you could use the outlet you were going to plug a wifi camera into with a powerline network device. This would give you network as well as a place to plug in the PoE power injector for the camera. This is confusing at first because you have one device that runs network over electricity wires and the second that provides dc power over the ethernet cable.

You have a very serious problem if you are concerned about different machines in your house attacking each other and need to separate them. Since any router that is separating them is also on the network it could also be attacked and could be used to then attack the other network anyway.

I guess you can let your tenant use a guest network to provide isolation but they are still sharing the internet connection bandwidth as well as the IP address so if they do something bad it still comes back to you. Unless your security cameras actually need access to the internet I would manually assign them IP addresses and leave the gateway IP blank or put in some invalid value. This way the cameras do not know how to get out of your network so they can not communicate with anything outside your local lan.

If you really want all the different networks look at more commercial devices, ubiquiti tends to be a brand that sells stuff with more commercial features without the cost of say cisco or hp equipment. You could also consider loading third party firmware like dd-wrt or tomato but these are complex to use and setup. This though does not magically create more wifi bandwidth everything will still compete with each other and all your neighbors for the wifi bandwidth.
 

puppychumful

Thank you so much bill001g! I am trying to digest everything you advised, my understanding of such things is nowhere near yours, so it will take a bit to figure it all out and respond in kind. I surely will respond back shortly; much to think about.
 
This is what happens when you need/want something more than home/consumer grade gear offers. It is designed to be simple to use and many features have been removed to make it less confusing. When you start getting requirements that are closer to a business customer your knowledge level must be much greater. This is why very large companies hire network professionals. These enterprise level systems are so complex it takes someone who has years of experience to do proper design.
 
I would think you would want your tenant on the guest network with isolation, not your wife? Something I'm missing here lol?

You also have to keep in mind, that with consumer routers set to access point mode, the guest network function does not always work. At least that was my experience with ASUS. Sure, it creates an ssid which you think is a guest network, but there was zero isolation which defeats the purpose. After some research, it turned out that in order to have isolation, the router must actually be the main gateway router, not in access point mode.

For what you want, you should either get a network switch and use VLANs to the 2nd access point for your tenant, or buy commercial/small business grade equipment like Ubiquiti, which can run up to 8 ssid's, where you can choose guest isolation for each ssid and bandwidth control for each ssid.
 

puppychumful

Hi gggplaya,

I do not have any preferences when it comes to how best to provide isolation as I do not know enough about such things, but I am never going to transfer files or data from one computer to another on the network, as I would always do this via a USB flash drive, so whatever you think is easiest / best here, and no you're not missing something, it’s just that I do not know what is best.

You mention, that with consumer routers set to access point mode, the guest network function does not always work, and your experience with ASUS was that it creates an SSID (which one would think is a guest network) but there is zero isolation which defeats the purpose. How do I configure my system to have isolation, so that the router (I have two so which one?) is the main gateway router, and not access point mode? I do not even know what the terms "main gateway router" and "access point mode" mean in the context you are referring alas. Recall I have two routers but I am only using one at this time.

You mention that I should either get a network switch and use VLANs to the 2nd access point for my tenant, or buy commercial/small business grade equipment like Ubiquiti, which can run up to 8 ssid's. What would be the simplest most cost effective way to get what I need then? Do I need to buy more hardware or can I reconfigure the two routers I have to get what I want?

I do not really need isolation for any more than the following three:
  1. Tenant (she just has one laptop as far as I can tell)
  2. Wife & me (all our laptops)
  3. Wi-Fi cameras (only so that no outside source can hack them)
Much thanks!
 
Yes, I set up one of my asus routers to act as an access point and tested the guest network ssid, I was still able to access the full LAN. So there was no guest network separation. A guest network should not be allowed to access your LAN. With access to your LAN, it's possible to hack into your other computers on the network and your cameras, as well as anything else on your LAN. This is why you should set up your tenant on their own network. You never know who they'll give your wifi password to. With a guest network, they'll only be allowed to access the internet, not your LAN. With wifi isolation, devices can't communicate with each other on the same wifi, only to the internet.

Ubiquiti access points would be the easiest solution, but if you aren't decently versed in networking, you may find the options of the software a bit overwhelming. You can look at some youtube videos on how to set up a unifi access point to see if it's something you're up to.

Personally, I would make:
  1. Guest SSID 1 wifi network for just the Tenant and people they may bring over, you can call it Apartment wifi or something.
  2. Main SSID for your wife and yourself, as well as all your main electronics like tv's and such.
  3. Set up a 2nd VLAN with its own SSID for just your cameras with no access to the internet if you're worried about hacking. Of course this would mean you couldn't access cameras from your smartphone app. It really depends on whether or not you want your cameras to act as a CCTV network, or as an APP camera solution. If you do want the cameras to use an app, they'll need internet. In which case, do not create a 2nd vlan, instead just make a 3rd SSID guest network with isolation. The cameras will only communicate through the internet to the app. Make sure you use 2 factor authentication on the app.
 

puppychumful

Thank you so much gggplaya,

My apologies for not fully understanding! As to your above three points, I am not sure what hardware's needed to allow that. Given I have two routers, do I need to buy other hardware and if so what? And if not, how exactly do I configure my two existing routers, and my one ISP account as you suggest:

a. the hard-wiring i.e. cable > cable modem > ?
b. the two routers in terms of software / firmware / SSID's / etc?

As you and I talked about, I do not really need isolation for any more than the following three:
  1. Tenant (she just has one laptop as far as I can tell)
  2. Wife & me (all our laptops)
  3. Wi-Fi cameras (only so that no outside source can hack them)
 
The problem is having 2 physical boxes. You need to keep the traffic isolated between them on the ethernet cable. This requires vlan and consumer routers do not support that.

Maybe a simpler option is to put a guest network on the main router only. This is for your tenant. When you run a guest network this way it only allows access to internet.

Next put in the other router as a simple AP. This is purely to provide better coverage, your tenant is not going to have access though.

I assume you are not concerned that you and your wife can get to the cameras. What you can do is assign static IP to the cameras...you should do this anyway. Then leave the gateway IP blank. The gateway does exactly what the word means, it is the door out of the local network. If you don't tell the cameras where the exit is they can not find the internet to use it. All their traffic will be restricted to the local lan.
 
Solution

puppychumful

I must apologize but I still do not fully understand what I should connect to what and which router I should use for what job and if I need to buy more hardware, etc:

1. Maybe a simpler option is to put a guest network on the main router only. This is for your tenant. When you run a guest network this way it only allows access to internet. (Which one should I use for the main router?)

2. Next put in the other router as a simple AP. This is purely to provide better coverage, your tenant is not going to have access though. (Which one should I use for the simple AP and how do I convert it to a simple AP?)

3. I assume you are not concerned that you and your wife can get to the cameras. (I do not know what you mean by this. If my wife and I could not view the cameras, what would be the point of the cameras?)

4. What you can do is assign static IP to the cameras (How do I do that and with which router?)

5. Then leave the gateway IP blank. The gateway does exactly what the word means, it is the door out of the local network. (On which router and how do I leave a gateway blank?)

6. If you don't tell the cameras where the exit is they can not find the internet to use it. All their traffic will be restricted to the local lan. (What do you mean by exit and how do I not tell the cameras?)
 
The main router is the one that has the connection from the ISP coming into it.

You can search to find how to use a router as AP, some routers have an option.

All the static ip etc are done on the cameras not on your routers. How exactly you do this you are going to have to read the manual for the camera. I tried to simplify this but I don't know what more I can explain. The camera must be told how to get to the internet this is what the gateway field does.

This is actually extremely simple compared to any other solution like using vlans and multiple different networks.
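
The blank-gateway advice in this thread can be checked with a small model of the routing decision a camera makes for each destination. This is an added example, not code from any poster; the addresses, camera names and the `LIVE_HOSTS` set are constructed assumptions.

```python
import ipaddress

ROUTER = "192.168.1.1"                  # constructed LAN addressing, not from the thread
LIVE_HOSTS = {ROUTER, "192.168.1.20"}   # addresses that answer on the LAN (router, a laptop)
INTERNET_DEST = "203.0.113.10"          # documentation-range address standing in for a cloud server

# Constructed static configurations as they would be typed into each camera.
CAMERAS = [
    {"name": "cam-porch",  "ip": "192.168.1.50", "prefix": 24, "gateway": ""},
    {"name": "cam-garage", "ip": "192.168.1.51", "prefix": 24, "gateway": "192.168.1.254"},
    {"name": "cam-yard",   "ip": "192.168.1.52", "prefix": 24, "gateway": ROUTER},
]

def next_hop(cam, dest, live_hosts=LIVE_HOSTS):
    """Return 'on-link', the gateway address used, or None when the camera has no route."""
    iface = ipaddress.ip_interface(f"{cam['ip']}/{cam['prefix']}")
    if ipaddress.ip_address(dest) in iface.network:
        return "on-link"                # same subnet: delivered directly, no gateway needed
    if not cam["gateway"]:
        return None                     # blank gateway: off-subnet traffic is never sent
    gw = ipaddress.ip_address(cam["gateway"])
    # An "invalid" gateway is one outside the subnet or one that no device answers for.
    if gw not in iface.network or str(gw) not in live_hosts:
        return None
    return str(gw)

def internet_capable(cameras, dest=INTERNET_DEST):
    """Names of cameras whose configuration still gives them a way out of the LAN."""
    return [c["name"] for c in cameras if next_hop(c, dest) not in (None, "on-link")]

def locally_viewable(cameras, viewer="192.168.1.20"):
    """Names of cameras that can still answer a viewer on the same subnet."""
    return [c["name"] for c in cameras if next_hop(c, viewer) == "on-link"]

if __name__ == "__main__":
    print("can reach internet:", internet_capable(CAMERAS))
    print("viewable on the LAN:", locally_viewable(CAMERAS))
```

The model covers only the camera's own routing decision: every device on the same LAN can still reach the camera, so this setting does not isolate the cameras from other local machines.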