
We’re in need of separated ethernet networks with all network traffic going through the ISP issued modem/router (ZyXEL P2812) (possibly with its wireless functions disabled and set to bridge mode).

We’re planning to use two routers for wireless network traffic. Asus AC87U and NetGear WNR612.

The Asus router would be the main router, handling the most important tasks, and the NetGear router would be the “slave” router.

The optimal solution would be to have the two routers act independently of each other, where the devices connected to, e.g., the Asus router would have no way to communicate with the NetGear router, and vice versa.

[Illustration: network diagram]

The networking devices in the diagram are the actual devices I have at hand. Using other hardware is also a possibility.

It would seem like a fairly simple scenario, but I’m not entirely sure how to configure it correctly.

Basically it would work like it was two different houses on two different networks. There should be no way to communicate with the other network without being connected to the corresponding router.

Any thoughts not big enough for an answer are still welcome as comments.

  • What do you mean by "*separated* ethernet networks" and why do they need to be separated? – harrymc Jul 02 '17 at 09:49
  • @harrymc Making the routers work as if they weren’t connected to each other in any way. The reason for this is simply because of untrusted devices on the slave network. – Aleksander Azizi Jul 02 '17 at 11:41

2 Answers


A huge amount depends on the exact hardware you have, how it's connected, and your networking confidence. Can you add a list of exact models of the 3 items of WiFi and routing equipment in your picture, including the actual box connecting you to the internet if it's different (pictures aren't any use) and a bit of description of your confidence, experience or ability, to the question?

Also importantly, we need to know more exact details for how the networking should end up. Are all connections WiFi or are any devices connected using network cables, if so which? How many devices are connected in total, which are connected to which, and how are they connected (WiFi/wired)? Which ones must be able to talk with each other, or blocked from seeing each other?

It's quite a bit of info but if you can add it, someone might be able to answer you and help.

As it stands, a good answer for you could be anything from "It's built-in, do it this way", through to "install OpenWRT because the manufacturer code doesn't allow it", through to complete noob help or reorganising it all. What I do here is a different solution again - add a software router I've installed myself, to control access. So you can see, there are several options depending on you and your equipment. But what you're after should not be difficult to do, for almost any router, even a home router.

The basic answers are adding firewall or routing rules (so the two IPs can't communicate), using built-in isolation if included, or using VLANs. The first two are usually easiest if it's new to you. Not all home routers have the second. Almost all home routers have enough capability to do this using rules and/or routing. In many cases it depends on which exact devices on the network need to be able to see (or not see) which other devices, and how they are connected.

Exact details beyond that are almost impossible without knowing the info above. If you add that, it will be easier to comment.

Update 1: security/privacy

  • Bear in mind that if one router's data travels through the other router, the master router is being trusted to not watch its data in transit. Even if the two networks don't communicate, the router that both travel through can see all data, so anyone who controls that device, can arrange to see all data. Is that acceptable?

Update 1: howto

The Asus RT-AC87U is a very nicely featured modern router that beyond doubt will do what you need without thinking twice. The manual (online at Asus support) suggests immediately a number of ways to do it. Two of them look very easy. Other methods would need a bit more explanation and no point to writing on that, if either of the first 2 works well enough.

  • Section 3.2 "Creating a guest network" - creates a guest network that can't access your main network, directly on the Asus. Pros - looks dead simple, less to go wrong, and should do what you want. Cons - person using slave router won't have a slave router as it won't be needed, they would connect directly to the Asus which would handle isolation itself. This is by far the easiest way if acceptable.
  • The zyxel might be locked down, but it's probably working fine in bridging mode. Even if the ISP has put tape across its other ports, as some do, they should still be bridged if usable. I can't think why they wouldn't be left that way. As the Zyxel almost certainly has its DHCP setup working (we know this because it acts as a router not just a modem), it will handle devices attached via the two other routers. So if you can, try to connect both the Asus and the Netgear directly to it, and see if they can both see the internet at the same time. If they can, it's all pretty much solved. What this does is make the Netgear appear to the Asus as a WAN (non local) device, which can be easily blocked 100% and treated as untrustworthy. (It also makes the Asus appear to be on the WAN from the Netgear's perspective but that's not an issue as you explained). You will need to sort out DHCP but as the ISP supply the Zyxel, it's quite likely that is already set up properly and will work automatically. What should happen is that the Asus and Netgear (and devices connected to them) will both accept IP addresses from the Zyxel, since you already seem to have the Asus behind the Zyxel anyway, and then set up the network services or firewall or incoming rules, to prevent unexpected packets from outside the Asus passing through the Asus. Pros - all, if it works (which it should). Cons - none if it works (which it should :) )

Try to get one of those two ways working. If you need more help, update your question to explain what you've tried, what worked and what isn't (yet) working.

See also

  • section 4.1.6 "professional" covers the "AP isolation" setting which probably isn't what you want, but is worth knowing about in case it becomes relevant. It would stop all wireless devices connected to the Asus from intercommunicating.
  • section 4.6.4 "network services" which covers part of the firewall. It says "blocks LAN to WAN" but there's a chance it could also be used to block LAN to/from WiFi using an IP based rule, and if both routers work behind the zyxel then it's probably what you need to lock down incoming packets from the netgear.

Also if confident, don't overlook the option to define a specific IP range (subnet) for devices attached to the Asus, or to use the DHCP server built into it, which will help as well, by ensuring your "master" devices are on a different subnet entirely from the others. See sections 3.1.1 "setting up the wireless security settings" and 4.2.2 covers network setup for the wired network.

Stilez
  • Updated with hardware used. All connections will be wireless. An entry list of “separated” devices would only work if it was dynamic. All in all the solution would make each router independent of one another (except for the fact that they share the same outgoing connection). – Aleksander Azizi Jul 02 '17 at 11:41
  • Can you identify the ISP device as well? These are usually rebranded other makes, take a look at the labels and underneath behind, to see if you can tell the actual maker or brand, either from the labels or product numbers, or by googling the ISP or the photo. – Stilez Jul 02 '17 at 11:47
  • Also it looks like all equipment on the left should intercommunicate and all equipment on the right intercommunicate, with a router dedicated to the latter. Is that correct, is it able to be flexible, or is that the only way it can be organised? – Stilez Jul 02 '17 at 11:49
  • The ISP device is a *ZyXEL P2812*. If I understood you correctly then yes. The devices on the left side would only be able to communicate with the devices on the left. And vice versa for the right side. No exceptions. – Aleksander Azizi Jul 02 '17 at 11:56
  • That's fine. One question, the zyxel, which looks like it might be a P2812 HNU-F1 from your description, is also a wireless router in its own right, as well as supporting openWRT if you wanted to go that route (you probably don't though). It also has connections for 4 routers at the back. Has the ISP locked down or minimised its control panel, or can you log into and configure the Zyxel itself? If you can, that might be a good solution. If not let us know. – Stilez Jul 02 '17 at 12:08
  • The ISP issued modem/router is “locked down”. Using it as the main router is not an option. The Asus MUST be the main router. Preferably configured to prioritize itself over the slave. I’ve also updated my question to clarify some of your questions. – Aleksander Azizi Jul 02 '17 at 12:12
  • Ok. It's a modern router and should be possible. Will go and look it up. Meantime see the note on security I've added. – Stilez Jul 02 '17 at 12:14
  • On a side note: It’s only the slave router that can not under any circumstances have access to any communications on the main router. What the main router has access to is not a concern. – Aleksander Azizi Jul 02 '17 at 12:15
  • Thanks @Stilez. If this pans out I’ll be sure to add a bounty and award it to you. – Aleksander Azizi Jul 02 '17 at 12:16
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/61433/discussion-between-aleksander-azizi-and-stilez). – Aleksander Azizi Jul 02 '17 at 12:18

To separate devices on the secondary router from those on the main one, just plug the secondary one into one of the LAN ports of the main one:

[image: wiring diagram]

For more information, see this answer of mine.

harrymc
  • This would not block communication between the devices connected to each router. I.e an iPhone on the secondary router could still connect to the Apple TV on the main router. – Aleksander Azizi Jul 02 '17 at 11:53
  • This doesn't guarantee anything as it stands, because many routers configure their LAN ports as bridged. To do better we need to know what the main modem/router is, so we can decide whether separating the networks at the main router, by wires at router #1, by using router #2 as a wireless AP, or some other method is best here, which router is best placed as master/slave (it might matter in some cases if capabilities differ), and whether the isolation element is configured via firewall rules, or a simple "isolated vs bridged" setting on one of them. Also may have NAT/wifi issues in some cases. – Stilez Jul 02 '17 at 11:57
  • @AleksanderAzizi: Not true, as they would be on differing IP segments. – harrymc Jul 02 '17 at 15:11
  • @Stilez: With the right setup this is guaranteed. Actually, it would take some doing to allow connections between the two sub-networks. – harrymc Jul 02 '17 at 15:13
  • It doesn't seem so. There's a lot of implicit assumptions about what rules or subnets would be in place for each router by default, and that it wouldn't be open bridging/NAT. But a lot of routers bridge wireless and wired, there's no way to be sure, and a lot of assumptions about the default state of both, what NAT is used, which dhcpd is picked up by router 2, etc. Ultimately router 2's WAN is connected to router 1's LAN, so if adequate rules don't exist, router 2 can be configured by its user so that clients can access router 1 devices as they would any WAN device. – Stilez Jul 02 '17 at 15:52
  • @Stilez: Routers do NAT or they are not routers, and the post does say "routers". Your argument is invalid. – harrymc Jul 02 '17 at 15:54
  • Of course they do NAT, but that's useless here. If you set this up, and I'm on router 2, I reconfigure it to not block private IP addresses. Instant access from 192.168.1.2 on router 2 LAN, to 192.168.0.2 on router 2 WAN. Which is too bad for router 1 that gives **its** LAN users 192.268.0.1/16 by default.. and my WAN is on the LAN side so I'm now in your subnet and NAT has done ** all to protect any router 1 device. A virus could trivially do it too. This breaks the OP requirement of *cannot* access r1 devices... because the untrusted r2 is **already** behind the trusted r1's NAT by design. – Stilez Jul 02 '17 at 16:04
  • I don't think you understand routers, IP segments and NAT. – harrymc Jul 02 '17 at 16:22
  • I think I do. The fatal flaw is that r1 has a totally exposed LAN side to all traffic that r2 allows out from its LAN. The OP states in this case r2 traffic is untrusted but r1 cannot be assumed to separate the LAN connections as it would LAN-WAN. Out of the box the view must be that r1 isn't separating the LAN circuits, or not with enough certainty. So there's nothing actually trustworthy blocking cross-subnet traffic. Yes with config it's fixable but you imply it's a solution ("just connect them like this"). No. It's not assumed secure and should **never** be assumed so without a lot of care. – Stilez Jul 02 '17 at 16:47
  • @Stilez: It's secure as long as he alone administrates the routers. – harrymc Jul 02 '17 at 16:49
  • Exactly. "As long as *he* sets up all the other config he needs to". That's a **massive** difference from "to separate devices, just plug the secondary one like this", which is what you **actually** gave as the main part of the solution. Your answer put "By the way you also have to fully configure it and administer it as well", almost as a footnote. It isn't a footnote. It's the central answer to the OP's question since they already got the connections before asking what else is needed. Your reply treated config as an afterthought rather than core to the Q, and gave **no** actual info about it. – Stilez Jul 02 '17 at 16:53
  • @Stilez: There is no point in continuing this discussion. – harrymc Jul 02 '17 at 16:58
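As an added example (not code from either answer, the OP's setup, or any router vendor), the following Python script models the reachability question the two answers and their comment threads argue over: whether a client behind the slave (Netgear) router can open a new connection to a device on the main (Asus) router's LAN when the Netgear's WAN port is plugged into an Asus LAN port, versus when both routers hang directly off the Zyxel as the first answer's second option suggests. Every subnet, address and the "Apple TV" host are constructed assumptions, and the model covers only the factors the thread discusses: NAT, which wire each WAN port sits on, whether the main router accepts unsolicited WAN-to-LAN traffic, and an egress rule on the slave.

```python
"""Reachability model for the two cabling options debated in the thread.

Constructed example: all subnets, addresses and router objects below are
assumptions for illustration, not the page's configuration.
"""
import ipaddress
from dataclasses import dataclass

IP = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Router:
    name: str
    lan: Net              # subnet the router serves on its LAN ports / WiFi
    wan_ip: IP            # its address on the upstream wire (it NATs to this)
    upstream: str         # name of the wire its WAN port is plugged into
    accept_unsolicited_from_wan: bool = False   # WAN->LAN firewall opened?
    block_private_from_lan: bool = False        # egress rule on this router


@dataclass
class Topology:
    wires: dict           # wire name -> subnet in use on that wire
    routers: dict         # router name -> Router


def reachable(topo: Topology, client_router: str, dst: str) -> bool:
    """Can a client behind `client_router` open a new connection to `dst`?"""
    r = topo.routers[client_router]
    dst_ip = IP(dst)
    if dst_ip in r.lan:
        return True                         # same LAN, no router in the path
    if r.block_private_from_lan and dst_ip.is_private:
        return False                        # rule lives on the (untrusted) router
    wire = topo.wires[r.upstream]
    if dst_ip in wire:
        return True                         # NATed packet lands straight on the wire
    for other in topo.routers.values():     # is dst behind another router's NAT?
        if other is not r and other.wan_ip in wire and dst_ip in other.lan:
            return other.accept_unsolicited_from_wan
    return False


ZYXEL_LAN = Net("192.168.1.0/24")     # constructed: ISP box's LAN segment
ASUS_LAN = Net("192.168.2.0/24")      # constructed: main router's LAN
NETGEAR_LAN = Net("192.168.3.0/24")   # constructed: slave router's LAN
APPLE_TV = "192.168.2.50"             # constructed: trusted device on the Asus


def slave_behind_master() -> Topology:
    """Netgear WAN plugged into an Asus LAN port (the second answer's wiring)."""
    return Topology(
        wires={"zyxel": ZYXEL_LAN, "asus": ASUS_LAN, "netgear": NETGEAR_LAN},
        routers={
            "asus": Router("asus", ASUS_LAN, IP("192.168.1.10"), "zyxel"),
            "netgear": Router("netgear", NETGEAR_LAN, IP("192.168.2.20"), "asus"),
        },
    )


def both_behind_zyxel() -> Topology:
    """Both routers' WAN ports on the Zyxel (first answer's second option)."""
    return Topology(
        wires={"zyxel": ZYXEL_LAN, "asus": ASUS_LAN, "netgear": NETGEAR_LAN},
        routers={
            "asus": Router("asus", ASUS_LAN, IP("192.168.1.10"), "zyxel"),
            "netgear": Router("netgear", NETGEAR_LAN, IP("192.168.1.20"), "zyxel"),
        },
    )


def compare() -> dict:
    """Evaluate the slave client -> Apple TV path under each wiring option."""
    chained = slave_behind_master()
    chained_with_egress_rule = slave_behind_master()
    chained_with_egress_rule.routers["netgear"].block_private_from_lan = True
    parallel = both_behind_zyxel()
    return {
        "slave_behind_master": reachable(chained, "netgear", APPLE_TV),
        "slave_behind_master_egress_rule": reachable(chained_with_egress_rule, "netgear", APPLE_TV),
        "both_behind_zyxel": reachable(parallel, "netgear", APPLE_TV),
        "both_behind_zyxel_asus_wan_ip": reachable(parallel, "netgear", "192.168.1.10"),
    }


if __name__ == "__main__":
    for case, ok in compare().items():
        print(f"{case}: {'REACHABLE' if ok else 'blocked'}")
```

With the slave chained behind the master, the slave's NATed packets land directly on the Asus LAN wire, so the Apple TV comes out reachable; the only thing that blocks it in the second case is an egress rule on the untrusted router itself, which whoever administers that router can remove. With both routers behind the Zyxel, the Asus LAN sits behind the Asus's own NAT and default-closed WAN side, so the slave can reach the Asus's WAN address on the shared Zyxel segment but not the devices behind it.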