Guest wifi mode on a secondary router


Solution 1

I got it to work with a little trick, using nonstandard subnet masks:

The primary router's internal LAN is set to:

  • Router IP: 192.168.1.252
  • Mask: 255.255.255.0
    (so valid IPs in this subnet are in the range 192.168.1.0-192.168.1.255)

The secondary router is connected through its WAN port to the primary.
Its internal LAN configuration is set to:

  • Router IP (secondary router): 192.168.1.1
  • Mask: 255.255.255.128 (== .10000000b)
    (so valid IPs in this subnet are in the range 192.168.1.0-192.168.1.127)

Its WAN Configuration is set to:

  • Gateway: 192.168.1.252 (The primary router)
  • Router IP: 192.168.1.249 (The secondary router's outward-facing IP)
  • Mask: 255.255.255.248 (== .11111100b)
    (so valid IPs in this subnet are in the range 192.168.1.248-192.168.1.255)
    (this was necessary since WAN and LAN may not have overlapping subnets)

This way, the secondary router can access the primary router, and clients connected to the secondary router can also access the primary router, and through it the internet.

But clients on the secondary router cannot access any clients on the primary router's subnet with IPs between 192.168.1.0 and 192.168.1.128. That IP range is not forwarded by the secondary router, since that is also the local subnet of the secondary.

So guest mode is no longer required on the secondary router; clients on the secondary simply cannot see clients on the primary, unless those clients have an IP greater than 192.168.1.128.
It would be even better if I could block all IPs lower than 248, but I do not think that is possible with subnet masks.

Enabling guest mode with wireless isolation will additionally prevent guest machines from connecting to other guest machines or the secondary router.

Nothing prevents guest machines from connecting to the primary router, since those requests are still forwarded by the secondary, but a good password should suffice for that case.
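The reachability described in this answer can be checked with Python's `ipaddress` module. This is an added example, not part of the original answer: it assumes the secondary router only does connected-subnet routing with the masks given above and that the primary router forwards whatever is handed to it, and the host inventory is constructed sample data.

```python
import ipaddress

# Addresses and masks as given in the answer above.
PRIMARY_LAN = ipaddress.ip_interface("192.168.1.252/255.255.255.0")
SECONDARY_LAN = ipaddress.ip_interface("192.168.1.1/255.255.255.128")
SECONDARY_WAN = ipaddress.ip_interface("192.168.1.249/255.255.255.248")

# Constructed sample inventory of wired hosts on the primary LAN (not from the post).
TRUSTED_HOSTS = {"nas": "192.168.1.20", "desktop": "192.168.1.101", "printer": "192.168.1.140"}


def route_for(dst):
    """Classify where a packet from a guest client to dst ends up."""
    dst = ipaddress.ip_address(dst)
    if dst in SECONDARY_LAN.network:
        return "guest-lan"    # on-link for the guest client; never leaves via the WAN port
    if dst in SECONDARY_WAN.network:
        return "wan-on-link"  # delivered directly on the primary LAN segment
    return "via-primary"      # sent to the gateway 192.168.1.252


def exposed_ranges():
    """Primary-LAN address space that is not shadowed by the secondary's LAN subnet."""
    return sorted(PRIMARY_LAN.network.address_exclude(SECONDARY_LAN.network))


def exposed_hosts(hosts):
    """Names of inventory hosts a guest client can still address."""
    return sorted(n for n, ip in hosts.items() if route_for(ip) != "guest-lan")


def subnets_overlap():
    """The answer requires the secondary's WAN and LAN subnets not to overlap."""
    return SECONDARY_LAN.network.overlaps(SECONDARY_WAN.network)


if __name__ == "__main__":
    for net in exposed_ranges():
        print("reachable from guests:", net[0], "-", net[-1])
    print("WAN subnet:", SECONDARY_WAN.network[0], "-", SECONDARY_WAN.network[-1])
    print("exposed inventory hosts:", exposed_hosts(TRUSTED_HOSTS))
    print("WAN/LAN overlap:", subnets_overlap())
```

Any wired host that must stay hidden from guests needs an address that `route_for` classifies as `guest-lan`, for example by limiting the primary router's DHCP pool to that half of the /24.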

Solution 2

If you consider the LAN/WLAN side of the primary router (that is, the network segment(s) between the primary router and the secondary router) to be part of "the local network" that the Guest Network devices should not have access to, then a secondary router cannot provide Guest Network access only to the Internet without cooperation from the primary router.

The Guest Network's traffic to/from the Internet has to cross the same link between the two routers as local network traffic. But if you want it segregated from the local network, it has to be tunneled or tagged in some way that segregates it from the local network traffic. But if that traffic is segregated through, say, VLAN tagging or some kind of higher-layer tunneling, the primary router needs to know how to do the right thing with that traffic (that is, decapsulate it and send it only to the Internet, and not let it route back onto the LAN).

I don't know if any Netgear equipment has support for this kind of "Guest Network Extension" functionality, where the primary router acts as a VLAN-aware device or tunnel endpoint so that secondary routers can forward segregated Guest Network traffic to it.

I know that Apple AirPort Extreme/Express/Time Capsules as of firmware 7.6.3 support this. If you have an Apple AP as your primary router (in NAT mode), and have Guest Network enabled, and another Apple AP as your secondary "router" (actually in bridge mode, not really being a "router" per se), also with Guest Network enabled, then the secondary AP will forward Guest Network traffic toward the primary AP, but will VLAN tag it so it's segregated from local LAN traffic. The primary AP also subscribes to the same VLAN, and knows to forward traffic from that VLAN to the Internet, but not back onto the local LAN.

Solution 3

NetGear connected through LAN port. DHCP disabled on NetGear.

This could work, but make sure both routers have the same DHCP-server settings before disabling it on the NetGear.

I think the NetGear may be confused on what the gateway for the network is. Maybe if we can fix that, it would allow traffic to the internet again.

Did you try connecting the WAN of NetGear to a LAN on the other router and then disabling DHCP on NetGear and enabling "Guest mode"?

Do not connect both WAN and LAN ports of the NetGear to the other router.

You will have two DHCP servers on the same network; that's no good.

Even if you disable DHCP on one router, it still makes no sense to connect both LAN and WAN.

Suggestion

You could try having one subnet with two DHCP servers, serving a different range.

  • Connect WAN of NetGear to LAN of other router.
  • IP of other router: 192.168.1.1
  • IP of NetGear: 192.168.1.2
  • DHCP server range of other router: 192.168.1.51 to 192.168.1.150
  • DHCP server range of NetGear: 192.168.1.151 to 192.168.1.250
  • Default gateway of NetGear: 192.168.1.1
  • Enable "Guest Mode" on NetGear

I'm not 100% sure this will work, but it's definitely worth a try!

The network configuration sounds good in theory, and the "Guest Mode" might also work this way.

My solution, satisfaction guaranteed

The solution would be to reverse the routers, connect the WAN port of the NetGear to the modem, and connect the other router's WAN to a LAN on the NetGear.

This way all your computers will have internet and the Guest-Wifi will not be able to access any other internal network.

You do not even need to enable "Guest mode" on the NetGear; the firewall of the second router will block that traffic.

My other solution

Plug both routers into the modem (if possible - if you don't have enough ports, put a switch in between).

The firewalls of both routers would block all traffic between the two networks.

This will however depend on your modem configuration whether this will work or not.

Author: HugoRune

Updated on September 18, 2022

Comments

  • HugoRune
    HugoRune over 1 year

    I am trying to configure a router as a secondary WiFi access point, that provides internet access but prevents access to the local network.

    The router supports both, but I cannot get it to work.

    My setup is as follows:

    • primary Router + Modem issued by my provider, located in the cellar (WiFi capable, but no reception outside the cellar)
    • various PCs connected by LAN cable to the primary router
    • secondary router (NetGear WGR614v10) connected by LAN cable to the primary router. The NetGear router should serve as a wireless access point, but wireless clients should not see the machines on the local network. To this end, the NetGear router supports "guest mode", which does exactly this: it lets WiFi clients access the internet but not other local machines.

    I tried various configurations:

    • NetGear connected through WAN port to the local network.
      Internet works this way, but wifi machines can access other local machines.
      This is logical: the local network is on the WAN side of the NetGear router, so from the perspective of the router it belongs to the internet, not the LAN.
    • NetGear connected through LAN port. DHCP disabled on NetGear.
      Internet works if I also allow access to the local network, but does not work with guest mode.
      This is logical: the gateway to the internet has a local address, and wifi clients are not allowed to access local addresses.
    • NetGear connected through LAN and WAN ports.
      Does not work either, I guess because the DHCP server is still the primary router, so it will send the wrong route to the wifi clients. It might work if the wifi clients had fixed IP settings, but that is not an enforceable option for guests.
    • NetGear connected through LAN and WAN ports, and DHCP re-enabled; using both routers as DHCP servers with non-overlapping IP ranges on the same subnet.
      Does not work either, and I have no idea what is happening anymore.

    Basically I mostly understand why the first two configurations do not work.
    But I have no idea what the correct configuration could be, for something that seems like a basic feature of almost any modern router.


    My replies to some of the questions below, since there were too many for comments:

    Did you try connecting the WAN of NetGear to a LAN on the other router and then disabling DHCP on NetGear and enabling "Guest mode"?

    I think if I do that there will be no DHCP server left on the Wifi network. The NetGear router does not bridge DHCP requests between LAN and WAN, so guest machines would not work unless their IP is configured manually.

    The solution would be to reverse the routers, connect the WAN port of the NetGear to the modem, and connect the other router's WAN to a LAN on the NetGear. [...] Plug both routers into the modem (if possible - if you don't have enough ports, put a switch in between).

    Unfortunately the first router is the modem. I cannot exchange that one since it is configured by the provider.

    Suggestion

    You could try having one subnet with two DHCP servers, serving a different range.

    I tried that, basic connectivity does work, but I am a bit concerned what would happen if new computers get connected to the network. As far as I understand, they will randomly choose one of the two DHCP servers to get a lease from. The major killer however is that as soon as I enable guest mode it stops working again.

    • Ramhound
      Ramhound about 11 years
      You should be able to simply connect the router to the modem and set your DHCP to an entirely different ip block ( 10.0.0.1 ) and set it up however you want.
    • HugoRune
      HugoRune about 11 years
      I cannot connect the router directly to the modem, since the modem already has an integrated router. I can only connect to the primary router. If I set a different IP block on the secondary router, then I can still access the IP block for the primary router even in guest mode, since the secondary router just forwards requests for the primary IP block
    • Ramhound
      Ramhound about 11 years
      The modem has a LAN port, does it not? The router connected to the modem will act like any other device on the network. You will then create a sub-network only visible to devices connected to that second network device. I have done what I describe before, the question remains, if your modem has the LAN port required to do this. You could also connect the router to the wireless network of the modem if you wanted in theory.
  • HugoRune
    HugoRune about 11 years
    Thank you, this explanation has been helpful in understanding why this seems so hard.
  • HugoRune
    HugoRune about 11 years
    Thanks, I added some comments to my original answer, since the space in this comment was too small
  • GorillaApe
    GorillaApe almost 11 years
    That is double NATing.
  • Fitter Man
    Fitter Man over 6 years
    While it would appear this could work with some routers, the one I attempted to do it on noticed the parameters were out of whack on the secondary router and won't accept them.