I am trying to configure a router as a secondary WiFi access point, that provides internet access but prevents access to the local network.
The router supports both, but I cannot get it to work.
My setup is as follows:
- primary Router + Modem issued by my provider, located in the cellar (WiFi capable, but no reception outside the cellar)
- various PCs connected by LAN cable to the primary router
- secondary router (NetGear WGR614v10) connected by LAN cable to the primary router. The NetGear router should serve as a wireless access point, but wireless clients should not see the machines on the local network. To this end, the NetGear router supports "guest mode", which does exactly this: it lets WiFi clients access the internet but not other local machines.
I tried various configurations:
- NetGear connected through WAN port to the local network.
Internet works this way, but wifi machines can access other local machines.
This is logical: the local network is on the WAN side of the NetGear router, so from the perspective of the router those machines belong to the internet, not the LAN.
- NetGear connected through LAN port. DHCP disabled on NetGear.
Internet works if I also allow access to the local network, but does not work with guest mode.
This is logical: the gateway to the internet has a local address, and wifi clients are not allowed to access local addresses.
- NetGear connected through LAN and WAN ports.
Does not work either, I guess because the DHCP server is still the primary router, so it will send the wrong route to the wifi clients. It might work if the wifi clients had fixed IP settings, but that is not an enforceable option for guests.
- NetGear connected through LAN and WAN ports, and DHCP re-enabled; using both routers as DHCP servers with non-overlapping IP ranges on the same subnet.
Does not work either, and I have no idea what is happening anymore.
Basically I mostly understand why the first two configurations do not work.
But I have no idea what the correct configuration could be, for something that seems like a basic feature of almost any modern router.
My replies to some of the questions below, since there were too many for comments:
Did you try connecting the WAN of NetGear to a LAN on the other router and then disabling DHCP on NetGear and enabling "Guest mode"?
I think if I do that there will be no DHCP server left on the wifi network. The NetGear router does not bridge DHCP requests between LAN and WAN, so guest machines would not work unless their IP is configured manually.
The solution would be to reverse the routers, connect the WAN port of the NetGear to the modem, and connect the other router's WAN to a LAN on the NetGear. [...] Plug both routers into the modem (if possible; if you don't have enough ports, put a switch in between).
Unfortunately the first router is the modem. I cannot exchange that one since it is configured by the provider.
Suggestion
You could try having one subnet with two DHCP servers, serving a different range.
I tried that; basic connectivity does work, but I am a bit concerned what would happen if new computers get connected to the network. As far as I understand, they will randomly choose one of the two DHCP servers to get a lease from. The major killer however is that as soon as I enable guest mode it stops working again.
Answer
I got it to work with a little trick, using nonstandard subnet masks:
The primary router's internal LAN is set to:
- Router IP: 192.168.1.252
- Mask: 255.255.255.0
(so valid IPs in this subnet are in the range 192.168.1.0-192.168.1.255)
The secondary router is connected through its WAN port to the primary.
Its internal LAN configuration is set to:
- Router IP (secondary router): 192.168.1.1
- Mask: 255.255.255.128 (== .10000000b)
(so valid IPs in this subnet are in the range 192.168.1.0-192.168.1.127)
Its WAN configuration is set to:
- Gateway: 192.168.1.252 (the primary router)
- Router IP: 192.168.1.249 (the secondary router's outward-facing IP)
- Mask: 255.255.255.248 (== .11111000b)
(so valid IPs in this subnet are in the range 192.168.1.248-192.168.1.255)
(this was necessary since WAN and LAN may not have overlapping subnets)
This way, the secondary router can access the primary router, and clients connected to the secondary router can also access the primary router, and through it the internet.
But clients on the secondary router cannot access any clients on the primary router's subnet with IPs between 192.168.1.0 and 192.168.1.128. That IP range is not forwarded by the secondary router, since that is also the local subnet of the secondary.
So guest mode is no longer required on the secondary router, clients on the secondary simply cannot see clients on the primary, unless those clients have an IP greater than 192.168.1.128.
It would be even better if I could block all IPs lower than 248, but I do not think that is possible with subnet masks.
Enabling guest mode with wireless isolation will additionally prevent guest machines from connecting to other guest machines or the secondary router.
Nothing prevents guest machines from connecting to the primary router, since those requests are still forwarded by the secondary, but a good password should suffice for that case.
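The reachability the answer describes can be checked with the addresses from the post. This is an added example, not code from the post; it models the secondary router's forwarding decision as a plain longest-prefix match (a destination inside the secondary's own LAN subnet is treated as local and never sent out the WAN), and it also answers the "block everything below .248" question by finding the largest mask-aligned block that can be hidden without overlapping the WAN subnet.

```python
import ipaddress

# Constructed from the configuration in the answer above.
PRIMARY_LAN = ipaddress.ip_network("192.168.1.0/24")        # mask 255.255.255.0
SECONDARY_LAN = ipaddress.ip_network("192.168.1.0/25")      # mask 255.255.255.128
SECONDARY_WAN = ipaddress.ip_interface("192.168.1.249/29")  # mask 255.255.255.248
SECONDARY_WAN_GW = ipaddress.ip_address("192.168.1.252")    # the primary router


def next_hop(dst: str) -> str:
    """Where the secondary router sends a guest client's packet for dst.

    Modelled as a longest-prefix match over the router's two connected
    subnets plus its default route (assumption: nothing else is routed).
    """
    ip = ipaddress.ip_address(dst)
    if ip in SECONDARY_LAN:
        return "local"        # looked up on the guest LAN, never forwarded out the WAN
    if ip in SECONDARY_WAN.network:
        return "wan-direct"   # on the WAN link itself (this includes the gateway .252)
    return "wan-gateway"      # default route via the primary router


def reachable_primary_hosts() -> list:
    """Primary-LAN addresses a guest can still reach through the secondary."""
    return [str(h) for h in PRIMARY_LAN.hosts() if next_hop(str(h)) != "local"]


def hidden_primary_hosts() -> list:
    """Primary-LAN addresses shadowed by the secondary's LAN mask."""
    return [str(h) for h in PRIMARY_LAN.hosts() if next_hop(str(h)) == "local"]


def lan_wan_do_not_overlap() -> bool:
    """The constraint the answer mentions: LAN and WAN subnets must be disjoint."""
    return not SECONDARY_LAN.overlaps(SECONDARY_WAN.network)


def largest_hidden_block(wan_net=SECONDARY_WAN.network):
    """Largest block starting at 192.168.1.0 that a single LAN mask can hide
    without overlapping the WAN subnet; shows why /25 is the best a mask can do."""
    for prefix in range(24, 31):
        candidate = ipaddress.ip_network(f"192.168.1.0/{prefix}")
        if not candidate.overlaps(wan_net):
            return candidate
    return None
```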