Optimal setup for Internet network shared across 2 subnets

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking
Author Message
the_dog
DD-WRT Novice


Joined: 29 Jan 2017
Posts: 9

PostPosted: Thu May 09, 2019 20:37    Post subject: Optimal setup for Internet network shared across 2 subnets Reply with quote
Hello,

I want to know if my network setup is optimal. I need an internet connection shared to 2 subnets fully isolated from each others.
I'm using 2 WRT-1900ac routers that I used to configure using this guide.
The only difference in my scenario is that my 2 routers are connected to each other using WIFI instead of an ethernet cable, using Client Mode on the second router.

Both subnets had access to Internet, and I thought that both subnets were isolated because I wasn't able to ping clients from different subnets.
But today I realized that I was able to access a Google Home device on the main router subnet from a client in the second router subnet.

So I changed the network setup and used the Kong guide to create an hidden guest network over WIFI just for the second router.

Main router
WAN: DHCP from ISP
Local: 192.168.1.1
Virtual Interface on the 5ghz radio
Unbridged
Masquerade / NAT enabled
Net Isolation enabled
Interface IP: 192.168.2.1
Operating Mode: Gateway

Second router
WAN: 192.168.2.2
Local: 192.168.20.1
Client mode on the 5ghz radio, using the guest network infos
Virtual interface on the 5ghz radio (bridged, just to also broadcast a 5ghz wifi for the second network)
Operating Mode: Gateway

Seems to work fine, however I realise that clients under the second router are now being double NAT-ed uselessly by the Guest network.
Will this cause problems somehow? Speedtests and pings doesn't seem to be affected.
Should I revert to my initial setup and just add some firewall commands to truely block clients from other subnets? If so, how should I proceed?
Should I be doing WDS between the routers instead of using Client Mode?

Thank you!
Sponsor
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Thu May 09, 2019 23:10    Post subject: Reply with quote
If all you want to do is prevent the local network on the second router from accessing the upstream local network on the primary router, a simple firewall rule on router #2 will do the trick. No need to be creating additional networks.

https://pastebin.com/1df1XsuK

I created that script for situations where I wanted a guest network built on a standalone router behind the primary router. Notice the following firewall rule which prevents those guests from accessing resources on the upstream router.

Code:
# deny access to private network by guests (internet only)
iptables -I FORWARD -i br0 -d $WAN_NET -m state --state NEW -j REJECT


Also, as currently configured, any client on the local network of router #2 is, by definition, double NAT'd.


Last edited by eibgrad on Fri May 10, 2019 6:05; edited 1 time in total
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 5128
Location: Akershus, Norway

PostPosted: Fri May 10, 2019 3:50    Post subject: Reply with quote
You can avoid the doubble NAT by disabling NAT on the second router and set a static route to 192.168.20.0/24 on the main router with 192.168.2.2 as gateway.
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum