Posted: Thu May 09, 2019 20:37 Post subject: Optimal setup for Internet network shared across 2 subnets
I want to know if my network setup is optimal. I need an internet connection shared to 2 subnets fully isolated from each other.
I'm using 2 WRT-1900ac routers that I used to configure using this guide.
The only difference in my scenario is that my 2 routers are connected to each other using WIFI instead of an ethernet cable, using Client Mode on the second router.
Both subnets had access to Internet, and I thought that both subnets were isolated because I wasn't able to ping clients from different subnets.
But today I realized that I was able to access a Google Home device on the main router subnet from a client in the second router subnet.
So I changed the network setup and used the Kong guide to create a hidden guest network over WIFI just for the second router.
WAN: DHCP from ISP
Virtual Interface on the 5ghz radio
Masquerade / NAT enabled
Net Isolation enabled
Interface IP: 192.168.2.1
Operating Mode: Gateway
Client mode on the 5ghz radio, using the guest network info
Virtual interface on the 5ghz radio (bridged, just to also broadcast a 5ghz wifi for the second network)
Operating Mode: Gateway
Seems to work fine, however I realize that clients under the second router are now being double NAT-ed uselessly by the Guest network.
Will this cause problems somehow? Speedtests and pings don't seem to be affected.
Should I revert to my initial setup and just add some firewall commands to truly block clients from other subnets? If so, how should I proceed?
Should I be doing WDS between the routers instead of using Client Mode?
If all you want to do is prevent the local network on the second router from accessing the upstream local network on the primary router, a simple firewall rule on router #2 will do the trick. No need to be creating additional networks.
I created that script for situations where I wanted a guest network built on a standalone router behind the primary router. Notice the following firewall rule which prevents those guests from accessing resources on the upstream router.
# deny access to private network by guests (internet only)
iptables -I FORWARD -i br0 -d $WAN_NET -m state --state NEW -j REJECT
Also, as currently configured, any client on the local network of router #2 is, by definition, double NAT'd.
Last edited by eibgrad on Fri May 10, 2019 6:05; edited 1 time in total
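As an added example (not eibgrad's script or part of this thread), the following POSIX shell derives the upstream prefix that the post's `$WAN_NET` stands for from router #2's WAN address and netmask, builds the same REJECT rule, and applies it only if it is not already present. It assumes DD-WRT's `nvram get wan_ipaddr` / `wan_netmask` and that `br0` is router #2's LAN bridge.

```shell
#!/bin/sh
# Added example: compute the upstream LAN prefix (the value behind $WAN_NET in
# the post) and install the FORWARD reject rule on router #2 idempotently.
# Assumptions: DD-WRT nvram keys wan_ipaddr / wan_netmask; LAN bridge is br0.

# ip_to_int 192.168.1.37 -> 3232235813 (dotted quad to integer, octets without leading zeros)
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip 3232235776 -> 192.168.1.0
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# mask_bits 255.255.255.0 -> 24 (prefix length = number of set bits in the netmask)
mask_bits() {
    m=$(ip_to_int "$1"); n=0
    while [ "$m" -ne 0 ]; do
        n=$(( n + (m & 1) )); m=$(( m >> 1 ))
    done
    echo "$n"
}

# wan_net 192.168.1.37 255.255.255.0 -> 192.168.1.0/24 (the upstream LAN prefix)
wan_net() {
    ip=$(ip_to_int "$1"); mask=$(ip_to_int "$2")
    echo "$(int_to_ip $(( ip & mask )))/$(mask_bits "$2")"
}

# reject_rule br0 192.168.1.0/24 -> the iptables command from the post, parametrised.
# It rejects NEW forwarded connections from the LAN bridge to the upstream prefix;
# replies to connections initiated from upstream are untouched, and the router's
# own traffic (INPUT/OUTPUT chains) is not covered.
reject_rule() {
    echo "iptables -I FORWARD -i $1 -d $2 -m state --state NEW -j REJECT"
}

# apply_rule: read WAN address/mask from nvram, then insert the rule unless it already exists.
apply_rule() {
    net=$(wan_net "$(nvram get wan_ipaddr)" "$(nvram get wan_netmask)")
    iptables -C FORWARD -i br0 -d "$net" -m state --state NEW -j REJECT 2>/dev/null \
        || iptables -I FORWARD -i br0 -d "$net" -m state --state NEW -j REJECT
}
```

On DD-WRT, save this as the Firewall script under Administration > Commands so the rule is re-applied after a reboot; rules inserted from a shell by hand are lost when the router restarts.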