Posted: Fri Jun 05, 2020 4:02 Post subject: dual router configuration with shared private network
I'd like to configure my home network with 2 routers (1 upstairs/1downstairs), connected via ethernet, such that:
1) there are two networks:
(192.168.1.x) with less trusted devices (IoT)
(192.168.2.x) with more trusted devices
2) both routers have at least 1 ethernet port for each network.
3) both routers provides AP service for both networks:
- 2.4ghz/5ghz >> 192.168.1.x
- 2.4ghz/5ghz >> 192.168.2.x
and they share the same SSIDs so that devices can wander between routers, but stay on the same subnet.
4) isolate all traffic between networks
I've been testing with iptables, and while I feel like I can tackle this, It would be great to get some feedback on the plan.
I have been able to setup second guest network (VAP), but when isolating the VAP to a second bridge with 2nd DHCP no device will connect due to "incorrect password" issue. I have tried multiple devices, android/iOS, next to router, etc. researched all related posts. I suspect It could be due to DNSmasq settings, but I've tried what I could find.
If you have a good workflow for that setup, that would be a good starting place. I've debugged for days . Maybe I'm trying to do something im not supposed to ?
Last edited by sneakypete on Fri Jul 03, 2020 20:17; edited 1 time in total
Joined: 18 Mar 2014 Posts: 6996 Location: Netherlands
Posted: Fri Jun 05, 2020 10:56 Post subject:
Unfortunately you did not come across the forum guidelines.
If you use them we can give you better advice.
A lot of things are device specific (like VLANS) thus it is really useful if you state router model and the build number.
See my signature at the bottom for the forum guidelines
Mea culpa - I did read the rules, but was afraid my post was getting too long, and thought this was more of a design issue than hardware/firmware issue. but, I get it. sorry for not including in the first place.
Can I get partial credit for the picture?
I have an ASUS RT-AC66U running 43290.
I also have a tp-link A7 v5. I don't believe dd-wrt will run on it, but openwrt is apparently supported. I haven't flashed it yet.
My plan was to figure out my plan, and then verify that I have the necessary features to accomplish my plan, before rendering my kids internet-less. I'm not tied to which router I use where, and hoped that there'd be enough features between the two of them to pull it off.
The WAP article is really clear. Thanks for the link.
I have tried the "secondary router on a separate subnet", but that just segments traffic to each router. I am trying to get both router/ap to support both networks for improved coverage, AND have the networks isolated.
I ran "nvram get wl0_corerev" on the ASUS - it was in the teens, so I apparently have support for WLANs.
I have been attempting to configure the VLAN/VAP on the ASUS, but it was it was operating in "gateway" mode. I think that may be what was causing the headaches. I will follow these AP instructions.
If router A (connected to WAN) is operating in gateway mode, and router B is operating in router mode, and A provides DHCP services to the LAN "192.168.1.x" (including router B), which router provides DHCP for the VLAN (192168.2.x)?
connect the two routers with a tagged VLAN trunk that contains both sub-nets
I have the ASUS configured as the gateway, and the Archer configured as a router.
I am setting up 3 vlans on both, using bridges (br0, br1, br2) to assign ap/vaps to the vlans.
question1: Should the archer "router" be a DHCP forwarder? (assumed yes)
question2: I have DHCPD servers setup for the 2nd and 3rd vlans on the ASUS. Will br1 and br2 (for the 2nd/3rd vlans) on the archer also get DHCP forwarded? or do I need to setup multiple DHCPD servers on the archer, too?
I found that out. I expected that I only needed one DHCP per subnet, but wasn't sure how to configure that. It's "not" configuring that.
In networking-port setup, is the IP address in "Network Configuration br1 (and br2)" where the bridge gets "self assigned" to the subnet (for all the interfaces assigned to the bridge)? I just need to make that something out of the DHCP range, but in that subnet, correct?
Also, when connecting the two routers with a tagged VLAN trunk that contains both sub-nets, I was planing to use the wan port of router#2 for the trunk. should I also disable the WAN connection type and assign the WAN port to switch?
I've reviewed your page, and Mache's, and a few others. I have a much better understanding of the process/config and am going to implement it this weekend.
I would greatly appreciate a review of my design/config?
The attached image depicts my design for separating ports/wifi into 3 vlans (1, 5 & 6).
Following are my GUI Settings and NVRAM settings.
Also, Please verify that my tags should be assigned to the 3 vlans, not the bridges. thank you!
On Atheros vlan id set using the swconfig utility instead of nvram variables.
found a few examples. swconfig looks similar to the vlan/ports nvram setting. does It also handle the other nvram settings (i.e. nvram vlanXhwname and portXvlans)?
when I ran:
nvram show | grep vlan.*ports | sort
nvram show | grep vlan.*hwname | sort >>
nvram show | grep port*.vlans | sort >>
I got similar "initial" output for both routers. Does Atheros just use swconfig to set the values but the final result should be as listed?
Also, I only have bridges configured with ip addresses on the Asus gateway (the vlans are not configured with an IPAddress). Is this the same on the Atheros router? Does this line "ifconfig vlan7 192.168.7.1 /24" set a specific IPAddress for the vlan, or is it assigning the vlan to the 192.168.7 subnet?