2 routers sharing router 1 wan

[bladerunner1968]

Hi Guys,

I need to protect my main home network from my son's increasing gaming/network app activities etc etc and have a spare older RT-AC66U lying around.

Here is the current arrangement:

Internet -> ISP router -> WAN port of RT-AC68U (192.168.26.x) -> Lan port -> separate 18 port switch -> lan port -> RT-AC66U (192.168.28.x) broadcasting a separate wifi

I have a static route enabled on router 1 (RT-AC68U) as 192.168.28.0 - gateway 192.168.26.1, metric 1, LAN which currently allows me to 'see' the 2nd network devices.


Scenario one: is there a way of allowing clients on the 2nd router (RT-AC66U) network to be able to reach the internet, but be isolated from the network on router 1 (RT-AC68U), whilst allowing me to rdp from my win client located on network 1 onto my son's machine which is on the 2nd network?

Scneario two: If I set up a squid proxy on a virtual machine located on the first network (RT-AC68U), could I route all internet bound traffic from the 2nd network (RT-AC66U) via this proxy to the internet/WAN that is on network 1 (RT-AC68U) and again rdp from a client on network 1 to a client on network 2?

Thanks for any pointers

 

[ColinTaylor]

You can use the Network Services Filter on the RT-AC66U to block access to 192.168.26.x.

What is your use case for Squid. As a web cache it's rather pointless nowadays IMHO.

 

[bladerunner1968]

You can use the Network Services Filter on the RT-AC66U to block access to 192.168.26.x.

What is your use case for Squid. As a web cache it's rather pointless nowadays IMHO.

Thanks for your reply Colin

What do I need to do on the AC66U to be able to see the internet which is currently only accessible on the AC68U?

in terms of squid I was hoping that I could log traffic as well as provide finer control over what http site traffic is allowed (unless there is something better?)

 

[ColinTaylor]

Sorry, I must be misunderstanding something about your setup. Why is the internet only accessible from the AC68U?

Re. Squid; yes I guess that would still work although using AiProtection on the AC68U would probably do much the same and likely be more effective. My point was really just about using Squid as a web cache.

 

[bladerunner1968]

Sorry, I must be misunderstanding something about your setup. Why is the internet only accessible from the AC68U?

Re. Squid; yes I guess that would still work although using AiProtection on the AC68U would probably do much the same and likely be more effective. My point was really just about using Squid as a web cache.

No problem.

Clients on network 2 cannot seem to get to the internet which is hosted on network 1 despite them both being connected via lan. Should this just work out of the box?

I will look look at AIProtection thanks

 

[ColinTaylor]

Clients on network 2 cannot seem to get to the internet which is hosted on network 1 despite them both being connected via lan. Should this just work out of the box?

Your RT-AC68U's LAN port should be connected to the RT-AC66U's WAN port (via your 18 port switch). The RT-AC66U should be in router mode with NAT and firewall turned off. The gateway address of your static route should be the WAN IP address of the RT-AC66U (e.g. 192.168.26.???).

 

[bladerunner1968]

Your RT-AC68U's LAN port should be connected to the RT-AC66U's WAN port (via your 18 port switch). The RT-AC66U should be in router mode with NAT and firewall turned off. The gateway address of your static route should be the WAN IP address of the RT-AC66U (e.g. 192.168.26.???).

I've got the internet on network 2 working now via sharing the WAN from network 1 - I had to connect the lan cable to lan port 1 on the AC66U then in Dual Wan, set the Primary WAN option to Ethernet Lan on Lan port 1

 

[ColinTaylor]

I had to connect the lan cable to lan port 1 on the AC66U then in Dual Wan, set the Primary WAN option to Ethernet Lan on Lan port 1

Why aren't you using the AC66U's WAN port? Setting up Dual WAN just to use a LAN port is an unnecessary and pointless complication.

 

[BK303]

Scenario one: is there a way of allowing clients on the 2nd router (RT-AC66U) network to be able to reach the internet, but be isolated from the network on router 1 (RT-AC68U), whilst allowing me to rdp from my win client located on network 1 onto my son's machine which is on the 2nd network?

As I understand it, your desire is to setup two local IP subnets, one for child's gaming activity (let's call it "gaming subnet") and another for everything else (let's call it "main subnet"), with both subnets sharing a NAT gateway to single WAN connection. Plus, you'd like to setup separate WiFi network for each, and you'd like to allow access from the main subnet to the gaming subnet, but not vis versa. And, I'll bet you may want to limit the WAN throughput on the child's gaming subnet (if not now, then someday).

I've setup similar configurations with multiple semi-isolated LANs using a single SOHO-grade firewall/router. So it can definitely be done, but I'm 95% sure the stock firmware provided with AC68U or AC66U is NOT capable of this type of direct (one-layer) multiple LAN subnet configuration. I believe I tried something similar using VLAN with Merlin firmware branch in past without much luck on an older RT-N66U, but that could just be my mistake and hopefully someone with more knowledge on Merlin's firmware branch can chime in. I believe Open-WRT is capable of such a multiple LAN subnet config using internal VLANs, firewall zones, and NAT routing features, but I also recall that Open-WRT alternate firmware doesn't have support for your Asus RT-ACxxx devices because they are Broadcom chipset based.

Three options for you to consider:
1. Purchase or build a more capable firewall/router that you connect to your WAN, and setup two semi-isolated LANs as desired. Then you can re-use your existing two RT-AC6xU in Access Point(AP) mode hardwired to the new firewall to setup the independent WiFi networks for each subnet. The basic config is you setup two LAN IP subnets with each associated with one or more physical ethernet LAN ports, then each sub-network has DCHP plus NAT routing enabled to a single WAN port, finally a firewall rule allows one way traffic from main subnet to gaming subnet.

To build firewall yourself, you could use an older computer with three wired Ethernet ports and the popular free Pfsense software-based firewall, or they also sell dedicated Pfsense enabled hardware ($180 and up). I personally use Zyxel USG40 firewall ($250 to $350) for small office with multiple LANs, but might be more complex than you want, and about 50% higher cost than Pfsense basic hardware. Many other similar dedicated firewall options available, but many are significantly more expensive.

2. You could try to leverage the "Guest WiFi network" feature of your best existing WiFi home NAT router, and turn on "Guests can not communicate with LAN (Intranet)" blocking feature of Guest WiFi. In this setup, the Guest network is used only for the gaming network and router is isolating the guest network. Disadvantages include you can only have Guest Wifi, not Guest wired LAN ports, with stock firmware (perhaps Merlin's firmware support's more flexible Guest network setup with physical ports too?). Also you won't be able RDP to child's computer from main subnet because isolation between regular LAN and Guest Wifi is both directions. Some routers always use "client isolation" within the guest network (some have a enable/disable config option) that would prevent you from connecting to the Guest Wifi and RDP into child's gaming computer even over the Guest Wifi. However, I think Guest Wifi network is the best option (easy to manage) with your current hardware if you could give up the remote access to child's gaming computer. Asus Guest Wifi doesn't use separate IP subnets, but rather sets up a virtual barrier between two parts of the same subnet. On my newer RT-AC86U, I can also set bandwidth limits on the Guest Wifi, and have up to three separate Guest Wifi SSIDs.

3. Finally, you could setup a two-level network, which is what you've been exploring so far with your outer router1 and inner router2 topology. I think you'll find with your first attempt having the gaming subnet on router2 (inner RT-AC66U), that the gaming computer(s) can still communicate to your main subnet computers (e.g., try pinging your main computer from gaming computer by IP address), unless you do @ColinTaylor suggesting of filtering the outer main subnet IP address on the inner router2 network services outbound firewall rules. If you try that, then I'm pretty sure router2 DOES need NAT routing enabled, because it's inner LAN is going to be an isolated subnet. In just AP mode (no NAT) you won't have the outbound firewall available. I don't think either RT-AC6xU supports a pure router mode with stock firmware, and even that would require the outer router to support two IP subnets (hence #1 above uses a new firewall/router). With normal NAT routing on router2, the inner gaming subnet is going through two-NAT router layers and that won't work for many peer-to-peer gaming setups.

A better topology for #3 option is to reverse the inner/outer subnet associations by configuring the gaming subnet as the outer/top-level LAN (and WiFi) off your RT-AC68U (in normal NAT mode) router1 that has the connection to ISP, and then your "main subnet" is the inner/second layer (more protected) subnet off the router2 LAN ports with its WiFi. The KEY to the inner/outer config is that router2's WAN port is connected to one of router1's LAN ports (no need for the dual-WAN setup on router2 with lan-to-lan wire). The inner-network's NAT router2's default firewall would prevent the outer gaming network devices traffic into the main (inner) subnet. But router2's outbound NAT routing still allows traffic initiated from the inner main subnet to the outer gaming subnet for your RDP connection. In this topology, the outer gaming subnet only has one-layer of NAT and all gaming subnet applications (including UPnP for port forwarding) should work same what you started with. However, two-level NAT on the inner main subnet is not good for some applications (VoIP, anything that is peer-peer, etc.) that might be on the main subnet, and if you needed any open inbound ports from the Internet to the main subnet, it will be harder to setup (two layers of port forwarding required) and UPnP can not function to automatically setup port forwarding to main subnet (although I'd avoid UPnP anyway).

Good Luck. If this isn't clear yet, we should draw some diagrams next.

 

[bladerunner1968]

Why aren't you using the AC66U's WAN port? Setting up Dual WAN just to use a LAN port is an unnecessary and pointless complication.

agreed Colin - when I tried the wan port on the AC66U it didn't work. However I've since realised it is because NAT was off on the AC66U and I have sorted it now that NAT is turned on. Thanks

 

[bladerunner1968]

As I understand it, your desire is to setup two local IP subnets, one for child's gaming activity (let's call it "gaming subnet") and another for everything else (let's call it "main subnet"), with both subnets sharing a NAT gateway to single WAN connection. Plus, you'd like to setup separate WiFi network for each, and you'd like to allow access from the main subnet to the gaming subnet, but not vis versa. And, I'll bet you may want to limit the WAN throughput on the child's gaming subnet (if not now, then someday).

I've setup similar configurations with multiple semi-isolated LANs using a single SOHO-grade firewall/router. So it can definitely be done, but I'm 95% sure the stock firmware provided with AC68U or AC66U is NOT capable of this type of direct (one-layer) multiple LAN subnet configuration. I believe I tried something similar using VLAN with Merlin firmware branch in past without much luck on an older RT-N66U, but that could just be my mistake and hopefully someone with more knowledge on Merlin's firmware branch can chime in. I believe Open-WRT is capable of such a multiple LAN subnet config using internal VLANs, firewall zones, and NAT routing features, but I also recall that Open-WRT alternate firmware doesn't have support for your Asus RT-ACxxx devices because they are Broadcom chipset based.

Three options for you to consider:
1. Purchase or build a more capable firewall/router that you connect to your WAN, and setup two semi-isolated LANs as desired. Then you can re-use your existing two RT-AC6xU in Access Point(AP) mode hardwired to the new firewall to setup the independent WiFi networks for each subnet. The basic config is you setup two LAN IP subnets with each associated with one or more physical ethernet LAN ports, then each sub-network has DCHP plus NAT routing enabled to a single WAN port, finally a firewall rule allows one way traffic from main subnet to gaming subnet.

To build firewall yourself, you could use an older computer with three wired Ethernet ports and the popular free Pfsense software-based firewall, or they also sell dedicated Pfsense enabled hardware ($180 and up). I personally use Zyxel USG40 firewall ($250 to $350) for small office with multiple LANs, but might be more complex than you want, and about 50% higher cost than Pfsense basic hardware. Many other similar dedicated firewall options available, but many are significantly more expensive.

2. You could try to leverage the "Guest WiFi network" feature of your best existing WiFi home NAT router, and turn on "Guests can not communicate with LAN (Intranet)" blocking feature of Guest WiFi. In this setup, the Guest network is used only for the gaming network and router is isolating the guest network. Disadvantages include you can only have Guest Wifi, not Guest wired LAN ports, with stock firmware (perhaps Merlin's firmware support's more flexible Guest network setup with physical ports too?). Also you won't be able RDP to child's computer from main subnet because isolation between regular LAN and Guest Wifi is both directions. Some routers always use "client isolation" within the guest network (some have a enable/disable config option) that would prevent you from connecting to the Guest Wifi and RDP into child's gaming computer even over the Guest Wifi. However, I think Guest Wifi network is the best option (easy to manage) with your current hardware if you could give up the remote access to child's gaming computer. Asus Guest Wifi doesn't use separate IP subnets, but rather sets up a virtual barrier between two parts of the same subnet. On my newer RT-AC86U, I can also set bandwidth limits on the Guest Wifi, and have up to three separate Guest Wifi SSIDs.

3. Finally, you could setup a two-level network, which is what you've been exploring so far with your outer router1 and inner router2 topology. I think you'll find with your first attempt having the gaming subnet on router2 (inner RT-AC66U), that the gaming computer(s) can still communicate to your main subnet computers (e.g., try pinging your main computer from gaming computer by IP address), unless you do @ColinTaylor suggesting of filtering the outer main subnet IP address on the inner router2 network services outbound firewall rules. If you try that, then I'm pretty sure router2 DOES need NAT routing enabled, because it's inner LAN is going to be an isolated subnet. In just AP mode (no NAT) you won't have the outbound firewall available. I don't think either RT-AC6xU supports a pure router mode with stock firmware, and even that would require the outer router to support two IP subnets (hence #1 above uses a new firewall/router). With normal NAT routing on router2, the inner gaming subnet is going through two-NAT router layers and that won't work for many peer-to-peer gaming setups.

A better topology for #3 option is to reverse the inner/outer subnet associations by configuring the gaming subnet as the outer/top-level LAN (and WiFi) off your RT-AC68U (in normal NAT mode) router1 that has the connection to ISP, and then your "main subnet" is the inner/second layer (more protected) subnet off the router2 LAN ports with its WiFi. The KEY to the inner/outer config is that router2's WAN port is connected to one of router1's LAN ports (no need for the dual-WAN setup on router2 with lan-to-lan wire). The inner-network's NAT router2's default firewall would prevent the outer gaming network devices traffic into the main (inner) subnet. But router2's outbound NAT routing still allows traffic initiated from the inner main subnet to the outer gaming subnet for your RDP connection. In this topology, the outer gaming subnet only has one-layer of NAT and all gaming subnet applications (including UPnP for port forwarding) should work same what you started with. However, two-level NAT on the inner main subnet is not good for some applications (VoIP, anything that is peer-peer, etc.) that might be on the main subnet, and if you needed any open inbound ports from the Internet to the main subnet, it will be harder to setup (two layers of port forwarding required) and UPnP can not function to automatically setup port forwarding to main subnet (although I'd avoid UPnP anyway).

Good Luck. If this isn't clear yet, we should draw some diagrams next.

That's really good of you to provide that outline. Lots to consider there and I will have time over the Xmas break to hopefully delve into this.

I have achieved scenario one now with using the info Colin provided, having the static route from router 1 to router 2 (for the RDP access) and having the lan cable into the AC66U's wan port, and setting 192.168.26.0/24 in the Network Services Filter as a blacklist in order to prevent traffic from the 2nd 'gaming' network from getting to the first 'house' network.

I make heavy use of Proxmox and run a number of Linux containers on that server such as Plex which is located on the main network 1 (ie the AC68U's network). The second scenario was to maybe try and make use of this by spinning up something like Squid in a Centos container just for my Son's internet/gaming traffic so I can monitor/control that. I would imagine I would have to set up a static route from the gaming network's AC66U to the squid instance but that would then break the isolation from the gaming network being able to see the 1st main network devices. Any suggestions?

 

[ColinTaylor]

agreed Colin - when I tried the wan port on the AC66U it didn't work. However I've since realised it is because NAT was off on the AC66U and I have sorted it now that NAT is turned on. Thanks

It should work with and without NAT enabled. I have used exactly this configuration myself.

 

[bladerunner1968]

It should work with and without NAT enabled. I have used exactly this configuration myself.

Just tried it again - turned NAT off on the 2nd router (AC66U)and there is no internet on the 2nd router network

 

[ColinTaylor]

Just tried it again - turned NAT off on the 2nd router (AC66U)and there is no internet on the 2nd router network

What static route are you using on the AC68U?

 

[bladerunner1968]

What static route are you using on the AC68U?

I have a static route enabled on router 1 (RT-AC68U) as 192.168.28.0 - gateway 192.168.26.1, metric 1, LAN which currently allows me to 'see' the 2nd network devices.

 

[ColinTaylor]

I have a static route enabled on router 1 (RT-AC68U) as 192.168.28.0 - gateway 192.168.26.1, metric 1, LAN which currently allows me to 'see' the 2nd network devices.

That route is not correct. The gateway address should be like I said in post #6, the WAN IP of the AC66U.

 

[bladerunner1968]

That route is not correct. The gateway address should be like I said in post #6, the WAN IP of the AC66U.

maybe I am not understanding this right but the AC66U does not have a WAN IP - it is sharing the WAN from the AC68U

Network 1 (AC68U has a gateway of 192.168.26.1 and has the WAN interface to the ISP router) and Network 2 (AC66U) has a gateway of 192.168.28.1)

 

[ColinTaylor]

The "WAN" is not the same as "the internet".

The AC66U is not "sharing the WAN from the AC68U".

The AC66U does have a WAN IP otherwise it wouldn't be able to route. This WAN IP address is the gateway address to the 192.168.28. network from the 192.168.26. network. It will be shown on the AC66U's Network Map page as 192.168.26.<something>.

If you choose not to configure the AC66U this way you can leave NAT enabled and it will still work (as you know) and you can remove the static route completely as it would be redundant. The only downsides to doing it this way is that you will need to configure port forwarding rules for remote access to the AC66U's LAN (e.g. for RDP), and as far as the AC68U is aware all traffic from the the AC66U's clients will originate from the AC66U itself rather than the clients.

 

[bladerunner1968]

OK understand now

The "WAN" is not the same as "the internet".

The AC66U is not "sharing the WAN from the AC68U".

The AC66U does have a WAN IP otherwise it wouldn't be able to route. This WAN IP address is the gateway address to the 192.168.28. network from the 192.168.26. network. It will be shown on the AC66U's Network Map page as 192.168.26.<something>.

If you choose not to configure the AC66U this way you can leave NAT enabled and it will still work (as you know) and you can remove the static route completely as it would be redundant. The only downsides to doing it this way is that you will need to configure port forwarding rules for remote access to the AC66U's LAN (e.g. for RDP), and as far as the AC68U is aware all traffic from the the AC66U's clients will originate from the AC66U itself rather than the clients.

OK now I get it. I see the WAN address on the AC66U as 192.168.26.234 and I have set that as a static route on the AC68U as 192.168.28.0 -> gateway = 192.168.26.234 -> metric 1 -> Lan.

Still same result - no traffic unless NAT is enabled on the WAN page on the AC66U

 

[ColinTaylor]

Well I'm either missing something or something has recently changed in the firmware because this setup works for me and other people in these forums.

Rather than waste any more time on this I suggest you stick with what works for you (NAT enabled) as that is an equally valid setup. As noted above you can then remove the static route completely.