
Guest Network and Double NAT


ljg1000

Occasional Visitor
I have a basic setup question.

Router A/Network is my main router/network connected to an Internet cable modem. VPN Router B/Network is connected to Router A's LAN port. (Double NAT). My goal is to protect Router A from harmful access from Router B. I realize that to accomplish this it would be better to reverse the roles of A and B- since in the aforementioned setup, B is actually more secure from A because of its firewall and VPN.

However, if Internet users on Router B are only allowed to access a guest network that is Internet only (no Intranet access), will users of the guest network be able to access/ping/harm the Router A/Network. Non guest network users certainly will be able to do so, however, I believe guest users with Internet only access will not. At least this is my guess. So in this scenario, a guest network user would have to break through the guest network to potentially harm the main network controlled by Router A.

Of secondary relevance, both Router B's main and guest network is using a Wireguard VPN, with a router kill switch if the VPN goes down.
 
However, if Internet users on Router B are only allowed to access a guest network that is Internet only (no Intranet access), will users of the guest network be able to access/ping/harm the Router A/Network.
Theoretically yes. Everything upstream of router B's WAN port is considered "the internet". So Router B's guests could ping/access devices on Router A's LAN just as they can the internet. From router B's perspective there's no difference.

Of secondary relevance, both Router B's main and guest network is using a Wireguard VPN, with a router kill switch if the VPN goes down.
If all client traffic from router B is going via a VPN client then they would not be able to access Router A's LAN directly as the traffic is being tunnelled between Router B's WAN and the VPN provider.
 
Thanks. Also, if I use AP isolation on Router A for Router B (my router allows me to do this by individual network device), would this further protect Router A's network, or is this not helpful since Router B requires Router A for its internet connection?
 
I have a basic setup question.

Router A/Network is my main router/network connected to an Internet cable modem. VPN Router B/Network is connected to Router A's LAN port. (Double NAT). My goal is to protect Router A from harmful access from Router B. I realize that to accomplish this it would be better to reverse the roles of A and B- since in the aforementioned setup, B is actually more secure from A because of its firewall and VPN.

However, if Internet users on Router B are only allowed to access a guest network that is Internet only (no Intranet access), will users of the guest network be able to access/ping/harm the Router A/Network. Non guest network users certainly will be able to do so, however, I believe guest users with Internet only access will not. At least this is my guess. So in this scenario, a guest network user would have to break through the guest network to potentially harm the main network controlled by Router A.

Of secondary relevance, both Router B's main and guest network is using a Wireguard VPN, with a router kill switch if the VPN goes down.
As Colin said the only way to protect your router A from traffic from devices on router B in your setup is to send all traffic using a VPN client from router B.

In my double NAT setup I have to take a PC on my router B off the VPN to administer Router A or connect to a device on Router A.

As you mentioned much more secure to put less secure IoT or guests on router A and more secure devices on Router B. I don't know what speeds you get from your ISP but you might want to experiment with the order of your routers to determine what the impact is. Also be aware that running WireGuard may disable hardware acceleration.
 
Thanks. Also, if I use AP isolation on Router A for Router B (my router allows me to do this by individual network device), would this further protect Router A's network, or is this not helpful since Router B requires Router A for its internet connection?
Sorry, I don't know what isolation you're referring to. But then you never said what router or firmware you're using. Maybe this is something in the "Pro" firmware that I'm not familiar with. The only AP isolation I know about is for wireless clients not routers.
 
Theoretically yes. Everything upstream of router B's WAN port is considered "the internet". So Router B's guests could ping/access devices on Router A's LAN just as they can the internet. From router B's perspective there's no difference.
Right. However, if you can install custom packet filtering rules on Router B, you can set it to drop outgoing traffic that's bound for any address on the main LAN.
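
One way to write the packet filter described in the reply above, as an added example that is not part of the thread or any poster's configuration. It assumes Router B runs Linux iptables with shell access, that Router A's LAN is 192.168.1.0/24, and that Router B's main and guest bridges are named br0 and br1; all three are assumptions to adjust.

```shell
#!/bin/sh
# Added example, to be run on Router B. Addresses and interface names are assumptions.
MAIN_LAN="${MAIN_LAN:-192.168.1.0/24}"  # Router A's LAN subnet (assumed)
LAN_IFACES="${LAN_IFACES:-br0 br1}"     # Router B's main and guest bridges (assumed names)
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print the commands only, 0 = apply them

# Rule: drop forwarded packets from a Router B client interface to Router A's LAN.
# Internet-bound packets keep their remote destination address and only use
# Router A as the next hop, so they do not match. Router B's own DNS/NTP traffic
# leaves through OUTPUT, not FORWARD, and is not affected either.
rule_spec() {  # $1 = ingress interface
    printf '%s' "FORWARD -i $1 -d $MAIN_LAN -j DROP"
}

apply_rule() {
    spec=$(rule_spec "$1")
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables -I $spec"
        return 0
    fi
    # -C tests for an identical rule, so re-running does not stack duplicates.
    iptables -C $spec 2>/dev/null || iptables -I $spec
}

block_main_lan() {
    for ifc in $LAN_IFACES; do
        apply_rule "$ifc"
    done
}

ip2int() {  # dotted quad -> integer
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Exit status 0 if the destination falls inside MAIN_LAN, i.e. the rule matches it.
in_main_lan() {  # $1 = destination IPv4 address
    net=${MAIN_LAN%/*}; bits=${MAIN_LAN#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

block_main_lan
for dst in 192.168.1.1 192.168.1.50 8.8.8.8; do  # constructed sample destinations
    if in_main_lan "$dst"; then echo "$dst: dropped"; else echo "$dst: forwarded"; fi
done
```

The rule also matches Router A's own address, so Router A's admin page becomes unreachable from Router B's clients, and any client pointed directly at a Router A address for DNS loses name resolution. Rules inserted this way do not survive a reboot or firewall restart and have to be reapplied through whatever startup hook the firmware provides.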
 
I wonder if the cleanest approach for what I want to do is to purchase the RT-AX 88U or 86 U Pro and use the Guest Network Pro feature to setup IOT, Custom and VPN guest networks. The VPN guest networks would be used by visitors. The Pro router also has a VLAN feature I believe that while it can be used with Guest Network Pro can also be used to create VLANs that are not also isolated guest networks. I believe the Pro router will support up to six guest network Pro networks.

This would eliminate double NAT and as long as the guest networks are truly isolated from devices on other guest/non-guest networks, would provide some additional security.




Is the above correct? Asus's online literature is not always clear.
 
