Isolated network (incl wifi) for rental apartment

[grr]

I have an apartment, in my home, thats being rented to unknown people, and I would like to isolate the network in the apartment from the rest of the house.

My current setup is:

- Inteno VDSL modem from my ISP, in DHCP bridge mode.
- Asus RT-AC68U connected by cable, running in DHCP mode. Public IP on the outside, 10.0.1.x on the LAN side both for wireless and cabled. It is running wifi guest network thats isolated from the regular LAN. It is also an Aimesh hub, with two nodes connected by cable (RT-AC66U B1 and RT-AC68U).

The apartment has four network points and also needs wireless access.

If only the asus routers were able to delegate one LAN port to the guest network, I could just get a 5 port switch and be done with it all, but it doesnt seem like that is possible, so what do I do?

I am having a hard time figuring out how to do it without going for a double NAT solution for both networks (reset the Inteno and plug in my asus network on one LAN port and another wifi router for the apartment in another port), which will remove the possibility to access my home remotely - which I do need.

Any suggestions? Can it be done via a managed switch connected to a LAN port on the main Asus? (And another wifi router connected to the managed switch again). Will the switch be able to prevent access to 10.0.1.x?

 

[L&LD]

Don't be an ISP (not worth the headaches).

Single ISP and two completely independent networks

Hello Community, was wondering if I can get some help. In the near future I will sublet an office inside my property. The property has a single internet line and will need to share this with the renter. Currently I have a ISP provided modem/router where I have three PCs and Wireless devices...

www.snbforums.com

 

[dosborne]

You can setup a vlan or double Nat (no reason not too) to accomplish what you asked to do.

But, *YOU* are responsible for whatever these "unknown people" will be doing on the internet under your account.

 

[grr]

So if I keep my current setup, I can get a small managed switch, connect to a LAN port on the Asus main router, setup one port as a VLAN, and connect a wireless router for the apartment via that port, and the switch will prevent access to the rest of the network, but still allow internet access? I have done quite a lot of work with iptables etc on Linux/BSD before (20 years ago!?), but never used vlans on a switch. Are there options on which subnets to allow or not? Is the switch acting as a firewall?

As for double NAT, I thought that might give other problems like port forwarding etc?

And... The legal part is actually not an issue here in Norway.

It might be a temporary solution as there are no better options at the momemt. There are available pairs in the copper cable, but no new xDSL subscriptions are being accepted anymore as all copper lines will be taken out of service soon. The other option is wireless over 4G/LTE, which isnt a good option for a gamer.

Fiber optics with subscription package up to gigabit are 20 yards from my house though, and it will be made available soon, probably within 1-3 months. 5G will also be available within a couple of months. I might reconsider separate subscriptions then, but for now sharing is the only viable option...

 

[CaptainSTX]

Your solution of adding a smart switch between your network and the apartment and then an AP in the apartment is the best solution. A double NAT setup, if it was to double NAT the apartment's router behind your router and your router is the router connected to the Internet would result in the apartment dwellers being able to see and connect to devices on your subnet while you could not connect to devices in the apartment.

 

[ColinTaylor]

So if I keep my current setup, I can get a small managed switch, connect to a LAN port on the Asus main router, setup one port as a VLAN...

The Asus firmware doesn't have support for VLANs. There are some user hacks posted in the forums that you might allow you to add it via scripts.

 

[Tech9]

I am having a hard time figuring out how to do it without going for a double NAT solution for both networks (reset the Inteno and plug in my asus network on one LAN port and another wifi router for the apartment in another port), which will remove the possibility to access my home remotely - which I do need.

Do it this way, not a problem. Both routers in double NAT, put your router IP address in ISP router DMZ. All ports will be forwarded for your router, the apartment router needs manual port forwarding. If you run Asuswrt on your router, set DDNS on the ISP router. If you run Asuswrt-Merlin, set DDNS on the Asus router. Connected devices to the ISP router will be accessible from both routers, so connect all your LAN devices to the Asus router.

 

[grr]

Your post made me look into the ISP router again, reset it (out of bridge mode), and found out that it actually has guest network ability, both for wifi and possibility of assigning a LAN port as well. Seems they have had some progress the later years (I received a new router a couple of months ago due to lightning taking out the old one, but it was put into bridge immediately). I DMZed to my main Asus router, and the apartment is now using the ISP router both for wireless and LAN. There seems to be limited QoS options, but I think this will work anyway.

Thanks all of you, for excellent help!