Hey guys, I have a question around having multiple routers configured and their client access. I've been doing a lot of searching online about this and I'm not sure what's going on, since people seem to be saying the opposite of what's happening for me.
Let me start with the background for why I'm attempting this. I have a fiber plan that's pretty overkill for me, and it doesn't make sense for me to downgrade it as I'd get locked into a contract and pay just slightly less for about half the speed. Recently a couple of immigrants moved into the house facing my backyard, and I got talking to them and offered them use of my internet, but Wi-Fi doesn't work well enough. So what I did is grab a 50 m Cat5e cable and pull it across the backyard to their place, and dig out an old AC68U I had in storage and put it up in their place.
Now I naively (stupidly?) assumed from doing a quick search beforehand that as long as I kept their router connected by its WAN port and in a different subnet, I should have it isolated from my LAN, but this doesn't seem to be the case. I seem to be able to access all my devices/services while connected to the Wi-Fi on the AC68U. I might be misreading this Asus page, which seems to imply this wouldn't happen unless I set up some static routes - https://www.asus.com/my/support/FAQ/1011706/ - but I've seen numerous comments on other pages and forums saying the different subnets would mean the clients can't communicate with each other.
So basically I have a 3-router AiMesh setup in my home - 2 AX86Us and an AC86U, all running Merlin firmware. The AC68U in the back house is connected on its WAN port to LAN4 of the AC86U in my house, with the WAN setting set to automatic IP (in my DHCP settings I've bound the MAC of the device to assign it a static IP of 192.168.0.5). If I connect my phone to the Wi-Fi of the AC68U (and get assigned an IP of, say, 192.168.100.10), I am still able to access my NAS at 192.168.0.25. Basically, what's in the RED ARROW in the diagram can occur, and I'd really like it not to.
Is there any way to achieve this? To block the clients in the 192.168.100.0/24 subnet behind the AC68U from connecting to the 192.168.0.0/24 subnet clients behind the AX86U? One idea I have is to run an OpenVPN server on the main router and an OpenVPN client on the AC68U and have LAN access disabled in the main router's VPN settings ... but I believe this is putting unnecessary load on the main router, and hence I'd like to avoid that (I already have a running instance of OpenVPN for my own use as well). Is there any other way, say like using static routes to isolate the traffic?
I don't expect them to do anything malicious but they're not particularly tech savvy and I'm worried about things like ransomware breaches and so on.
TL;DR - red arrow traffic flow in diagram is allowed, how to stop it.
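The reason the "different subnet" advice fails here is worth spelling out: the AC68U NATs its clients' traffic to 192.168.0.5, and a packet from 192.168.0.5 to the NAS at 192.168.0.25 is same-subnet LAN traffic. It is switched at layer 2 between the AC86U's LAN ports and never passes through the main router's IP firewall, so no static route or rule on the AX86U/AC86U side will stop it. The filter has to sit on the AC68U, whose FORWARD chain every packet from 192.168.100.0/24 must traverse before it reaches the WAN port. Below is an added example of how to do that on Asuswrt-Merlin; it is not from the original post or from Asus/Merlin. It assumes the AC68U runs Merlin with JFFS custom scripts enabled, that the script is installed as /jffs/scripts/firewall-start (which Merlin invokes with the WAN interface name as $1 every time the firewall is rebuilt), and that the AC68U's LAN bridge is br0. The blocked-network list and the rule text are the example's own choices.

```sh
#!/bin/sh
# /jffs/scripts/firewall-start on the AC68U (Asuswrt-Merlin).
# Added example, not from the original post. Assumptions: LAN bridge is br0,
# Merlin passes the WAN interface name as $1, JFFS scripts are enabled.

LAN_IF="br0"
# Upstream networks the 192.168.100.0/24 clients must not reach.
# 192.168.0.0/24 is the home LAN from the post; add more space-separated CIDRs if needed.
BLOCKED_NETS="192.168.0.0/24"

# Build the rule spec (everything after the iptables verb) for one destination.
# REJECT with net-unreachable fails fast for the tenants instead of timing out.
# $1 = destination CIDR, $2 = WAN interface name
isolation_rule() {
    echo "FORWARD -i $LAN_IF -o $2 -d $1 -j REJECT --reject-with icmp-net-unreachable"
}

# Print the full iptables commands that would be run (dry run / review).
# $1 = WAN interface name
isolation_commands() {
    for net in $BLOCKED_NETS; do
        echo "iptables -I $(isolation_rule "$net" "$1")"
    done
}

# Idempotent insert: -C asks whether the rule is already present, so the
# firewall being restarted repeatedly does not stack duplicate rules.
# -I puts it at the top of FORWARD, ahead of the firmware's own ACCEPT rules.
# $1 = rule spec as printed by isolation_rule (word splitting is intended)
apply_rule() {
    iptables -C $1 2>/dev/null || iptables -I $1
}

# $1 = WAN interface name
apply_isolation() {
    for net in $BLOCKED_NETS; do
        apply_rule "$(isolation_rule "$net" "$1")"
    done
}

if [ -n "${1:-}" ]; then
    # Invoked by the firmware with the WAN interface: install the rules.
    apply_isolation "$1"
else
    # Run by hand with no argument: show what would be installed, touch nothing.
    # Assumption for the dry run: the WAN interface is eth0.
    isolation_commands eth0
fi
```

After `chmod a+x /jffs/scripts/firewall-start` and a firewall restart (or reboot) on the AC68U, check `iptables -L FORWARD -v -n | head` shows the REJECT rule at the top of the chain, then from a phone on the AC68U's Wi-Fi confirm that 192.168.0.25 is now unreachable while internet access still works. The AC68U itself still talks to 192.168.0.1 for DHCP and DNS because that traffic is router-originated (OUTPUT chain), not forwarded, so the rule does not break it. Two caveats: the rule lives on a box in the tenants' house, so anyone with its admin password, or a laptop plugged straight into the cable instead of the AC68U's LAN side, is not filtered by it; and if you ever switch the WAN port off automatic IP, the interface name in $1 is still whatever the firmware passes, so the script needs no change.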