Need help with installing two routers in house with limited ethernet cable

[scott0_1]

Please be patient with this one, networking is not my strong suit!

My ISP is Telus in British Columbia. They provided an optical network terminal and a T3200M modem/router. The router stinks, but with their Optik TV (IPTV), I'm stuck with it.

I'm trying to install two new routers into the system to overcome the T3200M's shortcomings. I have an Asus AC86U and AX-86U. I have flashed them both with Asuswrt-Merlin.

This is where things get tough. The junction box in my garage has very limited space, but that is where all the ethernet cable comes in. Ideally, one of the Asus routers would be on my first floor and the other on my second floor. I have the T3200M set in bridging mode.

I have an unmanaged switch in the junction box where it sends the cables off to different rooms in my house.

Can someone suggest how to make this setup work with ethernet backhaul in the AIMesh setup? I've tried a few different things, but it doesn't seem to work. I have reached the end of my networking know-how (not much to begin with).

The problem with having the first router on the first floor is that there is only one cable in. So that means that cable has to be in and out? Would a managed switch overcome this?

ONT > T3200M WAN

T3200M Port 1 > Garage switch

Garage switch > first floor connection
> second floor connection

First floor connection > managed switch
> router 1 wan port
> lan port 1 > managed switch > second floor router wan port

Feel free to mock, but helpful suggestions are welcome too!

 

[tgl]

I think what you want is one cable from the ONT to the primary node's WAN port, and then a cable from the primary node's LAN port (any one will do) to the secondary node's WAN port. Then make sure the primary is in router mode and the secondary is in AP or AIMesh-node mode.

If you have more wired gear to connect, adding a switch on the LAN side of the primary router is fine, but it won't matter whether it's managed or not. (And, frankly, if you're a networking newbie then you don't want to trouble with managing a managed switch.) You probably don't want to try to connect more than one device directly to the ONT, so having a switch connected to that is not very helpful.

 

[scott0_1]

I think what you want is one cable from the ONT to the primary node's WAN port, and then a cable from the primary node's LAN port (any one will do) to the secondary node's WAN port. Then make sure the primary is in router mode and the secondary is in AP or AIMesh-node mode.

If you have more wired gear to connect, adding a switch on the LAN side of the primary router is fine, but it won't matter whether it's managed or not. (And, frankly, if you're a networking newbie then you don't want to trouble with managing a managed switch.) You probably don't want to try to connect more than one device directly to the ONT, so having a switch connected to that is not very helpful.

sorry, I skipped important details!

ONT > T3200M WAN

T3200M Port 1 > Garage switch

Garage switch > first floor connection
> second floor connection

First floor connection > managed switch
> router 1 wan port
> lan port 1 > managed switch > second floor router wan port

The problem with having the first router on the first floor is that there is only one cable in. So that means that cable has to be in and out?

 

[tgl]

OK, now I think I get it: you need both of the cable runs I described to pass through the garage junction box?

If that's the situation, you're right, an unmanaged switch won't cut it because it will just think there are four interchangeable connections. You need to separate that so that traffic on the WAN side of your new router doesn't intermix with traffic on the LAN side. You should be able to do that if you can replace the garage switch with a managed switch. (Basically, create separate VLANs for each side and put the appropriate ports into each VLAN.)

 

[scott0_1]

OK, now I think I get it: you need both of the cable runs I described to pass through the garage junction box?

If that's the situation, you're right, an unmanaged switch won't cut it because it will just think there are four interchangeable connections. You need to separate that so that traffic on the WAN side of your new router doesn't intermix with traffic on the LAN side. You should be able to do that if you can replace the garage switch with a managed switch. (Basically, create separate VLANs for each side and put the appropriate ports into each VLAN.)

A picture says a thousand words, but I think you see what I was describing. This is the meat and potatoes of my current setup. Both switches are currently unmanaged. The principle router is the office and the node is the living room. In this configuration, the principle doesn't even know the node exists.

I was hoping the system would be smart enough to send traffic from the office router via lan 1 to the living room wan, but it's not.

 

[Steve23]

I'll ask because it seems like avoiding the use of a managed switch could be useful in your case, just to keep things simpler..

Is there enough space in the conduit (I'm presuming this is run thru conduit), to allow you to pull another Cat-x cable to the office so that you have two there? If so, it may not be as difficult as it might seem. You can use the single cable that already goes there as the 'puller' to pull two cables. During this process, you essentially removing the 'puller' from the conduit while pulling two new cables thru.

...we always need one more, don't we?

 

[tgl]

Oh, that's even messier than I imagined

Your problem here is that you have just one cable between the garage switch and the office gear, and that cable has to carry two kinds of traffic: packets passing between the T3200M and the office router's WAN port, and packets passing between the office router's LAN port and the living-room AP (which will then squirt right back out the garage switch to reach the living room). Have I got it straight finally?

Yes, you can make that work, but AFAIK you will need two VLAN-aware (hence, managed) switches: you need to replace the garage switch with a managed switch, and also put a managed switch into the office that will connect to both sides of the office router and then transport those as two separate VLAN tags on the single cable leading to the garage. This is about at the limit of my own competency with VLANs, but I'm pretty sure it can work.

 

[tgl]

Is there enough space in the conduit (I'm presuming this is run thru conduit), to allow you to pull another Cat-x cable to the office so that you have two there?

If I'm understanding things correctly, having two cables to the office would eliminate the need for a managed switch in the office; but a managed switch would still be required in the garage junction box, if there's not room for two independent switches there. So I'm not sure if this removes enough complexity to be worth the hassle/risk of pulling more cable.

 

[tgl]

After further thought ... it seems like the basic requirement here is for only the office router to talk directly to the T3200M, with every other device in the house talking to the LAN side of the office router. In principle I think that could be done without any complicated switch setup, but it may well be beyond the configurability of both the T3200M and the ASUS router. In particular, if you can't turn off the T3200M's DHCP service (which I assume will advertise itself as the network's gateway device) there's no hope of making it work without VLAN-like isolation of that DHCP server.

 

[scott0_1]

I'll ask because it seems like avoiding the use of a managed switch could be useful in your case, just to keep things simpler..

Is there enough space in the conduit (I'm presuming this is run thru conduit), to allow you to pull another Cat-x cable to the office so that you have two there? If so, it may not be as difficult as it might seem. You can use the single cable that already goes there as the 'puller' to pull two cables. During this process, you essentially removing the 'puller' from the conduit while pulling two new cables thru.

...we always need one more, don't we?

That would be fantastic, but no conduit. The cable was installed when the place was built. The builders definitely weren't going to spend extra on conduit!

 

[scott0_1]

After further thought ... it seems like the basic requirement here is for only the office router to talk directly to the T3200M, with every other device in the house talking to the LAN side of the office router. In principle I think that could be done without any complicated switch setup, but it may well be beyond the configurability of both the T3200M and the ASUS router. In particular, if you can't turn off the T3200M's DHCP service (which I assume will advertise itself as the network's gateway device) there's no hope of making it work without VLAN-like isolation of that DHCP server.

This is it here. I'm glad I put the picture up!

In bridge mode, the T3200M kind of ignores the rest of the network. It allows traffic from the rest of it pass through, but does not try to manage it, including DHCP assignments. It does manage anything plugged into LAN ports 1-3..

That's why I was thinking one managed router in the office would be enough? Tell it that traffic coming through port 1 goes to the Asus router and traffic through port 4 goes to the Asus node?

I've never worked with managed switches before, so I don't know how specific you can be with directing traffic the way I'm suggesting?

 

[tgl]

I do not think I'd risk running the T3200M in bridge mode with the sort of physical layout you're talking about. What I suggested in my last post basically requires all the devices on the LAN to cooperate with some rules you impose on where to send traffic to. That's fine as far as it goes, but if your ISP router is in bridge mode then that means baddies can get into your LAN and potentially mess things up. You really want one wire going from the ONT and terminating in a router that you trust as a firewall/NAT device. Everything else has to be on the LAN side of that firewall.

Now, probably you could fake that with a managed switch providing isolation of the not-yet-firewalled internet traffic ... but I can't in good conscience recommend that a networking newbie try to set that up. One mistake could allow a hacker to break into all of your machines.

So, keep the T3200M in its standard router configuration, and then set up your own router behind it. This is what's called a "double NAT" configuration, and some people will tell you that that's bad ... but it's also pretty safe, especially when you need to take seriously the possibility that some traffic will leak around your own router until you get things fully squared away.

 

[Adooni]

Ok if you not have a networking knowleadge and plant to buy managed switch why you will not make this simple configuration.

ISP modem in bridge + Asus Ax86u as Aimesh router in garage - aimesh node in office - aimesh node in room. All connections via rj45 cable.

For nodes you can use AC86u + one new router or 2 new router if AX standard is important for you. If you need more LAN connections in office just connect switch to node.

 

[Tech9]

I would dump AiMess completely and add 2x business class access points to this AX86U with radios disabled... if Asuswrt is that important. Above I see an overengineered project involving business class switches to save one older and one newer disposable home routers. It doesn't make sense to me. AiMesh also needs own VLANs for Guest Networks and this makes the project even more complicated for no reason.

 

[tgl]

I would dump AiMess completely and add 2x business class access points to this AX86U with radios disabled... if Asuswrt is that important.

AFAICT Asuswrt's limitations are hardly an issue here. The sticking point is wanting to have nothing smarter than a switch that's directly connecting the ISP's router and the other routers. If the OP is stuck with this physical layout, and space and/or heat constraints and/or Faraday-cage issues prevent putting a proper router immediately downstream of the ISP's router, then it's gonna be a mess.

 

[Tech9]

It's a mess already. Plans for VLANs with basic networking knowledge, plans for AiMesh with 2x routers running Asuswrt-Merlin... what for? One small EdgeRouter in this box connected to the existing switch and 2-3 AP 6 Lite upstairs and go watch YouTube. Won't have to touch it again unless updates arrive. Home routers - Facebook Marketplace or eBay to recover some money. Wi-Fi done and can focus on more enjoyable things in life.

 

[scott0_1]

Thanks for the help all. I think I've got my solution and made it out fairly unscathed!

I'm going to come up with some way to get the AX86U in the garage. It is the easiest solution with no extra expense. All other solutions would require new hardware (switch, access points, etc) and probably some networking knowledge above my current level.

I'll put the AC86U in the living rooms as a node for the AiMesh.

This addresses most of the security issues @tgl brought up, I think?

Asuswrt-Merlin with AiMesh wasn't the make-or-break deal in this setup, but the easiest software solution that existed. I could have opted for other firmware, but again, with limited networking knowledge, it seemed the easiest way to go. It's important to know one's limitations.

Thanks for all the help and suggestions... And the patience!!!

 

[tgl]

One small EdgeRouter in this box connected to the existing switch and 2-3 AP 6 Lite upstairs and go watch YouTube.

I was actually thinking that an EdgeRouter would surely fit in that junction box, and it could easily do everything that is required (including replacing the switch, if you only need 4 or so ports). However, I remember what a steep learning curve Ubiquiti's software has, so I'm pretty hesitant to recommend that way. If the OP can arrange things so that his AX86U sits between the T3200M and the existing garage switch, then everything should be simple.