I appreciate all the suggestions!
@tgl and
@drinkingbird I have an older ASUS router packed away as a spare/backup.
Just for the sake of perspective, my wife's office space connects to the router from a wall ethernet jack, then a Netgear gigabit smart managed switch connected to that jack. I put that switch in to allow her to connect a computer, network printer, and company phone. I'm not super network savvy so I gotta ask, could that switch be a solution to my problem?
@bbunge I might try that as a last resort, good info thanks a lot.
Yes, the switch should work for you.
Here is a basic config.
-Main router must be running 386 firmware.
-Enable guest wireless 1 2.4ghz only. It must be GW1, not 2 or 3. Set the SSID to anything other than your main LAN (WiredGuest or whatever) and select "hide ssid". Use WPA2-AES and set the pre-shared key just to protect it, but you don't need to remember it, just fill it with random letters and numbers. Set access intranet to disabled. Note I don't think the bandwidth limiter will work for the wired guest, but it might. Never tried.
-Reboot router
-On your switch, add VLAN 501
-On the port uplinking to your router, leave vlan 1 untagged, set 501 tagged. Leave the PVID of the port as 1.
-On all other ports on the switch, set them to VLAN 501
untagged, and set the PVID of those ports to 501 also
To be clear, enabling the guest wireless is just to create the VLANs and assign them to the LAN ports on the router (which it does automatically for Aimesh, even if you don't have aimesh enabled), the wireless won't actually be used for her stuff.
This will make her stuff appear to be on the guest wifi, but will show it as hardwired in the client list.
If you want something main LAN in that room, set that port on the switch to vlan 1 untagged and pvid 1 (which is the default for all ports unless you change it). It will be totally isolated even though it is on the same switch. Just make sure she knows not to plug work stuff into that port/ports. All her work stuff on VLAN 501 will be able to see and access each other so she can print, etc, and can access the internet, just not the main LAN or router.
Of course do some testing to make sure it is working and they are isolated. This definitely works on non-HND routers like the 68U, but your HND 86U is a bit different. However as far as I know it should work the same. Plug a laptop into the switch (one of the VLAN 501 ports if you didn't set them all to 501), it should get a 192.168.101.x IP. It should not be able to ping the router (192.168.101.1) or access the GUI. It should not be able to ping or otherwise access anything on your main LAN, including the main router IP (probably 192.168.1.1 or 192.168.50.1). But internet access should work as normal.
If you have/want a true guest wireless also (or if you're already using GW1), that can be done easily, I just didn't include it here for simplicity. There are a couple options, let me know if you want that.
You can also have two VLANs feeding that switch if you wanted to be able to have two different isolated segments, but doesn't sound like you have a need for that. If so I can tell you how to do that too, basically all the same as above but also enable 5ghz on GW1 and the VLAN will be 502, which you can tag on the uplink port along with 501, and set some switch ports into 502 untagged/pvid 502 for that second segment. So in that setup you could have your switch with LAN ports (VLAN 1) and two different wired guest segments (501 and 502).
