Static routing to avoid 7 routers for guest network?

RadicalDad

My home needs 3 wireless router locations to cover it well. There is wired Ethernet to these locations. I've started working out of my home, and we often host guests, which means it would be smart to isolate my network from the guest network. I can do this with 7 routers, but that seems silly.

Let's say I put router 1 at the cable modem and treat it as a perimeter router. It has no wireless. Now I cascade two chains of wireless routers off the perimeter router, one chain of 3 routers (numbers 2, 3, and 4) for my secure network, a second chain of 3 routers (numbers 5, 6, and 7) for the guest network. I had the foresight to pull two Cat 6 wires to each location, so I can physically do this, and I've got a bunch of old WRT54G routers to do it with, but I'm going to run out of wireless frequencies before I'm done, not to mention annoy the neighbors by using up all the available frequencies.

Modern routers, such as the Linksys E4200, come with a guest network which works on the same radio frequency - perfect! - but it won't work on cascaded routers. The guest network IPs are simply routed out the WAN port without being able to touch the LAN ports or other wireless clients. If you cascade out the WAN port, you've lost your security one level up. If you cascade out the LAN port, you must turn off DHCP, losing the guest network ability (which is also lost because the WAN port isn't connected). If you don't cascade the three E4200's but instead connect them (via the WAN ports) directly to the perimeter router's LAN ports, you lose the ability for devices on my secure side network to talk to each other due to the different subnets.

Or do you? It seems that this entire problem could be solved by static routing, but so far my efforts haven't gone anywhere. Assume for discussion that Router one is at 192.168.1.1, Router 2 is at 192.168.2.1, etc. What do I put in the Static Routing entry on the Advanced Routing tab? I've searched in vain for anything that even approaches a tutorial or explanation of the Linksys implementation.

(And if I link the main addresses of the routers with static routes, do the guest networks, which each router forces to 192.168.33.0, remain secure and isolated? I'm happy to experiment and report back if someone will help me with the static route part. I've already got a pair of E4200's to test with.)

Thanks!
 
Thanks Tim -

A VLAN-aware managed switch is a slightly more elegant solution, but in the end it does little more for me than a router in this situation. Let's assume I have a master router at position 1 to handle the transition between internal network and the cable modem. This router does DHCP and NAT for the whole network. From here I insert a managed switch with VLANs. I don't see how this stops the cascade of independent wireless routers, whether they are routing or merely set as an AP. Indeed, the managed switch is doing nothing more in this situation than router #1 that it doesn't completely replace. I've essentially got VLANs now with the different router chains.

The problem is the way the guest network is implemented by Linksys (and most others, I would guess). If I turn the routers into APs, not using the WAN ports and DHCP on each one, then I lose the inherent guest network function of the E4200 (and most others). Now I'm into multiple routers, one set for the guest network, one set for the secure internal network. If I go into the E4200 via the WAN ports, then I get one router in each location doing both guest and internal secure networks using only one wireless channel, but I lose the ability for the subnets to communicate properly on the secure side. Since I wrote the OP, I've discovered that SMB (Windows) shares don't play well between the subnets, even with static routes defined and enabled. Turns out this is also a problem for my Sonos system if the controller is not on the same (wireless) subnet as the rest of the system. I was hoping there was a way to use static routes to force 192.168.33.0 guest packets to "skip" to the next router up the chain to keep those IPs from looking at the rest of my network, but I've learned that isn't how static routing works.

What I need is connectivity to the next router up the chain from both the LAN and WAN port of the same E4200 router. WAN port for the guest network, LAN port in AP mode for the internal secure network. Of course, that doesn't work either! Unless there is a way of implementing this with a managed switch VLAN that is totally escaping me now, this seems to be a limitation of the router and a VLAN doesn't really change this.

Sigh.
 
I can't tell whether you are familiar with how VLANs work or not. VLANs are exactly what is needed for your situation.

Using VLANs, it wouldn't matter whether your APs have a "guest" function or not. All you need to do is assign the "guest" APs a unique SSID so that you can tell them apart and assign them to one VLAN. Assign your home wireless network and wired traffic to another VLAN. Internet access (via your main router) goes on a third VLAN.

Then assign the switch ports connected to the "guest" APs to the "guest" and Internet VLANs. Assign the ports connected to your wired clients and home network AP to the "home" and Internet VLANs.

Since there are no subnets, file and printer sharing will work just fine within VLANs.
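
The port assignment described in the reply above, modelled as an added example that is not part of the original posts: it checks that guest and home ports cannot exchange frames while both still reach the uplink, and shows how one wrong PVID breaks that. The VLAN IDs, port numbers, the uplink port's membership in all three VLANs, and the PVID forwarding rule are assumptions about a typical port-based (asymmetric) VLAN switch.

```python
"""Added example: checks guest/home isolation for a port-based VLAN layout."""
GUEST, HOME, INTERNET = 10, 20, 30  # constructed VLAN IDs (assumption)


def layout(guest_pvid=GUEST):
    """Return {port: (role, pvid, member_vlans)} for a constructed 7-port switch.

    Assumed switch behaviour: an untagged frame entering a port is classified
    into that port's PVID and may leave only through ports that are members
    of that VLAN (the usual "asymmetric VLAN" arrangement).
    """
    ports = {1: ("uplink", INTERNET, {GUEST, HOME, INTERNET})}  # main router
    for p in (2, 3, 4):  # home APs and wired clients
        ports[p] = ("home", HOME, {HOME, INTERNET})
    for p in (5, 6, 7):  # guest APs
        ports[p] = ("guest", guest_pvid, {GUEST, INTERNET})
    return ports


def can_forward(ports, src, dst):
    """True if an untagged frame entering src may egress on dst."""
    _, pvid, _ = ports[src]
    _, _, members = ports[dst]
    return src != dst and pvid in members


def violations(ports):
    """List (src, dst) pairs where a frame crosses between guest and home."""
    bad = []
    for s, (srole, _, _) in ports.items():
        for d, (drole, _, _) in ports.items():
            if {srole, drole} == {"guest", "home"} and can_forward(ports, s, d):
                bad.append((s, d))
    return bad


def cut_off(ports, uplink=1):
    """Ports lacking two-way forwarding with the uplink (no Internet access)."""
    return [p for p in ports if p != uplink and not
            (can_forward(ports, p, uplink) and can_forward(ports, uplink, p))]


if __name__ == "__main__":
    good = layout()
    print("violations:", violations(good), "cut off:", cut_off(good))
    # Misconfiguration: guest ports left with the shared VLAN as their PVID.
    wrong = layout(guest_pvid=INTERNET)
    print("violations with wrong PVID:", violations(wrong))
```

In the misconfigured case the membership tables are unchanged and only the guest ports' PVID differs, which is why checking membership alone is not enough when auditing such a switch.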
 
