Using Second Router as a Guest Network

[starbux]

Hi,

My current setup is asus merlin on my ac68u and rt-n16.

Internet-->AC68U-->Port #4 Ethernet on AC68U--> WAN port for RT-N16 (Guest Network)

I am trying not to mess with JFFS and scripts to configure the ethernet port on the router to be isolated since I have zero experience in that and am afraid of not getting it done correctly.

I currently have network services filtering enabled under Firewall settings on the rt-n16 and basically blocked all port ranges 1-65535 connecting to 192.168.1.x on both TCP and UDP.

Is this enough to isolate the guest network router from the primary router? The guest router is operating using IP ranges 192.168.2.x and on subnet 255.255.254.0

The idea is to prevent anyone from the guest network from accessing anything on the AC68U LAN.

Would this work?

 

[Deleted member 27741]

Mostly just replying to give you a bump, but- doesn't merely having the n16 on a different subnet (192.168.2.x) prevent access to the ac68 LAN when clients are connected to the n16 (guest network)?

 

[F5ing]

Mostly just replying to give you a bump, but- doesn't merely having the n16 on a different subnet (192.168.2.x) prevent access to the ac68 LAN when clients are connected to the n16 (guest network)?

I think it's the other way around. Anything connected to the n16 would be able to access anything connected to the AC68. But devices connected to the AC68 would not be able access devices connected to the n16.

https://www.grc.com/nat/nat.htm

https://www.grc.com/nat/nats.htm

 

[DallasFlier]

I guess I'm confused. Since the AC68U provides a built-in guest network capability with options to connect or not connect to the primary LAN, why bother with a second router just to implement a guest network (in a significantly more complicated manner, as shown by this thread?)

 

[starbux]

I guess I'm confused. Since the AC68U provides a built-in guest network capability with options to connect or not connect to the primary LAN, why bother with a second router just to implement a guest network (in a significantly more complicated manner, as shown by this thread?)

Ah sorry I should clarify. It's because I'm using QoS on the RT-N16 as a overall bandwidth limiter.

Unfortunately Asus Merlin firmware doesn't have a bandwidth limiter for the guest network, so I've set the QoS on the RT-N16 to a hard cap up/dl of 10mpbs, that way guests don't steal all the bandwidth.

 

[starbux]

I think it's the other way around. Anything connected to the n16 would be able to access anything connected to the AC68. But devices connected to the AC68 would not be able access devices connected to the n16.

https://www.grc.com/nat/nat.htm

https://www.grc.com/nat/nats.htm

Yep this is correct, I tested it out. Basically, from the point of view of the RT-N16, 192.168.1.x or any other addresses are all on the internet.

I unfortunately cannot reverse the setup since I am using it for a specific purpose (I want the RT-N16 to act as a bandwidth limiter using QoS) for the guest network/LAN.


Just need to make sure if my firewall setup on the RT-N16 covered all my bases, or if I have a network security hole I am missing.

 

[F5ing]

Yep this is correct, I tested it out. Basically, from the point of view of the RT-N16, 192.168.1.x or any other addresses are all on the internet.

I've tested as well, as I've been running this way for about 10 years. And to add to your explanation, from the point of view of your AC68, the N16 is just another device on its LAN, allowing the N16 (and its connected devices) to freely communicate with any other machines connected to that LAN.

I unfortunately cannot reverse the setup since I am using it for a specific purpose (I want the RT-N16 to act as a bandwidth limiter using QoS) for the guest network/LAN.


Just need to make sure if my firewall setup on the RT-N16 covered all my bases, or if I have a network security hole I am missing.

I can't confirm your firewall setup, but can you tell us what your testing has revealed?