Isolated Guest router/network setup on existing network

[enthusiast29]

Hi, I need a little help from networking experts here...

I have the following setup at my home:

Spoiler: Network Layout

I have set up same IP range for both current routers (ISP provided and 2nd router):
192.168.1.x
DHCP allocation on 2nd router is OFF and is handled by the main router itself. So all devices on both routers exist on same network and can talk to each other.

main router clients - office equipment, VOIP, LAN/WLAN connections, basically things I own
Router 2 clients - other family devices connected via WLAN

The above network has a self hosted DNS server solution using pihole + unbound running on static IP 192.168.1.2.

3rd router (connected directly with main through LAN) would be for guests with complete isolation from all other networks and bypassing pihole + unbound solution and instead using Cloudflare DNS. I also need this in case of emergencies and troubleshooting as well if something is blocked on pihole and I don't have time to figure out but need a temporary solution to check.

My plan is to use 192.168.0.x range on this 3rd router and enable DHCP allocation on that router itself which should according to my understanding isolate the clients on this router from the main/2nd router.

My problem:
I am able to set this up easily and 3rd router works and all my clients on 3rd router get assigned an IP in 192.168.0.x range but still can access and talk with all devices of 192.168.1.x range but vice-versa is not true, i.e., I cannot access 192.168.0.x range using the main router or 2nd router (192.168.1.x range) not that I need to (better that I can't) but why the reverse is possible? In any case I don't want guest network to be able to access the main.

What's happening...
-------------------------------------------------------
Main can access 2nd (both 192.168.1.x subnet) <-- intended
2nd can access Main (both 192.168.1.x subnet) <-- intended
3rd can access Main and 2nd (even when 3rd is on 192.168.0.x subnet) <-- not intended, I don't want this!
Main and 2nd cannot access 3rd (which is fine) <-- intended
-------------------------------------------------------

I am unable to figure out how to isolate the 192.168.0.x network on the 3rd router. Can anyone help me with this?

 

[tech.monk]

I'm no expert into this but isn't this is a scenario that utilizes VLANs? I'll let others comments who have knowledge or working on VLAN

 

[bobbyprajan]

Is the third router connected to the Main router through it's WAN port ?

 

[enthusiast29]

I'm no expert into this but isn't this is a scenario that utilizes VLANs? I'll let others comments who have knowledge or working on VLAN

It should, I've heard of it but I'm not familiar with it. I'm not even sure if it's supported by my main router provided by ISP (huawei hg8145v5)

Is the third router connected to the Main router through it's WAN port ?

Yes it is. 3rd router's WAN is connected to Main's LAN.

 

[bobbyprajan]

Yes it is. 3rd router's WAN is connected to Main's LAN.

In that case the main router may be assigning a default gateway to the third router and the mode of the third router is NAT gateway. To solve this you will need to disable NAT and set static IP for the WAN interface of the third router. You will need to add static route on the main router pointing to the static IP of the third router. To discard the undesirable traffic, either null routes or access rules (whichever is available) in appropriate routers needs to be set

Without seeing the configuration it is difficult to guide you in more detail

 

[enthusiast29]

In that case the main router may be assigning a default gateway to the third router and the mode of the third router is NAT gateway. To solve this you will need to disable NAT and set static IP for the WAN interface of the third router. You will need to add static route on the main router pointing to the static IP of the third router. To discard the undesirable traffic, either null routes or access rules (whichever is available) in appropriate routers needs to be set

Without seeing the configuration it is difficult to guide you in more detail

Thanks for giving the idea, you're right that the default gateway on the 3rd router is the Main router. I have set a static IP for 3rd router on the main router as 192.168.1.127 and then I let the 3d router dynamically assign an IP on WAN and it picks the same.
Maybe I'm doing something wrong as probably subnet mask and Gateway needs to change?

The 3rd router does have a feature called Access rules. However I'm unfamiliar to it.

I'll definitely get back to you with proper screenshots of the interface of both routers after work hours and that'll help in understanding. Thanks again!

 

[gwrench2000]

You can have both the guest and private network on **all** routers other than ISP modem/ONT, using VLAN's, provided you have routers which support openwrt and they are directly connected to each other via wired cable without a switch inbetween.. If you need a switch in between, you would require a smart switch and an ordinary will not do. If you use the app at https://app.creately.com/ to draw a driagam which includes all your gear and their IP allocation. It will be easier to help as well as for reference.

watch both video's.

 

[enthusiast29]

@bobbyprajan Here are the settings on the 3rd router.
While it shows "Dynamic IP" as connection type, I have reserved the static IP 192.168.1.127 on the main router for the MAC address of the WAN interface of the 3rd router. So it's technically Static IP I suppose?

Spoiler: 3rd router settings

Here's the Access control feature you describe about...

Spoiler: Access control UI

However I'm unfamiliar with how to use this feature. If anyone can guide or point to a resource?


@gwrench2000 thanks, I'll check that. However I'm avoiding flashing custom firmware for now unless absolutely necessary. I tried DD-WRT with the 3rd router and it's very unstable as web UI tends to crash often. It's an old cheap router.
Here's my network layout.

Spoiler: Network Layout

 

[bobbyprajan]

Please try the following
1. Disable NAT in the third router
2. Add a static route to 192.168.0.x subnet in the main router via the third router's WAN IP address

Check if you have internet access in the 192.168.0.x subnet. To configure access control, see this. Instead of website see if you can select an address range (192.168.1.2-192.168.1.255). Set the router to deny packets matched by your policy

 

[gwrench2000]

Hi, According to your diagram, if you connect the WR740 **internet** port to HG8145 then you can use the WR740 and whatever is **below** it as private network. Every thing above WR740 is public and can be acceseed by all. If you dont want to flash means you cannot use VLAN. So the way you have this currently the 192.168.0.XX **is** actually the private network and not vice-versa as you seem to think.. 192.168.1.XX **will not** be able to access 192.168.0.XXX. while 192.168.0.XX will be able to access all.

 

[enthusiast29]

Please try the following
1. Disable NAT in the third router
2. Add a static route to 192.168.0.x subnet in the main router via the third router's WAN IP address

Check if you have internet access in the 192.168.0.x subnet. To configure access control, see this. Instead of website see if you can select an address range (192.168.1.2-192.168.1.255). Set the router to deny packets matched by your policy

Thanks, I tried this and it worked like charm.
Although I didn't do 1 and 2 and just setup Access control settings and all IP range (192.168.1.2-192.168.1.255) is blocked on the 3rd router now. Thank you so much for this.
Just a question although I didn't try it yet. Can I also block 192.168.1.1 for all clients of 3rd router? I hope that won't stop internet access because Router is communicating with Main (192.168.1.1) and not the clients directly? Or is my understanding wrong?

EDIT: I tried blocking 192.168.1.1 and that also worked. So everything 192.168.1.X is blocked on 3rd router and it works fine. Internet access is there.

Hi, According to your diagram, if you connect the WR740 **internet** port to HG8145 then you can use the WR740 and whatever is **below** it as private network. Every thing above WR740 is public and can be acceseed by all. If you dont want to flash means you cannot use VLAN. So the way you have this currently the 192.168.0.XX **is** actually the private network and not vice-versa as you seem to think.. 192.168.1.XX **will not** be able to access 192.168.0.XXX. while 192.168.0.XX will be able to access all.

Thanks, I tried the other way round as well. Assigned DHCP with 192.168.127.X range to all clients of 3rd router and Main + 2nd are on 192.168.1.X range and they were still able to access the ...1.X range clients. So this didn't work. Not sure if I did something wrong. Anyways, the router feature of Access Control worked.

 

[gwrench2000]

Hi, just to clear-up some confusion. What IP can access what other IP is determined by firewall and/or routing rules and not the IP range as is being implied. So it does not matter what IP is issued by router DHCP (LAN) as-long as it upstream (Internet/WAN) is configured correctly, and its IP-range does not conflict with another allocation on the upstream network

 

[bobbyprajan]

EDIT: I tried blocking 192.168.1.1 and that also worked. So everything 192.168.1.X is blocked on 3rd router and it works fine. Internet access is there.

Glad to know that you got it working. If you dont do the first 2 steps, you will have double nat for the 192.168.0.x subnet. Some applications may misbehave with such a setup. If you dont have any issues then leave it as such

 

[enthusiast29]

Glad to know that you got it working. If you dont do the first 2 steps, you will have double nat for the 192.168.0.x subnet. Some applications may misbehave with such a setup. If you dont have any issues then leave it as such

yeah I don't think my cheap router allows disabling NAT but everything seems to work just fine.
I'll try applications which use UPnP like torrent clients if they work on guest router.

EDIT: Torrenting working fine to download legit Ubuntu ISOs

 

[gwrench2000]

Access control Lists block is based on MAC or IP and can be easily over-come by using a static IP or MAC spoofer. ACL does not offer a true guest network. The video covered that. My 740N v4 runs OpenWRT stable and nice albeit a dated 18.XX version. VLAN's and all on a cheap router bought on TE for very less.

 

[enthusiast29]

Access control Lists block is based on MAC or IP and can be easily over-come by using a static IP or MAC spoofer. ACL does not offer a true guest network. The video covered that. My 740N v4 runs OpenWRT stable and nice albeit a dated 18.XX version. VLAN's and all on a cheap router bought on TE for very less.

Yes, you are definitely right that anyone can avoid the access rules if they assign a static IP for their device outside the range I blocked access for. Thing is, I blocked 192.168.0.1 - 192.168.0.254 (full range). So any static IP in that pool is also in the blocked range and rules will still be applied on them.

Interesting that Open-WRT works on this model. I also have the v4. I think you would have done the experimenting to find out which build is stable and which is not so may I ask specific build are you using, can you link me to it? Maybe I can try it later.

 

[gwrench2000]

Yes, you are definitely right that anyone can avoid the access rules if they assign a static IP for their device outside the range I blocked access for. Thing is, I blocked 192.168.0.1 - 192.168.0.254 (full range). So any static IP in that pool is also in the blocked range and rules will still be applied on them.

Interesting that Open-WRT works on this model. I also have the v4. I think you would have done the experimenting to find out which build is stable and which is not so may I ask specific build are you using, can you link me to it? Maybe I can try it later.

Its in the bottom line of screenshot. It is the highest supported revision for that ancient router.
BTW OpenWRT is exceptionally stable on Qualcomm Athreos chipsets such as this, from my experience.