14-11-2016 21:04 - edited 15-11-2016 10:09
I want to create a guest wifi access point at a specific location in my home. But the only way to bring internet to this place is to connect a wifi access point to an ethernet cable that is itself connected to the Swisscom router.
To ensure guests connected to this wifi access point will not be able to explore my network, I want to isolate the router specific ethernet port used by the wifi access point.
How can I do that?
The wifi access point I'm using is a TL-WR702N that can also be turned into a router; maybe it can help to find an alternative solution.
A small schema of what I want to isolate (in red); the guest wifi (in pink) is already isolated by itself:
             _______ ethernet cable _______ wifi access point ))) guest wifi
internet __ router ))) guest wifi
             |     ))) home wifi
             |______ ethernet cables ________ computer / NAS / etc....
21-11-2016 10:22 - edited 21-11-2016 10:27
I found this on the net. Some may claim it's not terribly clean, but it's the best I've come up with.
Further to what's described here, you may have to tinker with the DHCP addresses assigned by the main router, but it should be fairly obvious.
I got it to work with a little trick, using nonstandard subnet masks:
The primary router's internal LAN is set to:
Router IP: 192.168.1.252
Mask: 255.255.255.0 (so valid IPs in this subnet are in the range 192.168.1.0-192.168.1.255)

The secondary router is connected through its WAN port to the primary. Its internal LAN configuration is set to:
Router IP (secondary router): 192.168.1.1
Mask: 255.255.255.128 (== .10000000b) (so valid IPs in this subnet are in the range 192.168.1.0-192.168.1.127)

Its WAN configuration is set to:
Gateway: 192.168.1.252 (the primary router)
Router IP: 192.168.1.249 (the secondary router's outward-facing IP)
Mask: 255.255.255.248 (== .11111100b) (so valid IPs in this subnet are in the range 192.168.1.248-192.168.1.255) (this was necessary since WAN and LAN may not have overlapping subnets)
This way, the secondary router can access the primary router, and clients connected to the secondary router can also access the primary router, and through it the internet. But clients on the secondary router cannot access any clients on the primary router's subnet with IPs between 192.168.1.0 and 192.168.1.128. That IP range is not forwarded by the secondary router, since that is also the local subnet of the secondary.
So guest mode is no longer required on the secondary router, clients on the secondary simply cannot see clients on the primary, unless those clients have an IP greater than 192.168.1.128. It would be even better if I could block all IPs lower than 248, but I do not think that is possible with subnet masks.
Enabling guest mode with wireless isolation will additionally prevent guest machines from connecting to other guest machines or the secondary router.
Nothing prevents guest machines from connecting to the primary router, since those requests are still forwarded by the secondary, but a good password should suffice for that case.
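
Added example, not part of either post: a Python audit of the addressing quoted above, listing which devices on the primary router's LAN a guest behind the secondary router could still reach. It assumes the secondary router does ordinary prefix-based routing with a default route to 192.168.1.252; the device names and addresses in `INVENTORY` are constructed.

```python
import ipaddress

# Addressing taken from the post above.
PRIMARY_LAN = ipaddress.ip_network("192.168.1.0/255.255.255.0")
SECONDARY_LAN = ipaddress.ip_network("192.168.1.0/255.255.255.128")
SECONDARY_WAN = ipaddress.ip_interface("192.168.1.249/255.255.255.248")

# Constructed sample inventory of devices on the primary router's LAN.
INVENTORY = {
    "nas": "192.168.1.20",
    "desktop": "192.168.1.101",
    "printer": "192.168.1.130",
    "media-box": "192.168.1.200",
    "primary-router": "192.168.1.252",
}

def guest_path(dst):
    """Classify how a packet from a guest to dst is handled (assumed model)."""
    addr = ipaddress.ip_address(dst)
    if addr in SECONDARY_LAN:
        # Guest side treats this as on-link, so it never leaves the guest LAN.
        return "shadowed"
    if addr in SECONDARY_WAN.network:
        # On-link on the secondary router's WAN interface.
        return "wan-direct"
    # Everything else follows the default route to the primary router.
    return "via-primary"

def exposed_ranges():
    """Parts of the primary LAN that are not hidden by the secondary's LAN subnet."""
    return [str(net) for net in PRIMARY_LAN.address_exclude(SECONDARY_LAN)]

def exposed_hosts(inventory):
    """Names of primary-LAN devices a guest could still reach, sorted."""
    return sorted(
        name for name, ip in inventory.items()
        if ipaddress.ip_address(ip) in PRIMARY_LAN
        and guest_path(ip) != "shadowed"
    )

if __name__ == "__main__":
    print("Still reachable from guests:", exposed_ranges())
    for name, ip in INVENTORY.items():
        print(f"{name:15} {ip:15} {guest_path(ip)}")
    print("Move or protect:", exposed_hosts(INVENTORY))
```

Any device the script reports needs a static address or DHCP pool inside the hidden range, or its own access control.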