
Is it possible to create two independent networks with two different routers?

Winterlight

Is it possible to create two independent networks with two different routers from a single WAN? I want one network for my main devices and a second network for less secure devices like IoT. My main router uses WPA3 and Wi-Fi 6, and I connect all my main devices to it (PC, phones, tablet). I also have a second router that I want to use as an independent network for IoT devices.


Depending on how fancy your router is, you might be able to light up a second SSID that stays separate from your "regular" network. (Look for something like "guest WiFi".)

I sold my soul for ProSupport.



7 minutes ago, Needfuldoer said:

Depending on how fancy your router is, you might be able to light up a second SSID that stays separate from your "regular" network. (Look for something like "guest WiFi".)

A guest network is not a solution because it ignores all firewall rules and has many other limitations. I want to use the second router so that it has its own network.


Just now, Winterlight said:

A guest network is not a solution because it ignores all firewall rules.

If you can set one LAN port on your router as a DMZ, you can connect a second router's WAN port to that. Then all of that second router's firewall rules will apply to the IoT network.

 

Technically it's double NAT, but I think that's the easiest solution to accomplish what you want.


Sorry if my English is too bad. I want to set up two routers and have two separate networks, each with its own Wi-Fi. Is it possible to do that? I want to use the first router for the highest-security devices, while the second is kept for lower-security devices like IoT. The problem with the guest network is that it is very limited in customization, and for some reason the firewall rules from the main network do not apply to the guest network.


1 minute ago, Winterlight said:

Sorry if my English is too bad. I want to set up two routers and have two separate networks, each with its own Wi-Fi. Is it possible to do that? I want to use the first router for the highest-security devices, while the second is kept for lower-security devices like IoT.

I told you how.

 

You only have one WAN (Internet) connection, so one router has to daisy-chain off the other. You need to create a DMZ port on your current router, which will be "wide open" to the Internet but separate from the rest of your network. Then you can connect a second router's WAN port to that DMZ LAN port on your first router. Configure the firewall on it however you want. All your IoT devices connect to that second router.

 

You could put your "more secure" router behind the "less secure" IoT router, then connect your important devices to that, but you could run into issues with some gaming services because you'd be behind a "double NAT".


1 hour ago, Needfuldoer said:

I told you how.

 

You only have one WAN (Internet) connection, so one router has to daisy-chain off the other. You need to create a DMZ port on your current router, which will be "wide open" to the Internet but separate from the rest of your network. Then you can connect a second router's WAN port to that DMZ LAN port on your first router. Configure the firewall on it however you want. All your IoT devices connect to that second router.

 

You could put your "more secure" router behind the "less secure" IoT router, then connect your important devices to that, but you could run into issues with some gaming services because you'd be behind a "double NAT".

Surely DMZ is the opposite of what they want, as it forwards all ports to the destination, which would prevent port forwarding on the main network. In that setup you'd want the IoT devices on the main router, as it would be the more restricted network.

 

This is why I hate consumer routers: they don't give you enough granular control. If you want to create strict firewall rules, you need a proper router OS (e.g. pfSense) where you can define multiple LANs with different rules, use blocklists, etc.

Router:  Intel N100 (pfSense) WiFi6: Zyxel NWA210AX (1.7Gbit peak at 160Mhz)
WiFi5: Ubiquiti NanoHD OpenWRT (~500Mbit at 80Mhz) Switches: Netgear MS510TXUP, MS510TXPP, GS110EMX
ISPs: Zen Full Fibre 900 (~930Mbit down, 115Mbit up) + Three 5G (~800Mbit down, 115Mbit up)
Upgrading Laptop/Desktop CNVIo WiFi 5 cards to PCIe WiFi6e/7


29 minutes ago, Alex Atkin UK said:

Surely DMZ is the opposite of what they want, as it forwards all ports to the destination, which would prevent port forwarding on the main network. In that setup you'd want the IoT devices on the main router, as it would be the more restricted network.

 

This is why I hate consumer routers: they don't give you enough granular control. If you want to create strict firewall rules, you need a proper router OS (e.g. pfSense) where you can define multiple LANs with different rules, use blocklists, etc.

I probably minced terminology again. I thought that was basically a "pass all unsolicited traffic to this device, regardless of firewall rules, and keep it separate", then the firewall on the second router takes care of everything. I suppose it would have to be its own VLAN for that to work...

 

Maybe it's been too long since I've messed with consumer grade routers...


56 minutes ago, Needfuldoer said:

I probably minced terminology again. I thought that was basically a "pass all unsolicited traffic to this device, regardless of firewall rules, and keep it separate", then the firewall on the second router takes care of everything. I suppose it would have to be its own VLAN for that to work...

 

Maybe it's been too long since I've messed with consumer grade routers...

Consumer routers just aren't designed for this kind of thing.

 

There's also the fact that sticking another layer of NAT on top of your existing router only isolates the devices on the first router from accessing devices on the second, not the other way around. Malware on the second router's network can still access every device on the main router (as the second router treats it as the Internet, where everything is open), if the person writing it assumes someone has created a double NAT under the false impression that it's isolation.

 

So the main router would need to be the IoT network to isolate them from clients on the second router, which would now be your main LAN. This is why you would put the second router as the DMZ in the main router's configuration, so that UPnP can still work on the second router to automatically port forward for games, but this can still cause some problems due to double NAT.

There can also be disadvantages in that some apps expect to be able to see IoT devices on the same network your phone is connected to.

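The asymmetry described in the post above (NAT on the second router hides its own LAN from the first router's LAN, but not the reverse) can be closed on the second router only if its firmware lets you write your own forward rules, which, as the thread notes, consumer firmware generally does not. The ruleset below is an added example, not from the thread or any vendor's firmware. It assumes the IoT devices stay behind the second router (the layout first suggested in the thread), that this second router is a Linux box running nftables (OpenWrt, for instance), that its LAN bridge is named br-lan and its WAN interface wan, and that the first router's LAN is 192.168.1.0/24. Every one of those names and addresses is an assumption.

```nft
# Added example, not from the thread. Load on the SECOND router, whose WAN port
# is plugged into a LAN port of the first router. Assumed names: LAN bridge
# "br-lan", WAN interface "wan"; the first router's LAN is assumed to be
# 192.168.1.0/24 (covered by the 192.168.0.0/16 entry below).
table inet iot_guard {
    # Private address space that lives upstream of this router. All RFC 1918
    # ranges are listed so any other private subnet the first router can
    # reach is covered as well, not just its own LAN.
    set upstream_private {
        type ipv4_addr; flags interval
        elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
    }

    chain forward {
        # Runs just before the distribution's own forward chain. Policy is
        # accept so this table only ADDS drops and leaves the existing
        # firewall in charge of everything else.
        type filter hook forward priority filter - 10; policy accept;

        # Replies to flows that the other side opened (a phone on the main
        # LAN talking to an IoT device here) are still allowed back.
        ct state established,related accept

        # Hosts on this LAN may not open connections toward the first
        # router's LAN or anything else in private space behind it. Without
        # this rule NAT only hides this LAN from the main LAN, not the reverse.
        iifname "br-lan" oifname "wan" ip daddr @upstream_private log prefix "iot-guard drop: " counter drop
    }
}
```

Load it with `nft -f` and then, from an IoT device, try to reach a host on 192.168.1.0/24: the counter on the drop rule should increase and the attempt should time out. The router's own upstream traffic (its DNS forwarder talking to the first router, for example) passes through the output hook rather than forward, so it is unaffected. This is IPv4 only: if the first router hands out a routable IPv6 prefix there is no NAT in the picture at all, and an equivalent rule on ip6 daddr is needed.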

If you don't have a router that can create and separate segmented LANs, then a three-router solution may be best as far as security is concerned. This website explains how it would work and how it differs from a two-router solution. Either way, it's not ideal.

 

I don't entirely trust "guest" networks on some basic routers because I have seen in the past that all they actually do is create a guest wifi SSID/password and not actually segment the network.


7 hours ago, Winterlight said:

Should I connect the second router LAN to LAN or LAN to WAN?

The second router's WAN port connects to a LAN port on the first router.


19 minutes ago, Needfuldoer said:

The second router's WAN port connects to a LAN port on the first router.

As I understand it, there will be two different networks? With their own Wi-Fi, firewall rules, settings, etc.? I looked for more info and actually found that some routers have an option called VLAN that, as I understand it, can create multiple separate networks, but sadly my router does not have this. By the way, should I connect the newer router or the older one to the ISP switch? I was actually stupid to buy an Asus router; as I see it, they lack so many options. I probably need to get a better router like Netgear, but they are so expensive.


On 2/10/2024 at 6:59 PM, TheGreatestGazoo said:

I don't entirely trust "guest" networks on some basic routers because I have seen in the past that all they actually do is create a guest wifi SSID/password and not actually segment the network.

That depends: did you test whether the router was allowing guest clients to talk to each other and/or to clients on the normal SSID? Or did you just see it was using the same IP subnet and assume it's part of the main LAN?

 

As every Wi-Fi client is technically handled as an independent network to the LAN but bridged by the router, the router can block Wi-Fi clients from talking to each other as well as to clients on the LAN or on other Wi-Fi SSIDs. You don't necessarily need VLANs, and it can still be the same IP subnet, if the router is segmenting the traffic internally. It's actively routing that traffic because Wi-Fi isn't actually Ethernet; it's just a means to carry traffic over the airwaves that gives the illusion of being Ethernet.

 

That's why good WiFi routers need a fast CPU, as they aren't just routing WAN to LAN, they have to route WiFi to LAN too.


1 hour ago, Alex Atkin UK said:

That depends: did you test whether the router was allowing guest clients to talk to each other and/or to clients on the normal SSID? Or did you just see it was using the same IP subnet and assume it's part of the main LAN?

 

As every Wi-Fi client is technically handled as an independent network to the LAN but bridged by the router, the router can block Wi-Fi clients from talking to each other as well as to clients on the LAN or on other Wi-Fi SSIDs. You don't necessarily need VLANs, and it can still be the same IP subnet, if the router is segmenting the traffic internally. It's actively routing that traffic because Wi-Fi isn't actually Ethernet; it's just a means to carry traffic over the airwaves that gives the illusion of being Ethernet.

 

That's why good WiFi routers need a fast CPU, as they aren't just routing WAN to LAN, they have to route WiFi to LAN too.

It was a while ago but I seem to remember it was a cheapo Trendnet N-band router. I could ping an IP from the guest SSID to the main SSID - I didn't test much further than that.

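A single ping, as in the post above, only proves reachability when it succeeds; the script below is an added example (not from the thread) that answers the earlier question "did you test whether guest clients can talk to the normal SSID?" more thoroughly. Run it on a laptop joined to the guest or IoT side and point it at addresses on the main LAN; the 192.168.1.x targets, the port list and the timeout are placeholders. The useful detail is the three outcomes: "filtered" (no reply at all) is what real isolation looks like, "closed" means the host answered with a TCP RST and is therefore reachable even though nothing listens on that port, and "open" means it is reachable and something is listening. A router that merely hands out a second SSID and password will show "closed" or "open" everywhere. The demo_local() self-check reproduces the "open" and "closed" answers against localhost so the classification can be verified without a second network.

```python
"""Added example, not from the forum thread: probe hosts on the main LAN from a
device on the guest/IoT side and report whether anything answers at all.

Targets, ports and the timeout are assumptions for illustration."""
import errno
import socket

# Constructed sample targets: the main router and one trusted host on its LAN.
MAIN_LAN_TARGETS = ["192.168.1.1", "192.168.1.10"]
PROBE_PORTS = [22, 53, 80, 443, 445]
TIMEOUT = 1.5

# connect() errors that mean "no path / no answer" rather than "host replied".
UNREACHABLE_ERRNOS = {errno.ENETUNREACH, errno.EHOSTUNREACH, errno.ETIMEDOUT}


def classify(exc):
    """Translate a failed connect() into what it says about reachability."""
    if isinstance(exc, ConnectionRefusedError):
        return "closed"      # host answered with RST: it IS reachable
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "filtered"    # silently dropped or no route: looks isolated
    if isinstance(exc, OSError) and exc.errno in UNREACHABLE_ERRNOS:
        return "filtered"
    return "error"           # anything else (e.g. name resolution failure)


def probe(host, port, timeout=TIMEOUT):
    """Return 'open', 'closed', 'filtered' or 'error' for one host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError as exc:
        return classify(exc)


def scan(targets=MAIN_LAN_TARGETS, ports=PROBE_PORTS, timeout=TIMEOUT):
    """Probe every (host, port) pair and return {(host, port): state}."""
    return {(h, p): probe(h, p, timeout) for h in targets for p in ports}


def isolation_broken(results):
    """True if any probe got an answer at all, open or closed."""
    return any(state in ("open", "closed") for state in results.values())


def demo_local():
    """Self-check that needs no second network: a listener on localhost must
    probe 'open', and the same port must probe 'closed' once the listener is
    gone, which is the RST answer a reachable but non-listening host gives."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe("127.0.0.1", port)
    listener.close()
    after_close = probe("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    print("localhost self-check (expect ('open', 'closed')):", demo_local())
    results = scan()
    for (host, port), state in sorted(results.items()):
        print(f"{host}:{port:<5} {state}")
    print("isolation", "BROKEN" if isolation_broken(results) else "holds")
```

Run it from both sides: from the IoT or guest side every main-LAN target should be "filtered", and from the main side the IoT devices may or may not answer depending on which direction you chose to allow. Pick ports the target actually does not listen on as well as ones it does; the "closed" result on an unused port is the clearest sign that only the SSID, not the network, was separated.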

27 minutes ago, TheGreatestGazoo said:

It was a while ago but I seem to remember it was a cheapo Trendnet N-band router. I could ping an IP from the guest SSID to the main SSID - I didn't test much further than that.

That is disappointing, as you might as well not have a guest network at all if it's allowing the same access as your main SSID.

