
Installing 2nd LAN

RBJ2

Junior Member
I will do my best to outline what I want and what I don't want.

I have a home LAN 'A' with my cable modem hooked in the WAN port of my router. I have one printer and 3 laptop wireless nodes through this LAN 'A' router. This LAN has internet access for all nodes via the WAN port to cable modem.

I want to install a second router LAN 'B' with no access to internet. But I want to make at least one laptop node 'X' of the original LAN 'A' have access into this second LAN 'B'.

I have the following questions:
(1a) Can the one node 'X' gain access to both LAN 'A' and 'B' simply by setting up and connecting wireless connections to both 'A' & 'B' wireless routers simultaneously?

(1b) Or do I have to run an RJ45 cable from node 'X's ethernet port to a LAN port on router 'B'?

I.e. I'm thinking I cannot just connect the two routers via LAN ports or else all nodes on LAN 'B' would have access to the internet thru the LAN 'A' WAN connection to the cable modem.

Appreciate all input (or questions needing further delineation).
 

My current router is Linksys WRT54G v2.2, I'm looking to purchase a second. In fact one that caught my interest was the ASUS RT-N66U Dual-Band Wireless-N900. They have it at some resellers less than $100 with free shipping.

I read the link you gave and googled some others. Basically (if I deciphered them all correctly) with proper subnet masks you can do similar setups with either physical sub-nets or VLANs. The VLANs seemed easier to implement depending on variables of discussion. This would give access limited to masks allowance.

However some links stated for real security (even with the above stated scenarios) a DMZ or Firewall or LAN ACLs (or both) are still needed to secure.

I.e. short of all this I surmise I'd have to just disable my wireless card (on my laptop) and then enable my wire card (on my laptop) to a second router. I.e. my laptop has both a Local Wire adaptor & a Local Wireless adaptor.
 
If a new purchase is going to be involved, I would read up over at https://www.smallnetbuilder.com/ before deciding on your router... I would not stay wireless n on the infrastructure side, since any recent device would likely be built on the wireless ac standard...

It could be useful in providing feedback to know the purpose of LAN B being "without internet"... Most isolation sequences I have heard of involve separation of VLANs (to keep IoT or guest networks from seeing the private network), but not an internet-disabled segment...
 
Thanks, I'm currently reading the link you gave and any branches off it. But for now here are my existing ambiguities and answer your questions.

(1) Am I correct in ascertaining that a wireless VLAN capable router implements its VLAN via different SSIDs? I surmise this may (?) be a similar implementation as how some routers do guest logins (?) or is that simply a different channel with its own SSID?

(2) Whereas on a wired LAN you need a VLAN capable managed switch with specific QoS (?) to create a VLAN.

(3) For future VPN service I do plan to go with an AC router, probably one that I pay extra from a setup & support included vendor of my chosen VPN service. Since I just don't know enough to setup a router for a specific VPN provider. But all that is down the road a bit.
Currently I just want to isolate a segment of my lan for storage and also be nice to add a guest WAN capable router for smartphone visitors.
What I want for this particular added LAN or WLAN is to simply keep stored data on either laptop nodes and/or LAN USB external drives. But I don't want internet access to these either in nor out.
In fact the only logistical catch is that I want to be able to sign into this SSID or access this wired LAN via a node which is also part of my regular LAN/WLAN that does have WAN internet access.

(4) In summation, unless I've not yet understood completely, a wireless VLAN router will allow more than one SSID to be active at once. Whereas I believe my laptop wireless adaptor will only allow one connection at a time(?).
 
1) I do not know- I have my network with my main (wired, private wireless) and 2 "guest" networks (1 for actual guests, 1 for IoT devices), but never went as far as a full on VLAN (ASUS RT-AC68R)
2) yes
3) You can run a separate "Guest Network" on most recent (non-mesh) routers (see #1)
4) start here: https://community.spiceworks.com/topic/1793244-virtual-local-area-networks-vlans
If set up properly, and configured to do so, you can access "isolated" from "private", but "isolated" cannot access "private"

I am NOT a VLAN Master, I don't need to be for my setup...
 
I would probably just assign static addresses to any node I don't want to have Internet access, leaving out the default gateway means LAN access but no WAN access
 
Thanks again for the info Kartajan

I would probably just assign static addresses to any node I don't want to have Internet access, leaving out the default gateway means LAN access but no WAN access

ch33zw1z for the sake of a novice like me would you elaborate a bit on what implementation you refer to?
I know in my old Linksys Router setup I have an Internet Access Restriction ability. I could add a list of either MACs or IPs that would be denied internet access.
My router allows giving all my DHCP nodes a certain range of IPs. So I could also implement a given set of IPs outside this range with static IPs. Or possibly you refer to going totally static internal IPs for the whole LAN.
But this aspect of router restriction only stops WAN out, it doesn't really isolate a restricted node from the current LAN.
I sense I'm not quite knowledgeable enough in LAN addressing logistics to grasp what you refer to.
 
I mean if you assign a static ip to a device, and don't give a default gateway, then your node doesn't have a place to send wan traffic when it can't find the ip locally.
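The forwarding decision described in the post above, modelled as an added example (not code from the thread). The addresses and the `HostConfig` / `next_hop` names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class HostConfig:
    """Static IPv4 settings of one node (constructed sample values)."""
    interface: str          # address with prefix, e.g. "192.168.1.50/24"
    gateway: Optional[str]  # None means the default gateway field is left blank


def next_hop(cfg: HostConfig, dest: str) -> str:
    """Return how the host forwards a packet addressed to dest.

    "on-link"     : dest is inside the host's own subnet, delivered directly
    "via <gw>"    : dest is off-subnet, handed to the default gateway
    "unreachable" : dest is off-subnet and there is no usable gateway
    """
    iface = ipaddress.ip_interface(cfg.interface)
    target = ipaddress.ip_address(dest)
    if target in iface.network:
        return "on-link"
    if cfg.gateway is None:
        return "unreachable"
    gw = ipaddress.ip_address(cfg.gateway)
    if gw not in iface.network:
        # A gateway that is not on-link cannot be reached either.
        return "unreachable"
    return f"via {gw}"


# Constructed nodes: a storage box with no gateway, a laptop with one.
STORAGE = HostConfig("192.168.1.50/24", None)
LAPTOP = HostConfig("192.168.1.101/24", "192.168.1.1")

if __name__ == "__main__":
    for name, cfg in (("storage", STORAGE), ("laptop", LAPTOP)):
        for dest in ("192.168.1.101", "192.168.1.50", "8.8.8.8"):
            print(f"{name:8} -> {dest:15} {next_hop(cfg, dest)}")
```

The blank gateway only removes the off-subnet route on that node: every on-link peer still reaches it directly, and the restriction lasts only as long as nobody edits that node's IP settings.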
 
Oh ok, I see what you mean, even on an individual laptop. I had always assumed that it would default to the gateway of the LAN router. But I can see if the node's connection were set to static this would not necessarily be the case.

On this thought direction but expanded logistics, I'm wondering if I could possibly bridge my existing LAN to another router and accomplish something of that nature that would encompass all devices behind the second (bridged in) router.

Say like use a lone laptop not currently logged into any other LAN to setup a second router. I'm thinking I could set that laptop to a static IP to whatever DNS. And then I could hook the new router hard wired to this laptop. And then log into the setup of the new router and set its IP to static something like 192.168.1.-> something non conflicting outside my other router's DHCP range in any case.

But don't give the second router any gateway IP (if that's possible?) but I surmise this would depend on whatever router's setup logistics.

Anyhow in time I'm going to go with an ASUS wireless VLAN capable with at least one guest so most of this is purely recreational learning at this point. I like ASUS routers since it appears they offer encryption security for the guest also and some others don't. Appreciate any input though.
 
I know a way to do what you want but I am pretty certain your router doesn't have the needed capability. I do it at work all the time but I can statically configure different subnets on each router interface then block wan access in the firewall rules for that interface and allow your single node access to the blocked subnet with another rule. Doing it that way makes both subnets autonomous networks requiring no vlan configuration. All access is controlled using firewall rules.
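A model of the rule set the post above describes, as an added example (not the poster's configuration and not any vendor's rule syntax). The subnets, node X's address and the `evaluate` helper are constructed; rules are checked first-match for new connections, as a stateful firewall does.

```python
import ipaddress
from typing import NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    action: str  # "allow" or "block"
    src: str     # source network, CIDR
    dst: str     # destination network, CIDR


# Constructed addressing: each LAN sits on its own router interface.
LAN_A = "192.168.1.0/24"     # has internet access
LAN_B = "192.168.2.0/24"     # storage segment, no internet
NODE_X = "192.168.1.101/32"  # the one LAN A laptop allowed into LAN B
ANY = "0.0.0.0/0"

RULES = [
    Rule("allow", NODE_X, LAN_B),  # single-node exception, must come first
    Rule("block", LAN_A, LAN_B),   # everyone else on A stays out of B
    Rule("block", LAN_B, ANY),     # B may not open connections to WAN or A
    Rule("allow", LAN_A, ANY),     # A keeps normal outbound access
]


def evaluate(rules, src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule) for a NEW connection.

    Replies to an allowed connection are assumed to pass through state
    tracking, so "block LAN_B -> ANY" does not break X's sessions into B.
    Traffic between two LAN B hosts never crosses the router at all.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(rules):
        if s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst):
            return r.action, i
    return "block", None  # default deny when nothing matches


if __name__ == "__main__":
    flows = [("192.168.1.101", "192.168.2.10"), ("192.168.1.102", "192.168.2.10"),
             ("192.168.2.10", "8.8.8.8"), ("192.168.2.10", "192.168.1.101"),
             ("192.168.1.102", "8.8.8.8")]
    for src, dst in flows:
        print(f"{src:15} -> {dst:15} {evaluate(RULES, src, dst)}")
```

Swapping the first two rules blocks node X as well, because the broader LAN A rule then matches before the exception is reached.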
 
Thanks for the reply. As soon as I buy my 2nd router I'm going to play around with such. I'm thinking of making my old Linksys the 2nd LAN router. It does have an ability to block just about any port service. Also if I ran (bridged) a 2nd LAN like after doing the pre-setup I outlined in my previous post, I could hook my old Linksys router into a LAN port on the primary (new) router. My old Linksys allows a Static IP setup under its Internet Setup. If I left the gateway out as the one poster said it might not be able to access the WAN on the 2nd router. I might could just run wire out of the Linksys WAN port that way. Anyhow some stuff to fool around with.

Still looking at which new router to buy. I'm a bit disillusioned that WPS is so prevalent still in routers. I know it's a convenience that apparently sells, but I've never trusted its 8 bit generated pin and read negative reviews on it a few yrs ago. And also its OFF settings for WPS were unreliable in some reports at doing any good. Some now say most router brands offer a reliable OFF setting to WPS, although data is still a bit ambiguous as to whether any generated pin is still there afterwards.

I realize it's not a quick slam dunk for brute force software to hack an 8 bit pin unless it gets lucky pretty soon out of the chute. But it's just kind of amazing in this day and time of long complex passwords that WPS would come up with an 8 digit pin. I surmise the Alliance was catering to some devices with smaller chip address buses or something of that nature. But still crazy to me.
 
What you want is a router where you can configure the individual switch interfaces to operate in different modes. The small SonicWALL routers can do it but those aren't really practical for home with their annual licensing model. There are devices purpose built for Pfsense that have 4 interfaces rather than the basic 2 which makes me suspect that they might be capable of configuring static networks independently on each interface but I cannot say for sure never having had one in hand to verify. https://www.amazon.com/Firewall-mic...e=UTF8&qid=1493227898&sr=8-1&keywords=pfsense

That one is ready to go but you can get them with more RAM and storage or barebones and set it up yourself. If I were building a Pfsense box today I would probably snag one of those. 2 of the ports are labeled opt so I am pretty certain you could configure them for different operating modes.
 
Well the replies and links you guys gave helped me a great deal in deciphering my options. I'm now honing in on my decision of necessary ability and price of my new router, which will replace my old router, offering VLAN(s) capability and a secured guest WAN login separate from my main VLAN. Which kinda supersedes my original question in that it offers a type of separation sufficient for my needs.

However in retrospect to my original question, after deciphering within my grasp it appears the most practical way to accomplish my original Lone LAN scenario (with older technology routers) is not the bridging or joining of two routers as I kept chasing. But rather (as some replies implied) just create a separate LAN with my old router that has no internet line. I.e. it has no ISP service line connected to it.

And then just create an additional wireless connection to the Lone LAN directly from any laptops that desire connections into this isolated LAN. Then simply (from aforesaid laptops) disconnect from the main wireless LAN and connect to the isolated wireless LAN when desired.

If I wanted to attempt the metric priority takeover thing and connect the isolated LAN thru the wire card (some laptops have both wire and wireless cards) I could set that in the advanced properties of the IPv4 settings of each adapter card. But I really need both accesses to be wireless. Besides the metric would only be a priority semantic that is not pertinent to my needs that possibly could breach the isolation of my original curiosity.

I thank all of you for your input on this thread. It has pretty much answered or enlightened my original curiosity and showed me other more appropriate options to boot.
 