How do I set up a second Wi-Fi router just for guests or IoT?

I happened to see this question on a forum and this is an extended version of my response.

The forum answers went on for 3 or 4 pages, with varying success. Some used blacklists, some used static routes, some used filters, some went as far as getting to the command-line of the router and typing in firewall rules by hand.

My answer is actually pretty simple, and there is only one trick to it.

So let’s assume that you have a working router with real devices like phones, computers, printers, tablets, and other things that you don’t mind having on your main network. You want to have a secondary network for your connected embedded devices that you really don’t want on your regular network.

Let’s also assume that you have another Wi-Fi router lying around, or you are willing to spend some money to get a new router.

The neat thing here is that we shouldn’t have to make any changes to your existing, working router. All of the configuration we will do is on the secondary router we are adding. You don’t have to destroy your current working network to get the new additional network up and running.

The first router we will call Router 1 MAIN Network Router. The second router we will call Router 2 IoT (or guest) Isolated Network Router.

Let’s also say that the standard LAN network address for your current working router is 192.168.1.1. This changes by router manufacturer. Some use 192.168.0.1 instead. Just remember that when you look here. I originally wrote this up with both options listed (192.168.1.1 or 192.168.0.1) but it got very confusing. If there is any demand for it, I will gladly repost this with the other numbers.

So here we go.

Connecting the routers together

Connect one end of an Ethernet cable to a LAN Ethernet port on Router 1 and then connect the other end to the WAN Ethernet port on Router 2.

Router 1 MAIN Network Router Settings

There should be no changes needed here, as long as things match up closely enough.
WAN Address: ISP provided address
WAN Network: ISP provided
WAN Subnet mask: ISP provided
LAN Address: 192.168.1.1
LAN Network: 192.168.1.0
LAN Subnet mask: 255.255.255.0
DHCP server DNS: Whatever you use (either ISP provided or user-specified DNS servers or 192.168.1.1)


Router 2 IoT (or guest) Isolated Network Router

Nothing here is default.
Everything has to be set by hand.
WAN Address: 192.168.1.2
WAN Network: 192.168.1.0
WAN Subnet mask: 255.255.255.252 (this is the key element)
WAN Gateway: 192.168.1.1
WAN DNS: 192.168.1.1 only
LAN Address: 192.168.2.1
LAN Subnet mask: 255.255.255.0
DHCP Server DNS: 192.168.2.1 only

Your particular router may ask for the network in slash notation, which is normally 192.168.1.0/24 for a standard Class C network. The key element here would be 192.168.1.0/30. Most routers I know of ask for a subnet mask rather than slash notation.

What’s going on here

  • The WAN subnetting on Router 2 stops Router 2 from routing 192.168.2.xxx traffic to anything on that subnet other than 192.168.1.1.
  • The 255.255.255.252 subnet mask is limited to 4 total addresses, two of which (the network and broadcast addresses) are not usable for hosts.
  • So this .252 subnet only allows traffic between 192.168.1.1 and 192.168.1.2 on the 192.168.1.0 subnet as far as Router 2 (and anything behind it) is concerned.
  • Here is a link that describes this .252 network.

Ping Examples

  • Client MAIN1 has an IP address on the Main Network of 192.168.1.100.
  • Client IoT1 has an IP address on the IoT (or guest) Isolated Network of 192.168.2.100.
  • LAN side of Router 1 has an IP address of 192.168.1.1.
  • WAN side of Router 2 has an IP address of 192.168.1.2.
  • LAN side of Router 2 has an IP address of 192.168.2.1.

MAIN1 can ping google.com.
MAIN1 can ping LAN side of Router 1.
MAIN1 cannot ping WAN side of Router 2.
MAIN1 cannot ping LAN side of Router 2.
MAIN1 cannot ping IoT1. MAIN1 can’t see IoT1.

IoT1 can ping google.com.
IoT1 can ping LAN side of Router 2.
IoT1 can ping WAN side of Router 2.
IoT1 can ping LAN side of Router 1 (required to get out to Internet).
IoT1 cannot ping MAIN1. IoT1 can’t see MAIN1.

So both MAIN1 and IoT1 can each see the Internet but they can’t see each other. Job Done.
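To check the arithmetic behind the /30 trick and the ping examples above, here is a small added Python model of the two routers' interfaces (my own code, not from the original post): it lists the on-link hosts of Router 2's WAN, shows whether a destination is reached directly or handed to the gateway, and flags a misaligned /30 whose gateway falls outside it. The addresses are the post's; the helper names and the 192.168.1.4/30 counter-example are assumptions of mine.

```python
import ipaddress

# Constructed model of the two-router layout from the post: Router 1's LAN is a
# normal /24, Router 2's WAN uses the /30 "trick". Addresses are CIDR strings.
ROUTER1_LAN = "192.168.1.1/24"
ROUTER2_WAN = "192.168.1.2/30"
ROUTER2_WAN_GATEWAY = "192.168.1.1"
MAIN1 = "192.168.1.100"   # client on the MAIN network
IOT1 = "192.168.2.100"    # client on the isolated network behind Router 2


def usable_hosts(cidr):
    """Host addresses an interface treats as directly reachable (on-link).
    Network and broadcast addresses are excluded, so a /30 yields only two."""
    return [str(h) for h in ipaddress.ip_interface(cidr).network.hosts()]


def next_hop(cidr, gateway, dst):
    """Where a packet to dst leaves the interface: 'on-link' means the router
    ARPs for dst itself; anything else is handed to the default gateway."""
    iface = ipaddress.ip_interface(cidr)
    if ipaddress.ip_address(dst) in iface.network:
        return "on-link"
    return f"via {gateway}"


def gateway_is_valid(cidr, gateway):
    """A /30 is only four addresses, so it must be aligned so that the gateway
    falls inside it: 192.168.1.4/30 with gateway 192.168.1.1 never comes up."""
    iface = ipaddress.ip_interface(cidr)
    gw = ipaddress.ip_address(gateway)
    return gw in iface.network and gw != iface.ip


if __name__ == "__main__":
    print("Router 2 WAN on-link hosts:", usable_hosts(ROUTER2_WAN))
    print("Router 2 -> MAIN1:", next_hop(ROUTER2_WAN, ROUTER2_WAN_GATEWAY, MAIN1))
    print("Router 2 -> Router 1:", next_hop(ROUTER2_WAN, ROUTER2_WAN_GATEWAY, ROUTER2_WAN_GATEWAY))
    print("Router 1 -> Router 2 WAN:", next_hop(ROUTER1_LAN, None, "192.168.1.2"))
    print("Gateway inside the /30:", gateway_is_valid(ROUTER2_WAN, ROUTER2_WAN_GATEWAY))
```

The last check is the one worth running before you save the WAN page: with a /30 the WAN address and gateway must sit in the same four-address block, or Router 2 will never reach Router 1.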

Here is a screenshot of the Router 2 WAN setup page, based upon an ASUS router. Your page may vary, but the information required will be very similar.
(Image: asus_wan_router2.jpg)
