2 routers and 2 wireless networks

Discussion in 'Tomato Firmware' started by shadow2k6, May 18, 2011.

  1. shadow2k6

    shadow2k6 LI Guru Member

    I've looked around and there are several variations of what I'm trying to do on the forum, but can't find my exact scenario. Can someone let me know if this networking idea is sound and/or suggest how or where to find the solution?

    DSL Modem
    Router A: ASUS RT-N16 (2.6 version: tomato-K26USB-1.28.9045MIPSR2-beta-vpn3.6)
    Router B: Linksys WRTSL54GS (2.4 version: tomato-NDUSB-1.28.8754-vpn3.6)

    Configure Router A with mostly typical wireless/lan configuration. Configure Router B as an isolated guest wireless/lan network (frankly, I'm only concerned with wireless at this time) that only has access to the internet and NO access to wireless/lan devices attached to Router A. Both wireless segments would obviously have unique SSID.

    What I think may make my configuration different is that I would like Router A connected to the DSL modem, then having Router B connected via ethernet from Router A's LAN port to Router B's WAN port. I realize that a smarter network design would normally be to have my internal network behind the second router but I would like to connect my internal devices to the better ASUS router and therefore only hopping through one router for my internal network instead of 2 and therefore avoiding remote questions from my wife if 1 of the 2 routers became unresponsive.

    Thanks in advance for your time.
  2. shadow2k6

    shadow2k6 LI Guru Member

    Any help would be greatly appreciated.
  3. Toastman

    Toastman Super Moderator Staff Member Member

  4. ntest7

    ntest7 Network Guru Member

    If you're using two routers, it's quite easy to isolate the second router without custom vlans.

    DSL <----> WAN/Router1/Lan1 <-----> Wan/Router2

    Router2 must be set to a network different from Router1, ie.

    On Router2, add to Admin/Scripts/Firewall :
    iptables -I wanout -d -j REJECT

    Router2 will have full internet access but zero access to Router1 or Lan1.
  5. TexasFlood

    TexasFlood Network Guru Member

    What about the clients? Do they get DHCP from router 2 or 1, and if 2 what is their gateway and how do they get to the Internet if the gateway router is on another subnet?
  6. ntest7

    ntest7 Network Guru Member

    The clients get DHCP in the normal manner from whichever router they're connected to. Each client uses the router they're connected to as their gateway.

    Router2 WAN port gets DHCP from Router1. Router2 uses Router1 as its WAN gateway; this will be set automatically by DHCP with no special settings required.

    Clients of Router2 have full internet access (traffic from Router2 <--> Router1 is allowed), but cannot access Lan1 or Router1 (traffic from Lan2 <--> Router1 is blocked by iptables).

    Router2 (and all its client traffic) looks like a normal single client to Router1. Router1 doesn't see Router2 clients directly because they're NATed behind Router2.

    Router2 needs a secure password so clients can't muck around with its settings, but that's a requirement anywhere you have "untrusted" clients.

    The only caveat is if you need port forwarding on Router2. That can be done, but is messy. Typically port forwarding is not needed for a "guest access" network such as this, so this isn't usually an issue.

    VLans are great for separating traffic on one router, but if you're using two routers anyway you can take advantage of the built-in VLans (WAN/LAN separation).
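    The following is an added example, not code from the thread or from the Tomato project, that turns ntest7's recipe from posts 4 and 6 into a script for Router2's Administration -> Scripts -> Firewall box. Instead of hard-coding Router1's subnet it derives it from the DHCP lease on Router2's WAN port, emits the REJECT rule from post 4, and adds a rate-limited LOG rule so a guest probing the private LAN shows up in Router2's syslog. The nvram keys wan_ipaddr/wan_netmask and the wanout chain name are assumptions about the Tomato build; the address 192.168.1.107 with mask 255.255.255.0 used for the dry run is constructed.

```sh
#!/bin/sh
# Added example: guest-router isolation rules for Tomato's Firewall script.
# Assumptions: nvram exposes wan_ipaddr / wan_netmask, and "wanout" is the
# FORWARD sub-chain Tomato uses for traffic leaving through the WAN port.

# Compute "network/prefix" from an IPv4 address and a dotted-quad netmask.
#   network_of 192.168.1.107 255.255.255.0  ->  192.168.1.0/24
network_of() {
    ip=$1; mask=$2
    oldifs=$IFS; IFS=.
    set -- $ip;   a1=$1; a2=$2; a3=$3; a4=$4
    set -- $mask; m1=$1; m2=$2; m3=$3; m4=$4
    IFS=$oldifs
    prefix=0
    for m in $m1 $m2 $m3 $m4; do
        # count the set bits of each mask octet to get the prefix length
        while [ "$m" -gt 0 ]; do
            prefix=$((prefix + (m & 1)))
            m=$((m >> 1))
        done
    done
    echo "$((a1 & m1)).$((a2 & m2)).$((a3 & m3)).$((a4 & m4))/$prefix"
}

# Print the iptables commands for the upstream (Router1) subnet.
# Both use -I, so the LOG rule printed second ends up first in the chain and
# is evaluated before the REJECT; the limit keeps a scanning guest from
# flooding the log.
guest_isolation_rules() {
    upstream=$1
    echo "iptables -I wanout -d $upstream -j REJECT"
    echo "iptables -I wanout -d $upstream -m limit --limit 5/min -j LOG --log-prefix \"guest-to-lan1: \""
}

# On the router: read Router2's WAN lease and apply the rules. Deriving the
# subnet this way means the rule still matches if Router1's LAN is renumbered.
apply_guest_isolation() {
    upstream=$(network_of "$(nvram get wan_ipaddr)" "$(nvram get wan_netmask)")
    guest_isolation_rules "$upstream" | while read -r cmd; do
        eval "$cmd"
    done
}

# Run for real only where nvram exists; elsewhere print the rules for review.
if command -v nvram >/dev/null 2>&1; then
    apply_guest_isolation
else
    guest_isolation_rules "$(network_of 192.168.1.107 255.255.255.0)"
fi
```

    Router2's own DHCP and DNS traffic to Router1 leaves via the OUTPUT chain, not wanout, so the rule does not disturb it, and management from Lan1 to Router2's WAN address arrives on Router2's INPUT chain, which the rule also leaves alone.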
  7. TexasFlood

    TexasFlood Network Guru Member

    OK, thanks for the clarification. It wasn't clear that you were NATing, so it makes sense now.
  8. shadow2k6

    shadow2k6 LI Guru Member

    Many thanks, that simple solution works great! I ended up going with ntest7's solution which was really simple and worked like a champ. Toastman, thanks for all those great links. I will be checking many of them out and have also been viewing some of your other threads for some time on other custom versions of firmware for the RT-N16.

    I do have one final question, though:

    With the different subnets and the "iptables -I wanout -d -j REJECT" statement on router2, is it still possible to manage router2 from a machine connected from router1? I can obviously manage this from the guest network (router2), but I would like the ability to manage router2 from router1 if this is still easily possible. I do see what TexasFlood and ntest7 were talking about with the NAT so I understand that I would need to access router2 by the IP assigned by router1 (I already created a static IP for router2 on router1 for this). I also tried enabling http and/or https access for the WAN connection on router2 in the administration section in hopes of this working, but that did not work.
  9. ntest7

    ntest7 Network Guru Member

    On router2, enable "remote access = http" on the administration->admin access page, using the default port 8080. Then to access router2 from Net1 (assuming Router2 WAN ip of

    I can confirm this works.
  10. shadow2k6

    shadow2k6 LI Guru Member

    Thanks ntest7, that did it. I actually had done that in my previous post, but had other security in place that was blocking connectivity. This was a very quick and easy configuration.