One Broadband Connection, Two Lans... How To?

Gronnie (Weaksauce; joined Jan 8, 2013; 115 messages)
My brother lives in a very large, old duplex. The landlord provides all utilities, including internet. However, the internet is shared between the two units. This poses a couple of problems:
1. My brother gets a terrible signal upstairs as the internet comes in downstairs.
2. I am worried about them being on the same LAN and the other tenants being able to access his devices.

My plan is to run an ethernet cable upstairs and put in another router and / or AP in his apartment, which solves the signal issue. However, it doesn't solve the being on the same network issue.

What will be the best way to accomplish this? I know I could do double NAT, but will that affect his ability to play games, forward ports if needed, etc.?
 
Hi Gronnie,

1.) Signal can be addressed by placing the access point in a more centralized location, so that's a good call on that one. I would suggest something like a UniFi system for a centralized controller, which will be much better than any wireless system you will buy off the shelf.
An alternative would be to get something like Eero, Netgear Orbi, or Google Wifi for a "home mesh WiFi", which can extend over wireless. I don't believe these options are as good as the primary recommendation above.
However, it doesn't solve the being on the same network issue.

2.) What will be the best way to accomplish this?
  • The real bugger is that your brother and his neighbor (how many neighbors, just one family next door?) are sharing the same Internet (WAN here forward). Off the bat, I can see some legality concerns (say, if his neighbor was downloading illegal torrents, child pornography, etc.), but there's a problem that needs to be solved regardless. Realistically, the best way to solve this would be if the landlord had a firewall connected to the ISP, and he broke off two different interfaces from that with access rules that prevented traffic from crossing between the two networks (Brother LAN to WAN is allowed, Neighbor LAN to WAN is allowed, but Neighbor LAN to Brother LAN is explicitly denied bi-directionally). I doubt this is possible, however... as the landlord probably wouldn't be willing to do this.
  • His ability to port forward sounds like it is already limited because the router that currently serves wireless and WAN connectivity is controlled by the landlord. Your only solution if you don't want to get the landlord involved is to place another router and double NAT as you suggested - Ubiquiti also has a router you can use for this. I recommend the EdgeRouter PoE (https://www.ubnt.com/edgemax/edgerouter-poe/) to give your APs power.
  • So yes, port forwards would require you to permit inbound traffic from the landlord's router INTERNAL IP (probably something like 192.168.1.1/24, or whatever) since that router does NAT to inbound traffic source IP. Since your landlord's router would now kind of be like your brother's ISP in a way, you'd also have to make port forward rules on the landlord router to port forward to the WAN IP address of your new router (something like 192.168.2.1/24, or whatever) if that makes sense.
To visualize it in text form, it would look like this:

Internet -> Landlord Router WAN Interface (w/ a public IP) -> Whatever Landlord Router LAN Interface you can use -> Your router WAN interface (with a private IP address - just make sure it is a static IP and the landlord router isn't giving it a DHCP address, I used 192.168.2.1/24 in my example above) -> Access Points

I hope this clarifies and helps you. Let me know if I need to expand on anything.
 
Thanks for the reply. I don't think the landlord is willing to do much of anything with this, so I guess double NAT it is. I think my brother uses it mostly just for basic web browsing anyway, so I doubt he will run into any issues and if he does we can cross that bridge when we come to it I guess.
 
Sounds good.

I hope you had some valuable takeaways from the post. Good luck!
 
Couldn't you just put your brother's router off a LAN port set to DMZ on the Landlord's router and avoid the double NAT? I don't think this solves the being on the same LAN thing, but they won't be able to easily see each other's devices -- I'm not sure how foolproof that is in terms of security though tbh.
 
DMZs are designed for public-facing servers, and are considered untrusted networks. Technically this would work, but most home routers' DMZs are not the same as you'd expect for a typical DMZ. Home router DMZs permit all traffic in general to a single IP address - major security and design concerns.
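To make the two-hop port forwarding described in the first reply and the DMZ point just above concrete, here is an added simulation (not code from anyone in the thread). Addresses are constructed: landlord LAN 192.168.1.0/24, the brother's router with a static WAN address of 192.168.1.2 on it, the brother's LAN 192.168.2.0/24 and a game PC at 192.168.2.50; each router either forwards a packet to something inside its own LAN or drops it, and a home-router "DMZ" sends every unmatched packet to one host.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Target = Tuple[str, int]          # (inside IP, inside port)


@dataclass
class Router:
    """One NAT hop: WAN address, the LAN it serves, its port forwards and optional DMZ host."""
    name: str
    wan_ip: str
    lan: str
    forwards: Dict[Tuple[str, int], Target] = field(default_factory=dict)
    dmz_host: Optional[str] = None    # home-router DMZ: every unmatched inbound packet goes here

    def inbound(self, proto: str, dst_ip: str, dst_port: int) -> Optional[Target]:
        """Translate one inbound packet. None means this router drops it (no forward, no DMZ)."""
        if dst_ip != self.wan_ip:
            return None
        target = self.forwards.get((proto, dst_port))
        if target is None and self.dmz_host:
            target = (self.dmz_host, dst_port)
        if target is None or ipaddress.ip_address(target[0]) not in ipaddress.ip_network(self.lan):
            return None                # nothing to forward to inside this router's own LAN
        return target


def deliver(chain: List[Router], proto: str, dst_ip: str, dst_port: int) -> Optional[Target]:
    """Walk a packet from the Internet through each router in order; return where it lands."""
    for router in chain:
        hop = router.inbound(proto, dst_ip, dst_port)
        if hop is None:
            return None
        dst_ip, dst_port = hop
    return dst_ip, dst_port


def build(landlord_rule=True, brother_rule=True, landlord_dmz=False) -> Tuple[Router, Router]:
    """Constructed double-NAT topology; flags pick which rules exist on which router."""
    landlord = Router("landlord", wan_ip="203.0.113.10", lan="192.168.1.0/24")
    brother = Router("brother", wan_ip="192.168.1.2", lan="192.168.2.0/24")
    if landlord_rule:                 # hop 1: public port -> the new router's WAN address
        landlord.forwards[("udp", 27015)] = (brother.wan_ip, 27015)
    if brother_rule:                  # hop 2: the new router -> the game PC
        brother.forwards[("udp", 27015)] = ("192.168.2.50", 27015)
    if landlord_dmz:                  # the "just DMZ it" shortcut from the thread
        landlord.dmz_host = brother.wan_ip
    return landlord, brother


def game_port(**kw) -> Optional[Target]:
    """Where an inbound udp/27015 packet ends up for the chosen rule combination."""
    landlord, brother = build(**kw)
    return deliver([landlord, brother], "udp", landlord.wan_ip, 27015)


def stray_packet(**kw) -> Optional[Target]:
    """Where the landlord router alone sends an unrelated tcp/22 packet: the DMZ cost."""
    landlord, _ = build(**kw)
    return deliver([landlord], "tcp", landlord.wan_ip, 22)
```

With a DMZ on the landlord side the game port works without a landlord rule, but every other unsolicited packet is handed to the brother's router too.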
 
I don't think he needs his devices to be able to talk to each other at all, and I think he uses wifi for everything. What if I just run a cable upstairs, set up an access point with guest network capability, and have him only connect to the guest network?
 
This will only work if the wireless can do the routing.
 
Access points are generally network bridges - you can't isolate a guest network without a router doing the work.

Look at it this way -

You have your landlord's router, and you connect an access point to that to create your brother's wireless network, right? If that's the case, you are just broadcasting an SSID to give a wireless "network" (meaning, it's just a wireless medium, not an actual separate subnet) for clients to connect to, but they will belong to the landlord's router network. It's just like wiring clients to a switch, but it's done wirelessly; it's a different layer 1. If you created a "Guest Wireless" on a traditional home router, that usually just gives you client isolation, but it's mostly used when that device is configured as a wireless router and can broadcast two wireless networks.

Let me know if I've made too many assumptions with your setup.
 
Interesting. Before I changed to Google WiFi I used to have a router downstairs and another router upstairs configured as an AP. Both had "guest network" features. I guess I never checked that the "guest network" on the AP was actually isolating clients connected to it from other devices on my network.
 
AP mode on wireless routers only functions as an access point, which means this will disable NAT, firewalling, DHCP, and other major services. In order to have a guest network and a private LAN network, it needs to operate as a router since both networks will have a default gateway on a different IP network (e.g. 192.168.1.1/24 and 172.16.1.1/24 respectively).
 