Best & easiest way to create 2 separate home networks working off of the same Comcast modem?

freeTVEE

Reputable
Sep 25, 2014
8
0
4,510
I have Comcast 150 MBPS coming into a Motorola SB6141 modem. I currently have an Asus-NT 56U wireless router connected for the entire home. Fortunately I have Cat5E running everywhere to utilize. I have a basement that I am renting out, so would like to use the same Comcast internet feed, but create a 2nd separate network that can't access my other home network.

I thought of setting up a new TP Link Archer A9 AC router for my main network & then resetting the old ASUS router and using that as possibly a Wireless Access Point, hardwired via Cat5E in the basement.

Would this work well or is there a better way to do this? Also, I haven't ever done this before; what settings would I need to change on each of the routers to make them separate networks (wifi & hardwired)? Would I need to split the Cat5E coming out of the Modem & send it to each of the 2 Routers first or does that matter? Thanks for the advice and help!
 

freeTVEE



I want to have 1 network for the basement rental (separate & secured wifi & hardwired), and 1 network for the rest of the home (separate & secured wifi & hardwired)-all off of the same Comcast feed/SB 6141 Modem.

So are you saying hook up the new TP Link A9 router directly to the modem? Got it. Can I then put the other ASUS router (hardwired via Cat5E from the main TP Link A9 Router/Ethernet Switch) in the basement? If so, how can I ensure that the basement can't access the main TP Link A9 home network? Wifi I suppose is just a different SSID & password, but what about PCs that are hardwired through the Asus? Is there a way to block them from being able to access the main TP Link A9 network even though they are still physically connected with Cat5E?

So would this configuration be best??? Comcast-Motorola SB6141-main TP Link A9 Router-Cat5E to 2nd Asus basement Router

Any settings I need to tweak on either router???
 

kanewolf

Titan
Moderator
You can not isolate the basement so that it can't see any of the other hosts in your house with the hardware you have. You can create separate WIFI SSID and password. BUT once a device has connected to that SSID it will be in the same IP subnet as the rest of your network. You have no hardware to separate it. You could purchase a managed switch which could segregate the basement into a separate VLAN. OR you could purchase a better "master" router that can have multiple subnets. I don't think you can completely isolate the basement easily.
 
^ kanewolf - I'm fairly certain he can with the setup he's describing.

Which is modem to main TP-Link router, which provides network access to the main residence.
Cat 5 from TP-Link to basement into Asus router acting solely as wireless access point & 3-4 port switch.

I'm fairly certain you can restrict access from the TP-Link to connected devices (in this case the Asus router in the basement) to disallow sharing on the network & only allow IPv4 internet access.

It'll be router-setting dependent, but you can certainly do it on mine as I do it myself.
 

kanewolf

Everything will be in a single subnet with DHCP provided by the TP-Link. Maybe the parental controls on the Asus could limit traffic. But most of the parental controls are not available with Access Point mode on the Asus. I am betting that somebody connected to the Asus will be able to ping any device on the network without a VPN enabled switch to limit it.
 
You will not be able to do this with a consumer router running standard firmware. Consumer routers that have the ability to limit traffic can only do it for traffic going between the LAN and WAN; they cannot limit LAN-to-LAN. Even when you load other firmware it is tricky to limit this because the switch chip does not have the ability to filter traffic; you must force all traffic to pass through the router chip. You pretty much have to use different VLANs/subnets to do it. On the same subnet you are better off with a managed switch that has the ability to filter traffic.
 
Just been looking into this a bit more.

It looks like the introduction of another router makes it entirely possible.

Modem to main router.
Main router LAN outs to WAN connections on 2 other routers.
Separate DHCPs set on both other routers & you should end up with 2 separate protected subnets both sharing internet but apart from that totally isolated from each other.

This is going to require more than a modicum of setting up though in all honesty & means some monetary outlay.

I'd personally be wanting 3 routers of the same model to make it a little more foolproof.
 

freeTVEE



Thanks for your input, this does sound like it might be the easiest solution, but not sure if I understand exactly what I need to do... Buy a managed switch like this and then what, something like this??? http://www.amazon.com/forum/-/Tx3DWRA2B0EBMLD/ref=ask_dp_dpmw_al_hza?asin=B003KP8VSK

Any details would be appreciated, as I have never done this before... :)
 

freeTVEE



Thanks for your thoughts!

So wifi only in the basement would work (through the ASUS) and be secure with my proposed Modem-TP Link A9-ASUS WAP solution, as long as the ASUS router wasn't physically located/accessible in the basement, right? ASUS would have a different SSID & Password for wifi than the main TP LINK, so home network would be separate and secure on main TP Link if I am thinking correctly???
 

freeTVEE



Thanks for your thoughts!

So why 3 routers instead of just 2? Why the same brand?

 
If you are ambitious there might be another option.

You can load dd-wrt or one of the other third party firmwares on your router......maybe.

First challenge is to see if either of your routers can run third party firmware. My guess is both can because most tplink and asus routers can. You need to check because there is a small number that can not.

You would then use that router as your main router and define 2 subnets. You would plug the other router/AP into the first on some port that is set to a different VLAN than your main network. A couple of firewall rules preventing access and you are done. It is not hard but it takes some reading to know which options you need to set and which to ignore. I am pretty sure all this can be done via the GUI; with more advanced rules you tend to have to edit files.
 
As above, dd-wrt custom firmware would remove the need for a 3rd router - however as far as I know this is primarily confined to a small number of Linksys routers.

Using a 3rd router the configuration is the same as bill001g states above.
As per the info on this link.

http://www.smallnetbuilder.com/lanwan/lanwan-howto/24428-howtotwoprivlan?showall=&start=1

I suggest 3 routers the same simply to make setting up easier - I'm fairly sure you don't actually need 3 identical routers though.

..
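
Added example (not part of any post in this thread): a small Python model of who can open a connection to whom in the three layouts discussed here, namely the Asus in access-point mode, the Asus cascaded behind the TP-Link as a second router, and the three-router arrangement. It assumes stock consumer NAT behaviour (LAN-to-WAN forwarded, unsolicited WAN-to-LAN dropped, no port forwards or DMZ); the subnets, host addresses and router names are constructed for illustration.

```python
import ipaddress

class Router:
    """Consumer NAT router: forwards LAN->WAN, drops unsolicited WAN->LAN."""
    def __init__(self, name, lan_cidr, uplink=None):
        self.name = name
        self.lan = ipaddress.ip_network(lan_cidr)
        self.uplink = uplink  # router whose LAN feeds our WAN port; None = modem

def owner(routers, ip):
    """Return the router whose LAN subnet contains ip."""
    addr = ipaddress.ip_address(ip)
    for r in routers:
        if addr in r.lan:
            return r
    raise ValueError(f"{ip} is not on any modelled LAN")

def can_initiate(routers, src_ip, dst_ip):
    """Can src open a new connection to dst? Returns (allowed, reason)."""
    src, dst = owner(routers, src_ip), owner(routers, dst_ip)
    if src is dst:
        return True, "same subnet: switched at layer 2, no router firewall in the path"
    hop = src.uplink
    while hop is not None:
        if hop is dst:
            return True, "dst LAN is upstream of src: forwarded out like internet traffic"
        hop = hop.uplink
    return False, "dst is behind another router's WAN port: unsolicited inbound dropped"

# Constructed addressing; subnets and host IPs are assumptions for illustration.
def flat():      # modem - TP-Link - Asus in access-point mode (one subnet)
    return [Router("tplink", "192.168.0.0/24")]

def cascade():   # modem - TP-Link - Asus WAN port (Asus routing, two routers)
    main = Router("tplink", "192.168.0.0/24")
    return [main, Router("asus", "192.168.2.0/24", uplink=main)]

def y_config():  # modem - root router - {home router, basement router}
    root = Router("root", "192.168.1.0/24")
    return [root, Router("home", "192.168.10.0/24", uplink=root),
            Router("basement", "192.168.20.0/24", uplink=root)]

if __name__ == "__main__":
    cases = [("flat tenant->home", flat(), "192.168.0.50", "192.168.0.10"),
             ("cascade tenant->home", cascade(), "192.168.2.50", "192.168.0.10"),
             ("cascade home->tenant", cascade(), "192.168.0.10", "192.168.2.50"),
             ("Y tenant->home", y_config(), "192.168.20.50", "192.168.10.10"),
             ("Y home->tenant", y_config(), "192.168.10.10", "192.168.20.50"),
             ("Y tenant->root LAN", y_config(), "192.168.20.50", "192.168.1.5")]
    for label, topo, src, dst in cases:
        ok, why = can_initiate(topo, src, dst)
        print(f"{label:22} {'REACHABLE' if ok else 'blocked':10} {why}")
```

In the three-router layout the tenant can still reach addresses on the root router's own LAN, so nothing but the two inner routers should be plugged into it.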
 

freeTVEE



Thanks for all of the details folks, much appreciated!

I think I would rather figure out a solution with hardware (the less complicated the better) as opposed to hoping that a software solution will work (and not crash at some point in the future).

Bill mentioned a managed switch earlier above. I have never used one, but this sounds less complicated; would it work? Buy a managed switch like this and then what, something like this??? http://www.amazon.com/forum/-/Tx3DWRA2B0EBMLD/ref=ask_d...
 
The term managed switch means a lot of different things. You need to look for the features you need.

In this case, even though there has been discussion of VLANs, that is only one way and it is not that simple when you want to run it on a switch. In addition to the separation you need a way to actually route the traffic. This means you need a layer 3 managed switch. Then the biggest problem is that you still have a consumer router and it has massive restrictions on what it will allow you to NAT. There really is no managed switch that can do NAT.

The switch you would need must have the ability to filter traffic. The one you list does not. I do not know a cheap one that can do it. Things like Cisco 2960 or some HP ProCurves can.
 

freeTVEE

Ok, so it's starting to sound like there really isn't a decent cheap and easy solution to this issue... ;-)

Maybe the most cost effective & somewhat easy way to do this is just don't have any of the Cat5E jacks in the basement live, WiFi only?

So would a solution like Comcast Modem-Main TP Link A9 Router-Cat5E WAP to old ASUS Router Wifi only (near basement but not accessible from basement). I assume I would just set up the WAP from the main TP Link to the ASUS and then just setup a different SSID & Password on the ASUS that I could give to my renter in the basement, right? Any reason this wouldn't work or anything special I would need to do to set this up? Thanks!
 
It will still be a singular network, just with a separate SSID/password for the tenants.
If this suits then it's minimal setting-up wise.

Someone with networking & technical expertise could still ping/see your own devices on the network & maybe access them if they put an awful lot of effort in.
I think maybe your average tenant will just be happy to have a stable WiFi connection & any of the above really isn't going to be any kind of issue.