Multiple Secure Routers On One Modem

networkmage

Distinguished
Dec 31, 2015
30
0
18,530
I have a Cisco modem/router combo (DPQ3925). Set up in a duplex. I want to add a separate network for the second unit, completely separate and secure from my network. Is this as simple as just adding another router to the LAN connection (labeled Ethernet) on my Cisco combo router, with its own separate pre-shared key and user? Would using both routers bog down my bandwidth at all?

Would it be better to get a standalone modem, and connect 2 independent routers to their own LAN on the modem, or would I need to get 2 modems for each individual router? Is that even possible without having to set up 2 internet accounts with the ISP (COX)?

My goal is to set up 2 separate networks that are completely separate and secure from each other, so if a tenant is using one network, they have no way to access or view my network unless they try to hack it.

Thanks for any help!!

 

RealBeast

Titan
Moderator
You do not need a second modem.

You can attach the second router and create an isolated subnet by going from the Cisco LAN port to the new unit's WAN port, give the new unit the Cisco gateway address as its WAN address, and use different radio channels/SSID/passkey, also a different network address on the tenant router. So if your gateway is 192.168.0.1, make their router gateway address 192.168.x.1 where 1 is not 0.

HERE is what it looks like, and the tenant has the "shield" router as shown in that picture. Use a good password on your router (so they cannot make changes to your configuration) and they cannot access your network. Also disable WPS if you have not yet done so, in order to make your WPA2 wireless much more secure.

The tenant router will use your bandwidth, so it depends how much you have to start with, and just make it clear that they are not allowed to run a torrent server.
 

networkmage






Thanks. That was very helpful and clear.

I have 100mbps... although it always averages 80mbps, from Cox. I think that is enough for normal internet stuff.

Couple more questions:

Can the second network also operate off a wired Ethernet if I ran it from the second router to their unit where they would have a laptop?

Is there any way to set up the second network without it using my bandwidth? How do businesses do this with their LANs? Take, for instance, a small business like a Starbucks shop: they have their secured network, then the open network, and everyone is using the same bandwidth. Assuming they have one modem, is it because they have more bandwidth under a commercial account with the ISP?

Thanks!
 

RealBeast

The second router that is set up as an AP will have both wireless and 4 wired LAN ports available just as if it were directly attached to the Cox modem.

The only way that it will not use some of your 80Mbps bandwidth would be if they had their own router and account with Cox.

Businesses use commercial grade equipment that has good QoS settings to limit bandwidth to guest networks. Indeed, if it becomes an issue you can set up QoS on the second router, but I would not worry about it for now.
 

RealBeast

Any will do really, but I've picked up a couple of ASUS RT-N56U (dual band N) routers off Newegg for $19.99 AR ($10) lately.

You can use an AC router as the AP if you have devices with AC adapters -- I would go with a Netgear R7000, excellent AC1900 radio at a lower price than the latest crazy stuff that doesn't perform any better really.
 

networkmage

Hi, I really need help and can't find anyone locally that knows how to do this and online videos don't clearly address this in specific detail...I am still having difficulties when trying to create separate networks on my home LAN.

When I set up a second router, I keep having challenges in what to set the router's static IP and gateway address to, plus it has 2 sections in the interface, one called INTERNET SET UP and the other LAN SETUP.

I'm using Netgear routers now. So in the "Internet setup" tab of the Netgear it asks if I want to enter a static IP...or get dynamically from ISP.

Is this where I enter a static IP (the new network range) network address of 192.168.2.1? And in the same panel it asks what subnet mask... I'm assuming it is still 255.255.255.0... and a Gateway IP address: Is this the WAN address you were referring to before, whereby I use the default gateway of the main front router (which is: 192.168.1.1) and enter it in this space?

Now, there is one more tab on the Netgear interface... it's just called LAN Setup:

So in here it asks for an IP address also, then a subnet mask, then asks if I want DHCP on or off. So I am assuming this is the INTERNAL IP info, correct? So I would just list something in a range like: 192.168.2.5 here and the same subnet mask of 255.255.255.0?

My goal now is to set up an ultra secure, private network that will also have a SonicWall appliance added into it.

Thank you very much for helping me with this

Dana
 

RealBeast

From above so as not to repeat this section: attach the second router and create an isolated subnet by going from the Cisco LAN port to the new unit's WAN port, give the new unit the Cisco gateway address as its WAN address, and use different radio channels/SSID/passkey, also a different network address on the tenant router. So if your gateway is 192.168.0.1, make their router gateway address 192.168.x.1 where 1 is not 0.

So for example say the Cisco router is 192.168.0.1, set the IP address as static in each of the tenant routers to be 192.168.1.1, .2.1, .3.1 for three different units. All are still 255.255.255.0 because they are still standard /24 subnets (allowing each tenant router to use 256 addresses minus the two for the gateway tenant router address and its broadcast address). They can each use DHCP to assign their own internal addresses for their subnet (LAN from their viewpoint).

The WAN address (and DNS address) for each of them will be 192.168.0.1 -- your Cisco IP -- so that all their requests will pass out through you to the Internet. Any address that cannot be resolved by their router (that is any not in their subnet range) will be sent to the Cisco router and then passed on to the ISP, etc.

While you *could* give their routers 192.168.x.5 addresses, it would be confusing to anyone used to dealing with a network -- since most devices have a default of x.1 -- I would stick with that for simplicity.

Make sense?
 
Solution

networkmage

Ok, this is starting to make sense, but what about the host devices on the tenant network? What should I do with the IP config in the host computers: leave it in "get automatically from ISP" mode or assign the hosts to have static IPs, gateway and DNS?

Also, do I turn DHCP off on the second router?

Thanks
 

networkmage

I think part of the problem is that the Netgear interface is confusing to me. They have a WAN setup option which is subcategorized at "default DMZ server" which I assumed I am not supposed to touch.

However, I adjusted the settings as follows on the tenant router:

Internet IP (WAN): 192.168.1.1 (same as front end)
Gateway: 192.168.1.1 (same as front end)
DNS: 192.168.1.1 (same as front end)

I get an error stating invalid DNS.

I made my router internal LAN IP at: 192.168.2.1 /255.255.255.0

What am I doing wrong?

 

RealBeast

No you should not need to use a DMZ setting, which bypasses ports past any security -- that is needed by some applications like games for network play.

Perhaps the Gateway in that context may be the gateway address for *that* router (so it would not be the same as the WAN) and you can always use 8.8.8.8 for the DNS (the Google public domain DNS, which I use since it works better than my ISP DNS servers anyway). I haven't used a Netgear router for a while so I would have to review the manual, what model?
 

networkmage

My main router is the Nighthawk R7000 and the tenant router is a Netgear WNR2000v4, but their interfaces are almost identical. Nighthawk just has more options under security and administration. IP sections are the same.

So if that is true, then what would I enter for the gateway in the WAN section of the second router? Even if I place Google's in there I still get a DNS or gateway error. More specifically, it accepts the Google DNS, but then says I have a gateway error.

So here is what happened since last message: I did get the second network to work, but it only works if I change the (second router) WAN IP, Gateway and DNS to "Get IP, gateway and DNS automatically from ISP" ..and the LAN IP in second router is 192.168.2.1 with DHCP set on and a range of 192.168.2-245

I tried pinging my hosts on other network from this second one and only the ROKU stick will respond...strange..?
 

RealBeast

Check your wired connection, it must be from your LAN port to the tenant WAN port.

The WAN gateway in the tenant router must be the gateway address of your R7000 router.

Don't worry about the hosts on the tenant router until after you can make a good connection to the main router. You will of course also have to ensure that the DHCP range on the R7000 excludes the range of the static addresses for the tenant routers -- so set the R7000 DHCP range to 192.168.1.12 to .254 so you will have plenty of static addresses available. Ensure that you see the tenant routers as static devices in the Cisco router when they are connected. Otherwise you will experience IP conflicts that will cause unpredictable results.

You should not be able to ping devices between the different subnets or from your R7000 with this setup. The security goes both ways.

You should be able to ping 192.168.1.1 from tenant hosts once you have the tenant routers connected to the R7000 router correctly. And once they can ping the R7000, you should be able to get Internet access with a DNS address of the R7000 gateway or an Internet connected DNS (such as the Google DNS).
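
Added example (not from the thread or from any poster): a small Python check of the addressing plan described in the replies above, using the thread's values (main router 192.168.1.1, DHCP pool 192.168.1.12 to .254, tenant LAN 192.168.2.0/24). The function names and the sample addresses 192.168.1.2 and 192.168.1.50 are assumptions made for the illustration.

```python
import ipaddress as ip

def check_tenant_plan(main_lan, main_router, main_dhcp, wan_ip, wan_gw, tenant_lan):
    """Return a list of problems in a tenant router's WAN/LAN settings."""
    main_net, tenant_net = ip.ip_network(main_lan), ip.ip_network(tenant_lan)
    router, wan, gw = (ip.ip_address(a) for a in (main_router, wan_ip, wan_gw))
    pool_lo, pool_hi = (ip.ip_address(a) for a in main_dhcp)
    problems = []
    if wan not in main_net:
        problems.append("WAN IP is outside the main router's LAN subnet")
    if wan == router:
        problems.append("WAN IP duplicates the main router's own address")
    if pool_lo <= wan <= pool_hi:
        problems.append("WAN IP is inside the main router's DHCP pool")
    if gw != router:
        problems.append("WAN gateway is not the main router's LAN address")
    if tenant_net.overlaps(main_net):
        problems.append("tenant LAN overlaps the main LAN")
    return problems

def forwarded_out_wan(dst, tenant_lan):
    """True if the tenant router sends traffic for dst out its WAN port."""
    return ip.ip_address(dst) not in ip.ip_network(tenant_lan)

# Values from the thread: R7000 at 192.168.1.1, DHCP pool .12-.254,
# tenant LAN 192.168.2.1/24.
MAIN = dict(main_lan="192.168.1.0/24", main_router="192.168.1.1",
            main_dhcp=("192.168.1.12", "192.168.1.254"))
TENANT_LAN = "192.168.2.0/24"

if __name__ == "__main__":
    # Settings as posted in the thread: WAN IP and gateway both 192.168.1.1.
    print(check_tenant_plan(**MAIN, wan_ip="192.168.1.1",
                            wan_gw="192.168.1.1", tenant_lan=TENANT_LAN))
    # Constructed fix: 192.168.1.2 is an assumed free static address below the pool.
    print(check_tenant_plan(**MAIN, wan_ip="192.168.1.2",
                            wan_gw="192.168.1.1", tenant_lan=TENANT_LAN))
    # 192.168.1.50 is a constructed main-LAN host address.
    print(forwarded_out_wan("192.168.1.50", TENANT_LAN))
```

`forwarded_out_wan` returning True for a main-LAN address is consistent with the Roku answering pings from the tenant side, since the tenant router's WAN port sits on the main LAN. Confirm isolation by pinging main-LAN hosts from a tenant host rather than assuming it.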
 

networkmage

I get an error from the tenant router if I attempt to make the WAN gateway the Main router address, which is 192.168.1.1.
Same thing with DNS on the tenant router, it won't allow me to input the Main router DNS in there, but it does accept Google DNS. The only way it works is if I select the automatic ISP information in the Internet WAN set up for the secondary router. I think it's just the Netgear router, I need to get one with a better configuration interface.

But it looks like I got the same result anyway, even though the tenant router won't display what it is actually pulling from the ISP for WAN and DNS and gateway. The network is separate.

Do you have a better router to suggest that costs under $100? I don't really like Netgear's interface.

Thanks






 

networkmage

You wouldn't be referring to the non-private WAN, gateway and DNS address my ISP assigns me and are in my front router settings under WAN are you? Like the public IP, gateway and DNS?