Different behavior for wired and wireless clients Archer A6
Hello,
I'm not sure of the correct terms to use to describe this so please bear with me. I have a Netgear router connected to my modem that I use as an isolated network for things like security cameras and other devices that I don't want connected to my personal network. I have an Archer A6 that is connected to the Netgear. The Netgear's WAN is connected to my modem and the Archer's WAN is connected to the Netgear. The Netgear's LAN IP is 192.168.1.1 and the Archer's LAN IP is 192.168.0.1.
1. When I am connected to the Archer via WiFi I am able to make a connection to 192.168.1.1 (Netgear) in my browser (unexpected).
2. When I am connected to the Netgear via WiFi I am unable to make a connection to 192.168.0.1 (Archer) (expected).
3. When I am connected to the Archer via Ethernet I am unable to make a connection to 192.168.1.1 (expected, but not expected to be different than case 1).
My question is why are cases 1 and 3 different? Is there a setting that controls this behavior? Ultimately I think I would prefer case 3, but case 1 is ok too.
What is likely happening is related to double NAT. Each of your routers is creating its own LAN on its own Subnet. So traffic from the Archer has to be translated twice before it's sent out to the WAN/Internet. Your best solution if you have to use the Netgear router is to place the Archer A6 in AP mode. This will disable all of its routing functions but will place both routers in the same subnet. The Archer A6 would then just be a Wireless AP. But it would still create its own wireless network. So you would still be able to at least wirelessly keep the networks separate.
@Carl Thanks for the reply. As it is now the Netgear has a different SSID for its wireless network. Would I be able to keep that if I use the Archer in AP mode? Also I wonder about the security of that. Let me explain further: The reason I have done things like this is because I have had devices on the Netgear that are exposed to the internet and I wanted to keep those isolated from my home use network as best as I can. If one becomes compromised because of its exposure to the internet I don't want it to be able to affect anything on my private network, but I am not as concerned about other devices on the exposed network. Another reason it was done that way was that I was unable to configure the Netgear (before I bought the Archer) to allow devices on the guest network to see each other (required) but not allow them to see the non-guest network. So to solve that I bought another router and am using that one (Archer) for my non-guest network. Now I see that the Archer has the option to create a guest network and 1. allow guest devices to see each other, and 2. not allow them to access the non-guest network. I think that option would solve my problem and simplify things by allowing me to use only one router, but I question whether the isolation between the guest network and non-guest network on one router (Archer) would be as strong as the isolation between the two separate networks that I have now.
Yes, you can continue to use the separate SSIDs, but that would only be separating the devices based on what router they are wirelessly connected to. With the A6 in AP mode they would all still be on the same physical subnet. This does mean that all devices would have an IP from the Netgear and as such possibly exposed to a compromise should one client become infected.
As you stated the best solution would be to go with one router and use the guest network to isolate specific devices from the main network. The security of this is no different than using the two separate routers, but it does remove the complexity and issues caused by a double NAT environment.
2 other things you could do but both have added cost are:
1. Replace your router with a VPN/Load balance router. While this is a business router you would be able to create separate VLANs for the devices thus completely isolating devices from each other. With this you could put the A6 or Netgear in AP mode and connect it to the business router to provide wireless access for your clients as typically these business routers do not have built-in wireless.
2. Upgrade the A6 to one of our HomeCare or HomeShield routers. These products include all of the features like guest isolation that the A6 provides but also enhance the router with security features like Device isolation and intrusion detection. HomeCare is a free service and powered by TrendMicro. HomeShield is a subscription service and powered by Avira.
As you stated the best solution would be to go with one router and use the guest network to isolate specific devices from the main network. The security of this is no different than using the two separate routers, but it does remove the complexity and issues caused by a double NAT environment.
This sounds like a good option for me. Can you explain further the differences between my current environment and what it would look like with only one router. I.e. how is the isolation implemented for me currently (what is stopping a device on my guest network (Netgear) from contacting a device on my personal network (A6))? And what would be the mechanism in the case of having the internet exposed devices on the built in guest network functionality of the A6?
Another question is does the A6 support the guest network for wired devices? I have some wired devices that I would like to keep isolated also that are currently connected to the Netgear.
In your current environment you are running two subnets 192.168.0.1 and 192.168.1.1. This is like running two separate VLANs where each subnet is its own network. Because the IP addresses are different, clients on each subnet cannot communicate with each other unless you did something like port forwarding or port triggering. In a single router network everything exists in the same subnet as all devices have an IP assigned from just one router. This means that all devices have the potential to speak to each other, unless you use a feature like Guest network and make sure that you do not allow guests to communicate with host network devices. Even if they are the same subnet because these guest devices are isolated to their own SSID and you do not allow them to communicate with host network they are essentially firewalled from the Host.
No, the guest network only applies to the wireless clients. Wired clients would be part of the main or host network.
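The three cases from the original question can be turned into a repeatable check to run from a client on each segment, before and after any change to the router setup. This is an added example, not code from the thread or from either vendor. The router addresses are the ones given in the thread; the probe ports (web admin UI on 80/443) and the vantage-point names are assumptions.

```python
import socket
import sys

# Router addresses are the ones given in the thread. The probe ports (80/443)
# and the vantage-point names below are assumptions made for this example.
NETGEAR, ARCHER = "192.168.1.1", "192.168.0.1"

# True = must be reachable, False = must be blocked, None = either is acceptable.
POLICY = {
    "archer-wifi":  {ARCHER: True, NETGEAR: None},   # case 1
    "archer-wired": {ARCHER: True, NETGEAR: None},   # case 3
    "netgear-wifi": {NETGEAR: True, ARCHER: False},  # case 2: exposed side must not reach private side
}

def tcp_path_exists(host, port, timeout=2.0):
    """True if something answers for host: the connection completes or is refused."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except ConnectionRefusedError:
        return True   # a refusal still means traffic crossed the boundary
    except OSError:
        return False  # timeout, no route, host unreachable

def check_isolation(vantage, policy=POLICY, ports=(80, 443), probe=tcp_path_exists):
    """Return [(host, observed, wanted)] for every host that breaks the policy."""
    violations = []
    for host, wanted in policy[vantage].items():
        observed = any(probe(host, port) for port in ports)
        if wanted is not None and observed != wanted:
            violations.append((host, observed, wanted))
    return violations

if __name__ == "__main__":
    # Pass the segment this client is currently connected to as the first argument.
    vantage = sys.argv[1] if len(sys.argv) > 1 else "netgear-wifi"
    bad = check_isolation(vantage)
    for host, observed, wanted in bad:
        print(f"{vantage}: {host} reachable={observed}, policy wants {wanted}")
    sys.exit(1 if bad else 0)
```

A non-zero exit status means the observed reachability differs from the policy for that segment. To check a guest network on a single router, add an entry to `POLICY` with the addresses of devices on the main network set to `False`.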
@Carl Thanks!