Setting up guest wireless on DLink is not giving security

I have two D-Link AC1200 routers. One is the main, the second is in the boardroom with the LAN cable from the first, to the LAN port into the second. DHCP turned off on the second one.  This configures the boardroom DLink as a wireless access point.

When I enable the guest network on the boardroom router, you cannot reach the Internet.  Is this because it is designed to get an IP only from itself? (I have DHCP turned off because it is just an access point.)

When I plug the LAN cable into the boardroom DLINK's WAN port instead, turn on DHCP (different subnet), all functions work as normal.  However, when you connect to the guest wireless in the boardroom, you can't ping anything on that router, but you *can* ping any IP address on the other network.  Connected to guest, I can get onto a computer on the other subnet via the Windows run line: \\192.168.2.100, for example.

The tick boxes for "enable routing between zones" are cleared.

How do I prevent the guest network from seeing other subnets?  The main DLink router is a DIR-850L, and the secondary Boardroom router is a DIR-820L

Thanks.
DaveWWW asked:
Davis McCarn (Owner) commented:
From your description, I think your best answer is going to be to buy another router for guest access because that DLink is insisting on using the WAN port.

But; otherwise, what is the subnet mask and did you turn off the NAT firewall? (Either would explain the \\192.168.2.100 issue)
vivigatt commented:
Guest Wireless on an AP that does not route anything seems quite strange to me.
Can you elaborate on your config, especially IPs, type of gateway, etc., on the 2 D-Links?
DaveWWW (Author) commented:
The current setup is now:
Main router 192.168.2.1.

LAN cable from router 1's LAN port to the WAN port of the secondary router in the boardroom, whose IP address is 192.168.3.1, DHCP on, guest network on.

Anyone connecting to the guest network gets IP 192.168.3.x.

Any guest cannot get a ping return when pinging 192.168.3.x. But they do get full connectivity including browsing PCs on 192.168.2.x. This very much surprised me.

Ideally, what I'd like is a second router in the boardroom where company people get onto the standard wireless and thus the entire company LAN. Guests connecting to the guest network in the boardroom see only the Internet - everything else internally is blocked.
Davis McCarn (Owner) commented:
What is your subnet mask and did you turn NAT back on?
If the subnet is 255.255.255.0, .2 should not be able to access .3
vivigatt commented:
Correct me if I am wrong.
What you want is:
- WLAN 1 (standard wireless 192.168.2.0/24) on your 2 WiFi routers
- Guest WLAN (192.168.3.0/24) on the second router

To have WLAN1 on both your routers, you need a special configuration. If there is a wire between both routers, it is not the same thing as if both routers must use a wireless link. In the latter case, you may have to use something like WDS, OLSR, B.A.T.M.A.N...

You could set your 2nd router as an access point only, but then I don't think that the guest network can work, since it requires routing capabilities, DHCP, etc...
DaveWWW (Author) commented:
vivigatt, I'm not on site with the client right now, but Router 1 is set up with IP address 192.168.2.1, with dual band wifi, standard config all round.

Router 2 is set up in the boardroom with IP address 192.168.3.1, with a LAN port cable from router one plugged into Router 2's WAN port.  On router 2, Guest network is turned on.

Guests (on router 2) cannot ping any 192.168.3.x address, but they *can* ping any 192.168.2.x address.
vivigatt commented:
It seems to me that your "Guest network" is isolated from (not routed to) the 192.168.3.x network, which makes sense for a guest network. My experience with guest networks is that they are totally isolated from the "non-guest" LAN.
Now, 192.168.2.x being connected to the WAN port, it is considered to be "the Internet" for router 2 and thus the guest network and 192.168.3.x hosts can access it.
Actually, what you describe seems perfectly normal to me...
Davis McCarn (Owner) commented:
If 192.168.2.1 is the router's ip, change the wan/internet port's subnet mask to 255.255.255.254 and that should fix it.  Every ip other than 192.168.3.1 will be on a foreign network.
DaveWWW (Author) commented:
Change it on router 1 or router 2?
vivigatt commented:
Davis McCarn, I don't think it will work:
If you change it on router 2, on the WAN port, thinking that everything that is not 192.168.2.1 will be considered to be "the Internet", this will not be correct, since 192.168.2.1/24 (aka 192.168.2.0/255.255.255.0) is already "the Internet" for Router 2.
Furthermore, the nodes connected to the non-guest network on Router 2 may have issues connecting to hosts in the 192.168.2.x (remember, router 2 is connected to router 1 on its WAN port).

However, I am not sure what the OP actually wants...
Normally a "guest network" should allow only Internet access and no connection to your LAN/WLAN. If this is what you want, you may need to implement VLANs, since I am not sure that you can have a Guest Network working this way if the router is not directly connected to the Internet on its WAN port.
Davis McCarn (Owner) commented:
Router 2, and it will then be /31, vivigatt (only one IP not foreign).
vivigatt commented:
Yes, only one IP accessible to the WAN port, which would be a router IP. Routing should work; however, if what the OP wants is to isolate guests completely from his LAN/WLAN, it won't help, will it?
Davis McCarn (Owner) commented:
Yes, because any attempt to access 192.168.3.2 through .255 will fail.
vivigatt commented:
I don't get you...
192.168.3.x is already unavailable to nodes of the guest network. Where would the improvement be?
Currently, according to the OP, guests can access anything but the 192.168.3.x network. My understanding is that he wants guests to access only the Internet and nothing in 192.168.2.x nor 192.168.3.x.
Actually, I can't see why setting the WAN link on router 2 to use a /31 netmask would change anything, except that it adds one hop when trying to reach a node in the 192.168.2.x network: packets received by 192.168.2.1 will be routed by router 1, and they will be routed to 192.168.2.x as well. It is my understanding that they won't be routed to 192.168.3.x (and they already aren't) because router 2 is a NAT between 192.168.2.x and 192.168.3.x.
I think I missed something, I'll wait for the OP to clarify, I don't want to add confusion to this thread...
Davis McCarn (Owner) commented:
1) We're getting pretty arcane here, because 99.99% of the users on the planet would never have a clue they could access 192.168.2.2!  The whole question is borderline paranoia (though I do sympathize).
2) If the router's WAN/Internet subnet mask is 255.255.255.254 AND the gateway is at 192.168.2.1, the only address deemed local will be 192.168.2.1 (period).  Even if 192.168.2.2 responds to a ping, it won't be available because it is outside the scope of the network.
3) To DaveWWW:  Pinging is a long way from R/W access.  Can you open the shares on the 192.168.2.xxx network?
vivigatt commented:
In your proposed setting, the WAN interface of Router 2 has the address 192.168.2.1 or 192.168.2.2 ?
I guess it has 192.168.2.2 because its gateway (192.168.2.1 then) must be in the same subnet.
Then 192.168.2.2 would be the address assigned to the WAN port on router 2, and it won't be in its own subnet!
Pretty weird!
dd-wrt firmware v24 sp2 does not allow me to set my WTR54G in such a way.
OTOH, using 255.255.255.252 as the subnet mask is legit. And then you have only 2 addresses in the subnet: 192.168.2.1 and 192.168.2.2. This might work better.
Yet, I still don't get what the improvements are compared to the current situation.
Davis McCarn (Owner) commented:
You wouldn't be able to browse 192.168.2.3-255; geeze.
vivigatt commented:
DavisMcCarn, are you familiar with "guest networks" on small Wifi routers?
It seems to me that you aren't, and also that you do not understand what the OP wants.
Let me explain what I understood (and if I am wrong, well, I'll apologize):
Guest WiFi networks are secondary WiFi networks, on another subnet, that are isolated from your "private" LAN/WLAN, but that exist on the SAME router that manages your private (W)LAN.
In the OP config, the private LAN/WLAN on router 2 is 192.168.3.x, the guest network is something else (192.168.47.x for instance; he did not say and this is not important) and guest nodes cannot access anything on 192.168.3.x, yet they can access "the Internet", which is exactly what a guest network is made for. Since "the Internet" for router 2 is actually "router 1", I can't see how setting a subnet zero (/31 subnet mask) changes the routing scheme. 31-bit prefixes are used for point-to-point links only, but routing will still work on router 1 (and that's what the OP wants for his 192.168.3.x network: hosts on 192.168.3.x must be able to "browse" 192.168.2.x nodes).
With your proposed config you should be able to "browse" 192.168.2.3-254 from Guest and private WLANs: the packets will be sent from 192.168.3.x and 192.168.47.x, NAT'ed and received by router1 on 192.168.2.1. Router1 can actually route them correctly to 192.168.2.x and to whatever is behind its default gateway (to keep it simple).
And I don't think that you can easily set a 31bits prefix to the link  between router1 and router2 (in that way, not the other way, from router2 to router1).
Furthermore, I don't think that DLink routers accept 31bits prefix on their WAN link, which would make this solution useless even if it worked.

Here is what cisco writes about /31 masks:
 Using 31-Bit Prefixes on IPv4 Point-to-Point Links

RFC 3021 describes using 31-bit prefixes for point-to-point links. This leaves 1 bit for the host-id portion of the IP address. Normally a host-id of all zeros is used to represent the network or subnet, and a host-id of all ones is used to represent a directed broadcast. Using 31-Bit prefixes, the host-id of 0 represents one host, and a host-id of 1 represents the other host of a point-to-point link.

Local link (limited) broadcasts (255.255.255.255) can still be used with 31-bit prefixes. But directed broadcasts are not possible to a 31-bit prefix. This is not really a problem because most routing protocols use multicast, limited broadcasts, or unicasts.

More about 31bits prefixes here: http://www.ietf.org/rfc/rfc3021.txt
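Added example (an editor's illustration, not code from the thread, from D-Link firmware, or from the Cisco text quoted above): a small model, built on Python's stdlib ipaddress module, of the forwarding decision on router 2's WAN side. It covers both the /31 and /30 masks debated above and the guest-zone policy that actually delivers the isolation the question asks for. The class and function names (Interface, next_hop, guest_forward_allowed, router2_forwards) and the addresses 192.168.2.2, 192.168.2.100 and 198.51.100.7 are assumptions made for the illustration.

```python
# Added illustration, not code from the thread or from D-Link: a model of
# router 2's WAN-side forwarding decision using the stdlib ipaddress module.
# Names (Interface, next_hop, guest_forward_allowed, router2_forwards) and
# the host addresses below are assumptions made for this example.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

IPv4Address = ipaddress.IPv4Address

# What a guest zone should never be forwarded to: RFC 1918 space (which
# includes router 1's 192.168.2.0/24 LAN) plus loopback and link-local.
BLOCKED_FROM_GUEST = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


@dataclass(frozen=True)
class Interface:
    name: str
    address: ipaddress.IPv4Interface       # host address with prefix, e.g. 192.168.2.2/24
    gateway: Optional[IPv4Address] = None  # default gateway, expected to sit on this link


def next_hop(iface: Interface, dst: str) -> Tuple[str, Optional[IPv4Address]]:
    """Classify dst as seen from iface: ("on-link", dst), ("via", gateway) or ("unreachable", None).

    A gateway outside the interface's own prefix is unusable. That is what happens
    to 192.168.2.1 when the WAN port is given 192.168.2.2/31: that /31 spans only
    .2 and .3, so the gateway itself is off-link.
    """
    dst_ip = ipaddress.ip_address(dst)
    if dst_ip in iface.address.network:
        return ("on-link", dst_ip)
    if iface.gateway is None or iface.gateway not in iface.address.network:
        return ("unreachable", None)
    return ("via", iface.gateway)


def guest_forward_allowed(dst: str) -> bool:
    """Guest-zone forwarding policy: permit only destinations outside private space."""
    dst_ip = ipaddress.ip_address(dst)
    return not any(dst_ip in net for net in BLOCKED_FROM_GUEST)


def router2_forwards(wan: Interface, dst: str, zone: str, policy_enabled: bool) -> bool:
    """Does a packet from `zone` ("guest" or "lan") leave router 2's WAN port towards dst?

    The subnet mask only decides on-link vs. via-gateway; in both cases the packet
    still leaves the port and router 1 delivers it inside 192.168.2.0/24. Only the
    zone policy drops guest traffic bound for the upstream LAN.
    """
    if zone == "guest" and policy_enabled and not guest_forward_allowed(dst):
        return False  # dropped by the guest-zone firewall before NAT
    kind, _ = next_hop(wan, dst)
    return kind != "unreachable"


# Router 2's WAN port plugged into router 1's LAN, with three candidate masks
# (constructed addresses: .2 for router 2's WAN side, .1 for router 1).
wan_24 = Interface("wan", ipaddress.ip_interface("192.168.2.2/24"), IPv4Address("192.168.2.1"))
wan_30 = Interface("wan", ipaddress.ip_interface("192.168.2.2/30"), IPv4Address("192.168.2.1"))
wan_31 = Interface("wan", ipaddress.ip_interface("192.168.2.2/31"), IPv4Address("192.168.2.1"))

if __name__ == "__main__":
    lan_host = "192.168.2.100"       # a PC on router 1's LAN
    internet_host = "198.51.100.7"   # documentation range, stands in for a public host
    for wan in (wan_24, wan_30, wan_31):
        print(f"{wan.address}: {lan_host} is {next_hop(wan, lan_host)[0]}; "
              f"guest reaches it with no policy: {router2_forwards(wan, lan_host, 'guest', False)}")
    print("/30 + guest policy, LAN host:", router2_forwards(wan_30, lan_host, "guest", True))
    print("/30 + guest policy, Internet:", router2_forwards(wan_30, internet_host, "guest", True))
    print("/30 + guest policy, company zone, LAN host:", router2_forwards(wan_30, lan_host, "lan", True))
```

Running it shows that with /24 or /30 a guest packet to 192.168.2.100 still leaves the WAN port (on-link in the first case, via 192.168.2.1 in the second) and router 1 delivers it; that 192.168.2.2/31 puts the gateway itself off-link and breaks all forwarding, guest and company alike; and that only the zone rule drops guest traffic to private space while still letting it out to the Internet. On a real router that rule is the "guest zone may reach WAN only, never LAN or RFC 1918" firewall entry, or a separate VLAN with the same policy; the subnet mask is not a security control.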
DaveWWW (Author) commented:
Sorry, I've been away for some time and am just getting back to this.  A couple of points:

DavisMcCarn, re your previous comments, the idea of subnet isolation in a business is hardly 'borderline paranoia'.  It's simply prudent.  And yes, going to the run box and typing \\192.168.2.100 would bring up the first device with an assigned IP, along with its shares. Running a network scan on the other subnet would likely work too.  Guest networks exist for a reason.


Based on many of the comments, perhaps a workable approach is to turn off DHCP on the boardroom router, put everything on the same subnet, and turn on the guest network on the boardroom.  I say this because all computers would be on the same subnet, and because the guest network does not browse computers on the same subnet, problem solved, correct?
DaveWWW (Author) commented:
This was correct.  When using two routers, turning on the guest network on the inner router will allow it to access the router connected to the WAN.  I reconfigured the routers differently to avoid this.
Question has a verified solution.