A question for the network gurus


thaimite

I admit I am not a networking guru. I know enough for the basics, and to keep me out of trouble in most normal circumstances. However, as usual I want to do something out of the ordinary and would appreciate some advice.

Current situation

I have a TOT FTTH connection which is connected to a TP-Link C7 Archer router (primary router). Because I live in a very rural area this is the only option. ADSL etc. is not available.

On my local network I have many PCs and devices NAS etc.

I also have a number of wireless units to provide access to my local network from anywhere in my house or land. These are protected with a strong password and also their range does not extend off my property, so unless somebody is driving around with a high gain antenna they should be safe.

Problem / question

Next to my house my brother-in-law has a small noodle shop for passing traffic, and I wish to provide a wireless access point for him connected by cable to my network. Because of the location described above it is outside of budget for him to have his own Internet connection.

However I want this access point to have 2 limitations.

  1. It will have internet access only and no access to my local LAN / subnet
  2. Ideally I would like to be able to throttle the bandwidth from this port / IP address.

The router I intend to use for this location is an old Linksys router with DD-WRT firmware (secondary router).

I am thinking that if I connect the LAN port of my primary router to the WAN port of the secondary router, which then issues IP addresses from its own DHCP server (i.e. NAT enabled), this will go some way to segregating the LANs.

The TP-Link primary router has many security and management options, so I am wondering what, if any, firewall rules I would need to add to its configuration.

Thanks for the help

Thaimite


I would not recommend that as YOU are responsible for all 'postings' that people in the noodle shop make on the internet.

If they write something bad about the monarchy, Police will come to see you as it was your ip-number!

Just my 2 satang...

Edited by Cloggie

I would not recommend that as YOU are responsible for all 'postings' that people in the noodle shop make on the internet.

If they write something bad about the monarchy, Police will come to see you as it was your ip-number!

Just my 2 satang...

Thank you. I understand that

However, as this was posted in a technical forum I am looking for technical and not legal or philosophical replies.


Thank you.

That looks very interesting. More complex than I was hoping for but I don't mind that too much.

Having to set up a Twit account is a downside, but it could be worse and expect me to sign up for Faeces Book. (You may gather I am not a great fan of the social media traps.) Thaivisa being my main vice.


You can do this, it's called 'daisy chain'.

ADSL(whatever) MODEM -> PRIMARY ROUTER -> SECONDARY ROUTER

Primary router serves your LAN

Secondary router serves the noodle shop's LINE and can't see the primary LAN.

Quota policy depends on what is available on either router; you need to check each router's settings to configure that.

Did that a long time ago. You might want to split the DHCP address range to make sure each router allocates different local IPs. Otherwise an inbound IP packet may randomly reach one PC or another.

Edited by bodymassagemyfriend

If you connect the three routers serially then your middle LAN might be 'obscured' but it won't be 'isolated'. The downstream router will be on your LAN. The middle Router would need to have the ability to isolate LAN Switch Ports.

If you deployed 3 active Routers in a pyramid structure, One Router feeding Two Routers, then the two networks would be completely isolated via their WAN/LAN NAT filter -- but then you'd be running a Double NAT environment for both LANs (having to carefully plan/manage any open ports you'd desire).

If your TP-Link C7 Archer had support for 'Virtual LANs' and a 'managed' Switch Port ... this would have been a piece of cake under DD-WRT (Link #1, Link #2).


Update

I connected the WLAN port of the DD-WRT router to a LAN port on the TP-Link. Thus the noodle shop is now behind a double NAT, which is not a problem for them but would be unacceptable for my own LAN.

This does NOT provide isolation in both directions, as I suspected before I asked the question. I cannot access devices on their LAN, but they can see devices on mine, which is the situation I most wanted to avoid.

The TP-Link does not support VLANs, although I have seen a recommendation to make the DD-WRT WAN port part of a DMZ in the TP-Link. I have not tried this yet.

I have not loaded the hotspot software yet, as I want to find out more about it. If it creates a VPN from the DD-WRT router to the hotspot server it should solve everything. Hopefully I will get time to try that on Sunday when the noodle shop is closed.

The TP-Link is DD-WRT compatible, and I could go that way if all else fails. That will allow me to create VPNs. I will leave that as a last resort. In my experience I have found DD-WRT to provide many extra features but to be generally less reliable than the manufacturer's firmware.

Thanks again to everybody who offered advice and suggestions (even the non-technical ones).

Edited by thaimite
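
The one-way visibility reported in the update above can be closed on the secondary (guest) router itself, and the earlier advice about non-overlapping address ranges can be checked at the same time. The script below is an added example, not something posted by any participant in the thread: it prints the firewall and shaping lines for the guest router. It assumes the guest LAN bridge is br0, that guests use the guest router itself for DNS, that the firmware build includes tc, and all subnets and the rate are constructed sample values.

```shell
#!/bin/sh
# Added example. All addresses and the rate are constructed sample values.

# Convert a dotted-quad IPv4 address to an integer.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Return 0 if two CIDR blocks share any address, 1 otherwise.
cidr_overlap() {
    a_ip=$(ip2int "${1%/*}"); a_len=${1#*/}
    b_ip=$(ip2int "${2%/*}"); b_len=${2#*/}
    # Compare both networks under the shorter (wider) prefix.
    len=$a_len
    if [ "$b_len" -lt "$len" ]; then len=$b_len; fi
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( a_ip & mask )) -eq $(( b_ip & mask )) ]
}

# Print the lines for the guest router's firewall script.
#   $1 primary LAN CIDR   $2 guest LAN CIDR
#   $3 guest LAN interface (assumed br0)   $4 download cap, e.g. 2mbit
guest_rules() {
    if cidr_overlap "$1" "$2"; then
        echo "error: guest range $2 overlaps primary LAN $1" >&2
        return 1
    fi
    # Guests may not reach anything on the primary LAN, including the
    # primary router's admin page. Internet traffic is unaffected because
    # its destination address is outside the primary LAN range.
    echo "iptables -I FORWARD -i $3 -s $2 -d $1 -j DROP"
    # Cap download speed towards guests (egress on the guest-side interface).
    echo "tc qdisc add dev $3 root tbf rate $4 burst 32kbit latency 400ms"
}

# Sample run: primary LAN 192.168.0.0/24, guest LAN 192.168.10.0/24.
guest_rules 192.168.0.0/24 192.168.10.0/24 br0 2mbit
```

The printed lines are meant to be saved as the firewall script on the DD-WRT router (Administration > Commands > Save Firewall). After applying them, a ping from a guest client to a device on the primary LAN should time out while Internet access still works.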