cancel
Showing results for 
Search instead for 
Did you mean: 
1

Ask

2

Reply

3

Solution

Router Wifi main guest ethernet isolation

logical
3: Seeker
3: Seeker

Hi All

Just signed up and got my new router arrived a few days ago nd hoping someone can help me come up to speed with it.

 

Been googling without success on this- doesnt seem to be a full manual for the VF Connect (

Huawei 963168 /HHG2500) router and lots of posts on this forum are probably outdated due to firmware...

 

 If enabling the (main) and (guest) networks ...How do they interact? I presume they are isolated from each other? What about the ethernet ports on the router? Are they connected to the main wifi?

 

Previously I have been using 2 wifi routers - one as the modem and the other connected via uplink to provide isolation of both my secure and my guest networks which are both served by wires and wifi. Trying to figure out if/how to replicate this on just the vodafone router by itself.

 

TLDR: How do I isolate ethernet only IOT devices on the vodafone router or is it not possible?

 

11 REPLIES 11

Anonymous
Not applicable

The guest network has it's own subnet.  As such it *SHOULD NOT* have access to clients and servers on the main network, that would include the web management pages.  Some "guest networks" take this further and don't allow interactions between devices even if they are on the guest network subnet, but without testing I rather think that clients might be able to see each other on this router.  The router LAN ports share the same subnet as the main WiFi.

 

 

Anonymous
Not applicable

Regards isolation of IOT devices, you may need to give a bit of heads up as to what you are trying to do.  Generally IOT devices will require some level of interaction, if not with a local host then with remote server.

Well I maynot be fully utilising the local networking capabilities of some of the IOT devices but i think some of them e.g. TV, set top box operate just fine with internet access only as they have their own remote controls. I also have a cctv camera which i would open ports for and port forward, hence considering that network less secure and so desire to have it on an isolated network. I've gleamed that this router doesn't support VLANs which I'm guessing would have offered an answer.

Anonymous
Not applicable

I don't think you are going to replicate your old set upi with just the VF modem/router, it's really not up to much more than basic web browsing and basic streaming.  Regards the VLANS specifically; if one of your previous routers has that facility you should be able to connect it downstream of the VF modem/router as an access point to provide isolation.  Using one of the previous routers though in a "double NAT" configuration (as a router and not an access-point/bridge) tends to cause connectivity issues.

 

*Be prepared for people to get VLANs and VPNs mixed up here.

Anonymous
Not applicable

Did some quick tests with the VF router.

 

Isolation between the Main subnet and the Guest subnet is flawless.

 

There is no isolation between individual peers on the Guest subnet though which while disappointing is not unexpected.

Thanks KeithAlger, your replies and checking are most helpful and appreciated.

 

Seems to be differing opinions on the capabilities of this router. It's the most advanced router i've been supplied with by and ISP in terms of features. Does seem the hardware has been somewhat neutered by the firmware and port blocking not to mention the lack of manual.

 

Neither of my old routers seem to support VLANs on stock firmware. I did waste many an hour installing DDRT and tomato on them to find that flaky feature support and documnetation made it impossible to get them working.

 

I think i might just keep my daisy changed 2 router setup but swap out the first router with the VFC.  Ideally i'd like my "secure" wifi to run directly from this first VFC router as the wifi signal on the 2nd isnt great and it removes the latency of the 2nd router but thinking about it I'm not sure that would work as it would then have connectivity with my "insecure" ethernet network. Any thoughts on how to overcome this?

Anonymous
Not applicable

Personally, day to day I don't use the VF modem router, it just causes too many headaches!  So instead I use a Draytek Vigor 130 modem connected to an Asus RT-AC68U.  I also have a little 8 port TP-Link switch (which has VLAN abilities), and a few devices connected via powerline adaptersto keep them away from the main WiFi.  I can though if I want to test things REMOTELY Turn th VF modem/Router on (and the Asus router off) - the only thing I cant do remotely is swap the cable from the Openreach socket over!

 

The Asus router (and many other mid-range and above routers)  handle the guest network(s) differently to the VF modem router.  While the guest IP addresses exist within the main subnet, they can be isolated from their peers if needed and are (always) isolated from the router web administration.  I can't help but think that such as set up actually does everything you are looking at and more - in a pretty maintenance free and reliable setup.  In fact a decent midrange VDSL modem/router could handle most of your requirements on it's own!

That sounds like you have a good set up.

 

Does your router where you have isolation from peers on your guest network allow any kind of incoming connectivity from other devices on you non guest part? I'm thinking about whether you can control IOT devices from your main network?

I'll have to see if santa can bring me a new router. In the mean time I'll carry on as is.

I'm actually wondering if i can invert the "main" and "guest" networks on the VFC box without adverse side effects. Ie if it will then block admin access from my secure network while allowing if from the insecure parts.

 

It's not as though the "main" and "guest" wifi networks are explicit in the router config pages more that they are Wfif1 and wifi2 and that the suggested names ( "main" and "guest" ) which you can overtype. All about as clear as mud esp without the manual.

 

Anonymous
Not applicable

On the Asus RT-AC68U there are actually 3 guest networks, which can be controlled individually.  So you can turn peer to peer isolation on/off at the guest network level.  So yes you could set up IOT interaction that spans the main and guest network(s).  I say could because with a router that has good protection from internet attacks, I am still wondering if you are being a little over zealous regards isolating devices.

 

On the VF router the guest network by default is on the 192.168.5.x subnet, and has no access to the main 192.168.1.x subnet.  So there is no way to access the VF router web management interface from the guest network.  But there's no reason why you couldn't have your users set up on what would normally be the guest network, and have swap between networks on your own PC just by changing between "available connections".