How do I isolate WiFi on second router from LAN on first router while providing internet through first...












resources: Buffalo router with DD-WRT, new Comcast Xfi Gateway
connections: Alexa devices, Chinese big screen TVs, android TV PCs, laptops, tablets, cell phones, PCs
objective: untrusted devices use WiFi on Buffalo for internet and isolated from LAN



My Buffalo router running DD-WRT was working well. For each of the two radios I had a VAP for guest use, isolated from the LAN. I decided to upgrade Comcast to the new Xfi Gateway for unlimited data and extra speed. The new modem/router combo works well, but of course is not as configurable. For instance I cannot create a VAP. The unit provides an isolated "Home Hotspot", but a Comcast login is needed and anyone on the street can connect. I could use the Home Hotspot for untrusted devices, but those won't show up on my list of connections and I can't follow use.

I decided to connect my Buffalo without DHCP and use it for device isolation. Because I must connect the Buffalo with Ethernet, if I isolate, I cannot get to the main router for DHCP, gateway, and internet.

It seems the best thing to do is use either port or IP filtering on the Buffalo. On the Access Restrictions tab the only section is WAN Access. Though there is a place to block services by port number, I don't think that will apply to LAN access because the settings are in the WAN Access section. I need advice on how to do the port or IP filtering.










  • You need a router that supports VLANs.

    – DavidPostill
    Jan 5 at 18:42











  • @DavidPostill I should be able to enter appropriate router commands such as IPTABLE, but these are complex, and I don't want to do that if there's a better way.

    – subjectivist
    Jan 5 at 18:51











  • I don't understand the question. Why don't you connect the WAN interface of the Buffalo to a LAN interface on the Comcast router (disabling wifi on the Comcast router) and run everything through the Buffalo, using VAPs and network isolation there?

    – davidgo
    Jan 5 at 18:55











  • @davidgo The Xfi combo unit has a bridge mode. Documentation says that turns off WiFi and I assume the modem would then be available through one or both ethernet ports. I don't want to do that because the Xfi has better WiFi and whiz bang features are disabled such as getting notifications on my phone and using the phone app.

    – subjectivist
    Jan 5 at 19:16













  • I don't think AP Isolation does what you claim. Specifically you should be able to get to the main router for Internet and gateway, provided the Buffalo router WAN port connects to the XFi. I'm not sure this helps you, as it will put the traffic on the LAN side of the XFi and allow access to resources. I expect you will need to resort to iptables rules to get your desired outcome. I do note that if you switch things around so your "trusted" network connects to your Buffalo and everything else connects to your Xfi it will have the desired effect...

    – davidgo
    Jan 5 at 19:56
















networking wireless-networking router wireless-router dd-wrt
















asked Jan 5 at 18:38









subjectivist























1 Answer














What I want to do with the question is not possible for the model of Buffalo router. IPTABLE commands apply to routing, when I want to affect switching. It is not possible to filter IP addresses or ports within the LAN on the router. A router with VLAN capability is needed as mentioned in comments.
















answered Jan 13 at 17:01

subjectivist
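
The routed arrangement raised in davidgo's comments (Buffalo WAN port cabled to an Xfi LAN port, untrusted clients on the Buffalo) puts guest traffic through the Buffalo's FORWARD chain, where it can be filtered by destination. The script below is an added example, not part of the original thread: it prints DD-WRT firewall-script lines and models their verdict per destination. The interface name br0 and every address are assumed sample values.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed topology: Buffalo (DD-WRT) in
# gateway mode, WAN port cabled to an Xfi LAN port, untrusted clients on br0.
# Interface name and all addresses are constructed sample values.

ip_to_int() {                 # dotted quad -> 32-bit integer
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

in_cidr() {                   # in_cidr IP NET/PREFIX; exit status 0 if inside
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Print lines for the DD-WRT firewall script. Each line uses -I (insert at
# the top of the chain), so the line printed last is evaluated first: the
# DROP goes in first and the narrow DNS exception is inserted above it.
# DNS_IP is optional; omit it when clients use the Buffalo itself for DNS.
guest_isolation_rules() {     # GUEST_IF UPSTREAM_CIDR [DNS_IP]
    case $2 in
        */0) echo "refusing $2: it would also drop internet traffic" >&2
             return 1 ;;
        */*) ;;
        *)   echo "expected NET/PREFIX, got '$2'" >&2; return 1 ;;
    esac
    if [ -n "${3:-}" ] && ! in_cidr "$3" "$2"; then
        set -- "$1" "$2"      # DNS server outside the blocked range: no exception
    fi
    echo "iptables -I FORWARD -i $1 -d $2 -j DROP"
    if [ -n "${3:-}" ]; then
        echo "iptables -I FORWARD -i $1 -d $3 -p udp --dport 53 -j ACCEPT"
        echo "iptables -I FORWARD -i $1 -d $3 -p tcp --dport 53 -j ACCEPT"
    fi
}

# Model of how those rules treat one packet forwarded from the guest side.
# CONTINUE means no added rule matched and the router's stock rules decide.
verdict() {                   # DEST_IP DPORT UPSTREAM_CIDR [DNS_IP]
    if [ "$1" = "${4:-}" ] && [ "$2" = 53 ] && in_cidr "$1" "$3"; then
        echo ACCEPT; return 0
    fi
    if in_cidr "$1" "$3"; then echo DROP; else echo CONTINUE; fi
}

guest_isolation_rules br0 10.0.0.0/24 10.0.0.1
for probe in "10.0.0.1 80" "10.0.0.1 53" "10.0.0.25 445" "203.0.113.10 443"; do
    set -- $probe
    echo "$1:$2 -> $(verdict "$1" "$2" 10.0.0.0/24 10.0.0.1)"
done
```

The printed iptables lines go into Administration > Commands, saved as the firewall script. Internet destinations fall through to the stock rules because the match is on the packet's destination address, not on the next hop it transits.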





























