Home Network Setup and Advice

Question

I am wanting some ideas and advice for how to do my home network. I am an IT Technician and know the basics, however networking is not my strong suite and I want to improve.

[Current setup]

There are two family's in my house so I need to segregate the networks. I have a TP-Link Arch c9 router(R1) connected to the internet box. Next I have my Asus RT68R (R2) connected to lan port of R1 and hosting the network for the reset of the house. The other family has their Linksys Router(R3) also connected to lan port on R1. All routers provide their own network with DHCP I understand that this is called triple nating and may cause some issue or latancy. R1 Has ip scheme of 10.0.20.x and R2 has IP scheme of 192.168.1.x R3 i dont know for sure but I believe it starts with 10.something. I belive all routers subnetmasks are set to 255.255.255.0 Not fully sure for R3 as I dont have access to their router.

Behind R2 is a file and domain server 2016 data center with 4-5 desktops and 2-3 wireless devices. R2 Also has a wireless ssid for the network and a guest ssid. R2 has a static ip from R1 and is on DMZ to allow for vpn access to R2 file server

[Problem]

The family that uses R3 has a problem every now and then were their router loses internet and the only thing that fixes it is rebooting R1 and some times even have to reboot all routers and internet box. To trouble shoot the issue I have tried scanning the network for R3 and pinging it from a device behind R2 But dose not find or see it how ever I can see R1 just fine. I talked with some co-workers and they believe the famly using R3 has configured something on their router that causes it to some times boot to a different setting like AP mode or bridge mode. Also discovered if I disable DHCP on R1 internet works fine for R2 and R3 but after a while R3 loses internet.

[What I would like to do]

I want to completely segregate R2 and R3 so they are not communicating at all to remove any type of conflict or issue that may be caused by the current setup. Behind R2 I would like to have a couple subnets for various devices to improve the security for more important devices. Example would be R2 main network With domain server and general home devices like media computer or roku or fire tv stick ect. Next would be a subnet for more personal device that may contain more important documents and files but I still want them to be able to communicate with the domain server and file server for network drive. Lastly I want two subnets one that is for testing purposes and fixing computers that may be infected so cant communicate with any other networks. The second would be for guests.

I understand some of what I want to do may cost more money and a firewall would be a good idea to help segragate R2 and R3 I just wonder if its at any way possible for me to do with type of setup with consumer grade routers and waps or if I really need business grade firewall/ managed switchs and waps

I have thought about buying some newer routers like netger xr500 or asus ac3100 and ubiquity waps.

Last question. is it possible to setup a guest ssid network on my asus router and assign devices on the lan ports to that network or is the guest network only accessible via wifi

I appreciate any help or advice any one has to offer.

Answer 1

1) One possible reason for the "internet trouble" on R3 is that R3 seems to rely on DHCP for the connection to R1, and if this doesn't work for some reason, R3 looses the lease and therefore connection to R1. To debug this one would need access to R3.

One way to avoid that is to give both R2 and R3 static addresses, then you can disable DHCP on R1 (or reserve a static range). You'll need to set up the static address on R3, so talk to the other family ("it will help with your internet problems" is probably a good argument for "I'll need to do something on your router").

2) Ideally, only R1 should do NAT, but setting this up will require routing rules on R1 and correct setup of R2 and R3. Given the situation, this may not be so easy, so I guess you are stuck with double NAT (not triple NAT - on each path R2-R1 and R3-R1 both routers are doing NAT).

3) R2 and R3 "communicating" and causing trouble is very likely not the issue. You can set up a firewall on R1 if you are really worried about this. This will probably require a custom firmware like OpenWRT on R1 (Archer C9 should be supported), and will require some expertise, so maybe it's easier to just leave it as it is.

As R2 and R3 do both NAT, the networks behind R2 and R3 are effectively separated, anyway, even with additional firewall stuff.

4) If you want different subnets behind R2, you should be aware that this will require routing between subnets, which in turn will require routes on all members of a subnet. You can distribute routes via DHCP. For a similar question, see e.g. here.

This will require a very custom setup on R2, and again possibly open firmware on R2 if the provided firmware doesn't allow it. It's certainly possible to set something up like that, but it again requires some networking expertise.

5) A guest network on LAN isn't that different from a guest network on WLAN. But again, the firmware needs to support it. If the provided firmware doesn't, you need OpenWRT etc., and need to set it up yourself (which in addition needs a working understanding of firewall rules/iptables).

All of what you want to do is doable. Even without additional hardware (though you may need some LAN switches for all the devices if you don't have them yet). If you are doing it for the first time, don't underestimate the learning curve - you'll need to do quite a bit of reading up on networking fundamentals.

Answer 2

Segregation

This can be accomplished by using subnetting. Subnetting is the division of Network bits and host bits. I don't know if you know this or not so I'll list it out.

For Private IP Addresses:

+-------+-------------------------+-------------+-------------------------------+
| Class |     Private Network     | Subnet Mask |             Range             |
+-------+-------------------------+-------------+-------------------------------+
| A     | 10.0.0.0                |   255.0.0.0 | 10.0.0.0 - 10.255.255.255     |
| B     | 172.16.0.0 - 172.32.0.0 | 255.240.0.0 | 172.16.0.0 - 172.31.255.255   |
| C     | 192.168.1.0             | 255.255.0.0 | 192.168.0.0 - 192.168.255.255 |
+-------+-------------------------+-------------+-------------------------------+


+-------+-------------------+-----------------+-------------+----------------+----------------------+-----------------------+
| Class | First Octet Range | High Order Bits | Notation ID | Default Subnet |   Num of Networks    |     Num of Hosts      |
+-------+-------------------+-----------------+-------------+----------------+----------------------+-----------------------+
| A     | 1 – 126           |               0 | N.H.H.H     |      255.0.0.0 | 126 (2^7 – 2)        | 16,777,214 (2^24 – 2) |
| B     | 128 – 191         |              10 | N.N.H.H     |    255.255.0.0 | 16,382 (2^14 – 2)    | 65,534 (2^16 – 2)     |
| C     | 192 – 223         |             110 | N.N.N.H     |  255.255.255.0 | 2,097,150 (2^21 – 2) | 254 (2^8 – 2)         |
|       |                   |                 |             |                |                      |                       |
+-------+-------------------+-----------------+-------------+----------------+----------------------+-----------------------+

See IP address classes, if you have tabs.

Using the above tables, and the data from your question:

• R1 is using a Class A address.
• R2 is using a Class C address.
• R3 is using a Class A address.

---

1. Surely you don't need 16,777,214 LAN devices on your network. Let's put them all in the Same Class, which should be Class C.
2. Make sure all Routers are set to the same IP Protocol. If your ISP and modem support IPv6, and it's currently set to IPv6, all devices in the line must support IPv6. If one device only does IPv4 then you must set all devices to IPv4.
3. Decide on a topology. There are some options here:
   • Remove all Routers except the one connected to the ISP: Replace Both routers with one switch, with enough ports to support all family members. Buying say three switches and bridging 2, also works. Using a switch would alleviate subnetting all together, as each device is now all in one subnet, and share only the wireless password between the families.
   • Let each router be its own subnet: Use MAC Address filtering so that the DHCP service in R1 always gives the same IP addresses to R2 and R3, since you have them uplinked. @djkrt alluded to this in his suggestion regarding static IP addresses.
4. After choosing a topology, read Subnetting Made Easy, and then use this Subnet calculator, to calculate the proper subnet for R2, and again for R3.

Note that R3, must be in a different subnet to divide the traffic, and will not communicate with R1 or R2 unless you enable routing rules, like port forwarding etc. Also note that if you want R1 and R2 to communicate together they must be in the same Class and subnet. NAT Translation only occurs once if this is fixed. R3 may be losing connection because NAT has occurs twice. Once from the original translation and again when R3 adds the information to it's own ARP table.