Networking – Guest wifi mode on a secondary router

Tags: lan, networking, router, wireless-networking, wireless-router

I am trying to configure a router as a secondary WiFi access point, that provides internet access but prevents access to the local network.

The router supports both, but I cannot get it to work.

My setup is as follows:

  • primary Router + Modem issued by my provider, located in the cellar (WiFi capable, but no reception outside the cellar)
  • various PCs connected by LAN cable to the primary router
  • secondary router (NetGear WGR614v10) connected by LAN cable to the primary router. The NetGear router should serve as a wireless access point, but wireless clients should not see the machines on the local network. To this end, the NetGear router supports "guest mode", which does exactly this: it lets WiFi clients access the internet but not other local machines.

I tried various configurations:

  • NetGear connected through WAN port to the local network.
    Internet works this way, but wifi machines can access other local machines.
    This is logical: the local network is on the WAN side of the NetGear router, so from the perspective of the router it belongs to the internet, not the LAN.
  • NetGear connected through LAN port. DHCP disabled on NetGear.
    Internet works if I also allow access to the local network, but does not work with guest mode.
    This is logical: the gateway to the internet has a local address, and wifi clients are not allowed to access local addresses.
  • NetGear connected through LAN and WAN ports.
    Does not work either, I guess because the DHCP server is still the primary router, so it will send the wrong route to the wifi clients. It might work if the wifi clients had fixed IP settings, but that is not an enforceable option for guests.
  • NetGear connected through LAN and WAN ports, and DHCP re-enabled; using both routers as DHCP servers with non-overlapping IP ranges on the same subnet.
    Does not work either, and I have no idea what is happening anymore.

Basically I mostly understand why the first two configurations do not work.
But I have no idea what the correct configuration could be, for something that seems like a basic feature of almost any modern router.
My replies to some of the questions below, since there were too many for comments:

Did you try connecting the WAN of NetGear to a LAN on the other router
and then disabling DHCP on NetGear and enabling "Guest mode"?

I think if I do that there will be no DHCP server left on the Wifi network.
The NetGear router does not bridge DHCP requests between LAN and WAN, so guest machines would not work unless their IP is configured manually.

The solution would be to reverse the routers, connect the WAN port of
the NetGear to the modem, and connect the other router's WAN to a LAN
on the NetGear.
[…]
Plug both routers into the modem (if possible – if you don't have
enough ports, put a switch in between).

Unfortunately the first router is the modem. I cannot exchange that one since it is configured by the provider.

Suggestion

You could try having one subnet with two DHCP servers, serving a
different range.

I tried that; basic connectivity does work, but I am a bit concerned what would happen if new computers get connected to the network. As far as I understand, they will randomly choose one of the two DHCP servers to get a lease from. The major killer however is that as soon as I enable guest mode it stops working again.

Best Answer

If you consider the LAN/WLAN side of the primary router (that is, the network segment(s) between the primary router and the secondary router) to be part of "the local network" that the Guest Network devices should not have access to, then a secondary router cannot provide Guest Network access only to the Internet without cooperation from the primary router.

The Guest Network's traffic to/from the Internet has to cross the same link between the two routers as local network traffic. But if you want it segregated from the local network, it has to be tunneled or tagged in some way that segregates it from the local network traffic. But if that traffic is segregated through, say, VLAN tagging or some kind of higher-layer tunneling, the primary router needs to know how to do the right thing with that traffic (that is, decapsulate it and send it only to the Internet, and not let it route back onto the LAN).

I don't know if any Netgear equipment has support for this kind of "Guest Network Extension" functionality, where the primary router acts as a VLAN-aware device or tunnel endpoint so that secondary routers can forward segregated Guest Network traffic to it.

I know that Apple AirPort Extreme/Express/Time Capsules as of firmware 7.6.3 support this. If you have an Apple AP as your primary router (in NAT mode), and have Guest Network enabled, and another Apple AP as your secondary "router" (actually in bridge mode, not really being a "router" per se), also with Guest Network enabled, then the secondary AP will forward Guest Network traffic toward the primary AP, but will VLAN tag it so it's segregated from local LAN traffic. The primary AP also subscribes to the same VLAN, and knows to forward traffic from that VLAN to the Internet, but not back onto the local LAN.
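The answer's point is that the primary router has to terminate the guest VLAN itself: decapsulate the tagged frames, hand guests their own DHCP lease, and forward that traffic only toward the Internet. The script below is an added example of what that cooperation looks like on a Linux-based primary router; it is not from the original answer and not a configuration of the NetGear or Apple devices mentioned. Interface names (lan0 as the trunk port toward the secondary AP, wan0 as the upstream link), VLAN id 10 and the 192.168.10.0/24 guest subnet are assumptions. By default it only prints the commands so the policy can be reviewed; run it with APPLY=1 as root to execute them.

```shell
#!/bin/sh
# Added example: primary router side of a VLAN-tagged guest network.
# Assumed names (not from the page): lan0 = trunk toward the secondary AP,
# wan0 = Internet uplink, VLAN 10 = guest, 192.168.10.0/24 = guest subnet.
set -eu

LAN_IF="${LAN_IF:-lan0}"
WAN_IF="${WAN_IF:-wan0}"
GUEST_VID="${GUEST_VID:-10}"
GUEST_IF="${LAN_IF}.${GUEST_VID}"      # lan0.10: tagged frames land here
GUEST_NET="${GUEST_NET:-192.168.10.0/24}"
GUEST_GW="${GUEST_GW:-192.168.10.1/24}"

# Print the commands unless APPLY=1, so the rule set can be reviewed
# (or tested) without root privileges.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

# 1. Terminate the guest VLAN on the primary router. Untagged frames on
#    lan0 remain the trusted LAN; frames tagged VID 10 appear on lan0.10,
#    which is a separate interface as far as routing and netfilter go.
guest_vlan_setup() {
    run ip link add link "$LAN_IF" name "$GUEST_IF" type vlan id "$GUEST_VID"
    run ip addr add "$GUEST_GW" dev "$GUEST_IF"
    run ip link set "$GUEST_IF" up
}

# 2. Forwarding policy: guest VLAN <-> Internet only. Both directions
#    between the guest VLAN and the untagged LAN are dropped explicitly,
#    so a guest client never reaches the LAN machines the asker wants hidden.
guest_fw_rules() {
    run iptables -A FORWARD -i "$GUEST_IF" -o "$LAN_IF" -j DROP
    run iptables -A FORWARD -i "$LAN_IF" -o "$GUEST_IF" -j DROP
    run iptables -A FORWARD -i "$GUEST_IF" -o "$WAN_IF" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$GUEST_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Guests are NATed behind the WAN address like the rest of the LAN.
    run iptables -t nat -A POSTROUTING -s "$GUEST_NET" -o "$WAN_IF" -j MASQUERADE
    # The router itself only offers DHCP and DNS on the guest interface.
    run iptables -A INPUT -i "$GUEST_IF" -p udp --dport 67 -j ACCEPT
    run iptables -A INPUT -i "$GUEST_IF" -p udp --dport 53 -j ACCEPT
    run iptables -A INPUT -i "$GUEST_IF" -j DROP
}

# 3. A DHCP server bound to the guest VLAN, which is what was missing in the
#    asker's "WAN port + DHCP disabled" attempt: guests get a lease from the
#    primary router without the secondary router bridging DHCP.
guest_dhcp_setup() {
    run dnsmasq --interface="$GUEST_IF" --bind-interfaces \
        --dhcp-range=192.168.10.50,192.168.10.150,12h
}

main() {
    guest_vlan_setup
    guest_fw_rules
    guest_dhcp_setup
}
main
```

The secondary AP must tag guest client frames with the same VLAN id on its uplink and leave trusted-LAN frames untagged; which consumer devices can do that is the open question in the answer. If the trusted LAN spans more than one interface on the primary router, each of them needs its own pair of DROP rules.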