How do I isolate WiFi on second router from LAN on first router while providing internet through first...
resources: Buffalo router with DD-WRT, new Comcast Xfi Gateway
connections: Alexa devices, Chinese big screen TVs, Android TV PCs, laptops, tablets, cell phones, PCs
objective: untrusted devices use WiFi on Buffalo for internet and isolated from LAN
My Buffalo router running DD-WRT was working well. For each of the two radios I had a VAP for guest use, isolated from the LAN. I decided to upgrade Comcast to the new Xfi Gateway for unlimited data and extra speed. The new modem/router combo works well, but of course is not as configurable. For instance, I cannot create a VAP. The unit provides an isolated "Home Hotspot", but a Comcast login is needed and anyone on the street can connect. I could use the Home Hotspot for untrusted devices, but those won't show up on my list of connections and I can't follow use.
I decided to connect my Buffalo without DHCP and use it for device isolation. Because I must connect the Buffalo with Ethernet, if I isolate, I cannot get to the main router for DHCP, gateway, and internet.
It seems the best thing to do is use either port or IP filtering on the Buffalo. On the Access Restrictions tab the only section is WAN Access. Though there is a place to block services by port number, I don't think that will apply to LAN access because the settings are in the WAN Access section. I need advice on how to do the port or IP filtering.
networking wireless-networking router wireless-router dd-wrt
You need a router that supports VLANs.
– DavidPostill♦
Jan 5 at 18:42
@DavidPostill I should be able to enter appropriate router commands such as IPTABLE, but these are complex, and I don't want to do that if there's a better way.
– subjectivist
Jan 5 at 18:51
I don't understand the question. Why don't you connect the WAN interface of the Buffalo to a LAN interface on the Comcast router (disabling WiFi on the Comcast router) and run everything through the Buffalo, using VAPs and network isolation there?
– davidgo
Jan 5 at 18:55
@davidgo The Xfi combo unit has a bridge mode. Documentation says that turns off WiFi and I assume the modem would then be available through one or both ethernet ports. I don't want to do that because the Xfi has better WiFi and whiz bang features are disabled such as getting notifications on my phone and using the phone app.
– subjectivist
Jan 5 at 19:16
I don't think AP Isolation does what you claim. Specifically, you should be able to get to the main router for Internet and gateway, provided the Buffalo router WAN port connects to the Xfi. I'm not sure this helps you, as it will put the traffic on the LAN side of the Xfi and allow access to resources. I expect you will need to resort to iptables rules to get your desired outcome. I do note that if you switch things around so your "trusted" network connects to your Buffalo and everything else connects to your Xfi it will have the desired effect...
– davidgo
Jan 5 at 19:56
asked Jan 5 at 18:38
subjectivist
1 Answer
What I want to do with the question is not possible for the model of Buffalo router. IPTABLE commands apply to routing, when I want to affect switching. It is not possible to filter IP addresses or ports within the LAN on the router. A router with VLAN capability is needed as mentioned in comments.
answered Jan 13 at 17:01
subjectivist
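The routed setup raised in davidgo's comments (Buffalo WAN port cabled to an Xfi LAN port, with the Buffalo in Gateway mode so guest traffic is routed and therefore passes through iptables), as an added example that is not part of the original thread. The bridge name `br0` and the upstream range `10.0.0.0/24` are assumptions; substitute the values from your own network.

```shell
#!/bin/sh
# Added example: emits DD-WRT firewall-script lines for a Buffalo in Gateway mode.
# Assumptions (not from the thread): guest bridge br0, upstream Xfi LAN 10.0.0.0/24.

# Return 0 only for a well-formed IPv4 CIDR such as 10.0.0.0/24.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; len=${1#*/}
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr            # split the address into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in '') return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the rules for review; pipe the output to sh on the router to apply them.
# Usage: isolation_rules GUEST_IF CIDR [CIDR...]
isolation_rules() {
    guest_if=$1
    [ $# -ge 2 ] || { echo "usage: isolation_rules IFACE CIDR..." >&2; return 1; }
    shift
    # The output is meant to be executed, so refuse anything that is not a plain name.
    case "$guest_if" in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface: $guest_if" >&2; return 1 ;;
    esac
    for cidr in "$@"; do
        valid_cidr "$cidr" || { echo "bad CIDR: $cidr" >&2; return 1; }
    done
    for cidr in "$@"; do
        # Delete first so re-running the firewall script never stacks duplicates.
        echo "iptables -D FORWARD -i $guest_if -d $cidr -j DROP 2>/dev/null"
        # -I puts the DROP ahead of the stock rule that forwards LAN to WAN.
        # Internet-bound packets carry public destination addresses, so they pass;
        # only packets addressed to hosts on the upstream LAN are discarded.
        echo "iptables -I FORWARD -i $guest_if -d $cidr -j DROP"
    done
}

# Dry run with the assumed defaults; override through the environment.
isolation_rules "${GUEST_IF:-br0}" "${UPSTREAM_LAN:-10.0.0.0/24}"
```

On DD-WRT the emitted lines go in the firewall script (Administration > Commands > Save Firewall). Guest clients must use the Buffalo itself as their DNS server, since a resolver address on the upstream LAN falls inside the blocked range.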