I want to connect 2 Wi-Fi routers to create 2 separate networks

I have a Linksys WR54GS router as my main router attached to the internet. I run a Bed & Breakfast and I give my guests free access to the internet via WiFi. My problem is, I also use that network for my business and personal computers and I am afraid that a tech savvy guest could hack into my files. I thought that if I connect a second WiFi router, I could set up a second network which my guests could use to access the web thru my main router.

Does anyone have a clue if this is possible?
 
It mostly depends on the company that is your internet provider... With their say-so, you can do it easily... just be sure the channels are widely different, and that you can control them through your client setups so the customer understands what and where.
 
protected subnets

I want to connect 2 WiFi routers to create 2 separate networks. Is it possible to isolate the systems from one another?
yes it's possible ...

Basically the subnet router#1 for shared usage is attached to the modem and the protected subnet router#2 attaches to router#1

Each router has one default route and no static routes which then forces all outbound traffic on router#1
to the modem and away from router#2. Without a route, subnet#1 can not access subnet#2


Code:
modem====(wan)router#1(lan#1)-----(wan)router#2(lan ports) - - - private systems
            |       192.168.1.1                192.168.2.1
            V
           shared access systems
You can use WiFi on either or both routers; just set different SSID, Channels, and encryption codes

When setting the config's (both of them), be sure to set a new password which will disallow Internet access to the settings!

Get router#1 running first and test Internet access, then move on to router#2

*Caution* Always change router configurations using ONLY a wired connection!

On router #1
  • set the router address specifically to 192.168.1.1
    which serves as a note as to which router you're connected to
  • set the DHCP range to 2-10
  • save the settings
  • now setup any wifi changes as applicable
  • and change the admin password
  • when you save this time, the router will restart and you WILL lose the connection

On router #2
  • set the router address specifically to 192.168.2.1
  • set the DHCP range again to 2-10
  • set the WAN side address to 192.168.1.100 (notice it's above router#1 item (b))
  • set the MASK to 255.255.255.0
  • set the gateway to 192.168.1.100
  • set the DNS to 192.168.1.100
  • save the settings (which likely will drop your connection due to the router address change)
    just reconnect and continue
  • setup the WiFi settings
  • change the admin password and save again

Test router#2 connections with the browser. Good results prove you're getting proper routing through router#1 AND that any DNS requests are being resolved.

Now test isolation; connect one system to both routers
from a system connected to router#2
ping 192.168.2.1 (must succeed)
ping 192.168.1.1 (should succeed)
ping 192.168.1.2 (should fail)
from a system connected to router#1
ping 192.168.1.1 (must succeed)
ping 192.168.1.2 (should succeed)
ping 192.168.2.1 (should fail)
ping 192.168.2.2 (should fail)
We can enhance the protection on all systems attached to router#2 with firewall rules, but let's deal with that later...
 

Hey Jobeard,

I joined this site just to be able to ask you a few questions to this post of yours. I printed it out and went to Bestbuy computer geeks today to collaborate regarding this post, but I still have a couple questions.

Like the guy who originally wrote about his Bed & Breakfast, I simply want to put my WiFi cameras onto the general shared router, and add a 2nd router to keep my own banking affairs private from the Chinese company (YI Technology) that provides the WiFi cameras which required my giving up the SSID and PW to my main router in order for me to be able to access the cameras on my smart phone. I've ordered an identical 2nd router (Asus rt-n66u) that I will receive in a couple days.

I follow most of the logic in your post, but can you answer these?:

1) Regarding router #2, you wrote: set the router address specifically to 192.168.2.1. Does this mean I am setting a static IP for this 2nd router, and I do so under the LAN tab?

2) Regarding the WAN, Gateway, and DNS of router #2, why is the last number "100" rather than just the single digit "1"?

3) When pinging, what is the difference between "must succeed" and "should succeed"?

4) On my system today (only 1 router presently), I pinged 192.168.1.1 and it succeeded, I believe, by this result:
Packets: Sent = 4, Received = 4, Lost = 0.

But when I pinged 192.168.1.2, I obtained:

Reply from 192.168.1.146: Destination host unreachable. (4 times), and
Packets: Sent = 4, Received = 4, Lost = 0.

So in this 2nd situation, no packets were lost, but it said Destination host unreachable.

What's the meaning of that?

Lastly, when I pinged 192.168.2.1, it failed as expected by the following response:

Request timed out.

Am I interpreting this 3rd ping correctly?
 
Hey Jobeard,
I follow most of the logic in your post, but can you answer these?:

1) Regarding router #2, you wrote: set the router address specifically to 192.168.2.1. Does this mean I am setting a static IP for this 2nd router, and I do so under the LAN tab?
Not quite. It's the general router setup, same page where you set Provide DHCP service
2) Regarding the WAN, Gateway, and DNS of router #2, why is the last number "100" rather than just the single digit "1"?
this is the Static address on #2 where #1 will ALWAYS find router number 2. Notice LAN slot on #1 -> WAN slot on #2; this makes router#2 visible to #1
3) When pinging, what is the difference between "must succeed" and "should succeed"?
I never worry on this, take the default
4) On my system today (only 1 router presently), I pinged 192.168.1.1 and it succeeded, I believe, by this result:
Packets: Sent = 4, Received = 4, Lost = 0.

But when I pinged 192.168.1.2, I obtained:

Reply from 192.168.1.146: Destination host unreachable. (4 times), and
Packets: Sent = 4, Received = 4, Lost = 0.

So in this 2nd situation, no packets were lost, but it said Destination host unreachable.

What's the meaning of that?
Lastly, when I pinged 192.168.2.1, it failed as expected by the following response:

Request timed out.

Am I interpreting this 3rd ping correctly?
it means everything on #2 is hidden from #1; aka a private subnet which can send out, but not receive unsolicited inputs from #1 and therefore not the internet either.

If you don't want router#2 to be private, then we need a Persistent Route to be added to router#1 to see all of router#2's devices
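
An added example, not part of any post in this thread: a Python check that classifies Windows ping output for the isolation test, so that the "Reply from ...: Destination host unreachable" result in question 4 is read as a failure even though the summary line reports Lost = 0. The transcripts are constructed from the output lines quoted above, the guest-side expectations are the router#1 list from the original instructions, and all function names are hypothetical.

```python
import re

# A genuine echo reply names the target and carries bytes/time/TTL fields.
ECHO_REPLY = re.compile(r"^Reply from (\S+): bytes=\d+ time[=<]\d+ms TTL=\d+", re.M)
# An ICMP error is also printed as "Reply from ...", usually by another node.
ICMP_ERROR = re.compile(r"^Reply from \S+: Destination \w+ unreachable", re.M)
TIMEOUT = re.compile(r"^Request timed out\.", re.M)
LOST = re.compile(r"Lost = (\d+)")


def classify(target, output):
    """Return 'reachable', 'unreachable', 'timeout' or 'unknown' for one ping run."""
    # Only an echo reply sent by the target itself proves the target was reached.
    if target in ECHO_REPLY.findall(output):
        return "reachable"
    if ICMP_ERROR.search(output):
        return "unreachable"
    if TIMEOUT.search(output):
        return "timeout"
    return "unknown"


def naive_success(output):
    """The misleading reading: trust the 'Lost = 0' summary line alone."""
    m = LOST.search(output)
    return bool(m) and m.group(1) == "0"


def isolation_failures(expected, captures):
    """Return the targets whose observed reachability contradicts the expectation."""
    failures = []
    for target, should_reach in expected.items():
        reached = classify(target, captures[target]) == "reachable"
        if reached != should_reach:
            failures.append(target)
    return failures


def capture(target, line, lost):
    """Build a constructed 4-probe transcript (sample data, not real output)."""
    body = "\n".join([line] * 4)
    return (f"Pinging {target} with 32 bytes of data:\n{body}\n\n"
            f"Ping statistics for {target}:\n"
            f"    Packets: Sent = 4, Received = {4 - lost}, Lost = {lost}")


# Constructed samples modelled on the three results quoted in the question.
OK_1_1 = capture("192.168.1.1", "Reply from 192.168.1.1: bytes=32 time=1ms TTL=64", 0)
UNREACH_1_2 = capture("192.168.1.2",
                      "Reply from 192.168.1.146: Destination host unreachable.", 0)
TIMEOUT_2_1 = capture("192.168.2.1", "Request timed out.", 4)

# Guest side (a PC on router#1): the private subnet must not answer.
GUEST_EXPECTED = {"192.168.1.1": True, "192.168.2.1": False, "192.168.2.2": False}
GUEST_CAPTURES = {
    "192.168.1.1": OK_1_1,
    "192.168.2.1": TIMEOUT_2_1,
    "192.168.2.2": capture("192.168.2.2", "Request timed out.", 4),
}

if __name__ == "__main__":
    print("192.168.1.2 summary says success:", naive_success(UNREACH_1_2))
    print("192.168.1.2 actual result:", classify("192.168.1.2", UNREACH_1_2))
    print("isolation failures:", isolation_failures(GUEST_EXPECTED, GUEST_CAPTURES))
```

The "Destination host unreachable" lines come from 192.168.1.146, the pinging PC's own address, which is why they are counted as received without the target ever answering.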
 
It seems to me you did not answer my question #2. I'm specifically asking why the number 100 is used rather than 1.

If the 2nd router's WAN, Gateway, and DNS ended in 1 (rather than 100), then both routers would have identical addresses and be able to communicate.

But you have the last numbers on the WAN, Gateway, and DNS as 100 (99 greater than 1).

That's what I do not understand. Why 100?


Also, I just got told by a person I was discussing this with that I need to call my ISP and see if they allow a 2nd router to be connected. Does this sound like something that a cable internet company would prevent?
 
Also, I just got told by a person I was discussing this with that I need to call my ISP and see if they allow a 2nd router to be connected. Does this sound like something that a cable internet company would prevent?
They can't tell it exists
It seems to me you did not answer my question #2. I'm specifically asking why the number 100 is used rather than 1.

If the 2nd router's WAN, Gateway, and DNS ended in 1 (rather than 100), then both routers would have identical addresses and be able to communicate.

But you have the last numbers on the WAN, Gateway, and DNS as 100 (99 greater than 1).

That's what I do not understand. Why 100?
yes it did answer.
Inside router#1, x.100 is just a device on the same subnet as router number 1. From inside router#2, the gateway address x.x.2.1 connects to the x.100 on the other router. Chose 100 to be sure it didn't conflict with any DHCP assignments starting from 2--up
 
Forgive me, I'm really an amateur with routers. Just to be clear, the address 192.168.1.100 is not codified anywhere inside router #1, right? It's just that router #1 will be able to see that specific device address in router #2 due to the way these things work given the respective codes you wrote initially. Yes? 192.168.1.1 is not equal to 192.168.1.100, but the router #1 will be able to see 192.168.1.100. Right? lol

Thanks so much for all your time. I'm getting excited about setting this up tomorrow evening after the 2nd router arrives. :)
 
Correct. There are other choices, but start here and we'll deal with your needs as we go.
 
Working! Thanks Jobeard.

I left the automatic DHCP numbers as router #2 selected which were from 2 to 254, rather than 2 to 10. It seems to be working fine with those numbers.

And the 2nd router objected to my setting the WAN IP to be 192.168.1.100, but I chose an option to ignore that display page, and forced an accept. When I did all the pinging on both machines, I got the results you said they should be.

So both routers and their WiFi's are working and the 2nd is now hidden from the 1st. I've now reconnected & reassigned (everything with all new passwords) the WiFi cameras I bought for router #1 and they are working just fine, too.

Thanks again.
 
You should be able to ping router#2 but NOTHING attached to it - - that's what makes it PRIVATE.

If in router #1 you access Attached Devices, you can use the MAC of router#2 to create an Address Reservation for the x.100 address. WHY? You may wish to Port Forward from the Internet->Router#1->router#2->something attached there
 
Couple follow-up questions:

1) IF we wanted to, could we have chosen any type of number for the 3rd set, so rather than "2" we might have used a "3", I.e. 192.168.3.1, or even 192.168.250.1? In fact, could we just make up a number for the whole thing? Does it have to start with 192 for the IP of the 2nd router?

2) It was suggested to me to turn off the radio broadcast for greater security, and when I did that the router did become hidden but the devices that were hooked up via WiFI stopped working. I experimented with reconnecting them to the "hidden" network, but they still did not function. Message "Out of range" was displayed.

Is it possible to turn off the radio but still maintain connection with devices that use that WiFi? Seems like a silly feature if by turning off the radio nothing works any longer.
 
Couple follow-up questions:

1) IF we wanted to, could we have chosen any type of number for the 3rd set, so rather than "2" we might have used a "3", I.e. 192.168.3.1, or even 192.168.250.1? In fact, could we just make up a number for the whole thing? Does it have to start with 192 for the IP of the 2nd router?
Yes, you can have several down stream routers attached to router#1 as long as there are slots for the connection.
All LAN addresses must be within one of these:

  • 192.168.0.1 - 192.168.255.255
  • 172.16.0.1 - 172.31.255.255
  • 10.0.0.1 - 10.255.255.255
2) It was suggested to me to turn off the radio broadcast for greater security, and when I did that the router did become hidden but the devices that were hooked up via WiFI stopped working. I experimented with reconnecting them to the "hidden" network, but they still did not function. Message "Out of range" was displayed.

Is it possible to turn off the radio but still maintain connection with devices that use that WiFi? Seems like a silly feature if by turning off the radio nothing works any longer.
hmm; THAT SHOULD HAVE WORKED - - suggesting you need to update the router firmware.
1) Make sure you are disabling BROADCASTING and not disabling wifi altogether.
2) Personally, I let it broadcast so I don't have to manually reconnect all devices every time. Just be sure to use a good passphrase as your wifi key and DO NOT use WEP.
 
Jobeard,

I was mistaken. Things were not setup the way you told me. When I reexamined router #2 tonight, the WAN IP information reverted back to "Automatic IP".

In order to set the WAN IP with the values you suggested, from the dropdown box I selected "Static IP", which then produced the following fields (and I typed the values you had told me):
IP address: 192.168.1.100
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.1.100
and
DNS Server1: 192.168.1.100
DNS Server2: (left blank)

Those fields disappear when "Automatic IP" is selected from the dropdown box for WAN.

The router would not allow the Gateway to have the same value as the WAN IP address (the error message stated that), so it kept reverting back to Automatic IP.

When I incremented the Default Gateway by 1 to 192.168.1.101, well then the router would allow me to save my settings, but then I lost internet access. I put it back to "Automatic IP" for the WAN, and regained internet access.

When I pinged the system yesterday, it was using the Automatic IP on router #2 (for the WAN), and getting the results we were looking for.

The LAN IP remains 192.168.2.1

So what's going on now using WAN Automatic IP on the 2nd router?
 
Use whatever pleases you.
The RIGHT way to connect #1->#2 is
1) find the MAC address of the #2 WAN
2) in #1, use address reservation on that MAC to set 192.168.1.100
3) remove any manual settings in #2
4) set the #2 router address to 192.168.2.1
 
Hi, I know this chat is kinda old but I happened to chance upon this yesterday.

I'm looking to separate my IoT devices on Router 1 and other important devices on Router 2 and yet I can connect to the internet from Router 2. Also, I can still access devices on Router 1 with device on Router 2.

Does the above mention work?

Can I use subnetting instead? Is it similar to the above setup?

My idea of subnetting is set Router 1 to 192.168.0.10 with subnet mask of 255.255.255.128 and Router 2 to 192.168.0.254 with subnet mask of 255.255.255.128.

Also, using M.A.C. address to set reserved IP for the devices I want them to be with Router 2. Will those devices be able to access internet? Or do I need to set them on Router 1 instead?
 
The first scenario would be exactly the same as specified in this post. It depends what you are trying to achieve and what routers you have. For example, a simpler way to segment networks instead of subnetting would be to incorporate VLANs in your network.

Also, currently with the mentioned subnetting setup, just be aware of the default gateway setup on both routers, also be aware of the subnet mask specified and ensure that default gateway is only specified on Router 1.

Router 1 and its devices require a default gateway as it's the "door" in your network to the internet. If Router 2 doesn't have a route which specifies router 1's subnet being 192.168.1.0-127, for obvious reasons it won't be able to access those.
 
Thanks for replying. I'm currently using Dlink DIR895L for Router 1 and DIR880L for Router 2.

I found this VLan setup page in the Router. Is this the one you mention as I'm new to this. I'm not sure how to configure using this but it looks like hardware configuration.

About subnetting that you mention a specific route for Router 2 so that it can access Internet via Router 1, is it that the default gateway and Pri DNS Server for Router 2 I used Router 1's ip address? Or is it as you mention before, set Static ip for Router 2 in Router 1 and keep all the Gateway & DNS Server in Router 2 WAN blank?
 
Router 2 can't have a default gateway in the router 1 subnet without a static route specifying a next hop IP address which resides on that network (this would be the uplink from R2-R1). Simply put, if you use the subnetting that you've provided, only R1 will have network connectivity and R2 won't. If you don't specify a default gateway on R2, that's enough. From R1, if you want devices to at least be able to connect to the R2 devices, specify a default route 192.168.1.128 255.255.255.128 "R2s uplink IP" and you should be good to go.

As for VLANs, the router that you have seems limited; however, the gist if you don't want R2 to have internet would be to set up R1 on VLAN 2 and R2 on V3. If no trunk is set up on the interface bridge they won't be able to speak vice versa. However, I don't quite know how to implement these on those models.
 
Greetings all,

First, thank you for the informative thread and discussion here. It has been invaluable and has validated some of my understanding around this scenario/space.

In my case, I was actually able to get everything exactly as desired by simply plugging in the subnet router into the primary network. From there, I was able to ping IP addresses in the primary network from the subnet but not vice versa. This is exactly what I had/have in mind.

However, the only issue that remains now that I am battling with is that I cannot ping by hostname into the primary network from the subnet. I can ping primary devices in the primary network from the subnet by IP address, but I cannot ping by hostname. For instance, I cannot setup a printer in the subnet by default resolution, but if I add by IP address it works as expected.

Is there something obvious I am overlooking here? Is it even possible to configure this or am I SOL?

Again, everything works exactly as expected but I cannot ping devices in the primary network by hostname (but can by IP address).

Thanks for any assistance you can provide!
 
What you're looking for here is your DNS server configured locally or your hosts file.

If you have 8.8.8.8 as DNS, locally you can't ping a local hostname as public DNS doesn't record private records for obvious reasons.
Either set a static A record entry in your DNS server or edit the hosts file in system32 with the hostname and address you need.
On mobile, bad formatting, will update later.
 
Thank you for the pointer @MattS. Formatting is not important, only the information. :)

I should mention this is a basic home setup, so no DNS server. The hostnames are being resolved by the DHCP server on the primary network, I believe. Or NETBIOS. Maybe it's a Windows thing?

As a worst-case scenario I am planning on setting the printer and media server to static IPs and then updating my local HOSTS to point to those, but I would prefer things to work by magic if possible. I was hoping there would be a "use the DHCP table in the subnet but if not, then use primary DHCP table" setting somewhere.
 