Re: Wired Guest Network to WAP with Quantum Router
viafax999
Community Leader

@Capricorn1 wrote:

A guest on the 192.168.200.x network had better not be able to see anything on the 192.168.1.x network or that firewall has serious issues. The manufacturer should be forced to eat their device. In your setup, the purpose of the firewall on the second router is to prevent traffic originating from the 192.168.1.x subnet (that the second router considers to be the WAN) from ever being seen on the 192.168.200.x network (that the second router considers to be the LAN). The exception is traffic that is specifically destined for the guest network (with a destination address of 192.168.1.2 in my example) that is in response to a request that originated within the guest LAN. (e.g., a request for https://www.google.com from a web browser on a guest's laptop). The NAT firewall will block everything else. 


Users on the guest network will be able to see and use devices on the 192.168.1 subnet. The firewall for the G1100 router is on the WAN connection, so the 2nd router is behind the firewall.

Re: Wired Guest Network to WAP with Quantum Router
GuardianHope
Enthusiast - Level 3

@viafax999 wrote:

@Capricorn1 wrote:

A guest on the 192.168.200.x network had better not be able to see anything on the 192.168.1.x network or that firewall has serious issues. The manufacturer should be forced to eat their device. In your setup, the purpose of the firewall on the second router is to prevent traffic originating from the 192.168.1.x subnet (that the second router considers to be the WAN) from ever being seen on the 192.168.200.x network (that the second router considers to be the LAN). The exception is traffic that is specifically destined for the guest network (with a destination address of 192.168.1.2 in my example) that is in response to a request that originated within the guest LAN. (e.g., a request for https://www.google.com from a web browser on a guest's laptop). The NAT firewall will block everything else. 


Users on the guest network will be able to see and use devices on the 192.168.1 subnet. The firewall for the G1100 router is on the WAN connection, so the 2nd router is behind the firewall.


Ordinarily I'd say that this wouldn't happen, but with the Quantum Gateway (since it's been stupidly dumbed down for a device that could perform so much better if Verizon added an "Experienced Network Admin" mode to it and left the "dumbed down" version for the layman), unfortunately, if you do as proposed, the guest network and the private network will see each other. Heck, you can actually get a device on the guest network to quite literally connect to the "protected" private network and mount a drive.

Now, this isn't the fault of, for example, ASUS. I've tried this with NetGear and even Ubiquiti. The Quantum Gateway's support for VLANs is abysmal at best and completely disastrous at worst.

What you can do is insert a device like a Fortigate (or other firewall appliance) behind the Quantum Gateway and a switch to handle the multiple VLANs. Then plug in two different routers, one for the "private" network and one for the "guest" network. Add extenders as needed (even the new Verizon ones work very well, but ASUS would be my top choice).

If you try to do VLANs with the Quantum Gateway you'll be fighting with it until the end of eternity unless Verizon steps up and releases adequate firmware. Even the Actiontecs could handle VLANs.

Quick Edit - A device running pfSense would also be more than capable of doing what you need it to do. pfSense is free, but you'll need a device to run it on, which is why I proposed just buying a Fortigate device.

Re: Wired Guest Network to WAP with Quantum Router
GFVALVO
Enthusiast - Level 3

Guess until VLAN support becomes available (if ever), I'll continue with what I'm already doing to get the Guest WiFi to cover the area I need. I have the Guest WiFi enabled on the G1100 and a remote WiFi extender positioned where it can still get the signal and broadcast an extended SSID to the rest of the house.

It works, but is not elegant.

Re: Wired Guest Network to WAP with Quantum Router
Capricorn1
Community Leader

@viafax999 wrote:

@Capricorn1 wrote:

A guest on the 192.168.200.x network had better not be able to see anything on the 192.168.1.x network or that firewall has serious issues. The manufacturer should be forced to eat their device. In your setup, the purpose of the firewall on the second router is to prevent traffic originating from the 192.168.1.x subnet (that the second router considers to be the WAN) from ever being seen on the 192.168.200.x network (that the second router considers to be the LAN). The exception is traffic that is specifically destined for the guest network (with a destination address of 192.168.1.2 in my example) that is in response to a request that originated within the guest LAN. (e.g., a request for https://www.google.com from a web browser on a guest's laptop). The NAT firewall will block everything else. 


Users on the guest network will be able to see and use devices on the 192.168.1 subnet. The firewall for the G1100 router is on the WAN connection, so the 2nd router is behind the firewall.



The second router is also a firewall. It would be pretty trivial to put rules in place on that firewall to lock everything down to only allowing http and https out of the guest network.

If the devices on the 192.168.1.x network also have web servers built-in (many printers do, for example), that might take a bit more work.

Re: Wired Guest Network to WAP with Quantum Router
Capricorn1
Community Leader

@GuardianHope wrote:

@viafax999 wrote:

@Capricorn1 wrote:

A guest on the 192.168.200.x network had better not be able to see anything on the 192.168.1.x network or that firewall has serious issues. The manufacturer should be forced to eat their device. In your setup, the purpose of the firewall on the second router is to prevent traffic originating from the 192.168.1.x subnet (that the second router considers to be the WAN) from ever being seen on the 192.168.200.x network (that the second router considers to be the LAN). The exception is traffic that is specifically destined for the guest network (with a destination address of 192.168.1.2 in my example) that is in response to a request that originated within the guest LAN. (e.g., a request for https://www.google.com from a web browser on a guest's laptop). The NAT firewall will block everything else. 


Users on the guest network will be able to see and use devices on the 192.168.1 subnet. The firewall for the G1100 router is on the WAN connection, so the 2nd router is behind the firewall.


Ordinarily I'd say that this wouldn't happen, but with the Quantum Gateway (since it's been stupidly dumbed down for a device that could perform so much better if Verizon added an "Experienced Network Admin" mode to it and left the "dumbed down" version for the layman), unfortunately, if you do as proposed, the guest network and the private network will see each other. Heck, you can actually get a device on the guest network to quite literally connect to the "protected" private network and mount a drive.

Now, this isn't the fault of, for example, ASUS. I've tried this with NetGear and even Ubiquiti. The Quantum Gateway's support for VLANs is abysmal at best and completely disastrous at worst.

What you can do is insert a device like a Fortigate (or other firewall appliance) behind the Quantum Gateway and a switch to handle the multiple VLANs. Then plug in two different routers, one for the "private" network and one for the "guest" network. Add extenders as needed (even the new Verizon ones work very well, but ASUS would be my top choice).

If you try to do VLANs with the Quantum Gateway you'll be fighting with it until the end of eternity unless Verizon steps up and releases adequate firmware. Even the Actiontecs could handle VLANs.

Quick Edit - A device running pfSense would also be more than capable of doing what you need it to do. pfSense is free, but you'll need a device to run it on, which is why I proposed just buying a Fortigate device.


Years ago, I set up a game server behind a firewall/router within my (at that time fixed IP) network because I wanted to isolate it in case the game server was compromised. I used a simple Netgear router/firewall. The "game" network could not see or mount drives from the subnet in front of it. Nor did that work in the other direction. Even the cheap Netgear router/firewall will not route NetBIOS and RPC ports. Unless they've gotten a lot more lax, that should still be the case. I was able to trim it down to the four or so ports incoming and something along the same lines outgoing from the game network even with that little box. I think I paid around $80-$100 for it at the time.

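Capricorn1's two posts above (only http and https allowed out of the guest network, and the earlier game-server setup where a consumer router would not pass NetBIOS and RPC between the subnets) describe a stateful forward policy on the second router. The Python below is an added model of that policy for illustration; it is not configuration from the thread or from any vendor, and it assumes the G1100 sits at 192.168.1.1 and acts as the guest router's upstream DNS.

```python
import ipaddress
from dataclasses import dataclass

# Addressing as used in the thread; 192.168.1.1 for the G1100 itself is an assumption.
GUEST_LAN = ipaddress.ip_network("192.168.200.0/24")  # second router's LAN side
PRIVATE_LAN = ipaddress.ip_network("192.168.1.0/24")  # G1100 LAN = second router's WAN side
PRIVATE_GW = ipaddress.ip_address("192.168.1.1")      # assumed G1100 address, upstream DNS

# Only web browsing and DNS may leave the guest network (the "http and https out" rule).
ALLOWED_OUT = {("tcp", 80), ("tcp", 443), ("udp", 53)}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


class GuestRouterFirewall:
    """Stateful forward-path policy of the second (guest) router.

    NAT is left out of the model: flows are tracked by their pre-translation
    5-tuple, which is what a router's connection tracker does internally.
    """

    def __init__(self):
        self.established = set()  # 5-tuples of guest-originated flows we accepted

    def forward(self, p: Packet) -> str:
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        if src in GUEST_LAN:
            # Guest -> WAN side. The private subnet is off limits (no SMB, NetBIOS,
            # RPC, printers...), except DNS to the gateway.
            dns_to_gw = dst == PRIVATE_GW and (p.proto, p.dport) == ("udp", 53)
            if dst in PRIVATE_LAN and not dns_to_gw:
                return "drop"
            if (p.proto, p.dport) not in ALLOWED_OUT:
                return "drop"
            self.established.add((p.src, p.sport, p.dst, p.dport, p.proto))
            return "accept"
        # WAN side -> guest. Only replies to a flow the guest opened get through;
        # anything the private LAN or the internet initiates toward a guest is dropped.
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.established:
            return "accept"
        return "drop"
```

A guest's attempt to reach an SMB share on 192.168.1.x is dropped outright, while the reply to a guest's own HTTPS request is the only kind of WAN-side packet admitted.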
Re: Wired Guest Network to WAP with Quantum Router
GFVALVO
Enthusiast - Level 3

I’m thinking the best way to go may be to use a VLAN-aware Layer 2 switch to separate the Private and Guest networks. The Netgear GS108E is available from Amazon for less than $50. See attached drawing. The Private network ports on the switch would be assigned to one VLAN (blue) and its Guest network ports to another VLAN (red). One port would be assigned to both VLANs and connect to the G1100 router which would continue to provide DHCP and gateway services.

The only downside I see to this setup is that the G1100’s own WiFi should be disabled and its other Ethernet ports left unused, since they would be visible to both Private and Guest networks.

[Image: attached drawing of the switch and VLAN layout]
