Hello everyone, I will soon be moving into a shared apartment and want to set up a private network for myself so that my tinkering with DNS servers and other networking stuff won’t interfere with the other residents. I believe I have a decent idea of how to go about this but I wanted to get some more feedback from the experts before ordering a router for this scenario.

My situation for my new setup is as follows:

  1. There is an existing network for the rest of the house to which I want to connect my own private network. From my understanding I can do this by setting up my router as a repeater and adding all my devices to a VLAN.
  2. There is no LAN socket which I can use for a wired connection so I will need to set up my router as a WiFi repeater.
  3. I want to be able to set up my own DNS server to be used by all devices in my private network. This is because I have a mediaserver which I access using my domain and I have a split-horizon DNS setup so that my traffic does not leave my home network just to come back in through my Cloudflare tunnel.

Based on a discussion I had with another user in the comment section of an unrelated post I believe the MikroTik hAP ax2 would be able to fulfill these needs and could also be reused as a simple access point in the future if I decide to upgrade.

I guess my question boils down to this: Am I misunderstanding the technological requirements (e.g. the requirement for the router to be able to setup a VLAN) and is there possibly a better device for my use case I don’t know about?

My previous networking experience is basically tinkering with the settings in a Fritzbox and setting up their proprietary mesh network in my old home. I have never worked with a managed switch or VLANs before so going the MikroTik route might be kind of a jump into the deep end of the pool for me.

I appreciate your help.

  • 9tr6gyp3@lemmy.world
    11 days ago

    Honestly, if you’re using your own router, you won’t need to worry about VLANs as long as your router separates your private network from the shared one.

    For example, if the shared network is 192.168.0.0/24, you can make your private network 192.168.5.0/24 and have your router’s firewall block incoming traffic from 192.168.0.0/24. Only allow WAN traffic out, and allow return traffic.

    Then have your router or connected server act as the authoritative DNS and DHCP servers for the 192.168.5.0/24 private network.

    One wireless AP will be used in client mode to connect to the 192.168.0.0/24 shared network. The other wireless AP will be used as an access point for other devices to connect to the 192.168.0.5/24 private network.

    • Scrath@lemmy.dbzer0.comOP
      11 days ago

      Ah that makes sense. I thought I needed the VLAN to separate my network out from the rest.

      I am a bit confused about your last paragraph though where you mention 2 APs. Do you mean my private AP and the AP used by the rest of the apartment or do you mean that I have to get 2 APs?

      • 9tr6gyp3@lemmy.world
        11 days ago

        You need VLANs if you want separate networks on the SAME router. But if you have separate routers, then you don’t need VLANs.

        You will need two wireless access points. If the router you mentioned has two wireless access points built in, then just set one to connect to the shared network, and the other will act as an AP for your private network. Then the router can be configured to send WAN traffic out of the shared network AP.

        If you use a router that only has a single AP built in, then you will need to purchase an additional AP to plug into one of your router’s LAN ports so that it has two total.

        Some routers might have the ability to create multiple wireless networks on one router, but be sure the hardware can handle the load. I know my Ubiquiti UDR can create up to 5 wireless networks on that single device before you run into performance issues.

  • owenfromcanada@lemmy.ca
    11 days ago

    I’m not an expert, but any time I’ve needed to do this, I set up my own router as a client to the parent router, and I set my router (client) as the DMZ in the parent router. Effectively you end up with two routers that are both (more or less) connected directly to the internet, without the two networks messing with each other. It’s also minimally invasive to the parent router (even old stock firmware has always had a DMZ option).

    The tricky part then is using the wireless connection as your “WAN port,” rather than a physical one. In which case, as long as you can install OpenWRT on it, you should be fine.

  • TexMexBazooka@lemm.ee
    11 days ago

    Hi, network engineer with a specialization in MikroTik, you’re on the right track.

    You would configure the router to use one radio as your WAN connection, then NAT your internal connection using a masquerade rule. Pretty simple setup.

    Some notable drawbacks for this dependent on model is that you will lose wireless speed as you will be using your wireless for upstream and downstream devices. This can be solved by using an AP on a different channel.

    Note that MikroTik gives you a lot of ways to cut off your hands, so use safe mode for everything.

    The specific topology you’re wanting to set up is something they teach you on day one at any MikroTik certification course.
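    A RouterOS configuration sketch of the design discussed in this thread (one radio as wireless client/WAN, masquerade NAT, a firewall that drops anything new arriving from the shared 192.168.0.0/24 network, and the router itself serving DHCP and split-horizon DNS for 192.168.5.0/24). This is an added example, not something posted in the thread; the interface names (wifi1, wifi2, bridge, taken as the hAP ax2 defaults on RouterOS v7 with the wifi package), the house SSID, the passphrase placeholder and the media server's name and LAN address are assumptions.

```routeros
# Added example, not from the thread. Assumed hAP ax2 defaults on RouterOS v7 with the
# wifi package: wifi1 = 5 GHz radio, wifi2 = 2.4 GHz radio, "bridge" holds wifi1, wifi2
# and ether2-ether5. Press Ctrl-X in the terminal first to enter safe mode, so a change
# that cuts your own session is rolled back automatically.

# 1. Uplink: take the 2.4 GHz radio out of the bridge, join the shared house Wi-Fi as a
#    client ("station") and get an address from the house router; this is the WAN side.
/interface bridge port remove [find interface=wifi2]
/interface wifi
set wifi2 configuration.mode=station configuration.ssid="HouseWifi" \
    security.authentication-types=wpa2-psk security.passphrase="<house-wifi-password>" \
    disabled=no
/ip dhcp-client add interface=wifi2 disabled=no

# 2. Private LAN on the bridge (5 GHz AP plus wired ports): 192.168.5.0/24 as suggested above,
#    with the router as gateway and DNS server for its clients.
/ip address add address=192.168.5.1/24 interface=bridge
/ip pool add name=private-pool ranges=192.168.5.10-192.168.5.200
/ip dhcp-server add name=private interface=bridge address-pool=private-pool disabled=no
/ip dhcp-server network add address=192.168.5.0/24 gateway=192.168.5.1 dns-server=192.168.5.1

# 3. Split-horizon DNS: the router answers queries from the private LAN (upstream resolvers
#    come from the DHCP client, use-peer-dns is on by default) and overrides the media
#    server's public name with its LAN address, so that traffic never leaves via the tunnel.
/ip dns set allow-remote-requests=yes
/ip dns static add name=media.example.org address=192.168.5.20 comment="assumed LAN IP of media server"

# 4. Masquerade everything leaving through the uplink behind the address the house network gave us.
/ip firewall nat add chain=srcnat out-interface=wifi2 action=masquerade

# 5. Firewall: replies may come back, nothing new may be initiated from the shared network,
#    and the shared network cannot reach the router's own services (DNS, WinBox, SSH).
#    Rule order matters: established/related is accepted before the interface-based drops.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=wifi2 action=drop comment="no access to router from 192.168.0.0/24"
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=wifi2 action=drop comment="no new connections from the shared net"
```

    With allow-remote-requests enabled the router is an open resolver on every interface, so the input drop on wifi2 is what keeps it from answering the shared network; check with `/ip firewall filter print stats` that the drop counters move when you probe from the house side.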

    • Scrath@lemmy.dbzer0.comOP
      11 days ago

      Thanks for the setup tips, especially about the masquerade rule and safe mode.

      I’m not too worried about the loss of speed since internet here in Germany is on average slower than 250 Mbps and anything data intensive like access to my Mediaserver should be handled over Ethernet anyway. If it does become an issue I can always throw a second AP at it I guess?

  • i_am_not_a_robot@discuss.tchncs.de
    11 days ago

    VLANs are lower than IP so you don’t need a router to have a VLAN, but you will need a router to get packets between the networks. I don’t think a WiFi repeater works. You likely need separate WiFi client and AP devices so you can put your WiFi on a different channel. Otherwise you’re probably halving your WiFi performance when connecting to the other network over the same airwaves.

    Unless you can convince the other network to route your IP addresses, this setup will give you another layer of NAT and may cause problems with online games.

  • IHawkMike@lemmy.world
    11 days ago

    The easiest way that doesn’t affect the main network would be to use a travel router. Its WAN IP would be the private IP it gets from the main network (over wireless since that’s your only option). And it would NAT your network onto that IP and then you can do whatever you want on your network.

    I’m not sure if that Mikrotik router will do this but it might. You basically need something that can connect to an SSID and use that interface as its WAN interface. The wireless factor here is really limiting your choices. If you had a wired uplink to the main network you could use any router/gateway/firewall you wanted. You could also use an AP in bridge mode to connect to the main network’s SSID and wire it to the WAN port of any router of your choice.

    You don’t really need to use VLANs to separate your network from the main network unless you want to share any of the same layer 2 segments (basically wired Ethernet) while keeping it isolated. But it doesn’t really sound like that applies in your scenario. Of course using VLANs within your network would still make sense if that applies (for example, to separate your server traffic from your IoT traffic).

    • Scrath@lemmy.dbzer0.comOP
      11 days ago

      Thanks. I wasn’t sure about the VLAN thing so that’s one of my main reasons for this post. I will probably buy a VLAN capable router anyway because I am pretty into home automation stuff and the ability to separate the IoT traffic and play around with networking a bit seems nice.