Home setup with two routers (master/guest) behind modem

There is possibly an answer somewhere but I can't find it so please bear with me. A link is fine.

I have a cable modem and a master router behind it set up just fine with openwrt.
There is a managed netgear switch connected to the router and behind that switch a second router for guest access.

I would like to isolate the guest router.
I know I could do so by using a vlan on my master router but the guest router is connected to the switch and not to the master router.
It is in a vlan on the switch but that misses the point I guess since it can still route into the other vlan through the master router.

Thank you.

Is the guest router out of your control? I will assume it is, otherwise I do not see the issue here. I will also assume the master router is physically under your control.

In this case, I would configure the switch on the main router to separate one of the LAN ports into an isolated guest Network, and plug the guest router there. All VLAN configuration is done in the main router, and the guess router cannot connect to the other network, unless someone plugs it into a separate LAN port.

If you have a managed switch, you can do something similar, and reserve some port on the switch for the guess network.

You're right I don't have access to the guest router but access to the master and switch.
For technical reasons I can't connect the guest to the master directly only to the switch. I have only two ports to connect to in the master so I have to connect the master to the modem and with the second port to the switch. Otherwise you're right, wouldn't be an issue.

If I manage the second vlan on the managed switch the guest still gets an ip from the main router and is therefore on the same subnet. Would it be possible to somehow force the guest onto a different subnet and isolate it then?

You want the switch to send only tagged packets to the master router, then make the master router have two networks, and hook them up to tagged interfaces like eth1.3 and eth1.4 or whatever you choose for your LAN and guest tags.

1 Like

That is an interesting idea I haven't thought about yet. Let me see if I can get it to work. Thank you!