Q&A: Can I use two routers to create a more secure guest network?

jetman

Jun 6, 2017
I have set up a guest network on my router which I use to connect to smart devices, an old Android phone I use for browsing and also looking at websites that are possibly insecure. I like to keep these activities separated from my main home network to reduce the chances of malware spreading.

Within the router's settings I have configured the guest network so that devices connected to it are unable to communicate with each other. I assume this helps to make it more secure.

However, I read somewhere that there is an even more secure way of creating a guest network using a second router. This configuration would apparently reduce the chances of a person's "main" router becoming hijacked or infected by malware (the main router being the one that your home network and everyday computers are running on).

Can anyone tell me how to achieve this and also whether it really would help to protect my primary router?
I have a spare router which my ISP provided and it still gets updates, so I might as well make use of it.
 

Lenny_Fox

Oct 1, 2019
Apply all best practices of router hardening (there is a guide on this forum also).

Most important (IMO) are to:
1. Install the latest patches of the router firmware (and of all devices when possible)
2. Enable all built-in security features
3. Use the longest pass phrase possible for your home network

Limit exposure of (and access to) your guest network (on which you host the weak devices):
1. Reduce the lease time of connected devices on your guest network to, say, 6 hours
2. Reduce the number of IPs which are available for DHCP/device allocation on your guest network (when you only have three devices, reduce it to 5 maximum)
3. Reduce the "up time" or "internet connection time" by assigning a parental control schedule to the devices on the guest network for the hours you use them

When you use two routers:
1. Allocate a different range of IP addresses in each router.
2. Block the IP addresses of the router with the weak devices on the guest network from the other router on your home network
3. Search for a network partitioning feature on the router with the weak devices and enable it (this will prevent clients on the network from communicating with each other)

Before getting my latest tri-band router I had an old 2.4 GHz router which I used for IoT devices and phones. I disabled the 2.4 GHz network on the modem/router of my ISP and only used the 5 GHz frequency of my ISP router. You don't need to bridge the router, just plug the old 2.4 GHz router into the first network cable port of your ISP router and you have two different network names on two different routers on two different frequencies. It is a cheap way to create a dual CPU/dual band solution with two relatively low range routers.

This won't prevent a hacker from getting in, but it makes it harder for script kiddies to sniff your network and find the pass phrase to access the network and/or router.
 
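Points 1 and 2 of the two-router list above, worked through as an added example that is not from this thread or from any router vendor: it checks that the two address ranges do not overlap, models the filter policy Router A (the home router) should apply to traffic that comes in from Router B's WAN port, and prints the equivalent iptables rules for a Router A that happens to run a Linux-based firmware (that, the addresses and the port numbers are all assumptions). The policy lets the guest side reach the Internet and the DHCP/DNS that Router A serves, and nothing else on the home LAN.

```python
import ipaddress

# Constructed addressing for the "Internet ---- Router A ---- Router B" layout
# (assumption, not from the thread). Router B's WAN port plugs into a LAN port
# of Router A and has a DHCP reservation there, so its address stays stable.
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")     # Router A LAN
GUEST_LAN = ipaddress.ip_network("192.168.2.0/24")    # Router B LAN (weak devices)
ROUTER_A_LAN_IP = ipaddress.ip_address("192.168.1.1")
ROUTER_B_WAN_IP = ipaddress.ip_address("192.168.1.2")
LOCAL_SERVICE_PORTS = {53, 67}   # DNS and DHCP that B's WAN side still needs from A


def ranges_are_distinct(net_a, net_b):
    """Point 1: the two routers must hand out non-overlapping address ranges."""
    return not ipaddress.ip_network(net_a).overlaps(ipaddress.ip_network(net_b))


def decide(src, dst, dport):
    """Point 2, evaluated on Router A for one flow (src -> dst:dport).

    Traffic from the guest side is sourced either from Router B's WAN address
    (B does NAT, the normal case) or from the guest subnet itself (B set up as
    a plain router). Either way it may reach the Internet and the DHCP/DNS that
    Router A provides, but nothing else on the home LAN and no other service
    (web admin, SSH) on Router A itself.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    from_guest = src == ROUTER_B_WAN_IP or src in GUEST_LAN
    if not from_guest:
        return "ACCEPT"
    if dst == ROUTER_A_LAN_IP:
        return "ACCEPT" if dport in LOCAL_SERVICE_PORTS else "DROP"
    if dst in HOME_LAN:
        return "DROP"
    return "ACCEPT"   # everything else is the Internet, which is what B is for


def iptables_rules():
    """The same policy as iptables commands for a Linux-based Router A
    (assumption). Order matters: the DNS/DHCP allow rules must precede the
    catch-all DROP on INPUT."""
    b = str(ROUTER_B_WAN_IP)
    lan = str(HOME_LAN)
    return [
        f"iptables -A INPUT -s {b} -p udp -m multiport --dports 53,67 -j ACCEPT",
        f"iptables -A INPUT -s {b} -p tcp --dport 53 -j ACCEPT",
        f"iptables -A INPUT -s {b} -j DROP",
        f"iptables -A FORWARD -s {b} -d {lan} -j DROP",
    ]


if __name__ == "__main__":
    print("ranges distinct:", ranges_are_distinct(HOME_LAN, GUEST_LAN))
    # Constructed flows: guest device -> home PC, -> router admin, -> Internet
    for flow in [("192.168.1.2", "192.168.1.10", 445),
                 ("192.168.1.2", "192.168.1.1", 443),
                 ("192.168.1.2", "192.168.1.1", 53),
                 ("192.168.1.2", "203.0.113.5", 443)]:
        print(flow, "->", decide(*flow))
    print("\n".join(iptables_rules()))
```

The FORWARD rule is the one that matters for the "block the weak router from the home network" step; the INPUT rules keep Router B from reaching Router A's own admin pages while still letting B's WAN port renew its lease and resolve names. If Router B is set up without NAT, add the same two DROP rules with `-s 192.168.2.0/24` as well.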

jetman

Jun 6, 2017
Let's say Router A connects to my main home network and Router B connects to less secure devices.
Which would be the most secure configuration?


Internet connection----Router A------Router B

or

Internet connection----Router B------Router A

Does it make any difference which way around they are connected?
The aim would be to try to protect Router A from malware as much as possible.
 

Lenny_Fox

Oct 1, 2019
The router with the less secure devices (B) last. My old router had an email function which could be triggered by events. So when you use DHCP reservation (based on MAC address, the devices are allocated dynamically to the same IP, to get the advantage of static IP allocation while using dynamic IP address allocation with DHCP) you could send yourself an email when a new IP is allocated on the network (and close down the router immediately).
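The "alert when a new IP is allocated" idea above, done as an added example rather than through a router's built-in email feature (this code is not from the thread or from any router firmware): it reads a dnsmasq-style lease file, the format many Linux-based routers write to `/var/lib/misc/dnsmasq.leases` (the assumption here is that Router B uses that format), compares every lease against the table of MAC addresses you deliberately reserved on the guest router, and reports any device that is not in the table or that ended up on an address other than its reservation. The lease lines and the reservation table are constructed.

```python
import time

# Constructed dnsmasq-style lease lines (not captured from a real router).
# Columns: expiry-epoch  MAC  IP  hostname  client-id
SAMPLE_LEASES = """\
1700000000 aa:bb:cc:00:00:01 192.168.2.10 smart-plug 01:aa:bb:cc:00:00:01
1700000100 aa:bb:cc:00:00:02 192.168.2.11 old-android *
1700000200 de:ad:be:ef:00:99 192.168.2.12 * *
"""

# Constructed reservation table: MAC -> the fixed address each known guest
# device should always receive (mirrors the DHCP reservations on Router B).
RESERVATIONS = {
    "aa:bb:cc:00:00:01": "192.168.2.10",
    "aa:bb:cc:00:00:02": "192.168.2.11",
}


def parse_leases(text):
    """Turn lease-file text into a list of dicts; malformed lines are skipped."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        leases.append({
            "expiry": int(parts[0]),
            "mac": parts[1].lower(),
            "ip": parts[2],
            "hostname": parts[3] if len(parts) > 3 else "*",
        })
    return leases


def find_unexpected(leases, reservations, now=None):
    """Return one alert string per lease that is still valid and either belongs
    to a MAC with no reservation or sits on an address other than its
    reservation. Expired leases are ignored so old entries do not re-alert."""
    now = time.time() if now is None else now
    alerts = []
    for lease in leases:
        if lease["expiry"] <= now:
            continue
        expected = reservations.get(lease["mac"])
        if expected is None:
            alerts.append(f"unknown device {lease['mac']} ({lease['hostname']}) "
                          f"was given {lease['ip']}")
        elif expected != lease["ip"]:
            alerts.append(f"{lease['mac']} reserved {expected} but leased {lease['ip']}")
    return alerts


def check_lease_file(path, reservations):
    """Read a real lease file and return its alerts; empty list means all quiet."""
    with open(path, encoding="utf-8") as fh:
        return find_unexpected(parse_leases(fh.read()), reservations)


if __name__ == "__main__":
    # Evaluate the sample at a fixed time so all three leases count as current.
    for alert in find_unexpected(parse_leases(SAMPLE_LEASES), RESERVATIONS, now=1699999000):
        print("ALERT:", alert)
```

Run it from cron on the router (or on a machine that can copy the lease file off it) and pipe any non-empty output into whatever notification you already use; with a short lease time, as suggested earlier in the thread, a stray device shows up within the hour rather than days later.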
 