Sometimes we want to split our home private network to two separate subnets, but want to maintain connectivity to the Internet/outside world. The following article tries to explain the basics and internals of most home WiFi routers in the market.
First, let see what are the basic components of a Wi-Fi router:
The following is an example of topology and connection of typical home network:
Now the tablet has a valid private address, now it can connect to the Internet via router-2. All requests from the tablet is network-translated to public address and vice-versa. So, if the public IP is a.b.c.d, tablet' IP address is 192.168.1.5 and it is requesting access to www.google.com (http www.google.com:80) from a local tcp port xxxx, the actual packet in the public wire is "a.b.c.d:yyyy", where xxxx is a the original tcp port and yyyy is the translated tcp port by NAT (router-2 maps local to public IP via port) [ Click this for more info about NAT/PAT mechanism].
OK, everything seems to work. Wait...what about all other devices connected to router-1? What happens if we want to watch Netflix on Roku?
When Roku device is turned on, it sends DHCP REQ similar to tablet above. The sequence is the same, but the difference is, because router-1 doesn't run DHCP server, all DHCP packets are forwarded to router-2. So, it is assigned an IP address in the same subnet (sorry, the diagram above is wrong, the subnet should be the same). When the Roku starts sending tcp packets, the packets not-intended to the private subnet and coming to router-1 are assumed to be forwarded to its gateway (router-2). Router-1 sees these packets coming from its DMZ and do the same translation to public IP.
An alternative is to subtend router-1 to router-2 directly, not via ethernet switch. The rest is the same.
First, let see what are the basic components of a Wi-Fi router:
The following is an example of topology and connection of typical home network:
Router-1: Linksys WRT-54G running DD-WRT firmware
Router-2: NETGEAR Genie WNDR3400v2
The cable modem (DOCSIS modem) is connected to cable provider thru coax cable and its main function is to modulate/demodulate DOCSIS signal to regular ethernet frames (it might bind multiple channels [channel bonding] to increase bandwidth). The cable provider assigns a public IP address to us to use. This single public IP cannot be shared if we don't use router.
Router-1 and Router-2 see packets coming from modem, but they don't know how to route them to our devices at home yet. Assume router-1 is the router that assigns DHCP IP address (running DHCP server), while DHCP server on router-1 is set to forwarder to router-2. Router-2 is chosen as the main router because it has more recent hardware, supports 11n Wi-fi and supports IPv6 (PS3 is actually better to be connected to router-2 to lower the latency).
Other clients such as as Ooma, Roku and PS3 don't support IPv6 yet, so it's Ok to connect them to Router-2.
On Router-1:
- Set DHCP to DHCP forwarder (forward DHCP requests) to router-2 IP address
- Set router IP address to 192.168.0.1/24
- Set DNS to either public DNS (such as Google: 8.8.8.8, opendns's IPs or our own local DNS server)
- Operation mode: router
- Set wireless to bridged mode (so router-1's wifi is like another L2 ethernet device in our private LAN)
- WAN type: Static IP. If it is set to DHCP and the WAN port of router-1 is connected to the ethernet bridge, DHCP server at the ISP site may deny the request or even worse, shutdown the connection completely (thus require modem reboot to fix the problem).
- Set WAN static IP to router-2 ip address. This way, we assume router-2 is the gateway and delegates NAT work to router-2 (that's why we set the operation mode of router-1 to "router")
Router-2:
- Enable AP mode
- Set router IP address to 192.168.1.1/24
- Internet IP: Get dynamically from ISP
- Set DMZ to Router-1
How it works:
A tablet is trying to connect to the Internet via router-2. All Wi-fi transactions have been done and now it sends DHCP request to router-2. If this is an initial request made to router-2, router-2 doesn't learn any IP yet so it first learns for the tablet's MAC. Because router-2 runs local dhcp server, it snoops any DHCP request and serves it. In this case, router-2 then assigns an address in the subnet 192.168.1.0/24 along with DNS addresses and gateway IP (in this case, an ISP-assigned IP address) back to the tablet as DHCP RESP packet.Now the tablet has a valid private address, now it can connect to the Internet via router-2. All requests from the tablet is network-translated to public address and vice-versa. So, if the public IP is a.b.c.d, tablet' IP address is 192.168.1.5 and it is requesting access to www.google.com (http www.google.com:80) from a local tcp port xxxx, the actual packet in the public wire is "a.b.c.d:yyyy", where xxxx is a the original tcp port and yyyy is the translated tcp port by NAT (router-2 maps local to public IP via port) [ Click this for more info about NAT/PAT mechanism].
OK, everything seems to work. Wait...what about all other devices connected to router-1? What happens if we want to watch Netflix on Roku?
When Roku device is turned on, it sends DHCP REQ similar to tablet above. The sequence is the same, but the difference is, because router-1 doesn't run DHCP server, all DHCP packets are forwarded to router-2. So, it is assigned an IP address in the same subnet (sorry, the diagram above is wrong, the subnet should be the same). When the Roku starts sending tcp packets, the packets not-intended to the private subnet and coming to router-1 are assumed to be forwarded to its gateway (router-2). Router-1 sees these packets coming from its DMZ and do the same translation to public IP.
An alternative is to subtend router-1 to router-2 directly, not via ethernet switch. The rest is the same.