Setting up a private network in shared apartment

Submitted ⁨⁨1⁩ ⁨day⁩ ago⁩ by ⁨Scrath@lemmy.dbzer0.com⁩ to ⁨selfhosted@lemmy.world⁩

Hello everyone, I will soon be moving into a shared apartment and want to set up a private network for myself so that my tinkering with DNS servers and other networking stuff won’t interfere with the other residents. I believe I have a decent idea of how to go about this but I wanted to get some more feedback from the experts before ordering a router for this scenario.

My situation for my new setup is as follows:

There is an existing network for the rest of the house to which I want to connect my own private network. From my understanding I can do this by setting up my router as a repeater and adding all my devices to a VLAN.
There is no LAN socket which I can use for a wired connection so I will need to set up my router as a WiFi repeater.
I want to be able to set up my own DNS server to be used by all devices in my private network. This is because I have a mediaserver which I access using my domain and I have a split-horizon DNS setup so that my traffic does not leave my home network just to come back in through my cloudflare tunnel.

Based on a discussion I had with another user in the comment section of an unrelated post I believe the MikroTik hap ax2 would be able to fulfill these needs and could also be reused as a simple access point in the future if I decide to upgrade.

I guess my question boils down to this: Am I misunderstanding the technological requirements (e.g. the requirement for the router to be able to setup a VLAN) and is there possibly a better device for my use case I don’t know about?

My previous networking experience is basically tinkering with the settings in a Fritzbox and setting up their propietary mesh network in my old home. I have never worked with a managed switch or VLANs before so going the MikroTik route might be kind of a jump into the deep end of the pool for me.

I appreciate your help.

source

Comments

Sort:hotnew top

9tr6gyp3@lemmy.world ⁨1⁩ ⁨day⁩ ago
Honestly, if you’re using your own router, you won’t need to worry about VLANs as long as your router separates your private network from the shared one.

For example, if the shared network is 192.168.0.0/24, you can make your private network 192.168.5.0/24 and have your router’s firewall block incoming traffic from 192.168.0.0/24. Only allow WAN traffic out, and allow return traffic.

Then have your router or connected server act as the authoritative DNS and DHCP servers for the 192.168.5.0/24 private network.

One wireless AP will be used in client mode to connect to the 192.168.0.0/24 shared network. The other wireless AP will be used as an access point for other devices to connect to the 192.168.0.5/24 private network.

source
- Scrath@lemmy.dbzer0.com ⁨1⁩ ⁨day⁩ ago
  Ah that makes sense. I thought I needed the VLAN to separate my network out from the rest.
  
  I am a bit confused about your last paragraph though where you mention 2 APs. Do you mean my private AP and the AP used by the rest of the apartment or do you mean that I have to get 2 APs?
  
  source
  - 9tr6gyp3@lemmy.world ⁨1⁩ ⁨day⁩ ago
    You need VLANs if you want separate networks on the SAME router. But if you have separate routers, then you don’t need VLANs.
    
    You will need two wireless access points. If the router you mentioned has two wireless access points built in, then just set one to connect to the shared network, and the other will act as an AP for your private network. Then the router can be configured to send WAN traffic out of the shared network AP.
    
    If you use a router that only has a single AP built in, then you will need to purchase and additional AP to plug into one of your router’s LAN ports so that it has two total.
    
    source
    -> View More Comments
TexMexBazooka@lemm.ee ⁨1⁩ ⁨day⁩ ago
Hi, network engineer with a specialization in mikrotik, you’re on the right track.

You would configure the router to use one radio as your WAN connection, then NAT your internal connection using a masquerade rule. Pretty simple setup.

Some notable drawbacks for this dependent on model is that you will lose wireless speed as you will be using your wireless for upstream and downstream devices. This can be solved by using an AP on a different channel.

Note that mikrotik gives you a lot of ways to cut off your hands, so use safe mode for everything

source
- Scrath@lemmy.dbzer0.com ⁨1⁩ ⁨day⁩ ago
  Thanks for the setup tips, especially about the masquerade rule and safe mode.
  
  I’m not too worries about the loss of speed since internet here in germany is on average slower than 250mbps and anything data intensive like access to my Mediaserver should be handled over Ethernet anyway. If it does become an issue I can always throw a second AP at it I guess?
  
  source
  - TexMexBazooka@lemm.ee ⁨1⁩ ⁨day⁩ ago
    Yeah, a 2nd AP wired into the first router would eliminate any performance hit of having the router do both. Hard to say what the impact would be without testing though.
    
    source
owenfromcanada@lemmy.ca ⁨1⁩ ⁨day⁩ ago
I’m not an expert, but any time I’ve needed to do this, I set up my own router as a client to the parent router, and I set my router (client) as the DMZ in the parent router. Effectively you end up with two routers that are both (more or less) connected directly to the internet, without the two networks messing with each other. It’s also minimally invasive to the parent router (even old stock firmware has always had a DMZ option).

The tricky part then is using the wireless connection as your “WAN port,” rather than a physical one. In which case, as long as you can install OpenWRT on it, you should be fine.

source
- Scrath@lemmy.dbzer0.com ⁨1⁩ ⁨day⁩ ago
  I’ve heard about DMZ before but I never knew what it was. That will probably not be an option unfortunately. While I don’t know what router is currently used by the other residents I assume it will be either a FritzBox (which allow some configuration but are mostly idiot proof routers that are very popular here in germany) or a locked down router by the ISP. On neither case will I be able to configure a DMZ.
  
  Regarding the WAN port, I was planning to use the stock RouterOS from MikroTik but I believe that the router can be configured this way already without OpenWRT.
  
  source
IHawkMike@lemmy.world ⁨1⁩ ⁨day⁩ ago
The easiest way that doesn’t affect the main network would be to use a travel router. Its WAN IP would be the private IP it gets from the main network (over wireless since that’s your only option). And it would NAT your network onto that IP and then you can do whatever you want on your network.

I’m not sure if that Mikrotik router will do this but it might. You basically need something that can connect to an SSID and use that interface as its WAN interface. The wireless factor here is really limiting your choices. If you had a wired uplink to the main network you could use any router/gateway/firewall you wanted. You could also use an AP in bridge mode to connect to the main network’s SSID and wire it to the WAN port of any router of your choice.

You don’t really need to use VLANs to separate your network from the main network unless you want to share any of the same layer 2 segments (basically wired Ethernet) while keeping it isolated. But it doesn’t really sound like that applies in your scenario. Of course using VLANs within your network would still make sense if that applies (for example, to separate your server traffic from your IoT traffic).

source
- Scrath@lemmy.dbzer0.com ⁨1⁩ ⁨day⁩ ago
  Thanks. I wasn’t sure about the VLAN thing so that’s one of my main reasons for this post. I will probably buy a VLAN capable router anyway because I am pretty into home automation stuff and the ability to separate the IoT traffic and play around with networking a bit seems nice
  
  source
i_am_not_a_robot@discuss.tchncs.de ⁨1⁩ ⁨day⁩ ago
VLANs are lower than IP so you don’t need a router to have a VLAN, but you will need a router to get packets between the networks. I don’t think a WiFi repeater works. You likely need separate WiFi client and AP devices so you can put your WiFi on a different channel. Otherwise you’re probably halving your WiFi performance when connecting to the other network over the same airwaves.

Unless you can convince the other network to route your IP addresses, this setup will give you another layer of NAT and may cause problems with online games.

source
- Scrath@lemmy.dbzer0.com ⁨1⁩ ⁨day⁩ ago
  I read about the issue regarding the halved connection speed somewhere but I don’t believe that will be an issue. Considering the average internet speeds here in germany are below 250mbps I don’t expect to saturate the WiFi connection even with half speed. Anything data intensive like accesses to my mediaserver will primarily be over ethernet.
  
  source