First time posting here, so please lmk if I should format this question differently or ask for this kind of help somewhere else.

What I’m trying to do: Have two WAPs that each have their own DNS servers. One of the DNS servers is a Pi-hole, and the other one is the regular DNS server provided by my ISP.

Why I’m trying to do this: Been messing around with homelab stuff for a while and been having fun with it, and this is my next mini project. I have a crummy Roku TV that I want to connect to a Pi-hole; problem is that I can’t adjust the DNS settings on the TV, I can only select the network it connects to. But I don’t want to change the primary DNS on my network. I have been messing around with this setup trying to get it to work for a couple of days and it’s been a tough one. I’ve tried multiple different setups and nothing has really worked. I’ll probably type out what I’ve tried in the comments.

What I have to work with: I have a Netgear Wifi router connected to the internet from my Modem to my WAN port and I have a second Asus Wifi router that I planned on using for the second network which would have its default DNS server be the Pi-hole.

Also please correct me if I’m using terms/concepts wrong because part of the wider goal of my homelab is to have a better conceptual understanding of networking, so I want to make sure what I’m saying is correct.

  • biscuitswalrus · 8 months ago

    Ok so you may need to translate a few things.

    Routers gateway networks. Networks are extended physically by Ethernet. The “ether” in Ethernet basically means “to the network, the medium doesn’t matter”; in days past that was coax, or whatever cabling you had, but today in a house it is almost exclusively fibre, WiFi, and Cat[5/6/7].

    Why does this matter? The router is the pivot between networks. Wireless access points are just part of the network.

    A wireless router is a device with two functions!

    Ok so how does a router work? When you buy a home grade router like an Asus or Netgear, you get a device which has a single routing statement “0.0.0.0/0 via connected interface WAN”. This works on almost everyone’s home network because they only have a single network.

    A local network doesn’t need a router to talk; you only need one when you need to talk to something on another network. Your devices automatically broadcast to every other device on connection or device start-up: “I’m [MAC address] with IP [IP], can you introduce yourself?” and everyone who is online responds back, not in broadcast, but unicast directly to that device with their MAC address. Your device stores that info in a MAC address table with timeouts. This applies to the router too; it knows all the IP addresses on the LAN interface.

    Ok now we want to add a second home network to segment IoT away from your highly personal devices with all your personal information. Good idea! To do that on any “fully fledged” router it’s super easy: you would connect a cable to LAN2, plan a second IP subnet, and connect a switch or AP to that. The router is now a router for network LAN1 and LAN2. If a device needs to get from LAN1 it goes “this IP isn’t in my subnet, therefore I will send it to the router”. It will have no idea if the device is online or offline; it just sends it blindly to the router. Your router gets that IP and now looks at its routing table, which now looks like this, for example:

    • 192.168.0.0/24 via connected interface LAN1
    • 192.168.1.0/24 via connected interface LAN2
    • 0.0.0.0/0 via connected interface WAN

    So now the router, which knows you tried to get to a device within LAN2 from LAN1, will check the MAC address table it has for LAN2 and see if there’s a MAC address it’s learned from that device connection. If it does, it sends the packet on unmodified. The packet has return address information saying who sent it, and the IoT device can talk back.

    Wonderful, that’s the simplest type of multi-LAN network you can create. There are no virtual LANs and everyone expects networks to mostly work this way. This exact principle is how the rest of the whole internet works: what networks are via what interface, and a traceroute will tell you the resulting path. A router doesn’t need to know the destination, just the next network.

    One last note on the background info: if you don’t want to set up everything with static IP addresses, you’ll set up a DHCP server which gives out IP details to devices via a lease system, and DNS settings can be included. You must have a DHCP service within a local network. That can be on the router on the LAN1 interface, and another DHCP server with different details on LAN2.

    To apply this to your problem, I think you’ll want to review the features of the two WiFi routers that you have. Many home routers do not support two discrete LAN interfaces. If they have 4 LAN ports they could already be configured as a “bridge”, which is to say they’re a switch. They’re all grouped together, all belonging to LAN1. Check to see if you can remove one from the bridge. BTW, the WiFi is usually part of this bridge too.

    If I had to guess the Asus router is likely more featured and more likely to have the ability to create a new network on a different interface.

    The simplest design will be to have your one router be the router for both networks. The other wireless router has the router function disabled and becomes a wireless access point connected to LAN2. The router will know all connected networks (WAN/LAN1/LAN2). You won’t even need to write in your own route.

    But if this is not possible, it is still possible to use NAT. Network address translation is a technology for a router to re-write the “return address” on every packet it sends. The return address becomes the router’s WAN interface IP. Your network already has NAT, because your LAN IP would send to an external network like “1.1.1.1” and if your return address was “192.168.0.2” then 1.1.1.1 wouldn’t know how to get back to you, since your IP is used on millions of home private networks. Instead your router uses NAT to keep a table of every single connection to the internet, waits for replies and redirects them back to the right device. It replaces the source address with your ISP-assigned public IP. So 1.1.1.1 could have got a return address of 12.23.34.45, your home internet IP.

    This can work on your home network, but there are limitations. 1.1.1.1 can’t randomly reach back out to the original device, ever. Only your device can ask 1.1.1.1. If 1.1.1.1 tried to reach back to your public IP, the router has no NAT entry for this and drops the connection.

    So let’s take the real possibility that you can’t set up two LAN interfaces on your home grade routers. What would you do? Instead you could have a second wireless router with NAT enabled (which it is by default). Your second wireless router could broadcast a different SSID, and its network IP subnet address should be different to your home network IP subnet address. So if your home is 192.168.0.0/24, your IoT could be 192.168.1.0/24. Its WAN interface should be set up static on an address that does not conflict with your DHCP scope. Or if it does, go to the DHCP server and reserve it. It should be an IP that doesn’t change and can’t accidentally be given to another device, thereby giving you IP conflicts.

    So then your IoT devices will now get that 192.168.1.2+ address and reach your IoT router to get out of their network. Now this does allow them to talk to your home network devices on 192.168.0.0/24. But the downside is that your home LAN devices by default can not talk to your IoT devices. This is kind of the reverse of what you want from a security perspective. To configure your IoT you’ll need to join the IoT WiFi. Why is this? If you, on your home network connected device on 192.168.0.1/24, try to go to the IoT network device on 192.168.1.0/24, then the home device first notes that the network is not local, so it will send the request to the configured gateway. Your home gateway has no idea where 192.168.1.0/24 is either. So it goes out to the 0.0.0.0/0 route, which is to your ISP’s router.

    I’m sure you’ll think: if this is backwards, why not flip my home network behind my second NAT router? And the answer is NAT isn’t free, and you’ll probably have heard of CGNAT, or carrier grade NAT, making a mess of games and services. Double NAT has problems too.

    So what about DHCP and DNS? The simple answer is the IoT router becomes a DHCP server and offers your IoT Pi-hole for DNS. Your home network shouldn’t need touching.

    There are ways to band-aid these two networks. If you know your home router has a proper route table, you can modify that. Remember you set up the IoT router with a static IP? Well, here’s why. If you set up a route statement “192.168.1.0/24 via IP 192.168.0.251” (whatever IP is the IoT router), then your home router can find and redirect traffic. This still occasionally has issues though: this routing statement can create a triangle route, which would take a long time to explain, and secondly a fix for that can be more NAT, more translation, so we can return communication the same way, but the branching possibilities are still not fully defined. An alternative fix is to add, on your local computer, a single routing statement to find 192.168.1.0/24 via 192.168.0.251 (or whatever IoT router IP you assigned).

    Now my suggestion: get a router which handles two local networks. Then your topology is pretty much the simplest, easiest to troubleshoot later, and avoids NAT.
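A small model of the two mechanisms the comment above walks through, longest-prefix route lookup and the NAT connection table, as an added example (not the commenter's code). The addresses are the ones used in the comment: 192.168.0.251 is the commenter's example IoT router address and 12.23.34.45 the example public IP.

```python
import ipaddress

# Added example, not from the post: models the route lookup a home router does
# (most specific matching prefix wins, 0.0.0.0/0 is the fallback) and the NAT
# table that only lets replies to connections the LAN side opened back in.

def lookup(routes, dst_ip):
    """Return the 'via' of the longest matching prefix in routes.
    routes is a list of (network, via) pairs, e.g. ("0.0.0.0/0", "WAN")."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for net, via in routes:
        n = ipaddress.ip_network(net)
        if dst in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, via)
    return best[1] if best else None

# Typical single-LAN consumer router: only LAN1 and the default route.
HOME_ROUTES = [("192.168.0.0/24", "LAN1"), ("0.0.0.0/0", "WAN")]

# The "band-aid" static route from the comment: the IoT subnet is reached
# through the IoT router's static WAN address on the home LAN.
HOME_ROUTES_PATCHED = HOME_ROUTES + [("192.168.1.0/24", "192.168.0.251")]

class NatRouter:
    """Source NAT: outbound packets get the WAN IP as return address plus a
    table entry; inbound packets with no matching entry are dropped."""
    def __init__(self, wan_ip):
        self.wan_ip = wan_ip
        self.table = {}        # (remote_ip, remote_port, wan_port) -> (lan_ip, lan_port)
        self.next_port = 40000  # constructed starting port for the example

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        wan_port = self.next_port
        self.next_port += 1
        self.table[(remote_ip, remote_port, wan_port)] = (lan_ip, lan_port)
        return (self.wan_ip, wan_port)  # the source as the remote host sees it

    def inbound(self, remote_ip, remote_port, wan_port):
        # LAN destination for a reply, or None when the packet is unsolicited.
        return self.table.get((remote_ip, remote_port, wan_port))

if __name__ == "__main__":
    print(lookup(HOME_ROUTES, "192.168.1.50"))          # WAN: sent blindly to the ISP
    print(lookup(HOME_ROUTES_PATCHED, "192.168.1.50"))  # 192.168.0.251
    nat = NatRouter("12.23.34.45")
    _, port = nat.outbound("192.168.1.2", 51000, "1.1.1.1", 53)
    print(nat.inbound("1.1.1.1", 53, port))             # ('192.168.1.2', 51000)
    print(nat.inbound("1.1.1.1", 53, port + 1))         # None: no entry, dropped
```

Without the extra route the home router hands 192.168.1.x traffic to the default route, exactly the failure the comment describes; with it, the next hop is the IoT router's static address.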