Correct way to configure multiple routers in rental apartments for privacy / usability

2

I have a set of six vacation rental apartments in the same building that all share a common router in the main office that serves internet to all the apartments.

Each apartment has its own individual wireless router which is connected to the main router in the office via ethernet. Each individual router is configured as an AP and the main router in the office performs DHCP for the whole network. The system works okay with some problems:

  1. Devices connected to the same AP often can't see each other. For example AirDrop devices or internet games become unusable for my guests.

  2. Devices not connected to the same AP sometimes appear in all the apartments. For example a guest's PC appears in another guest's list of networked devices.

What I would prefer is that each apartment is "firewalled" from the other apartments so that guests cannot see one another's devices; but within each apartment, all local devices are reliably visible to each other.

The main router in the office is a Vodafone Station Revolution and the APs are little Intellinet devices.

What is the best way to configure my network to do what I want?


Edit: turns out the network is set up even stranger than I realized.

Internet arrives at the Vodafone Station Revolution. From here is connected a WNAP-6305 wireless gateway configured as a wireless AP that serves two of the apartments on two different SSIDs. From there are connected four of the Intellinet wireless APs each serving one apartment each.

I was able to resolve my privacy problem by enabling SSID isolation on all of the devices. So far this seems to solve that problem. However I still have the issue of devices often not being able to see one another within a single SSID.

Richard Lee

Posted 2019-08-18T13:59:08.320

Reputation: 31

An easy way is to turn on NAT on all apartment routers: This leads to double NAT towards the internet (normally not recommended), but will quickly isolate the router networks from each other. You can achieve the same with firewall settings, but then you need to know what you are doing. Also make sure all APs use a different frequency, and have a different SSID and password. – dirkt – 2019-08-18T15:44:35.023

And the passwords shouldn't be guessable by the users. Don't use passwords like "app1" & "appt2", although this doesn't matter for the SSIDs. – harrymc – 2019-08-18T16:29:58.087

@dirkt turns out the network is set up even stranger than I realized. Internet arrives at the Vodafone Station Revolution. From here is connected a WNAP-6305 wireless gateway configured as a wireless AP that serves two of the apartments on two different SSIDs. From there are connected four of the Intellinet wireless APs each serving one apartment each.

I was able to resolve my privacy problem by enabling SSID isolation on all of the devices. So far this seems to solve that problem. However I still have the issue of devices often not being able to see one another within a single SSID. – Richard Lee – 2019-08-19T16:09:51.013

This setup doesn't look particularly efficient, but that's a different problem. For the problem of devices not being able to see each other within a single SSID, the cause can only be the apartment AP. To narrow down the problem, it might help to list the exact circumstances under which that doesn't work, and if it's random or reproducible. E.g. AirDrop devices will use broadcast and mDNS, and it's possible you need to change something in the configuration of the AP to make it work. – dirkt – 2019-08-19T19:11:52.213

Answers

0

For problem 1 it would help to know the exact model of the Intellinet router. As it seems that the only router made by Intellinet is the Wireless 300N Dual-Band Router, I will assume that this is the case.

You should connect the Ethernet cable to the Intellinet WAN port and enable the DHCP function on each Intellinet. See this answer of mine for understanding LAN-to-WAN.

This will make every apartment into a separate network, and all devices should be better separated and should see each other.

Unless you physically isolate the apartments, every wireless device will show up on every wireless computer within range, as this is how it works (that does not mean that it can connect).

harrymc

Posted 2019-08-18T13:59:08.320

Reputation: 306 093

In point #2, the OP isn't talking about wireless devices being accessible in different suites due to WiFi penetrating the walls. He says, "For example a guest's PC appears in another guest's list of networked devices." So there's no need for "physical isolation of the apartments" (i.e. preventing WiFi from traversing the suites). If shared devices are visible to users on different APs over the network, then packets are being routed between the APs via Ethernet and the LAN ports on the router. VLANing would be the way to go; the six APs need to be segregated by the router. – Mr Ethernet – 2019-08-18T15:11:18.310

@wrecclesham: If they are visible because everything is currently one network with one central DHCP server, then subdividing the network as above will solve that problem. But it's a weird setup if this is so. In any case, wireless devices will still see each other across apartments. – harrymc – 2019-08-18T15:16:43.357

I think that's what's happening here for sure. That's why he's asking how he can carve it up into smaller, isolated networks. He's just plugged everything together at this point and is now realizing there's still a bit more work left to be done! – Mr Ethernet – 2019-08-18T15:27:56.500

0

It all depends on the type of routers you are using, or rather the features your routers are offering. (I assume all your devices are "internet routers" for end consumers and not "real routers").

If your main router (the one that is connected to your ISP) has VLAN capabilities you just need to configure the ports to the APs (your other "routers") properly so that they can talk with your ISP but not each other.

If your "main router" doesn't have VLAN, you can't use its DHCP function to give IP addresses to the end devices connected to the "sub routers". For this, you have to configure your sub routers as "routers" and not as "APs" and configure them as well as your main router correctly so each sub router has its own "private network". There are several solutions for this depending on the available features of your devices.

Albin

Posted 2019-08-18T13:59:08.320

Reputation: 3 983
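
An added example, not posted by anyone in this thread: a small Python check of the per-apartment layout the answers describe (each apartment router's WAN port on the office LAN, each running its own DHCP on a private LAN). The address ranges and apartment names are constructed assumptions; the last function models why mDNS/broadcast discovery such as AirDrop works inside one apartment's subnet but does not cross into another.

```python
import ipaddress
from itertools import combinations

# Constructed sample plan (assumption): the office LAN behind the main router,
# and one private LAN per apartment router whose WAN port sits on the office LAN.
OFFICE_LAN = ipaddress.ip_network("192.168.1.0/24")
APARTMENTS = {
    "apt1": {"wan": "192.168.1.11", "lan": "10.0.1.0/24"},
    "apt2": {"wan": "192.168.1.12", "lan": "10.0.2.0/24"},
    "apt3": {"wan": "192.168.1.13", "lan": "10.0.3.0/24"},
}

def validate_plan(office_lan, apartments):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    lans = {n: ipaddress.ip_network(c["lan"]) for n, c in apartments.items()}
    for name, cfg in apartments.items():
        if ipaddress.ip_address(cfg["wan"]) not in office_lan:
            problems.append(f"{name}: WAN {cfg['wan']} is outside the office LAN")
        # A router cannot route between WAN and LAN if both use the same range.
        if lans[name].overlaps(office_lan):
            problems.append(f"{name}: LAN {lans[name]} overlaps the office LAN")
    wans = [cfg["wan"] for cfg in apartments.values()]
    if len(set(wans)) != len(wans):
        problems.append("two apartment routers share a WAN address")
    # NAT does not require distinct apartment ranges, but distinct ranges keep
    # logs and troubleshooting unambiguous, so this plan insists on them.
    for (a, net_a), (b, net_b) in combinations(lans.items(), 2):
        if net_a.overlaps(net_b):
            problems.append(f"{a} and {b}: LAN ranges overlap")
    return problems

def segment_of(ip, office_lan=OFFICE_LAN, apartments=APARTMENTS):
    """Name the layer-2 segment an address belongs to, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, cfg in apartments.items():
        if addr in ipaddress.ip_network(cfg["lan"]):
            return name
    return "office" if addr in office_lan else None

def same_broadcast_domain(ip_a, ip_b):
    """mDNS and broadcast discovery only reach hosts on the same segment."""
    seg = segment_of(ip_a)
    return seg is not None and seg == segment_of(ip_b)
```

Note that in this layout the apartment routers' WAN interfaces still share the office LAN, so anything plugged directly into the main router remains reachable from inside the apartments unless the main router or the apartment routers filter it.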