
Ethernet port isolation on a Swisscom "internet box" router

Contributor pec
1 of 2

I want to create a guest wifi access point at a specific location in my home, but the only way to bring internet to this place is to connect a wifi access point to an ethernet cable that is itself connected to the Swisscom router.


To ensure guests connected to this wifi access point will not be able to explore my network, I want to isolate the specific router ethernet port used by the wifi access point.


How can I do that?


The wifi access point I'm using is a TL-WR702N, which can also be turned into a router; maybe that can help to find an alternative solution.


A small diagram of what I want to isolate (in red); the guest wifi (in pink) is already isolated by itself:


                  _______ ethernet cable _______ wifi access point ))) guest wifi
                 |
internet __ router  ))) guest wifi
                 |  ))) home wifi
                 |______ ethernet cables ________ computer / NAS / etc....



1 Comment
2 of 2

I found this on the net. Some may claim it's not terribly clean, but it's the best I've come up with.


Further to what's described here, you may have to tinker with the DHCP addresses assigned by the main router, but it should be fairly obvious.


I got it to work with a little trick, using nonstandard subnet masks:


The primary router's internal LAN is set to: Router IP: Mask: (so valid IPs in this subnet are in the range


The secondary router is connected through its WAN port to the primary. Its internal LAN configuration is set to: Router IP(secondary router): Mask: (== .10000000b) (so valid IPs in this subnet are in the range


Its WAN Configuration is set to: Gateway: (The primary router) Router IP: (The secondary router's outward-facing IP) Mask: (== .11111100b) (so valid IPs in this subnet are in the range (this was necessary since WAN and LAN may not have overlapping subnets


This way, the secondary router can access the primary router, and clients connected to the secondary router can also access the primary router, and through it the internet. But clients on the secondary router cannot access any clients on the primary router's subnet with IPs between and That IP range is not forwarded by the secondary router, since that is also the local subnet of the secondary.


So guest mode is no longer required on the secondary router, clients on the secondary simply cannot see clients on the primary, unless those clients have an IP greater than It would be even better if I could block all IPs lower than 248, but I do not think that is possible with subnet masks.


Enabling guest mode with wireless isolation will additionally prevent guest machines from connecting to other guest machines or the secondary router.


Nothing prevents guest machines from connecting to the primary router, since those requests are still forwarded by the secondary, but a good password should suffice for that case.
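
Added example, not part of the original posts: a Python model of the secondary router's forwarding decision under the two masks given in the answer above (255.255.255.128 on its LAN side, 255.255.255.252 on its WAN side), used to list which primary-LAN hosts guests can still reach. All addresses and host names are constructed assumptions; only the two masks come from the post.

```python
import ipaddress

# Constructed addressing (assumption); only the two masks are from the post.
PRIMARY_LAN = ipaddress.ip_network("192.168.1.0/255.255.255.0")
SECONDARY_LAN = ipaddress.ip_network("192.168.1.0/255.255.255.128")
SECONDARY_WAN = ipaddress.ip_network("192.168.1.252/255.255.255.252")

# Constructed inventory of devices on the primary router's LAN.
TRUSTED_HOSTS = {"nas": "192.168.1.20", "desktop": "192.168.1.35",
                 "printer": "192.168.1.150", "primary-router": "192.168.1.254"}


def secondary_decision(dst):
    """Routing decision the secondary router makes for a packet from a guest."""
    dst = ipaddress.ip_address(dst)
    if dst in SECONDARY_LAN:
        return "on-link LAN"      # treated as the guest segment, never sent out the WAN port
    if dst in SECONDARY_WAN:
        return "on-link WAN"      # delivered directly on the primary's wire
    return "default gateway"      # handed to the primary router


def guest_can_reach(dst):
    """True if a guest packet to dst leaves the secondary router's WAN port."""
    return secondary_decision(dst) != "on-link LAN"


def exposed_range():
    """First address, last address and count of primary-LAN hosts guests can reach."""
    hosts = [h for h in PRIMARY_LAN.hosts() if guest_can_reach(h)]
    return str(hosts[0]), str(hosts[-1]), len(hosts)


def audit(inventory):
    """Names of inventory devices whose address falls outside the hidden range."""
    return sorted(name for name, ip in inventory.items() if guest_can_reach(ip))


def wan_lan_overlap():
    """The secondary's WAN and LAN subnets must not overlap, as the post notes."""
    return SECONDARY_LAN.overlaps(SECONDARY_WAN)


if __name__ == "__main__":
    print("exposed primary-LAN range:", exposed_range())
    print("devices guests can reach:", audit(TRUSTED_HOSTS))
    print("WAN/LAN overlap:", wan_lan_overlap())
```

Any device that `audit` reports other than the primary router needs a static address or DHCP reservation in the lower half of the primary's range for the trick to hide it.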