Resolved Question

Connecting Shop to Home Network

Jul 17, 2017 7:54AM PDT

I'm trying to help a friend set up their shop back behind his friend's house with internet. Currently his friend's home has internet and he has a shop building about 100 or so feet behind the house that he's renting out to my friend. He already ran a network cable in conduit in the ground from his friend's house to the shop.

There is cable internet coming into the house and has a cable modem and router set up already for home internet. He would like to be able to keep shop separate or on its own network so the shop can't see the house network and the house can't see the shop (for the most part or at least with a password or something).

I'm no pro but know more than my friend and before he called me he got hooked up with a Mikrotik CRS112-8G-4S-IN Router and a Unifi Access Point Pro. I believe he was sold the Access Point because he told the guy he wanted wireless in the shop and the Mikrotik has a built in switch for some other wire runs he's done in the shop but is he going to be able to lock down the shop network from the house network? The Mikrotik router doesn't have a WAN port but doesn't seem like it would need it seeing it will be going through the house router for NAT anyway.

Does it sound like this setup will work or is there a better way to do this?

duece7 has chosen the best answer to their question.

Best Answer

In closing.
Jul 17, 2017 11:30AM PDT

Maybe I messed up by sharing my cheap solutions.

You have your router and you have the access point that apparently has 2 ports as well. One for the connection to the router and the other for other use.

If you need more wire ports, a simple off the shelf router setup with the usual Google this "How to use a router as a WAP" would be all I need to finish the job.

Answer
Since you already have the router
Jul 17, 2017 8:08AM PDT

A WAP (wireless access point) and more ports sounds great. By the way, any old router can do this as well. Google this: How to use a router as a WAP.

About the network isolation, this can be problematic since you have a LAN and installing a second router makes a DOUBLE NAT which is unsupportable (too many things break.)

Look at the devices and see if they have the GUEST NETWORK feature. That will give you a firewall from those WiFi devices to the LAN but not the internet. Can create trouble for those that want to print on a network printer.

More info...
Jul 17, 2017 8:13AM PDT

Sorry, I haven't been out to his shop yet and it sounds like his friend does not have a router in the house, only the cable modem supplied by the ISP. So I'm wondering now if we can just set up the Mikrotik router/switch in his friend's house and get a small switch for the shop for the 3 or 4 wired runs he has in there? I think the Mikrotik router/switch would be overkill now seeing that thing has 8 ports and we'd only be using 2. Sounds like his friend only has the one computer in the house that needs a connection and then the wire run out to the shop.

So we can do it so there is only one router but would we be able to isolate the shop....for the most part. My friend's buddy is not a networking genius by any means so I'm not too worried about him hacking simple password setups or things like that.

All wired means trouble for isolation.
Jul 17, 2017 8:26AM PDT

You are looking for a router that can firewall off the Ethernet ports (rare) or setting up a server like SQUID (not hard for those that install a lot of networks.)

Frankly I'm cheap and would install a router in the home then a router with the Guest network WiFi capability in the remote location rather than deal with a prolonged search and expense of a router with Ethernet firewall capability.

You can find more discussions on this.
Jul 17, 2017 8:30AM PDT
Current equipment useful?
Jul 17, 2017 8:58AM PDT

Considering neither of the parties have any clue about their setup other than they can get on the internet it sounds like going cheaper is the option. Not to mention it's not like they are building widgets for a top secret government operation in the shop. He just didn't want his buddy to be able to access the computers in the shop to see financial or any other information on the computers.

So a router in the house and a router in the shop. Are either of the two pieces he's already purchased useful or should we resell those (can't return them) and simply pick up a couple Linksys routers or something from Walmart and do it to it? I can set the second router in the shop to bridge mode that's easy enough and enable the guest network and probably setting up the computers in the shop with passwords (Windows account passwords) is probably enough security for these guys?

Sorry no. I wrote router in the home and WAP in the shop.
Jul 17, 2017 9:06AM PDT

I defer to others when folk set up a double NAT. Why should I go near that tar pit?

As to the access to the computers over the network, if you don't share files, it's not shared and no need to go down the VLAN money pit.

And finally, since the current equipment is not listed, I can't answer.

See original post
Jul 17, 2017 9:14AM PDT

The 2 pieces of equipment are listed in the original post, the Mikrotik router and the Unifi Access point. It sounds like the Access point is useless at this point as long as we purchase a second wireless router for the shop. I'm guessing we could put the Mikrotik router in the home and then bridge the second wireless router (need to purchase this one still) in the shop. I can't simply turn off file sharing because I would need the computers in the shop to be able to share and or print over that part of the network.

I read another post about putting the "2nd network" in its own subnet but can I still do this if I turn DHCP off on the second router?

Given the discussion I
Jul 17, 2017 9:18AM PDT

I was under the impression this gear did not work to everyone's satisfaction or cost too much.

As to putting the 2nd network on its own subnet that would be a configuration I would not advise or support.

Go with configurations that are well known and are supported. Some folk get upset I won't support troublesome configurations.

Don't need troublesome configurations
Jul 17, 2017 9:24AM PDT

Hey you won't get any complaints here. I don't need troublesome or to be called out to his shop every time they jack something up. I want to simply keep the dude's internet going at his house while giving my buddy an internet connection for his shop and not having a big Welcome sign saying come look at all my files on the shop computers.

If I enable the guest account on the second (in shop router) will that work for the wired connections as well or will they just immediately connect through because they are wired?

It's very simple about the files.
Jul 17, 2017 9:29AM PDT

Don't share the folder and files and that's it. You can't get to them from other PCs on the network.

To me that's case closed.

-> About the Guest network, that's too easy for WiFi. Just pick a router that has that feature and well, if they are everyday users they never shared the files, this was not necessary.

For wired it gets complicated fast. You need a router with VLAN capability (did you check your models so far?) but again my bet is the folder/files are not shared so we are working too hard.

Post was last edited on July 17, 2017 9:30 AM PDT

Maybe either wide open or just too complicated?
Jul 17, 2017 9:38AM PDT

So that's where the rub is. The computers in the shop I believe need to be able to share. If there is a sketch or wiring diagram on one computer, they would like to be able to open that diagram up on one of the other computers. But I can probably just share certain folders and then only give certain users access to that folder. Come to think of it, why not just set up all the Shop computers on its own workgroup and the computer in the house won't be able to see them?

If he already has the Unifi Access Point Pro then could we just purchase a cheap switch and plug the access point into the switch along with the 3 or 4 other computers?

Here's the thing that confuses some.
Jul 17, 2017 9:49AM PDT

Since sharing can be password protected or only some workgroup etc. some get upset that the share shows up. Showing does not mean there is access and I've seen new networkers plow into the wall trying VLANs and more.

It's your choice how deep to dig here. Why complicate this when we could be done with the native tools?
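An added example, not part of any post in this thread: a small check, run from the house PC, of whether the shop machines answer on the Windows file and printer sharing ports at all. An open port only shows the machine is reachable over the network (share permissions still decide who can read files), which is the network-level isolation the original question asks about. The addresses and the port list are assumptions made for the example.

```python
import socket
import sys

# Ports behind Windows file and printer sharing, plus raw printing (assumed list).
SHARING_PORTS = {139: "NetBIOS session", 445: "SMB", 9100: "raw print"}

def port_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port completes in time."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unroutable
        return False

def audit(hosts, ports=SHARING_PORTS, timeout=1.0, probe=port_open):
    """Map each host that answers to the list of sharing ports it exposes."""
    exposed = {}
    for host in hosts:
        found = [p for p in sorted(ports) if probe(host, p, timeout)]
        if found:
            exposed[host] = found
    return exposed

def verdict(exposed, ports=SHARING_PORTS):
    """Summarise the audit: isolation holds only if nothing answered."""
    if not exposed:
        return ["ISOLATED: no sharing port reachable from this side"]
    return [f"REACHABLE {h}: " + ", ".join(f"{p} ({ports[p]})" for p in ps)
            for h, ps in sorted(exposed.items())]

if __name__ == "__main__":
    # Pass the shop PCs' addresses as arguments when run from the house PC.
    # With no arguments, a constructed probe table stands in for the network.
    hosts = sys.argv[1:]
    if hosts:
        result = audit(hosts)
    else:
        sample = {("192.168.1.50", 445), ("192.168.1.50", 139)}  # constructed
        result = audit(["192.168.1.50", "192.168.1.51"],
                       probe=lambda h, p, t: (h, p) in sample)
    print("\n".join(verdict(result)))
```

Run it again from a shop PC against the house PC's address to check the other direction.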

Agreed but...
Jul 17, 2017 10:14AM PDT

what about the hardware set up. So I've landed on simply locking each other out via native tools within Windows but what is the best way to get the shop on the network? Router in the house --> Router in Shop and sell the access point or Router --> Switch in Shop --> Access point for wireless capability.

Either way we have to purchase something so do we simply purchase a wireless router and sell the access point on eBay or something or purchase a switch and use the access point? Or does it matter?

There's a problem when we ask best
Jul 17, 2017 10:55AM PDT

Versus what works. I am now unsure what you have now. If you have the gear in the top post, why not deploy this today?

Touche
Jul 17, 2017 10:59AM PDT

All we have now is the Mikrotik (non-wireless) router with 8 port switch, and the Unifi Access Point. We can put the Mikrotik in the guy's house but then what do we use in the shop where the line is coming in from the house? Another store bought router with wireless and dump the access point or a simple say 5 port switch to plug the wired computers into and the access point?