Using AirPort Express to create isolated Subnet for IoT devices
The FBI recommends that you keep your IoT devices on a separate network.
How would this look on an Apple network using an AirPort Extreme and two AirPort Expresses?
I want to use one of the AirPort Expresses (AP1) to extend the AirPort Extreme into a distant room using ethernet cable. I have this set up and working (albeit at the 100 Mbps limit for ethernet on AirPort Express). Done.
I want to use the other AirPort Express (AP2) to create the IoT network that is isolated from my existing network which uses (192.168).
I can't seem to use a different IPv4 Range on the Express (10.0) relative to the Extreme without creating a Double NAT. In this case if there is a Double NAT can I safely "Ignore" it? I am doing this because I do want the networks to not be reachable from one another.
When creating a "Guest Network" (172.16) there is no "Double NAT" issue reported, and the Guest Network is using a different IPv4 than what is set on the Extreme. Is this discrepancy just Apple thinking for us and not providing enough information?
The Extreme
Set to use IPv4 Range of 192.168.80.2 - 192.168.80.250. DHCP and NAT are set. I have DHCP reservations for all of my local devices by MAC addresses.
Wireless
Network Mode: Create a wireless network
Wireless Security: WPA2 Personal
The Express
Internet
Connect Using: DHCP
IPv4 Address: 192.168.80.3
Subnet Mask: 255.255.255.0
Router Address: 192.168.80.1
DNS Servers: 192.168.80.1
Wireless
Network Mode: Create a wireless network
Wireless Network Name: IoT
Wireless Security: WPA2 Personal
Network
Router Mode: DHCP and NAT
DHCP Range: 10.0.100.2 to 10.0.100.200
Network Options
IPv4 DHCP Range: 10.0.100.2 to 200
Checked: Enable NAT Port Mapping Protocol
iMac (2017 – 2020)
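The cascaded setup described in the post can be traced hop by hop to see which side can open connections to the other. This is an added example, not part of the original post. It assumes plain NAT behaviour (outbound translated and forwarded, unsolicited inbound dropped), a /24 mask on the 10.0.100 side, an Extreme whose WAN faces the ISP directly, and constructed host addresses 10.0.100.5 and 192.168.80.10.

```python
import ipaddress as ipa
from dataclasses import dataclass
from typing import Optional

@dataclass
class NatRouter:
    name: str
    lan: ipa.IPv4Network
    wan_ip: Optional[ipa.IPv4Address]  # None = WAN faces the ISP (assumed for the Extreme)

# Addresses from the post; the /24 on the 10.0.100 side is an assumption.
EXTREME = NatRouter("Extreme", ipa.ip_network("192.168.80.0/24"), None)
EXPRESS = NatRouter("Express AP2", ipa.ip_network("10.0.100.0/24"),
                    ipa.ip_address("192.168.80.3"))
ROUTERS = [EXTREME, EXPRESS]

def is_double_nat(router):
    """A NAT router whose own WAN address is private sits behind another NAT."""
    return router.wan_ip is not None and router.wan_ip.is_private

def trace(src, dst, routers=ROUTERS):
    """Follow one unsolicited packet; return (delivered, hops)."""
    src, dst = ipa.ip_address(src), ipa.ip_address(dst)
    hops = []
    while True:
        # The segment the (possibly rewritten) source address lives on.
        seg = next((r for r in routers if src in r.lan), None)
        if seg is None:
            return False, hops + [f"{src} is on no known segment"]
        if dst in seg.lan:
            return True, hops + [f"on-link delivery on {seg.lan}"]
        if seg.wan_ip is None:
            # Outermost router: private destinations have no route upstream.
            ok = not dst.is_private
            verdict = "sent to ISP" if ok else "no route, dropped"
            return ok, hops + [f"{seg.name}: {verdict}"]
        # Inner router rewrites the source to its WAN address and forwards.
        hops.append(f"{seg.name}: source NAT {src} -> {seg.wan_ip}")
        src = seg.wan_ip

if __name__ == "__main__":
    print("double NAT on AP2:", is_double_nat(EXPRESS))
    for s, d in [("10.0.100.5", "192.168.80.10"), ("192.168.80.10", "10.0.100.5")]:
        print(s, "->", d, trace(s, d))
```

The model covers unsolicited packets only; a port mapping requested through NAT-PMP, which the post shows enabled on AP2, would add an inbound path at 192.168.80.3.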