Three Extreme routers - two separate networks?

What are the models of the AEs that you have? Are you trying to create a separate 'guest' network with client isolation? You can separate NetA and NetB, but where are clients going to get their IP addresses from?

What you describe can be done, but NetA and NetB will result in a potential issue that is known as Double NAT.

We would need to understand the exact type of modem that you have, so if you could provide the make and model number, that would allow us to provide a much more accurate answer.

Normally, Double NAT does not cause significant problems on a simple network, but it may create some issues with certain types of devices that may not be able to connect to the Internet or be fully operable.

If you could tell us what types of devices that will be connecting to NetA and NetB, we could give a better answer.....but the bottom line with Double NAT is always you will not know how well it will work......or in some cases, if....it will work, until you try things out.

We can tell you how to set things up, but cannot tell you how well things will work. Devices that just need to connect to the Internet should be OK. Any kind of interactive device that might need ports opened will not function correctly though.

For example.....you are away from your home and you want to check or adjust the thermostat from a remote location over the Internet. Anything like this is probably not going to work because of the Double NAT issues.

I would suggest dedicating a specific SSID for IoT and maintaining a flat network. The SmartHub can be connected via Ethernet. Most IoT devices will likely use IPv6.

AstraPoint wrote:

One of my other goals is to keep IoT devices segregated from my private network (Macs, iPhones and iPads, etc) for security reasons. A flat network would not give me the extra security I want.

I understand your thought process. The challenge you face is that Layer3 isolation is not very effective and efficient, without firewalls and VLANs. Your network will still be vulnerable at Layer2.

This may not be something easy in a home network, but Enterprise and SP networks separate Layer2 switching and run Layer3 through firewalls.

IoT in it's infancy is inherently insecure, especially when such devices have default passwords. Recent camera hacks, and DoS attacks highlight the issue. It is a lot of work to implement this in a home network, but you may want to consider using tunneling of IoT and non-IoT traffic to your home gateway.

It is also recommended that an IoT device be selected based on security on equal footing with parameters such as feature and functionality. In a race to get to the market and generate revenue, security is left far behind.

You may be able to leverage the 'guest' network feature on more modern/recent Apple Airports and obtain client isolation.

Please see

AirPort base stations: About the Guest network feature - Apple Support

AirPort Utility 6.x: Set up a guest network

Guest mode isn't available with some IPv6 configurations on AirPort devices - Apple Support .

I will defer to Bob Timmons on further advice.

Let's start from the simplest concept......which always seems to be the best concept in terms of reliability.

Assuming that you will be using a current or recent AirPort, you might be able to get by with only 1 AirPort router. There would be no Double NAT at all here to wonder about, so likely a more reliable network.

The "main" network would handle wireless and wired connections. The built in "guest" network could only be used for wireless connections.

So, the "main" network would likely have to be used for anything that requires remote access. The "guest" network would only be used for wireless devices that needed to connect to the Internet, or to another device on the same guest network, like a printer.

Devices on the "main" network would not be able to "see" devices on the "guest" network and vice versa. I assume that this is one of your main goals.

Summary.....Upsides.....simplicity, traditional network operation, no Double NAT at all. Downside.....no wired devices on the guest network.

You mentioned that you wanted to have separate wireless and wired connections on each network before, so not sure if that is a hard requirement or not.

Next setup concept would use two AirPorts.....One to handle your "main" network wired and wireless devices and another AirPort which would be in Double NAT to work with both wired and wireless devices.

Next would be your original idea to use 3 AirPorts and set up a wired only router to do nothing except feed a signal to the other two routers. Both of the other two AirPorts would be set up in Double NAT.

The Ethernet ports on the Express are old and slow 100 Mbps....much slower, compared to 1,000 Mbps ports on the AirPort Extreme. I did not suggest this option for that reason, since it appeared that you were looking for performance on your network asking about AirPort Extremes....but may have been wrong about that.

The Guest Network feature may not work correctly at all if your ISP is providing IPv6 on your connection and you have IPv6 set up on the network. Should be easy to check if your guest network is working OK though.

If you are OK with the much slower Ethernet ports on the Express, and don't need the higher speeds for the Ethernet devices, the proposed setup might be OK.

Your next question might be whether you could use an AirPort Extreme to "join" the guest network, but unfortunately, the AirPort Extreme does not have an option to "join a wireless network". Actually, it does on older versions of the Extreme, but the Ethernet ports are not enabled when the Extreme joins the network.

Follow up.....as I think about the idea to setup the AirPort Express to "join" the guest network......

I'm not sure if this can be done, since the Guest Network uses what is known as VLAN (Virtual Local Area Network) technology....and the Guest Network is tied to the main AirPort as a virtual network.

In order for the Express to be setup, AirPort Utility would have to find the main base station....and it probably cannot do this since you will be logged onto the guest network to try to set up the Express.

I seem to remember trying this a few years and not being able to find a way for any base station to join the guest network at all. But, may not be remembering all the details.

Please ask your neighbor if he has set up an Airport Express to join the guest network, and if so, how he might have done that. I don't have a spare Express handy at the moment, but will later, so I'll try to check as well when I can.

Bob Timmons wrote:

Please ask your neighbor if he has set up an Airport Express to join the guest network, and if so, how he might have done that. I don't have a spare Express handy at the moment, but will later, so I'll try to check as well when I can.

Is it possible to use a Mac and connect to Guest WiFi and have the Express WAN ethernet connected to the Mac and use Airport Utility to configure the Express?

Is it possible to use a Mac and connect to Guest WiFi and have the Express WAN ethernet connected to the Mac and use Airport Utility to configure the Express?

No luck that way. Keep getting the same error that AirPort Utility cannot locate the "other" base station on the network with both wired Ethernet and wireless setup.

The AirPort Express can be set up to wirelessly extend both the "main" and "guest" network and things work fine that way. But, while the Ethernet ports are enabled on the Express this way....they are for the "main" network, not the "guest" network.

If you try to change the Wireless Mode setting from "Extend a wireless network" to "Join".....the Guest Network option disappears instantly from the utility, so no way to tell the Express to join the guest network.

It's looking like a Catch 22 as far as trying to set up an Express to "join" the guest network.

But, maybe the neighbor has found a way that I cannot so far. Hopefully, that might be the case.