Secure Travel Router Best Practices

I’m trying to set up an AXT1800 (4.2.3) to connect to untrusted wireless networks (i.e. hotels) and share the internet connection in the most secure way possible. In the past, I used OpenWrt and travelmate with good results, but I ran into issues after various package and firmware upgrades. When it came time to upgrade to my current travel router, I opted to try using the factory interface. I assumed “repeater” would isolate my devices from devices on the untrusted network, but I could reach the untrusted router and other devices on that network. (Interestingly, I tried plugging the untrusted router into my WAN port and ran into the same issues.) I have no issues connecting to the internet.

How do I configure my device for this use case?

That depends on routes. Private IPs aren’t internet-routable, so a private IP won’t get routed through a VPN unless it’s the VPN’s own subnet.

So far, I haven’t added a VPN to the mix. I’m trying to make clients who join my new wifi network unreachable from the old, untrusted one that is providing internet connectivity.

They probably are. You’ve seen it happen the other way around, from you to outside.

If you want that network unreachable you probably have to sink it somewhere else. (But your router still needs to access it)

Thanks for the insights. Just playing with ping on both “sides,” it does seem like they are unreachable.

For my education, what would I do to sink it somewhere else?

This is exactly what a travel router does. Your AXT1800 is in the middle between the LAN network it hosts, and what it sees as the WAN side. A firewall is between the two sides, and the router routes traffic between the two sides according to its rules. Nothing on the WAN side can get through to the LAN side unless a rule allows it. On the LAN side, however, a rule does allow traffic to go out, and responding traffic can come in.

The WAN side of your travel router is either a network connected to the WAN port and hosted by some other router, or what is referred to as “repeater”, where it takes some other WIFI AP and treats it as its WAN side. On the WAN side there will be a subnet and a default gateway.

So, devices on the LAN side see each other: traffic is forwarded merrily among them by your travel router. When a device on the LAN side wants to go to some other place in the interwebs, it first looks up the IP address for that other place, and then sends traffic to that IP address. The travel router sees that that IP address isn’t on its subnet, so it sends the traffic to the default gateway on the WAN side. If that IP address is on the WAN’s subnet, it sends the traffic. (That’s why you can see devices on the WAN side, but not vice versa). If it isn’t on its subnet, that default gateway forwards the traffic onward to its default gateway, and so on until it gets to its destination. Return traffic is forwarded back and your travel router matches it up with the outgoing request and allows it through.

So each default gateway along the way can see you are trying to reach some IP. Typically, though, traffic is https and encrypted, so they can’t see what is being sent back and forth, just that there is traffic going back and forth. Also, the process of looking up an IP is visible in most cases.

This may be enough security for you. Making the IP lookup encrypted by going to Cloudflare or across a VPN masks that process; default gateways don’t know what you are looking for, only that you are looking up something. But when you find it, they know what you looked for. A VPN can further mask that process by making it known only that you are going to the VPN address, and then it is the VPN and its default gateways that see the traffic.
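The forwarding decision described in the answer above, as an added example that is not part of the original thread or of the GL.iNet firmware: it models the router's route lookup and zone-based FORWARD rules, and shows how a "sink it somewhere else" rule (reject LAN traffic bound for the WAN-side subnet) stops LAN clients reaching hotel devices while internet traffic still goes out via the gateway. The subnets 192.168.8.0/24 (LAN), 10.0.0.0/24 (WAN side) and gateway 10.0.0.1 are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed topology (assumption, not from the post): travel router LAN,
# hotel network on the WAN side, and the hotel's default gateway.
LAN_NET = ipaddress.ip_network("192.168.8.0/24")
WAN_NET = ipaddress.ip_network("10.0.0.0/24")
WAN_GW = ipaddress.ip_address("10.0.0.1")

def zone_of(ip):
    """Zone an address belongs to: LAN subnet -> lan, everything else -> wan."""
    return "lan" if ip in LAN_NET else "wan"

def next_hop(dst):
    """Route lookup as the answer describes: addresses on a directly
    connected subnet are delivered on that link, all others go to the
    WAN default gateway."""
    if dst in LAN_NET or dst in WAN_NET:
        return dst
    return WAN_GW

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_net: Optional[ipaddress.IPv4Network]  # None matches any destination
    action: str

# Stock-style zone policy: lan may talk to lan and wan, wan may not start
# anything towards lan. Unmatched forwards fall through to REJECT.
DEFAULT_RULES = [
    Rule("lan", "lan", None, "ACCEPT"),
    Rule("lan", "wan", None, "ACCEPT"),
    Rule("wan", "lan", None, "REJECT"),
]
# Hardened: an earlier traffic rule rejects LAN -> WAN-subnet destinations.
# Only FORWARD is affected, so the router's own traffic to WAN_GW still works.
HARDENED_RULES = [Rule("lan", "wan", WAN_NET, "REJECT")] + DEFAULT_RULES

def forward(src, dst, rules, established=False):
    """Verdict of the router's FORWARD path for a packet src -> dst.
    Replies to connections the LAN opened are accepted first, as the
    stateful firewall does, before any zone rule is consulted."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if established:
        return "ACCEPT"
    for r in rules:
        if (r.src_zone == zone_of(src) and r.dst_zone == zone_of(dst)
                and (r.dst_net is None or dst in r.dst_net)):
            return r.action
    return "REJECT"
```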