Can I create two separate private networks with only one IP address using only two routers and a switch?

A new renter moved in and wants his own private network with no communication between his and my private network. In addition, he doesn't want a centralized logging of network traffic like most home modem and routers do.

The landlord only has one Ethernet cable coming from the ISP. If I connect the ISP cable, the homeowner's router and the new renter's router to an unmanaged switch, then program the landlord's router to use the private network 192.168.1.0 and have the new renter program his router to use 192.168.2.0. Would that work and would it satisfy the new renter's demand of privacy?

Home network diagram:

Diagram


As presented in the drawing, no.

Firstly a standard ISP residential contract provides a single public IP address; more than that usually requires a substantially more expensive commercial contract. I am assuming this is also a standard residential contract, not a commercial one.

If there's only one IP, it belongs to your router. Any device connected after the WAN port has a direct connection to the internet through the ISP's routing, so it needs a separate public IP address. This means you can't just stick a switch between the ISP and your router's WAN port and expect it to work.

If your renter is accessing the internet only via Wi-Fi, you could provide him a separate SSID. However there's the question about logging - the router might or might not log traffic, and you might or might not have the possibility to affect the behavior. You can of course check this in your router's management interface.

If your router supports VLANs, you could create a separate VLAN for your renter with the IP subnet 192.168.2.0/24, but the question of logging still remains.

I see only three ways around this:

  1. Your renter contacts an ISP of his choice to arrange his own internet access
  2. You contact your ISP and discuss the possibility of adding another router device into your connection - I doubt this'd be allowed, and if so a separate public IP is likely to cost money
  3. You provide your renter either his own VLAN or a separate SSID, and your renter gets himself a VPN. This is the only surefire way you, your router or the ISP has no way to know what they are doing. The routers could still log the traffic, but would only see packets between the VPN end points. The traffic inside the tunnel is encrypted, so there's no way for anyone to tell what they're accessing.

As @ilkkachu and @user1686 have already pointed out, the resources in the routers provided with residential contracts are so tight that they are unlikely to be capable of any meaningful logging. However a knowledgeable person can certainly find a way to trace the traffic between the router and ISP to collect his own logs.

Please note - this is only added for completeness. I'm in no shape or form suggesting that the OP would be even considering to imagine starting to plan something like this :-)
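The VLAN option above (a separate 192.168.2.0/24 segment for the renter, with no forwarding between the two private networks, only to the WAN) can be expressed as a forwarding policy and checked before it is applied. The following is an added example, not code from the thread or from any router vendor; it assumes a Linux-based router whose interfaces are named lan, vlan2 and wan (these names and the use of nftables are assumptions), and it both renders an nftables forward chain for that layout and simulates the same decisions in Python so the isolation can be tested offline.

```python
"""Tenant-VLAN isolation policy: render an nftables forward chain and
simulate its decisions. Added example; interface names, the nftables
approach and the test addresses are assumptions, the two subnets are
the ones proposed in the question."""
import ipaddress
from typing import Dict, Optional

# Assumed interface -> subnet layout of a Linux-based router.
SEGMENTS: Dict[str, str] = {
    "lan": "192.168.1.0/24",    # landlord's network
    "vlan2": "192.168.2.0/24",  # renter's VLAN (VLAN id 2 is an assumption)
}
WAN_IF = "wan"  # single public IP lives here (NAT for both segments)


def _nets(segments: Dict[str, str]) -> Dict[str, ipaddress.IPv4Network]:
    return {name: ipaddress.ip_network(cidr) for name, cidr in segments.items()}


def check_no_overlap(segments: Dict[str, str] = SEGMENTS) -> bool:
    """Overlapping private subnets make routing between them ambiguous, so the
    policy below is only meaningful when every pair is disjoint."""
    nets = list(_nets(segments).values())
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                return False
    return True


def segment_of(ip: str, segments: Dict[str, str] = SEGMENTS) -> Optional[str]:
    """Name of the private segment an address belongs to, or None for 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in _nets(segments).items():
        if addr in net:
            return name
    return None


def forward_decision(src: str, dst: str, segments: Dict[str, str] = SEGMENTS) -> str:
    """Simulate the router's forward chain for a packet src -> dst.

    'local'  : both hosts share a segment; the switch delivers it, the router
               never sees it in the forward path.
    'accept' : private segment -> internet, NATed behind the one public IP.
    'drop'   : anything crossing between private segments, and unsolicited
               traffic arriving from the internet (default policy)."""
    s, d = segment_of(src, segments), segment_of(dst, segments)
    if s is None:
        return "drop"
    if s == d:
        return "local"
    if d is None:
        return "accept"
    return "drop"


def render_nft_ruleset(segments: Dict[str, str] = SEGMENTS, wan_if: str = WAN_IF) -> str:
    """Render an nftables forward chain implementing forward_decision().

    The default policy already drops inter-segment traffic; the explicit
    per-pair drop rules are added so the intent is visible in `nft list ruleset`
    and each rule's packet counter can be inspected."""
    lines = [
        "table inet tenant_isolation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for ifname in segments:
        lines.append(f'    iifname "{ifname}" oifname "{wan_if}" accept')
    for a in segments:
        for b in segments:
            if a != b:
                lines.append(f'    iifname "{a}" oifname "{b}" drop')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    assert check_no_overlap()
    print(render_nft_ruleset())
    # Constructed sample flows: 203.0.113.10 is a documentation (TEST-NET-3) address.
    for src, dst in [("192.168.2.10", "192.168.1.1"), ("192.168.2.10", "203.0.113.10")]:
        print(f"{src} -> {dst}: {forward_decision(src, dst)}")
```

Applying the rendered ruleset with `nft -f` is a separate step on the actual router and is not shown here; the point of the simulation is that the renter-to-landlord and landlord-to-renter cases both come out as drop while each segment still reaches the WAN, which is the property the VLAN option promises.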


In addition, he doesn't want a centralized logging of network traffic like most home modem and routers do.

But they generally don't... (Many home routers literally don't even have the resources for that. CPU requirements aside, where would they store those logs if the OS alone barely fits in the flash chip?)

Yes, your layout would create two separate networks which do not interact. (In fact the routers don't even need to have different LAN addresses – only the Wi-Fi SSIDs must be different.)

But this would work only if the ISP allows multiple devices on the same line (leasing two different WAN IP addresses). Some ISPs will allow this, but many won't.

Also, if the renter is worried about routers, I'm wondering whether he'll be just as worried about switches, as most managed switches happen to have "port mirroring" features.