In my building there is a central router that provides internet to a number of apartments. Every apartment has its own wireless access point and any device connected to the “private” WiFi in each apartment obtains an IP address from the central router.

The issue I am having is that the networks in each apartment are connected to each other. This means that, even though we are not connected to the same WiFi, we can still see each other. I am able to broadcast my YouTube screen to their TV with my smartphone and vice versa.

Or for example by doing nmap -sP 192.168.0.0/24, I can see computers located in other apartments on the network.

Current network setup: (Note: Given wifi hotspot in yellow box)

Is it possible to change the given wireless switch and put in my own switch that I could configure to create a real private network? (Some sort of NAT?)

Hypothetical setup: (Note: MY OWN ROUTER in yellow box)

I am basically worried that they can start printing random stuff and control some domotic things I am buying.

edited Oct 28, 2019 at 19:11

Mr Ethernet

asked Oct 28, 2019 at 18:41

Ricard Molins

  • The fact that you can see other computers in the 192.168.xxx.yyy means that you are already on a private network, probably a NAT (network address translation) internet address sharing scheme. 192.168 is a prefix reserved for private address networks. If you add your own router (with NAT set up) you can make a double-NAT giving you your own private network. For IPv4 TCP connections it acts sort of like a firewall, but there are limitations inherent to double NAT that I don’t have time to expand on now. Which is why this is not an answer. – infixed Commented Oct 28, 2019 at 20:18
  • You should probably put your personal local net on its own sub-net. Don’t share the zero in the third byte subnet. For instance use 192.168.111.xxx/24. And there is no guarantee that the building subnet is limited to 8 bits of subnet. The 192.168 prefix could be used up to /16. If you can examine the netmask that DHCP sets for your device when the building is the DHCP server, you could tell its netmask size. – infixed Commented Oct 29, 2019 at 18:04

1 Answer

There should be no technical obstacle to doing what you suggest, unless the building network is configured to only allow connections via their own wifi devices. If you use your own router, however, you should change the IP subnet on your side to be other than the building subnet. I would speak to the building network administrator, explain your concerns, and ask whether you can in fact do this.

@Infixed comments to your question that there are some issues with respect to “double-NAT”; this is essentially the setup that I have at home (for irrelevant-to-you legacy-equipment and network-change reasons). The main problem that I’ve noticed is that one program in particular that I use has trouble establishing FTP connections through the double-NAT; if I (temporarily) bypass the second level with that computer only (by plugging it in to the cable company router directly, instead of my second-level router), I have no trouble with the specific program. Other “ordinary” use – web, email, listening to streaming media, online games, IRC including DCC, etc. – doesn’t seem to be affected by the double-NAT in any way that I can discern.

edited Oct 29, 2019 at 12:25

answered Oct 28, 2019 at 18:50

Jeff Zeitlin

  • I am not required to connect via their devices. I can connect my PC directly to the Ethernet port. I asked the question to avoid unnecessary buying or to come up with possible obstacles. Thank you for the feedback. Will give it a try and comment. – Ricard Molins Commented Oct 28, 2019 at 19:42
  • As an example of other issues with double NAT, sometimes UDP protocol based programs can have problems. Sometimes UPNP is involved in allowing UDP packets to be routed past a NAT. In a double NAT, dealing with two UPNP servers can be a challenge. Not to mention many consider UPNP to be risky regardless, as it allows inward access from the internet to the local net. (My kid had a game that required UPNP; I enabled it only for his internal IP address. Still a risk.) – infixed Commented Oct 29, 2019 at 17:54
  • As you said, there was no problem. Double NAT was not an issue at the moment. I have tried Netflix, some general internet, some wireless power plugs, my local Synology NAS, and another remote NAS and everything works like a charm. – Ricard Molins Commented Oct 29, 2019 at 19:05
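
The subnet advice in the answer and comments above can be checked before configuring a second router. The following is an added example, not code from any of the posters: it derives the building network from the address and netmask the building's DHCP server hands out, tests whether a chosen inner LAN overlaps it, and falls back to another private range when the building turns out to use the whole 192.168.0.0/16. The lease values and function names are constructed for illustration.

```python
import ipaddress

# RFC 1918 private ranges the inner LAN can be drawn from.
PRIVATE_POOLS = [ipaddress.ip_network(n) for n in
                 ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]


def upstream_network(address, netmask):
    """Network the building's DHCP server placed this device on."""
    return ipaddress.ip_interface(f"{address}/{netmask}").network


def lan_conflicts(lan, upstream):
    """True if the planned inner LAN overlaps the building network."""
    return ipaddress.ip_network(lan).overlaps(upstream)


def pick_lan(upstream, preferred="192.168.111.0/24"):
    """Return the preferred /24 if it is clear of the upstream network,
    otherwise the first non-overlapping /24 from the private pools."""
    if not lan_conflicts(preferred, upstream):
        return ipaddress.ip_network(preferred)
    for pool in PRIVATE_POOLS:
        for candidate in pool.subnets(new_prefix=24):
            if not candidate.overlaps(upstream):
                return candidate
    raise ValueError("no free private /24 found")


if __name__ == "__main__":
    # Constructed sample leases: (address, netmask) as reported by the
    # building DHCP server on the router's WAN port or a wired PC.
    leases = [
        ("192.168.0.37", "255.255.255.0"),  # building uses a /24
        ("192.168.4.37", "255.255.0.0"),    # building uses the full /16
    ]
    for address, netmask in leases:
        up = upstream_network(address, netmask)
        print(f"building network {up}: use {pick_lan(up)} for the inner LAN")
```

With a /16 building network, 192.168.111.0/24 still overlaps, so the inner LAN has to come from 172.16.0.0/12 or 10.0.0.0/8 instead.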
