Separate Networks, Share Resources


rnichols

Occasional Visitor
What's the best way to set up the network into two different IP ranges, then share resources from a third? Basically I want to create a network for the kids to get the internet and access a shared printer, then create another network that has just my stuff on it that they cannot get into. I was pondering VLANs, I was thinking multiple routers... I just don't know the best and easiest way to set it all up.
 
VLAN probably.

You left off "the third". I assume you mean a "kid network", an "adult network" and both also having access out to the internet? Yes, VLANs will do this nicely.

You can have network 1 (the kids) have access to a printer and the router/internet without having access to network 2 (your stuff) and still have network 2 have access to the printer and router/internet via VLANs.

Just make the printer and router a member of VLAN 1 and VLAN 2 and have the kids' stuff only on VLAN 1 and your stuff only on VLAN 2.
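The layout described in the post above, modeled as an added example (not part of the original post and not any vendor's configuration syntax). It assumes untagged end devices on a single 802.1Q switch with no routing between VLANs, and goes one step beyond the post by tracking each port's PVID; the port names and the use of VLAN 3 are constructed.

```python
# Added example: port-based 802.1Q forwarding for untagged hosts on one switch.
# Port names, VLAN IDs and both layouts are constructed for illustration.
# Each port is (pvid, egress_members): pvid classifies untagged frames coming
# in; egress_members are the VLANs the port is allowed to transmit.

def delivers(ports, src, dst):
    """A frame entering at src is put in src's PVID and can leave only
    through ports that are members of that VLAN."""
    src_pvid, _ = ports[src]
    _, dst_members = ports[dst]
    return src != dst and src_pvid in dst_members

def can_talk(ports, a, b):
    """Useful traffic needs both directions: request a->b and reply b->a."""
    return delivers(ports, a, b) and delivers(ports, b, a)

def report(ports):
    """Two-way reachability for every unordered pair of ports."""
    names = sorted(ports)
    return {(a, b): can_talk(ports, a, b)
            for i, a in enumerate(names) for b in names[i + 1:]}

# Layout 1: shared ports added to VLAN 1 and VLAN 2, PVID left at 1.
# Printer replies are classified into VLAN 1, which the adult port does not
# carry, so the adult PC cannot complete a conversation with the printer.
NAIVE = {
    "kid_pc":   (1, {1}),
    "adult_pc": (2, {2}),
    "printer":  (1, {1, 2}),
    "router":   (1, {1, 2}),
}

# Layout 2 (asymmetric VLAN): shared ports get their own PVID 3 and carry
# VLANs 1 and 2; client ports also carry VLAN 3 so replies can reach them.
ASYMMETRIC = {
    "kid_pc":   (1, {1, 3}),
    "adult_pc": (2, {2, 3}),
    "printer":  (3, {1, 2, 3}),
    "router":   (3, {1, 2, 3}),
}

if __name__ == "__main__":
    for name, layout in (("naive", NAIVE), ("asymmetric", ASYMMETRIC)):
        print(name, report(layout))
```

Running `report()` on a planned port table before touching the switch shows whether the kid and adult ports stay isolated while both still reach the shared devices.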
 
Yeah, I was thinking a third for the resources, but that makes sense as well. I think I've got the hardware to support the VLANs...

Zyxel USG 50 router, Zyxel GS1910-24, Zyxel GS1900-8HP and some EnGenius ECB350...

So I'll give it a try and see what I can figure out, thank you.
 
A question to ask is how secure do you want the network.

VLANs will give you physical separation. If the kids are smart all they have to do is plug their cable into an adult network port and they are in.

If you want more security I would turn off all automatic DHCP and use reservations on DHCP. Then they have to spoof your MAC address to get in.

If you want more security then you need to authenticate access to the adult network so the MAC address cannot be spoofed.

Multiple networks can be run on the same switch at the same time. Not secure but simple. The only thing is you cannot have 2 DHCP servers on the same broadcast network at the same time. The simple solution is to set up DHCP for the kids' network and run the adult network with hard coded IP addresses.
 
Multiple networks with VLANs on the same switch is actually pretty secure. Even with physical access, use MAC based ACLs. For wireless this is wholly insecure. For wired, it is actually rather secure, unless someone is going to take the time and effort to log in to the device in question locally to yank the MAC from the NIC.

I'd leave DHCP in place and use MAC based ACLs on each port if you think your kids are going to get up to extra shenanigans.

Personally I plan on VLANs, but probably no ACLs down the road. In part to segment out their regular computers for security reasons (not so much to prevent their access to normal resources) along with a better router, so that I can push either their entire VLAN, or do it by IP to push their connections over VPN (because, I love them...but I know how I was at that age...reasonably cautious, but damned if I want their "shenanigans" spilling over. A hint of anonymity on the source is not a terrible thing. Easy enough to say "don't torrent things", harder to enforce without an iron fist).
 
He is going to have to address wireless unless he wants to run the entire adult network from a wired connection. He will need an authentication method which will drop the user into an appropriate VLAN. This is the more elegant solution. I believe there are still wireless devices which will do this. I have some old Cisco wireless devices which are not made any more that will do it.

I guess you could run 2 wireless APs, one for the adult and one for the kids network and have them plugged into the appropriate VLAN.

And of course you need to run a wireless security high enough not to be hacked. This changes over time.


All the kids have to do to get the MAC address to spoof a VLAN is to look on the adult computer for a tag with the MAC address or log on to the adult computer and look at the NIC settings. Then they can log on to the adult network. Easy as pie.
 
It isn't as easy as pie if the adult computer has appropriate access controls on it. When it comes down to it ANYTHING can be circumvented, however most of this sounds like an attempt to keep anything like a virus that a kid's computer might end up getting from spreading to other more sensitive machines on the network. Which VLAN "firewalling" can certainly help with.

On the APs, a lot of the routers/APs that have wireless isolation are set up such that you can only access the WAN. This is accomplished by only allowing the packets from anything on the isolation wireless network to traverse to the gateway. Granted, some are "stupid" and accomplish it by only allowing things to transit the WAN port itself, which means if it is a router in AP mode (and not functioning as the router) then wireless isolation can't work. It also means you can't access any local network resources.

There are a few routers that roll the ability to do VLAN tagging. On top of that most/all of the open source firmware out there allows VLAN tagging (DD-WRT, OpenWRT, Tomato, etc.).
 
If you are getting the MAC address off the outside of the computer it’s pretty easy.

If you can log on to the computer it is simple to see the MAC address. If you just use an already logged on computer while the parent is on the phone or in the other room.


With all this said what I started my statement with was, “you need to decide on what is acceptable security”. There are lots of levels. How secure do you want your network? Then build your network.
 
Most computers don't have the MAC written on them or on the outside of a NIC.

I'll grant you, there are ways around it, certainly. I think you have more problems than keeping them away from your "secured" network if you have worries about them spoofing MACs.

I plan on firewalling off more of my network when my kids get older for three reasons:
1) Keep anything they might "catch" away from "vital" things*
2) Keep any tinkering they attempt to do from breaking anything (why they'll have a folder on the server they can access, but they won't have write permissions to anything else on the server)
3) Well, there are things kids just never want to see involving their parents. I don't think they want to accidentally run across anything like that. So let's just make sure they cannot accidentally access anything like that.

*This is also the reason once they are a few years older I'll be running all of their connections through VPN so there is less chance for splash back on anything they do muck with on the internet. I was once young and dumb and grew up in the Wild West of the internet. I hope to teach them well enough, but you never do know if they'll learn.
 
