2 networks 1 router?

carlos28355

Occasional Visitor
2 networks 1 router? {Solved}

Hello,
I work at a computer repair shop. Networking is not my area. Boss knows more than me about that, but I wanted to ask you guys what you suggest...

We do a lot of virus removals here; at any given time we could have up to 16-20 computers doing various things. Then we have about 6-10 of our computers. I of course have our computers on a different workgroup, but with the types of viruses that come through here I think it's time for us to change our network around.

I want to be able to essentially have 2 networks, I guess. One for our work computers, then the other for customers, but the customer ones will need internet access as well. I can set up a separate wireless for them, but I want hard wired as well... ideas? Thanks!

*Sorry if I'm in the wrong forum. I wasn't sure where to post this...
 
Easiest way to do this is have two routers. Each set up with its own IP.

Example: Router 1: 192.168.1.1 and Router 2: 192.168.2.1.
 
I'm assuming because they're on different IP addresses there won't be an IP conflict?

So how would the actual setup go? Let's call the routers Work and Customer.

Modem connects to Work router, then Work router connects to Customer router? We will also have switches in the mix... thanks for the response.
 
I would try this:

Modem => Customer (LAN IP 192.168.1.1) => Switch

2.4GHz SSID: Customer - AP Isolated - Channel 1
5GHz SSID: Customer_5G - AP Isolated - Channel 148


Customer => Work (LAN IP 192.168.2.1) => Switch

2.4GHz SSID: Work - Channel 11
5GHz SSID: Work_5G - Channel 161


If needed - the Work clients can connect to the Customer clients - but the Customer clients cannot connect to the Work clients/computers.
 
Thank you kindly. I will try this soon and post back if I have issues. Thanks again!
 
I forgot to ask... Does this protect our network from viruses on customers' computers? That is the reason I wanted 2 networks, so I guess I should find that out first :eek:
 
It 'should', if you don't set up static routes between the routers.

To be sure;



Modem => Customer (LAN IP 192.168.1.1) => Switch1

2.4GHz SSID: Customer - AP Isolated - Channel 1
5GHz SSID: Customer_5G - AP Isolated - Channel 148


Customer => Work (LAN IP 10.0.0.1) => Switch2

2.4GHz SSID: Work - Channel 11
5GHz SSID: Work_5G - Channel 161
 
Ok, so I'm just getting around to purchasing some switches and I didn't really dissect the responses here, so I want to double check some stuff...

As I closely look at the diagram suggested, it's 1 router per switch. Is this correct? And if I introduce another switch for either work or customers, do we need another router for this?


I want to verify that this setup would be the best for us, or are we just looking at what my original question was? If this is not considered the best setup, I'm willing to purchase different equipment to isolate work computers and customer computers using the single modem from our ISP, and they all need internet access... thanks again
 
If this is our setup:

Modem => Customer (LAN IP 192.168.1.1) => Switch1

2.4GHz SSID: Customer - AP Isolated - Channel 1
5GHz SSID: Customer_5G - AP Isolated - Channel 148


Customer => Work (LAN IP 10.0.0.1) => Switch2

2.4GHz SSID: Work - Channel 11
5GHz SSID: Work_5G - Channel 161



If you need more physical ports: for the Customer computers, simply add a switch to Switch1 and connect away.


If you need more physical ports: for the Work computers, simply add a switch to Switch2 and connect away.



The above configuration and expandability options will protect the Work computers from viruses from the Customer computers, whether they are wired (to the appropriate switch, of course) or connected properly to the wireless Customer and Work SSIDs (whether they're on the 2.4GHz or 5GHz bands).

A point to note is that with the wireless connections, you can make the clients unable to 'see' each other (use the Guest wireless mode if needed and select the Access Intranet 'OFF' option).
 
This is pretty much a pfsense application. You can either use assorted hardware kicking around, with three NICs installed, or just build up a four port unit using a mini-itx setup. We have been using pfsense in several locations for the last few years (see my thread "confessions of a pfsense newby"). I will never purchase a router again as pfsense has too many benefits at its cost. At one location I have tenants and guest wifi (we charge for internet access), dual WAN and our business network all attached to a pfsense box. You can have as much or zero access between networks (all rules based). Here's what one box does:

Dual WAN load balancing.
Guest internet access, also throttles guest data rates with traffic rules.
Antivirus.
Proxy server and internet access logging/reporting (Squid package) (light squid internet usage reporting)
Snort packet inspection/blocking (snort)
Bandwidth reporting per IP. (Darkstat)
Selective site blocking IP specific or general rules based. Certain workstations are blocked from any internet access where not required. (Squidguard).
IPSec VPN remote access for PC, MAC and smartphone.

Any client system with a virus issue will immediately be evident on the router as, between Snort and darkstat network monitoring, the behavior will be immediately evident. We have had two virus incidents on our network since the pfsense installation and both were blocked by Snort (outbound traffic was blocked). The workstations were immediately identified by Snort alerts and dealt with very quickly. I'd highly recommend this setup for your situation. Pfsense is open source, as are the packages I mentioned.
 
Actually, not really. Those routers need to not be routable between each other, or have a firewall in between.

The best setup I could think of:

Take a router like the Ubiquiti EdgeMAX EdgeRouter Lite: $99, 3 separate interfaces with a built-in stateful firewall. Extremely stable, great for businesses.

eth0 = Business LAN (192.168.1.0/24)
eth1 = WAN (Internet)
eth2 = Workstations LAN (192.168.2.0/24)

You setup the interfaces as described up there.

Once you have connectivity (make sure the device is on Firmware 1.4.0, WAAAAY easier):

On 1.4.0, executing the startup wizard will configure the ports, the NATing and the basic firewall rules:

On eth1, Drop ALL incoming traffic to be routed (default), but allow Established and Related connections.
On eth1, Drop ALL incoming traffic destined to the router itself (deny connections to the router from the internet).

After doing the setup wizard:

You go to Security / Firewall.

You add the following rules:

On interface eth0 You Deny (Drop) incoming traffic to the destination interface address eth2
- Create ruleset that Accept by default incoming traffic on interface eth0
- Create rule that Drop packets going to the destination interface address eth2

On interface eth2 You Deny (Drop) incoming traffic to the destination interface address eth0
- Create ruleset that Accept by default incoming traffic on interface eth2
- Create rule that Drop packets going to the destination interface address eth0

* It is always better practice to block incoming traffic BEFORE it is routed, since it saves routing resources.

Cloud200 did a nice wrap up of resources to learn how to play with Ubiquiti's routers. But since 1.4.0, they got pretty easy to configure for basic operation.

But these devices ARE very powerful. And they are a great learning opportunity.
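The rule logic described in the post above (WAN drops unsolicited inbound traffic but allows established/related, each LAN accepts by default but drops packets bound for the other LAN's interface) can be checked against sample flows with a small model. The following is an added example, not configuration from the post or from Ubiquiti/EdgeOS: the interface names and subnets are the post's, while the rule classes, the evaluator and the sample addresses (203.0.113.0/24 standing in for the internet) are constructed for this example.

```python
"""
Model of a three-interface zone firewall: first-match rules on the ingress
interface, plus a flow table standing in for the stateful "established/related"
allowance. Interface names and subnets follow the post; everything else is
constructed for this example and is not EdgeOS code or configuration.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Set, Tuple

# Addressing plan from the post: eth0 = Business LAN, eth2 = Workstations LAN.
# eth1 is the WAN: any address not in a local subnet is reached through it.
INTERFACES: Dict[str, IPv4Network] = {
    "eth0": IPv4Network("192.168.1.0/24"),
    "eth2": IPv4Network("192.168.2.0/24"),
}
WAN_IF = "eth1"


def interface_for(addr: str) -> str:
    """Return the interface an address lives behind (WAN if no LAN matches)."""
    ip = IPv4Address(addr)
    for name, net in INTERFACES.items():
        if ip in net:
            return name
    return WAN_IF


@dataclass
class Rule:
    action: str                   # "accept" or "drop"
    dst_if: Optional[str] = None  # match only packets leaving via this interface; None = any


@dataclass
class Ruleset:
    default: str                  # verdict when no rule matches (the post's "Accept by default")
    rules: List[Rule] = field(default_factory=list)


class ZoneFirewall:
    """Evaluates the ruleset of the ingress interface, first match wins."""

    def __init__(self, rulesets: Dict[str, Ruleset]) -> None:
        self.rulesets = rulesets
        self.established: Set[Tuple[str, str]] = set()  # (src, dst) of accepted flows

    def evaluate(self, src: str, dst: str) -> str:
        ingress, egress = interface_for(src), interface_for(dst)
        if ingress == egress:
            # Same-subnet traffic is switched, never routed: router rules do not see it.
            return "switched"
        # A reply to an already accepted flow is "established" and bypasses the rules.
        if (dst, src) in self.established:
            return "accept"
        ruleset = self.rulesets[ingress]
        verdict = ruleset.default
        for rule in ruleset.rules:
            if rule.dst_if is None or rule.dst_if == egress:
                verdict = rule.action
                break
        if verdict == "accept":
            self.established.add((src, dst))
        return verdict


def build_policy() -> ZoneFirewall:
    """The rule set the post describes: WAN drops everything unsolicited,
    each LAN accepts by default but drops packets headed for the other LAN."""
    return ZoneFirewall({
        WAN_IF: Ruleset("drop"),
        "eth0": Ruleset("accept", [Rule("drop", dst_if="eth2")]),
        "eth2": Ruleset("accept", [Rule("drop", dst_if="eth0")]),
    })


if __name__ == "__main__":
    fw = build_policy()
    # Constructed sample flows; 203.0.113.0/24 is a documentation range used as "the internet".
    for src, dst in [
        ("192.168.1.10", "203.0.113.5"),   # business -> internet
        ("203.0.113.5", "192.168.1.10"),   # reply to the flow above (established)
        ("203.0.113.9", "192.168.1.10"),   # unsolicited inbound from the internet
        ("192.168.2.50", "192.168.1.10"),  # customer workstation -> business LAN
        ("192.168.1.10", "192.168.2.50"),  # business -> customer workstation
        ("192.168.2.50", "203.0.113.5"),   # customer workstation -> internet
    ]:
        print(f"{src:>14} -> {dst:<14} {fw.evaluate(src, dst)}")
```

The model deliberately leaves out NAT and port numbers; its point is the ordering the post relies on: the drop towards the other LAN is matched on the ingress interface before anything is routed, and only replies to flows the LAN side opened get back in from the WAN. Because the LAN-to-LAN drop never creates a flow-table entry, an infected customer workstation cannot ride an "established" exception into the business LAN either.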
 
Dennis Wood,

Okay, I'm interested in pfsense, although it sounds like it may be above the OP's comfort level.

Any links to learn more about pfsense that you can recommend starting with the very basics?

Thank you.
 
http://www.smallnetbuilder.com/lanwan/lanwan-howto/30565-taming-your-networks-bandwidth-hogs-part-1

http://www.smallnetbuilder.com/secu...1406-build-your-own-ids-firewall-with-pfsense

http://www.smallnetbuilder.com/security/security-howto/31433-build-your-own-utm-with-pfsense-part-1

And of course Dennis Wood's lovely thread:
http://forums.smallnetbuilder.com/showthread.php?t=5379


If you want to just get a preconfigured box:
https://store.pfsense.org/hardware/
http://store.netgate.com/Firewalls-C2.aspx
straight from the source is always nice.

Rolling your own, though, means you have to be careful about compatibility. Not difficult, but use the guide: http://www.pfsense.org/hardware/index.html
 
Ok, I'm an idiot. I read through your responses more carefully and I do see you mentioned early on 2 routers. That's fine; my last question (hopefully) is that about half way through this thread you switched router 2 (work) to "LAN IP 10.0.0.1". Is this still what you want me to do instead of your original "LAN IP 192.168.2.1"? Thanks!
 
Thanks Dennis, Cloud200 & Altheran

I will look into these for sure. I need something quick and easy right now, so I'll probably go with L&LD's recommendation, although I will give pfsense some research for sure. I wouldn't want to jump into that for the business unless I knew more about it, and I just don't have time now. Thanks though, looks very intriguing... :D
 
Hey, another recommendation for firewall distros: ZeroShell. Last one I used, it was quite nice. I remember enjoying the iptables GUI and such. I never see anybody mention ZS.
 
If you want to have both the Customer and Work networks isolated from each other, yes.
 
Pick up something like one of the Zyxel ZyWALL 110. You can have two WAN connections and create multiple zones, thus segregating traffic within one router/firewall.

Note: I have not worked with the Zyxel product, but reviews seem to indicate they offer quite a bit for the money. I use Sonicwall stuff on a daily basis...
 
In terms of isolation, pfsense is a stateful packet inspection appliance/firewall with as many WAN or LAN ports (and VLAN ports) as you care to define. Therefore your networks will be as separate as you want them.

There are examples where you do want access. For example, I administer the WAP behind the firewall (for the guest wifi) by allowing traffic over the subnet for one IP admin, and only to that one guest AP.

Pfsense is not just a router distro... it's also a diagnostic tool, particularly as your customer machines will no doubt arrive in your shop with a myriad of virus/malware challenges. There is a learning curve there, but it's well worth the effort. If I was still doing SMB consulting/servicing, I can guarantee you I would be selling them pfsense solutions too. As a bit of a follow up, the hardware list in the first post: http://forums.smallnetbuilder.com/showthread.php?t=5379 is still available. I built several routers using the same hardware, and both boxes have been working hard for several years now with zero issues. One of the major features of the setup is logging and activity reporting in a simple but effective web based reporting format (Lightsquid) that by its presence significantly reduces "unproductive" web behavior. A few hundred bucks for the hardware seems like a steal really once you have everything running.

If you have a VLAN capable switch already, you can simply designate 1 set of VLAN ports to your customer machines, another set to your office, and isolate them from each other completely. This may be a zero cost solution for you. The only cost may be some reading on VLAN config :)

Cheers,
Dennis.
 