2 Routers needed if not using a VLAN?

phaeyn

Hi all, I'm brand new to the website SMB. Ran across it this week doing a Google search and so far am really liking what I'm seeing!

Anyway, here is what I'm wanting to do.

Our church is building a brand new building and I will be setting up the network. What I'm looking to do is set up the pastors, admin, network printer, and NAS on their own private LAN and have the rest of the building on its own public LAN. Both LANs will require access to the internet.

From what I've been researching it sounds like if I don't get a router with VLAN support, I will have to go with two routers that have NAT.

DSL Modem
|
Router1 -> Public LAN (172.16.1.x)
|
Router2 -> Private LAN(172.16.2.x)

What I'm wanting to know is will the Private LAN be invisible to the people using the public LAN? On that same note, since Router2 has a Router1 DHCP address, will computers on the private LAN be able to "see" computers on the public LAN?

Also, can you use different Subnets on the two routers to help segregate them?

I am well aware that two routers will be just about as much money as one VLAN router, but the church already has some existing equipment and money, not surprisingly, is very limited.

Thanks!
 
There's a great article on the site here about exactly this topic. If you haven't already, give it a read.

In your case, I think this 'double-NAT' approach would work fine. Otherwise, you would need to turn to VLANing or subnetting. You don't necessarily have to have a router that supports VLANs - you can get fairly simple switches that support port-based VLANing. But if you already have a couple routers kicking around anyway...

A decent option for a [cheap] router that supports most features of much higher-end routers is pfsense. pfSense is a BSD based router that'll run on virtually any computer. You don't need much horsepower, so any old tower will do. Add a couple NICs and you're good to go (all web-based configuration). From there, you can do more advanced VLANing and subnetting. Pretty easy to do in pfsense (you just assign 2 internal interfaces for your 2 different networks). Pfsense is nice when you need more features but the budget doesn't support it.
 
Thank you very much for the link. I did look through the "How To" sections, but I didn't see the 2nd page to it /bonk. I'm about half way through the article and it seems like this is what I'm looking for.
 
According to the article, it uses 3 routers. Is it possible to just use the Internet Router with a switch and 1 other router for the private network and get the same result?
 
The reason for a router on each segment is to keep each network from being able to access the other. The two-router solution (gateway and private LAN) can work too, but users in the private LAN will be able to access public LAN resources, and under certain circumstances (intentional), the public LAN can intercept the private LAN's Internet traffic.
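
An added example (not part of the thread): a small Python model of the reachability rules described in the post above. It assumes consumer NAT routers with no port forwards or DMZ host; the segment names and the three-router layout (a gateway with one router per LAN behind it) are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Router:
    name: str
    lan: str  # segment on the router's LAN side
    wan: str  # segment on the router's WAN side

def path_up(segment, routers):
    """Segments a packet crosses on its way from `segment` to the Internet."""
    by_lan = {r.lan: r for r in routers}
    path = [segment]
    while path[-1] in by_lan:
        path.append(by_lan[path[-1]].wan)
    return path

def can_initiate(src, dst, routers):
    """True if a host on `src` can open a connection to a host on `dst`.
    A NAT router forwards LAN->WAN freely but drops unsolicited WAN->LAN
    traffic, so only segments upstream of `src` are reachable."""
    return src != dst and dst in path_up(src, routers)

def transit_exposure(src, routers):
    """Other LAN segments that carry `src`'s Internet traffic in the clear."""
    return [s for s in path_up(src, routers)[1:] if s != "internet"]

# Two-router layout from the first post: Router2's WAN port sits on the public LAN.
TWO_ROUTER = [
    Router("Router1", lan="public", wan="internet"),
    Router("Router2", lan="private", wan="public"),
]

# Assumed three-router layout: each LAN behind its own router, with a
# transit segment between them and the gateway that has no user devices.
THREE_ROUTER = [
    Router("Gateway", lan="transit", wan="internet"),
    Router("RouterA", lan="public", wan="transit"),
    Router("RouterB", lan="private", wan="transit"),
]

if __name__ == "__main__":
    for name, topo in (("two-router", TWO_ROUTER), ("three-router", THREE_ROUTER)):
        print(name,
              "| public->private:", can_initiate("public", "private", topo),
              "| private->public:", can_initiate("private", "public", topo),
              "| private traffic crosses:", transit_exposure("private", topo))
```

In the two-router case the private LAN's Internet traffic crosses the public segment, which is where the interception risk mentioned in the post comes from.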
 
What make/model routers do they have? I ask..because many of the popular models, such as the Linksys wrt54g models, are able to be flashed with 3rd party firmware, such as DD-WRT and Tomato. These 3rd party firmwares, which are free, bring a host of new features to the basic routers, as well as stability, the ability to boost the wireless output for greater range, and in some cases..slightly snappier performance.

Another feature...is port based VLANs..it turns the built in 4 port switch into a managed switch.

This way you can avoid the clunky and performance robbing double NAT'ing.
 
I may definitely look into a 3rd party firmware with the Linksys g router. I think currently they are only running 1 router and it's a Linksys B wireless BEFW11S4

http://www.linksys.com/servlet/Sate...826220&pagename=Linksys/Common/VisitorWrapper

Seeing as it's in the "Archive" section, I think I'll insist on springing for a new router/s :)

On a side note, I got home tonight from work and remembered that I have an old Cisco Router 1600 series (model 1605r) in my basement. I saved it from being thrown out at my last job because "corporate" forced our branch to upgrade to a new model due to it being End of Life with Cisco.

The 1605r has 2 ethernet LAN ports a WAN port and a T1 card in it. It is only a 10baseT router which is pretty sad, but could possibly work for the church as they only work with powerpoint and word files and their internet DSL is only a 784kb/s down connection.

Would it even be worth it to learn how to configure the 1605r router or should I just throw a fund raise and buy the proper equipment?
 
Would it even be worth it to learn how to configure the 1605r router or should I just throw a fund raise and buy the proper equipment?

Only you can answer that question.....as it's you who will be "volunteering" that time to learn. Value on time spent trying to learn...versus spending 65 bucks or so per new wrt54gl Linksys to install dd-wrt on.
 
Well, I think I could get through it okay learning how to code it since I've found some examples online. I guess the part I'm worried about is connecting it to a DSL modem and have it work.

If my thinking is correct, it's only a 10mb router, but if I connect the whole building up to a 100mb switch, everything internal will transfer at 100mb just fine and anything external/internet shouldn't be affected too much since it's only a 784kb down DSL line? Does that sound about right?
 
Correct, everything internally will still be 100mb. The 10Mb WAN port will only affect the speeds of whatever is going through that port, which even then isn't really an issue since you're getting less than a Mbit down anyway.
 
