What's new

double nat vs vlan

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!


New Around Here
Traditionally to separate my wireless low-security network from my high security wired one of a few linux boxen I've used two el cheapo routers in a double nat config (cable modem -> wireless router -> wired router -> desktops).

This allows me to have services like samba open on the wired network, and to allow access to them from the wireless network by poking a hole for the ssh port and making wireless users authenticate over ssh. Having read the article recently about vlans it seems that there should be a cleaner way using them to implement this security model. How would I set up a router and vlan-capable switch to (1) completely separate the wireless and wired traffic, while (2) allowing the wireless network access to the wired one through ssh?

Thanks in advance for any clues for the vlan noob.
I use a pfSense box w/ two LAN interfaces as my router: one for my equipment and the other attached to an AP to share Internet access with my neighbors. I'm currently configured to block all traffic between those interfaces, but it should be trivial to open the necessary ports.

I'd imagine the cost to set up a pfSense box is roughly the same as a managed switch, if neither materials were on hand.
pfsense on a ALIX system would certainly be inexpensive. I'm impressed with this new generation of ALIX hardware. It's much more capable than the old WRAP or Soekris boards, but just over half the price I paid for my Net4801s.


I have an Alix 2C3, and am somewhat satisfied with it. Unupgradeable memory (256 MB) is a bit of a downer, but its low price makes up for it. It is more than adequate for my needs, but using an embedded load means sacrificing package support.
Thanks for the pointers. I was thinking about that path too since a firewall distro would let me do some neat stuff with squid and ad/content filtering without having to install adblock on every machine. Just out of intellectual curiosity, if I wanted to do it with vlans how would it work?
FYI, if you pursue the embedded route you sacrifice Squid, as packages aren't officially supported (or recommended) in embedded builds. As bandwidth usage is a concern for me as well, I use traffic shaping to throttle the connection in its place.

To answer your question with the specified stipulation, you'd have two VLANs on the same switch, one with the wireless equipment, and the other your protected equipment. In order to communicate with each other as well as the Internet, a single router could provide an interface/subinterface for each VLAN. Without a firewall in place, ACLs would be necessary to restrict cross-network traffic to whatever you specify (authentication). This is a relatively expensive setup for the average SOHO user.

If both cost and security were immutable factors, you could achieve equivalent results with three broadband routers. Wireless router is connected to Internet router's LAN, just like the secure router. Authentication is handled by port forwarding on secure router. Broadcast traffic would be safe as non-directed traffic is dropped thanks to NAT. This setup may be safer than a VLAN switch as if a switch is overwhelmed by an attacker, the default behavior may be to forward traffic to all ports, regardless of VLAN.
+1 for pfsense. You can do pretty much everything you need right out of the box with a good router/firewall like pfsense. With home user routers, you're basically forced to do funky double-nat setups. For the cost of PC hardware these days, it's hard not to recommend something like pfsense. You can get a basic, brand new celeron-based system now for about $280. And that's NEW hardware; you can buy 1 or 2 year old h/w for like $100. Add a couple NIC's and that's a hell of a router/firewall.

Dedicate an interface and subnet for your wireless AP, and from there you can control trafic to your heart's content. Pfsense FTW.
Similar threads

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!