Two networks seprate lans, one internet connection

[Sonic007]

Hi,

I'm new here so I thankyou in advance for any help. Much appreciated.

I've got one home Internet connection and need to seperate it into two seperate networks that cant see each other.
Both networks need to offer wired connections so I cant use a router with guest wifi for example.

I was looking at the Unifi Security Gateway Router and wondered if anyone knew if that is the best way or if there is anything similar?

If I got the Unfi Security Gateway I would plug that into my Sky Broadband Router (Yes I know it would be double NAT) but then I would need separate switches going into each of lan1 and lan2 on the Unifi for all my devices.
I wondered if there was another device that had more ports or another way of doing this?

Many thanks,

Tim.

 

[MichaelCG]

So many different ways this can be done. USG, pfSense, or just about any of the ASUS and possibly Netgear devices with some custom VLAN work setup. If you don't want multiple switches, you just need to get a managed one that you can assign VLAN tags to each port. All depends on how much tinkering you want to do along with how much money you want to spend.

 

[Sonic007]

Thankyou for your reply. I'l have a look into those options.

 

[EmeraldDeer]

I did this with a Cisco SG300-10 in layer 3 switch mode. It was not easy at all to figure out. It involves VLANs, access ports, trunk port(s) back to the Asus router with static routes in both directions and ACL/ACE rules. The guest network does not have double NAT to the Internet.

 

[coxhaus]

good job

 

[umarmung]

No one can help you directly because you have not listed your Internet connection speed, the number of devices involved and your budget. These are the prime criteria for a specific recommendation.

With only a single managed switch, you can achieve your needs. However, having a VLAN-aware router is (much) more flexible for communication between VLANs.

Note. a VLAN-aware router + L2 managed switch can be much cheaper and easier to manage than trying to do everything on an expensive L3 switch.

 

[HellDiver]

Easiest way is a PC with 3 NICs, and a VDSL modem. Run pfsense on the PC, hook up your two LANs to two of the NICs, and the modem to the other. Very simple.

 

[coxhaus]

Easiest way is a PC with 3 NICs, and a VDSL modem. Run pfsense on the PC, hook up your two LANs to two of the NICs, and the modem to the other. Very simple.

I think using a Cisco SG300 switch in layer 3 mode is the easiest for me. Just create 2 VLANs with separate networks. Add 1 ACL statement to not allow access between networks.

Trunking is not required. You just need the router linked to the layer 3 switch. I would use an access port for the router.

 

[CaptainSTX]

I use a couple of relatively inexpensive TP-Link SG108E smart switches and have setup three 802 1Q VLANS to segregate wired devices into three groups with one group being for my most trusted PCs and NAS. This switch also will do port based VLANs which would work if you have a dedicated cable to each device.

 

[coxhaus]

I like to share printers so it might take me 2 ACL statements to only share printers between the separate networks.

 

[CaptainSTX]

I like to share printers so it might take me 2 ACL statements to only share printers between the separate networks.

All the devices that print regularly and my printer are on my most secure VLAN. If for some reason any other device or guest needs to print I use Epson print. When a message is sent to an e-mail address I created with Epson it prints the message and any attachments as long as it is from a pre designated user. If it isn't from a recognized address it queues the print job and notifies me to either authorize or decline the print request.

 

[coxhaus]

For printers I sub network the printers with a 248 mask so I have access. The printers live where the Apple devices are so they can air print.