Creating 2 networks with one internet connection

[MassiveJim]

Equipment I have
1 - ADSL modem/router
2 - cable router
3 - Vlan capable switch

currently the adsl modem is connected to the internet, cable routers WLAN port is connect to one of the modems network ports, however I want to introduce the VLAN capable smart switch here and totally seperate the networks whilst still allowing them both access to the internet.

Network 1 uses a server for DNS and DCHP, network 2 currently using the cable router for those services.

 

[K.C. Leblanc]

Righto, what sort of router are you using?

 

[joeyjojo]

As above. You might even be able to stick a firmware on existing hardware to get this. E.g. dd-wrt.

 

[m01]

I don't fully understand your current setup. Do you have 1 network or 2? If you have 2, do you basically NAT traffic from PC's connected to the cable router into the other network, and then again before it goes out into the internet?

Here are some ways how you might tackle this problem.. (it'd be simpler if you were happy with the two VLANs talking to each other)

Option 1. Here's roughly what you need to do:

1. A VLAN-capable switch (maybe your ADSL or cable router can already do that with aftermarket firmware, or use a smart switch)
2. A separate or integrated router
3. The router needs to be able to apply separate firewall rules on each of the two vlan interfaces.

On the router, you configure two home-network-facing interfaces, one with say 192.168.1.1/24, the other with say 192.168.2.1/24 (/24 means subnet mask of 255.255.255.0). These interfaces need firewall rules to block traffic destined to the other network, i.e. 192.168.2.x and 192.168.1.x, respectively. Then, on the switch, you distribute your ports into 2 vlans, and patch one of the router interfaces into each VLAN. You will also need to setup NAT between each of these interfaces and the WAN (internet-facing) interface, as appropriate.

If your router and switch support 802.1q trunk ports, you can use one physical cable, and virtual/subinterfaces on the router, rather than 2 cables between the router and the switch.

If you were OK with the two networks talking to each other, it'd be a bit simpler.

It's possible to do this all in one sophisticated device.

Option 2: setup something like this:

This might be a bit more round-about, but it might be easier to do with your existing hardware.

Firewall configuration:
- it needs 2 interfaces, one in each network, so that it has IP addresses in each network. (say 192.168.1.2 and 192.168.2.1)
- it needs firewall rules to enforce the separation of the two networks. Be careful how you handle the exception for the upstream router.
- The default gateway is set to the router's IP address

The ADSL router would need a static route, saying that 192.168.2.0/24 is reachable via 192.168.1.2, otherwise return traffic won't make it back to PC's in (blue) VLAN 3. You may also wish to install firewall rules here.

Depending on how much you care about security, you need to be really careful and consider all the possible traffic paths, including PC in vlan 2 -> ADSL router -> (NAT) -> firewall -> PC in vlan 3.. This should apply to all options you might consider.

PS: I find that diagrams like the above really help with understanding these sorts of setups. I drew mine with draw.io, and just searched for router etc to get the icons. Quite handy.

 

[MassiveJim]

Current setup is.

Internet comes in via the ADSL router (Asus DSL-N55something or other) which has all my PCs and the DHCP/DNS windows Server attached to it. This is network 1.

ALso plugged into the ADSL router is the WAN port of a cable router (TP Link not 100% sure of model not in the premises at present), this router handles the DHCP for network 2.

I haven't setup any NAT rules but anything connecting to network 2 has internet access without any issues.
I absolutely want to seperate these networks, that is the entire point of changing the current setup.
AFAIK neither router supports VLANs.

I'll be honest I haven't bought the switch yet and reading a few guides suggests doing this with 3 routers, using the WAN ports of 2 Cable routers to create the 2 seperated networks.

I honestly don't know the best way to handle this as I am not proficient at setting up Vlans etc.

 

[bremen1874]

At the moment network 1 is presumably only able to see itself, while network 2 can see both networks?

Adding a second (third) router would give you more separation. Unless you deliberately change something they'll effectively be isolated.

You are creating a double-NAT situation, but for straight forward internet access it probably won't cause much of an issue. If you're opening ports to allow external access it could be a pain.

If you wanted to get down to a single device DrayTek (amongst others) routers will do port based VLANs. You can configure a different subnet for each switch port and have them sharing the same connection.

 

[MassiveJim]

At the moment network 1 is presumably only able to see itself, while network 2 can see both networks?

Adding a second (third) router would give you more separation. Unless you deliberately change something they'll effectively be isolated.

You are creating a double-NAT situation, but for straight forward internet access it probably won't cause much of an issue. If you're opening ports to allow external access it could be a pain.

If you wanted to get down to a single device DrayTek (amongst others) routers will do port based VLANs. You can configure a different subnet for each switch port and have them sharing the same connection.

Yes that is correct.
does the option of using a 3rd router completely seperate the 2 networks ?
What issues might one face with double-NAT ?

Can what I want to do not be done with a standalone Vlan capable switch and no further equipment ?

 

[Caged]

You could do what you want to do with a layer 3 switch but unless there's a way to put a static route into whatever is being your NAT device then any clients on subnets that the router doesn't 'know' about won't be able to do anything.

 

[bremen1874]

Adding the third router will effectively separate the two networks. It isn't the most elegant solution, but it is simple to implement and understand (it's also really cheap to implement).

It really depends on why you're separating the two networks in the first place. Some additional context would probably help.

Given your scenario I'd replace what you have with a DrayTek 2860 and configure it to support two separate subnets. I'm sure that are better alternatives, but they are reliable and I'm familiar with the configuration.

 

[m01]

Assuming you're happy to keep the double NAT, you could just install a firewall on network 2's router that prevents traffic *to* destination IPs on network 1, other than the router's IP. You could also add one that prevents packets *from* IPs on network 1, other than the router's IP.

That should make it hard for any packets to go from network 1 devices to network 2 devices or vice-verca. The router's obviously need to be able to talk to each other for internet access to work, so that's allowed.

It's a bit simple and ugly, but effectively you're turning network 2's router into a firewall, separating the two networks.

Can what I want to do not be done with a standalone Vlan capable switch and no further equipment ?

So with a standalone VLAN-capable switch you can definitely create 2 separate VLANs that represent 2 completely separate networks. The difficulty comes from you now also wanting them to share 1 internet connection, which creates a point where packets might be able to hop from network 1 to network 2. In fact, if you have a router with 3 ports (internet, network 1, network 2), by default it would see it as its' duty to route packets between all 3 networks, so you need to actively prevent it from doing that (look into inter-VLAN routing and how to disable it). You'll find suggestions of varying complexity based on:

• IP (L3) firewalls
• L2 firewalls
• VRFs
• (Maybe) NAT

Hopefully this illustrates why there's no completely trivial plug & play answer.