twixt

join:2004-06-27
North Vancouver, BC

Wireless Router with multiple VLAN support

I have a client who has a home-based business where his office computers need to be securely isolated from his wife and kids' computers. He is currently connected to the internet using a Motorola SB5100 cable modem with a 100BT Ethernet port, supporting 6Mb/s cable service from Shaw Cable in Western Canada.

Because it is possible for the kids to end up sharing the wireless password with their friends (without telling their parents), I want to bulletproof that particular security hole by ensuring that even if the domestic side of the connection is compromised, the office side stays secure.

Currently, my client is running a wired router (D-Link DI-604), which he wishes to replace with a wireless router so his wife and kids can roam the house with their laptops. I have recommended that whatever router replaces the DI-604 be something where we can program the router's LAN ports so the DHCP server in the router assigns a completely separate IP address range for the office ports compared to the domestic systems. I also want to ensure that there is no permitted traffic between the domestic and office LAN segments.

There are several different ways of handling this. Support for configurable VLAN ports - where I can configure the router so some of its wired ports are for the office and some of its wired ports and the wireless connection are for the domestic side - seems to be the most practical solution. The nicest thing about this solution is it would only require a single hardware change.

Another possible solution is to buy a switch and a second domestic wireless router (e.g. D-Link DI-655). This adds the complexity of managing three devices (switch, DI-604 and DI-655) to the situation, along with the lesser reliability of having three potential device failures rather than just one. If there is an affordable and practical way to avoid this situation, I'd like to find it.

Any suggestions? Thanks in advance for any info that will aid in making an informed decision as to how to proceed.


keeska
Premium
join:2007-04-06
Sedona, AZ

A few middle-priced routers aimed at the SOHO market support VLANs. Another feature to look for is multiple SSIDs with various ways to restrict users on one SSID from accessing any other SSID (isolation). You then set up different passphrases for each SSID so only those allowed to use a given SSID have the passphrase for that SSID. VLANs can be added to multiple SSIDs for the ability to further isolate traffic.

An alternative feature on more expensive routers is the ability to assign a VLAN to a wireless user based on EAP login credentials so no need for multiple SSIDs. Of course the two (multiple SSIDs and VLAN assignment on user credentials) may be combined.

Separate DHCP pools may be set up for each VLAN, and filters between IP subnets can also be implemented.

There are many possibilities. Unfortunately home routers usually do not support these features. Routers supporting these advanced features are more expensive.

docrice

join:2008-03-31
Fremont, CA

reply to twixt
You could always go the "cheap" route by buying a used Cisco 1200 series and an old Cisco 2900XL (or newer 2950) series switch. Of course, you'll need a router that has enough routable interfaces (as opposed to assigned on a common collision domain) to handle two internal networks, or have at least L3 switching capability, but it's one way of doing it.

BTW, this is what I use at home. Slightly dated "commercial-grade" equipment at reasonable prices. You would also have to set the proper filtering / routing policies on the router as well to ensure that traffic from one inside network doesn't route to the other. You can always set up an OpenBSD or Linux box as a router and use pf / iptables to make this happen.

Once you use real equipment, you'll never look at consumer-grade equipment the same again. The downside is configuration granularity = much more complex.
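As an added example (not code posted by anyone in this thread), here is what the Linux-router approach docrice describes looks like in practice, covering keeska's points as well: one VLAN sub-interface per side with its own subnet (so each VLAN can get its own DHCP pool), and iptables forwarding rules that let both sides reach the cable modem while dropping everything between them. The interface names (eth0, eth1), VLAN IDs (10, 20) and subnets (192.168.10.0/24, 192.168.20.0/24) are assumptions chosen for illustration; the script only prints the commands unless run with `--apply` as root.

```shell
#!/bin/sh
# Added example, not from the thread: a Linux router with an office VLAN and a
# domestic VLAN, each on its own subnet, with no forwarding between them.
# Interface names, VLAN IDs and subnets are assumptions for illustration.
WAN_IF=eth0          # port facing the cable modem
LAN_IF=eth1          # trunk port to a VLAN-capable switch
OFFICE_VLAN=10
HOME_VLAN=20
OFFICE_IF="$LAN_IF.$OFFICE_VLAN"
HOME_IF="$LAN_IF.$HOME_VLAN"
OFFICE_NET=192.168.10.0/24
HOME_NET=192.168.20.0/24

# VLAN sub-interfaces and one router address per VLAN. Each VLAN therefore
# gets its own subnet, which is what lets a DHCP server hand out a separate
# pool per side.
vlan_setup_cmds() {
    cat <<EOF
ip link add link $LAN_IF name $OFFICE_IF type vlan id $OFFICE_VLAN
ip link add link $LAN_IF name $HOME_IF type vlan id $HOME_VLAN
ip addr add 192.168.10.1/24 dev $OFFICE_IF
ip addr add 192.168.20.1/24 dev $HOME_IF
ip link set $OFFICE_IF up
ip link set $HOME_IF up
sysctl -w net.ipv4.ip_forward=1
EOF
}

# Forwarding policy: default deny; the explicit cross-VLAN drops sit before the
# conntrack accept so no reply path can ever open between the two VLANs; then
# each VLAN may go out to the WAN, but only with a source address from its own
# subnet (a host on one VLAN spoofing the other subnet is dropped by policy).
isolation_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -i $OFFICE_IF -o $HOME_IF -j DROP
iptables -A FORWARD -i $HOME_IF -o $OFFICE_IF -j DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $OFFICE_IF -s $OFFICE_NET -o $WAN_IF -j ACCEPT
iptables -A FORWARD -i $HOME_IF -s $HOME_NET -o $WAN_IF -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}

# Number of rules that explicitly drop traffic between the two VLANs; a quick
# sanity check to run before applying (expected: one per direction).
cross_vlan_drop_count() {
    isolation_rules | grep -c -- "-j DROP"
}

# Apply everything (needs root). Any failing command aborts the run.
apply_all() {
    { vlan_setup_cmds; isolation_rules; } | while IFS= read -r cmd; do
        eval "$cmd" || exit 1
    done
}

if [ "${1:-}" = "--apply" ]; then
    apply_all
else
    # Dry run: print the commands for review.
    vlan_setup_cmds
    isolation_rules
fi
```

The rule order matters: if the ESTABLISHED,RELATED accept came first, any conntrack entry that somehow spanned the two VLANs would be honoured, so the directional drops go first and the default FORWARD policy stays DROP so that nothing is forwarded that is not explicitly listed.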


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS


1 edit
reply to twixt
A reasonable cheap solution is the ZyXEL NBG334W wifi router. It has a guest wifi that only has access to the internet and not the internal LAN. Be advised this is wifi only for guests; there is no wired option.

If you need a wired option I would go with the ZyXEL ZyWALL 2 Plus, for example, which has two other LAN-type zones which are firewalled apart from each other. You could attach your DI-604 to one of these zones and none of that traffic would reach your LAN or vice versa, etc.

Feel free to ask as many questions as you like.
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brynner"

LlamaWorks Equipment


SoonerAl
Old Enough To Know Better
Premium,MVM
join:2002-07-23
Norman, OK

(Screenshot: My current home network)

said by Anav:

A reasonable cheap solution is the ZyXEL NBG334W wifi router. It has a guest wifi that only has access to the internet and not the internal LAN. Be advised this is wifi only for guests; there is no wired option.

I use a NBG334W at home. IMHO it's a very nice router for the money. See the screen shot for my usage.
--
"When all else fails, read the instructions..."
MS-MVP Windows – Desktop User Experience
Friday, 04-Dec 01:52:44 | © 1999-2009 dslreports.com