
Preface: I'm not a network or systems administrator. I have a little bit of networking experience, but it's limited to basic router configuration like port forwarding, setting alternate DNS servers, range extending, etc. I kind of understand the more complex things like VLANs and subnet masks, but not very well.

Our current setup:

We have about 8 computers and 1 printer connected via Ethernet to a fairly old switch, which is then connected to a Cisco WRVS4400n wireless router. We also have about 5 computers connected wirelessly to the router.

The problem is that we have two types of people in the office, employees and guests. Both of them need access to the Internet and the printer, but the two should not be able to communicate with each other, and we have services running on my dev computer that we definitely don't want guests to be able to access.

I started by creating two SSIDs, private and public, and enabled wireless isolation between them, so employees on the private network cannot communicate with guests on the public network. That is perfect, except that they can both see and communicate with all the wired computers connected via Ethernet.

I did a bit of research, and it looks like VLANs are the way to go. So I created 3 VLANs:

  • VLAN 1 = private
  • VLAN 2 = public
  • VLAN 3 = printer

I then assigned the private SSID to VLAN 1 and the public SSID to VLAN 2, which appears to work so far.

What I can't figure out how to do is put the printer on VLAN 3 and make VLAN 3 communicate with VLAN 1 and VLAN 2. I'm sure it has something to do with subnet masks, but I'm not quite sure how to use them, and the several hours of fiddling I did got me nowhere. Any help would be much appreciated, thanks!

Brandon Weiss

3 Answers


Buy a second printer for the visitors - seriously.

If you want to do this 'in network' properly (i.e. safely) you'll need a router or layer-3 switch - either is too complex, and probably too expensive, compared to buying a second printer.

Chopper3

  • Hah, I hadn't even thought of that. As much as I'd rather not buy another printer, I love when the answer is so unobviously simple. Thanks for your help! – Brandon Weiss Jan 14 '10 at 00:44
  • Could it be done with a VLAN-aware L2 switch so that a physical port could be mapped to a single VLAN, and have a router-on-a-stick to trunk VLANs 1 and 2 onto 3? – Tom O'Connor Jan 14 '10 at 00:48

The printer would have to understand VLANs to be on a trunk port. Good luck with that.

Or you could put a router there that handled moving the bits around between the VLANs. I do this at home for instance, and at work.

Or you could spend a few bucks and buy another printer. I'd personally not feel comfortable letting private documents sit on a printer the public uses or has access to anyway, so move the private one into a private area and put a cheap laser printer for public use.

Michael Graff

The canonical solution for this is to assign 3 IP subnets, one to each VLAN, and use a router on a stick (a router which simply connects to a VLAN trunk port using only one physical NIC, has an IP on each VLAN subnet, and routes between them). The router should support enough firewall functionality to filter traffic between VLANs 1 and 2. All the traffic to the printer would then be routed through the router on a stick. The WAP+router might have enough functionality to emulate the router on a stick so a physical one isn't necessary (especially if it is running DD-WRT).

From a security standpoint, this can be compromised if someone can put a NAT router on VLAN 3 which routes between VLANs 1 and 2, by compromising the printer or something. If this is a concern or the VLAN solution proves too difficult, don't share the printer and use separate ones.

Falcon Momot
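The router-on-a-stick layout that Tom O'Connor's comment and Falcon Momot's answer describe, worked through as an added example that is not from this thread or from any of the posters: a Linux box with one NIC on a trunk port, an 802.1Q subinterface and a /24 per VLAN, and a forward-chain firewall that lets VLAN 1 and VLAN 2 reach the printer on VLAN 3 while keeping 1 and 2 apart. Everything here is an assumption of the example rather than a fact from the page: the trunk NIC `eth0`, the uplink `eth1`, the subnets `10.1.0.0/24`, `10.2.0.0/24`, `10.3.0.0/24`, and nftables as the firewall. The functions only print the commands and the ruleset so they can be reviewed before anything is applied; nothing is executed.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints a "router on a stick"
# configuration for the three-VLAN office in the question. Assumed names:
# eth0 = trunk NIC, eth1 = Internet uplink, 10.N.0.0/24 = subnet of VLAN N.

TRUNK=eth0
UPLINK=eth1

# VLAN id -> subnet (assumed addressing plan). The router takes .1 in each.
subnet_for() {
    case "$1" in
        1) echo 10.1.0.0/24 ;;   # private
        2) echo 10.2.0.0/24 ;;   # public
        3) echo 10.3.0.0/24 ;;   # printer
        *) return 1 ;;
    esac
}

# Commands that create the tagged subinterfaces on the trunk NIC.
# On the switch, the router's port is a trunk carrying VLANs 1-3; the
# printer's port is an access port (untagged, VLAN 3), so the printer
# itself needs no VLAN support at all.
vlan_interfaces() {
    for id in 1 2 3; do
        net=$(subnet_for "$id")
        gw="${net%.0/24}.1/24"                 # 10.N.0.1/24
        echo "ip link add link $TRUNK name $TRUNK.$id type vlan id $id"
        echo "ip addr add $gw dev $TRUNK.$id"
        echo "ip link set $TRUNK.$id up"
    done
    echo "sysctl -w net.ipv4.ip_forward=1"
}

# Policy for traffic the router forwards between VLANs: prints accept/drop.
# 1 -> 3 and 2 -> 3 are the only cross-VLAN flows that may be initiated;
# 1 and 2 never meet, and VLAN 3 cannot start connections into 1 or 2, so
# a device planted on the printer VLAN gains no route into the private LAN.
vlan_policy() {
    case "$1-$2" in
        1-3|2-3) echo accept ;;
        *) echo drop ;;
    esac
}

# nftables ruleset implementing vlan_policy. Replies to print jobs come back
# via the conntrack rule; everything else that crosses VLANs is logged and
# dropped, which is also how an unexpected VLAN-3 -> VLAN-1 attempt shows up.
nft_ruleset() {
    cat <<EOF
table inet vlanfw {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "$TRUNK.1" oifname "$TRUNK.3" accept
        iifname "$TRUNK.2" oifname "$TRUNK.3" accept
        iifname { "$TRUNK.1", "$TRUNK.2" } oifname "$UPLINK" accept
        log prefix "vlanfw-drop " drop
    }
}
EOF
}

# Usage: sh vlan-router.sh show   (prints the commands and the ruleset)
if [ "${1:-}" = show ]; then
    vlan_interfaces
    nft_ruleset
fi
```

The policy is intentionally one-directional: the printer VLAN is a destination only, which is what makes Falcon Momot's caveat visible rather than silent. A NAT box hung off VLAN 3 would have to initiate connections into VLAN 1 or 2, and every such attempt lands on the logging drop rule. Intra-VLAN traffic never reaches this chain because it is switched, not routed, so the wired private machines stay reachable from the private SSID exactly as before.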