First off: If you are under legal obligations to provide traffic separation, always get someone with the authority to do so to sign off on any plan as within the legal requirements before you begin implementing it. Depending on the specific legal requirements, it just might be that you will have to provide physically separate networks with no common trust point.
That said, I think you basically have three options: 802.1Q VLANs (better) and multiple layers of NAT (worse) and physically separate networks (most secure, but also complicated and likely most expensive due to physical rewiring).
I'm assuming here that everything that is already wired up is Ethernet. One part of the overall Ethernet standard is what is known as IEEE 802.1Q, which describes how to establish distinct link-layer LANs on the same physical link. This is known as VLANs or virtual LANs (note: WLAN is completely unrelated and in this context normally stands for Wireless LAN and very often refers to one of the IEEE 802.11 variants). You can then use a higher-end switch (the cheap stuff that you can buy for home use generally doesn't have this feature; you want to look for a managed switch, ideally one that specifically advertises 802.1Q support, though be prepared to pay a premium for the feature) configured to segregate each VLAN to a set of (possibly just one) port(s). On each VLAN, then, common consumer switches (or NAT gateways with an Ethernet uplink port, if desired) can be used to further distribute traffic within the office unit.
The upside of VLANs, compared to multiple layers of NAT, is that it's completely independent of the type of traffic on the wires. With NAT, you are stuck with IPv4 and maybe IPv6 if you are lucky, and also have to contend with all the traditional headaches of NAT because NAT breaks end-to-end connectivity (the simple fact that you can get a directory listing from an FTP server through NAT is a testimony to the ingenuity of some of the people who work with that stuff, but even those workarounds usually assume that there is only one NAT along the connection route); with VLANs, because it uses an addition to the Ethernet frame, literally anything that can be transferred over Ethernet can be transferred over VLAN Ethernet and end-to-end connectivity is preserved, so as far as IP is concerned, nothing has changed except the set of nodes that are reachable on the local network segment. The standard allows for up to 4,094 (2^12 - 2) VLANs on a single physical link, but specific equipment may have lower limits.
Hence my suggestion:
- Check to see if the master equipment (what's in that big rack of switches in the network room) supports 802.1Q. If it does, then find out how to configure it, and set it up correctly. I would recommend starting out by doing a factory reset, but make sure you don't lose any important configuration by doing so. Be certain to properly advise anyone who relies on that connectivity that there are going to be service disruptions while you do this.
- If the master equipment doesn't support 802.1Q, find some that does and meets your needs in terms of number of VLANs, number of ports, and so on, and buy it. Then find out how to configure it, and set it up correctly. This does have the bonus that you could keep it separate while setting things up, reducing downtime for any existing users (you would set it up first, then remove the old equipment and hook up the new, so the downtime would be limited to basically how long you need to unplug and re-plug everything).
- Have each office unit use a switch, or a home or small business "router" (NAT gateway) with an Ethernet uplink port, to further distribute network connectivity among their own systems.
When you configure the switches, absolutely do make sure to limit each VLAN to its own set of ports, and make sure all of those ports go only to a single office unit. Otherwise, the VLANs will be little more than courtesy "do not disturb" signs.
Because the only traffic that reaches each unit's Ethernet outlets would be their own (thanks to your configuring separate, segregated VLANs), this should provide adequate separation without requiring you to rewire everything as truly physically separate networks.
Also, especially if you implement VLANs or end up rewiring everything, do take the opportunity to correctly tag all cables with unit and port numbers! It will take some extra time, but will be more than worth it going forward, especially if there is any kind of network problem in the future. Check out "I've inherited a rat's nest of cabling. What now?" on Server Fault for some helpful hints.
First questions to ask yourself: How badly do we need Internet access? Will the firm die if BT's home router dies? If it is essential then rent your own non-home-consumer line. Preferably from a different ISP than the one already in the office so you can use that as emergency backup.
Second consideration: Who has access to the cabinet full of switches? What model/capabilities are they (nice to know before you start to work on a solution)? Are they managed switches? Firmware up to date?
Third is probably time to figure out which cables are wired to your rooms. – Hennes – 2016-07-17T12:16:19.947
When you have those answers, read up on VLANs (for wired). Also consider not allowing internet access to anything but a mail server and proxy all other devices behind it. (That is a server as firewall, logically behind that a mail server, and logically behind that a proxy and fileserver.) And think about backups. One of the worst starts would be if people stored information on their laptops instead of on a network drive. – Hennes – 2016-07-17T12:17:28.820
What access do you have to the equipment? Do you have permission to log into the "home router/modem combo"? What is the source of the site's Internet access? (I'm guessing DSL from BT. Just a guess. The answer is not Wi-Fi.) If you want to "protect" your network from other networks on site, the typical device to "protect" a network is a firewall. That said, many routers provide internal "firewall"-type capabilities (presumably less specialized/designed for the task than a dedicated firewall device). Some of Cisco's pro equipment can have a high learning curve. – TOOGAM – 2016-07-17T12:20:16.167
Officially I have no access, though I'm certain that could be negotiated so I'll see to that tomorrow. Just looking for some ideas as to what might be possible with the equipment that is in place already. The source appears to be a regular business DSL line, which I'm aware is not 'WiFi' (I'm no networks veteran but I'm not that inept, don't worry). VLANs look interesting, I'll look into them further certainly. I'm just struggling to put together some of the networking concepts with the real world setup. – Hexodus – 2016-07-17T12:47:00.897
@TOOGAM I wouldn't expect the average computer user to understand some of the things in my Cisco small business "router" without guidance. Let alone be able to configure Cisco's IOS-based network equipment. Agree with you thus far. But I really don't think that's unique to Cisco; specialist equipment often does have a steep learning curve. Heck, you could set the average computer user in front of the average oscilloscope and proceed to watch the fireworks. I'm not sure how many above average computer users would know how to use an oscilloscope, even. – a CVn – 2016-07-17T18:26:34.507