Network Segregation for Privacy

3

Basically I currently have a very simple network setup. Internet from my ISP connects to a modem, the modem connects to a wireless router. All devices throughout the house connect to this router whether through a wireless or wired connection. My question is, since I have an office within my house, how can I segregate my office devices from the rest of the network? This is to prevent other devices outside the office from being able to print to the office printer and also to make sure the files stay private and inaccessible to other non-office devices. But, I also have a laptop which I'd like to wirelessly print to and access my files, but only if I'm connected to the "office" network.

Ideally, I'd like to have two routers, one for the office and the other for the rest. But, how can I ensure that both routers are unaware of each other while utilizing only one modem? Do I need something like a switch or a hub? If so, what kind of setup would I need to do through the firmware?

codemann8

Posted 2013-01-31T05:19:59.130

Reputation: 65

Answers

2

Depending on your hardware there are multiple ways of solving the problem. The easiest one works along the lines you hinted at in your email - 2 routers. I'd look at a solution as follows:

    ISP / Internet Cloud
    |
    |
   ROUTER 1
       |
       |-------- Home PC 1
       | 
       |-------- Home PC 2
       | 
       |-------- Home PC X
       |
       |-------(  Home WIFI connection for laptop(s) )
       |
     ROUTER 2
       |
       |--------  Office PC 1
       |
       |--------  Office PC 2
       |
       --(  Office WIFI connection for Laptop)


To implement this you would plug the WAN port from ROUTER 2 into a LAN port in ROUTER 1. (ROUTER 1 is your current router).

There are a few things you need to make sure of -

  1. The Network used for ROUTER 2 must be different to Network 1. (You will probably find Network 1 uses 192.168.1.x for IPs - you need to change ROUTER 2 to issue IPs in another range, for example 172.16.1.x)

  2. The ACCESS Point names for ROUTER 1 and ROUTER 2 must be different - and you probably want to use different frequencies as well. You would also want different WPA keys.

  3. ROUTER 2 is an ETHERNET and WIRELESS ROUTER (you may find ROUTER 1 is an ADSL router or Cable router, meaning the "WAN" port is not an ETHERNET PORT. That is OK)

Other bits -

  1. You won't need a switch (or a hub, which is like a switch, but obsolete technology) if you have enough "LAN" ports on each of your routers. If you have a shortage of ports on ROUTER 1 you could plug one of the LAN ports into a switch, and then feed ROUTER 2 and some of the home PCs of ROUTER 1.

  2. In this solution, the routers are both aware of each other and will play well together.

  3. This solution uses "DOUBLE NAT", which works fine (most cellphone carriers use it), but is not technically ideal. It will limit your ability to run externally accessible servers on your office network.

  4. In some cases it is possible to have both ROUTER 1 and ROUTER 2 connecting to a common router. This is a technically better way of doing things but is a more complex setup, and requires either multiple addresses from your ISP or intelligence not accessible in most "off-the-shelf" routers.

davidgo

Posted 2013-01-31T05:19:59.130

Reputation: 49 152
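As an added illustration of the layout in this answer (example code written for this page, not code from davidgo's answer or from any router firmware), the model below encodes the three constraints that matter for the privacy goal: the two LANs must use non-overlapping ranges, a host on the home LAN cannot initiate a connection into the office LAN, and exposing an office server to the Internet needs one port-forward rule on each router, with ROUTER 1's rule pointing at ROUTER 2's WAN address rather than at the server (which is why a router only offers targets in its own range). The addresses are assumptions: 203.0.113.10 as ROUTER 1's public side, 192.168.1.2 as the address ROUTER 2's WAN port receives from ROUTER 1, 192.168.1.20 for a home PC, 172.16.1.5 for an office server and 198.51.100.7 for a host on the Internet.

```python
"""Model of the two-router ("double NAT") layout from the answer above.

Added example, not code from the original post or from any router firmware.
Addresses are constructed: ROUTER 1's public side is 203.0.113.10 (TEST-NET-3),
ROUTER 2's WAN port gets 192.168.1.2 from ROUTER 1, and 172.16.1.5 is an
office server. Uses only the Python standard library."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Router:
    name: str
    lan: IPv4Network       # subnet handed out on the LAN side
    wan_ip: IPv4Address    # address on the upstream (WAN) side
    # WAN-side port -> (inside address, inside port), i.e. one port-forward rule
    forwards: Dict[int, Tuple[IPv4Address, int]] = field(default_factory=dict)


def check_subnets_disjoint(*nets) -> bool:
    """Item 1 of the answer: ROUTER 2 must use a range that does not overlap
    ROUTER 1's, or it cannot tell local hosts from upstream ones."""
    nets = [n if isinstance(n, IPv4Network) else ip_network(n) for n in nets]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}; give ROUTER 2 another range")
    return True


def plan_double_nat_forward(chain: List[Router], server, port: int):
    """Install and return the forward rules (router, WAN port, target, target
    port) that expose server:port through every router between it and the
    Internet. chain[0] is the ISP-facing router, chain[-1] the office router."""
    server = server if isinstance(server, IPv4Address) else ip_address(server)
    if server not in chain[-1].lan:
        raise ValueError(f"{server} is not on {chain[-1].name}'s LAN")
    rules, target = [], server
    # Walk outward: a router can only forward to an address it can see, so
    # ROUTER 1's rule points at ROUTER 2's WAN address, not at the server.
    for router in reversed(chain):
        router.forwards[port] = (target, port)
        rules.append((router.name, port, str(target), port))
        target = router.wan_ip
    return list(reversed(rules))


def _follow_forwards(router: Router, port: int, chain: List[Router]) -> Optional[IPv4Address]:
    """A connection hit router.wan_ip:port from outside; follow forward rules,
    hopping into any further router whose WAN address is the rule's target."""
    target = router.forwards.get(port)
    if target is None:
        return None                 # no rule: the NAT drops unsolicited traffic
    ip, inner_port = target
    nxt = next((r for r in chain if r.wan_ip == ip), None)
    return _follow_forwards(nxt, inner_port, chain) if nxt else ip


def deliver(src: str, dst: str, port: int, chain: List[Router]) -> Optional[IPv4Address]:
    """Which host finally receives a connection from src to dst:port?
    None means it is dropped. An address on no LAN counts as the Internet.
    Hairpin NAT (an inside host dialling its own router's WAN address) is not
    modelled; such a connection is treated as if it came from outside."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)

    def depth(ip):  # 0 = ROUTER 1's LAN, 1 = ROUTER 2's LAN, -1 = Internet
        return next((i for i, r in enumerate(chain) if ip in r.lan), -1)

    entry = next((r for r in chain if r.wan_ip == dst_ip), None)
    if entry is not None:
        return _follow_forwards(entry, port, chain)   # only a forward rule lets it in
    if depth(dst_ip) == -1:
        return dst_ip               # ordinary Internet address: outbound NAT passes it
    if depth(dst_ip) <= depth(src_ip):
        return dst_ip               # same LAN, or a LAN upstream of the source
    return None                     # a deeper LAN's private range is never routed upstream


def build_example() -> List[Router]:
    """Constructed topology using the ranges the answer suggests."""
    router1 = Router("ROUTER 1", ip_network("192.168.1.0/24"), ip_address("203.0.113.10"))
    router2 = Router("ROUTER 2", ip_network("172.16.1.0/24"), ip_address("192.168.1.2"))
    check_subnets_disjoint(router1.lan, router2.lan)
    return [router1, router2]


if __name__ == "__main__":
    chain = build_example()
    print("home -> office:", deliver("192.168.1.20", "172.16.1.5", 80, chain))      # None
    print("office -> home:", deliver("172.16.1.5", "192.168.1.20", 80, chain))      # 192.168.1.20
    for rule in plan_double_nat_forward(chain, "172.16.1.5", 3389):
        print("forward rule:", rule)
    print("Internet -> RDP:", deliver("198.51.100.7", "203.0.113.10", 3389, chain))  # 172.16.1.5
```

Two things the model makes visible that the diagram alone does not: the boundary is one-directional (office hosts can still open connections to home hosts, because ROUTER 2 NATs them onto the home LAN, while home hosts get nothing into 172.16.1.x), and every forward rule you add for an office service re-opens a path from the home LAN as well, since a home PC can reach the forwarded port on ROUTER 2's WAN address just as the Internet can.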

Great info! I do have a couple of concerns/additions:

#3 of the other bits is definitely a show stopper. I do have the need to access a server from the outside. Currently I have my router port-forwarding a few web services I host along with the Windows RDP port so I can remote into the server. I used to have my server as a DMZ but I realize how bad that is to expose everything.

#4, I cannot (or rather, want to avoid having to) get multiple IPs from the ISP. Would dd-wrt firmware allow for the configuration you are referring to? If so, how would you set that up? FYI, I've never used dd-wrt myself. – codemann8 – 2013-02-01T01:04:59.483

And also, the solution you are proposing, would I be able to be connected to a 192.* LAN (home network) and be able to, say, type in a 172.* IP (office network) and be able to access web services cross network like that? This is probably my biggest area of concern. – codemann8 – 2013-02-01T01:13:50.557

You can (theoretically) port forward through both routers - I'd imagine this will work OK with simple protocols like HTTP, HTTPS, but would be a nightmare for VOIP protocols and FTP. RDP should be OK to double nat, but I've never tried it. – davidgo – 2013-02-01T02:17:31.390

Using the solution I proposed you would NOT be able to go from the 192.168.* network to the 172.* network directly. (You could access the 192.168 address which you portforwarded to). If this relates to your ability to use your laptop, you would have 2 WIFI access point names, one would connect you to your office network, one to your home. It may be practical to remove the "double nat" and do routing between the 192.168.* and 172.16.* networks if you program the appropriate routes in your routers, but this does require an understanding of routing. – davidgo – 2013-02-01T02:22:53.673

I would imagine that dd-wrt would allow you to do everything you want - and conceivably even do it with just a single router, but it is not something I have done and is technically challenging. (I've only used DD-WRT once, I generally use openwrt - which can definitely do what you want - I have done it - but it is very hard if you are not good with linux - and took me many hours even with the knowledge I needed to get working) – davidgo – 2013-02-01T02:28:01.900

I'm looking at my router's config right now, and it looks like I can only port forward to the current IP range which is 192.168.*, it won't let me type in a 172.* address. Yeah, I'm a bit rusty on Linux myself, but I'm a software developer so I know a little, but networking has always been a big knowledge gap for me. I was doing more reading up on this, do you know anything about VLANs? From the sound of it, this might be what I'm looking for. – codemann8 – 2013-02-01T04:19:46.103

Let us continue this discussion in chat. – davidgo – 2013-02-01T04:25:46.583