Solved

Want to create completely separate networks from a single broadband line

Posted on 2008-06-14
Last Modified: 2010-04-21
I do volunteer work for a crisis intervention center and we currently have a single FIOS line that goes into the FIOS router and then is distributed through a switch to the staff workstations. Management wants me to create a completely isolated wireless network for the shelter residents without having to bring in another high speed line, but it is important that there be no way the residents can get into the other workstations or server that are currently installed, not only because they contain confidential information but also because of the danger of virus infection. The primary use of the residents' computers will be to create resumes, search the internet for housing and jobs, etc. Would it be workable to bring the FIOS line from the FIOS router to a switch and then bring two lines out of the switch--one to a wireless router for the residents and the other for the business of the center? If so, would there be any way for the residents to breach the connection?

Chuck


Question by:caaron
 
LVL 58

Expert Comment

by:tigermatt
ID: 21785619
The easiest way I can see of you achieving this is to connect 2 firewall routers from the FIOS router. The routers must be standard routers - not routers which have built-in modems. Each router would then be configured as either the router for the residents' connection (so you would run another switch specifically for that, or a wireless access point) and the other router would then have a direct uplink into the existing network switch to give the servers and workstations Internet connectivity.

Note that if you just want wireless connectivity, there would be no harm in connecting an access point to the FIOS router, then just another router behind the FIOS specifically for the main network. If you don't want the main network to communicate with the residents' network, you need two routers though.

By using separate routers, the residents' PCs cannot connect to the main network, and the main network cannot pass through the firewall to the residents' networks. Both networks are able to pass out through the main router to the Internet. This is obviously the best approach - and since all the cables are connected up differently, you can rest assured that the two networks are physically separated.

The other method to do this with would be to use a VLAN capable switch to split the network into two separate VLANs. Each VLAN would be configured so they cannot communicate to each other - you would then connect an access point to one of the VLAN ports for the residents to access, and leave all the other ports on the other VLAN for the main network. The problem here is that someone could potentially log in to the switch and change the VLAN configuration - which could cause problems since no devices are physically separated.

-tigermatt
 
LVL 1

Author Comment

by:caaron
ID: 21785711
So what you're suggesting is that the FIOS router be used as a hub for the two additional routers, if I understand correctly.  Then each router would have a different address  (the FIOS router is 192.168.1.1) such as 192.168.2.1 for one of them and 192.168.3.1 for the other.  And with that setup each series of workstations fed by one router would be isolated from the workstations fed by the other?

Chuck
 
LVL 58

Accepted Solution

by:
tigermatt earned 250 total points
ID: 21785952
Chuck,

That is exactly what I am recommending. Using that configuration, each network is physically separated and can only talk out to the Internet - not to each other.

You must ensure each router connecting to the FIOS - and the PCs behind it - is on a different subnet. I would set the private router for the servers & workstations to whatever IP subnet they currently work on. It could get a bit complicated if you try to change their IP subnet too. If they currently work on 192.168.1.0/24, set their router as 192.168.1.1/24. The other routers can then be given one of the other IPs on one of the other subnets.

-tigermatt
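
Added example, not part of the original answer: a Python check of the addressing plan discussed in this thread, confirming that each inner router's WAN address sits on the FIOS router's LAN and that no inner LAN overlaps that LAN or another inner LAN. The function name `check_plan` and the WAN addresses 192.168.1.2 and 192.168.1.3 are assumptions made for illustration; the subnets are the ones mentioned in the thread.

```python
import ipaddress

def check_plan(transit, routers):
    """transit: LAN of the upstream (FIOS) router in CIDR form.
    routers: {name: (wan_ip, lan_cidr)} for each inner firewall router.
    Returns a list of problems; an empty list means the plan is consistent."""
    problems = []
    transit_net = ipaddress.ip_network(transit)
    seen_wan, lans = {}, {}
    for name, (wan_ip, lan_cidr) in routers.items():
        wan = ipaddress.ip_address(wan_ip)
        lan = ipaddress.ip_network(lan_cidr)
        # The inner router's WAN port plugs into the FIOS router's LAN.
        if wan not in transit_net:
            problems.append(f"{name}: WAN {wan} is outside transit {transit_net}")
        if wan in seen_wan:
            problems.append(f"{name}: WAN {wan} duplicates {seen_wan[wan]}")
        seen_wan.setdefault(wan, name)
        # A router cannot route between two interfaces on the same subnet.
        if lan.overlaps(transit_net):
            problems.append(f"{name}: LAN {lan} overlaps transit {transit_net}")
        for other, other_lan in lans.items():
            if lan.overlaps(other_lan):
                problems.append(f"{name}: LAN {lan} overlaps {other} LAN {other_lan}")
        lans[name] = lan
    return problems

# Constructed plan following the thread: FIOS at 192.168.1.1, inner LANs on .2.x and .3.x.
GOOD = {
    "staff":     ("192.168.1.2", "192.168.2.0/24"),  # WAN address is an assumption
    "residents": ("192.168.1.3", "192.168.3.0/24"),  # WAN address is an assumption
}
# Constructed misconfiguration: staff LAN left on the same /24 as the FIOS router's LAN.
BAD = {
    "staff":     ("192.168.1.2", "192.168.1.0/24"),
    "residents": ("192.168.1.3", "192.168.3.0/24"),
}

if __name__ == "__main__":
    for label, plan in (("good", GOOD), ("bad", BAD)):
        issues = check_plan("192.168.1.0/24", plan)
        print(label, "->", issues or "no addressing conflicts")
```

A clean result only shows that the addressing is consistent; the isolation itself depends on each inner router's firewall refusing unsolicited traffic arriving on its WAN side.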
 
LVL 1

Author Closing Comment

by:caaron
ID: 31467195
Thanks for the quick and direct responses.
 
LVL 58

Expert Comment

by:tigermatt
ID: 21786448
You're very welcome,
Have a good day!
--tigermatt