Isolate/separate wireless users from hard wired users

I have a switch that supports vlan and a wireless router/dsl modem all in one.  I am hoping with the existing equipment I have to setup so the wireless users can be isolated and separated from the wired users
Who is Participating?
What make and model / type of VLAN supporting switch are you using?
If it is a Layer 3 switch with ACL capabilities, you may have some options.

If your switch supports Layer 2 ACLs with MAC addresses,  there is a possibility you
could plug the router into a wired port on the switch, And use a Layer 2 ACL to block
all trafic coming in on that port, except from the router's MAC address.

Unless the switch is Layer 3, or you have another Layer 3 device,  your  isolation options are extremely
limited.  You could only do it in your current scenario,  if your Router/DSL Modem in one is capable of it.
Some are, most are not.

The right way to do this is with a full blown Firewall that supports a DMZ and/or multiple networks,
OR with a full Layer 3 switches.

Or an enterprise router with support for more than 2 Ethernet ports  on different networks.

An additional low-end  (LAN/WAN) router could do something for isolation -- with some caveats.

If you don't have a router that supports more than two networks,  that would mean  one of the networks will need to be routed THROUGH the other network.

(Which means,  they'll be isolated to an extent,  but a node on one network might be able to sniff traffic from the other, by using ARP poisoning)

I'm afraid you need extra equipment. But first:

- may the wired users connect to the wireless users
- may the wireless users connect to the wireless users
- or is either communication forbidden?

To answer this question, I'm assuming the following:

- Your DSL-Modem-Router has one public IP address, contains NAT functionality to one (and only one) private IP range. This is the network that is connected to both the wired connections and the wireless antenna.

In a simple scenario, you aquire another LAN-LAN NAT-router (i.e. a router with a ethernet connection as WAN port, not DSL), and connect the WAN port of this second router to the DSL-router, LAN to the switch. VLAN configuration not nessesary.

This way, wireless users cannot access the wires users. The other way round, connection is possible, but broadcast traffic is of cause blocked.

If you need protection both way's, you should disable the WLAN antenna on the router, and in addition to solution 1), get another LAN-LAN NAT-router (nr 3), preferably with WLAN, otherwise you need a separate Wireless Access Point, to connect to the LAN side of router 3.

This way communication is blocked in both way's.

Thomas Roes
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.