Solved

Two Separate networks on one internet connection without a VLAN

Posted on 2014-12-28
Last Modified: 2015-01-15
I have a network that has a Point of Sale system, all hard wired, and we would like to install a Wi-Fi access point for testing products that come into the store. The ISP is Comcast (irrelevant), but we would like to keep them separate without having to go through a VLAN setup, so that in the case that an infected device comes in and is tested on the Wi-Fi, it will not infect the hard-wired network. Comcast has issues with VLANs; I have set a few up for a few clients and their router is always an issue. We are going to use an Aruba access point, which has security in it. I was looking for a cost-effective way to split the network. Thanks
Question by:georgopanos
12 Comments
 
LVL 5

Expert Comment

by:Sean Jackson
ID: 40520686
Why are you so averse to having separate VLANs? That would do exactly what you're looking for. Have the ISP signal come in to their box, then go to your own wireless router that also has wired ports. Configure that to have two networks, e.g. 10.10.x.x and 10.20.x.x. Use 10.10.x.x for either wireless or wired, and 10.20.x.x for the other. You can achieve what you're looking for pretty cheaply.

I would also recommend additional security in the form of a firewall between the ISP and the router, and maybe another one or two on the other side of the router (between it and the other connection points). I would use a server running some VMs and an instance of pfSense or something else that won't drive your budget up. I say this because it sounds like you're a small shop and likely don't have tens of thousands to throw at it.
 

Author Comment

by:georgopanos
ID: 40520688
I am not opposed to the VLAN setup. The reason is that I have set up 2 VLANs using Comcast as the ISP and their hardware with a Netgear switch, and it has been nothing but problems since the original setup. If something funny happens with the Comcast router and it's rebooted, the Netgear switch cannot get out to the Internet and the switch needs rebooting. It has been a pain. That is why I was hoping for an alternate solution.
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 40520691
Here's a diagram that you might use for this purpose.
Wired or wireless makes no difference really......
Multiple-Subnets.pdf
 
LVL 10

Accepted Solution

by:
schaps earned 500 total points
ID: 40520722
If you haven't checked your Aruba documentation yet, most Aruba stuff supports creation of a "guest" wireless network in addition to the main wireless network(s), and the access point can block LAN access for the guest network.
Since this test network is just needed wirelessly, not wired, there is no need for VLANs anyway. The simple guest network functionality provided by much SOHO wireless equipment these days is all you need.
 

Author Comment

by:georgopanos
ID: 40520746
Well, will the Aruba guest network be able to block traffic to the wired network? That is what my worry is.
 
LVL 10

Expert Comment

by:schaps
ID: 40520756
Without more details on what exact equipment you have, I can't say. However, I can say that the implied meaning of a "guest wireless network" is a wireless network which allows guests access to the Internet only, no access to anything on the main network, whether wired or wireless. You can often additionally restrict whether two devices on the Guest wireless network can even interact with each other.
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 40520930
What concerns me just a little is that you say "Aruba Access Point" and we don't know what that is more specifically.
Here's the situation:
- Some "access points" are just routers with a WAN and LAN set of connections.
- Other "Access Points" are not routers entirely and only connect to a single LAN.  There's no NAT and no WAN connection.

The diagram I sent you suggests using a router-type device to separate the individual LANs.
So, if the Aruba you have in mind has a WAN connection then you will be on the right path.
Did the diagram help?
 
LVL 10

Expert Comment

by:schaps
ID: 40520968
Aruba makes mostly access points. I am assuming the OP has Comcast Business Class with a gateway/cable modem, since this appears to be a place of business.
 

Author Comment

by:georgopanos
ID: 40528697
The Aruba access point is using the Comcast router as its DHCP server. I agree that the Aruba should be able to handle control of preventing crossover to the wired network. I also spoke to the tech support from Aruba and they said that they think the same thing, but the tech guy said he would prefer the setup of a VLAN also. I have done training with Aruba and the security is really good in the access point, but I am trying to be as preventative as possible without setting up a VLAN and having problems with the Comcast router.
 
LVL 10

Expert Comment

by:schaps
ID: 40529825
"...the tech guy said he would prefer the setup of a VLAN..."
I would agree, but that adds a lot of complexity if the access point could segment the traffic without needing VLANs. The Comcast Business Class cable gateways I've seen have basic routing and firewall capability, but don't do VLANs. If you're not sure whether the Aruba AP can do what you need, please share the model #, and we can look it up for you.
If it cannot, additional equipment will be needed, as has been mentioned. If you end up doing that, I'd go with a small business Sonicwall, Watchguard or similar to create the separate network.
 

Author Comment

by:georgopanos
ID: 40530646
Aruba AP 205
 

Author Closing Comment

by:georgopanos
ID: 40551225
Spoke to the Aruba TAC department and they said the same thing: that their guest network was made for security, such as a VLAN!
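
The thread settles on the access point's guest network blocking access to the wired LAN; one way to confirm that is to probe from a device joined to the guest SSID. This is an added example, not part of any post above: the subnet, host addresses, ports and `example.com` are constructed assumptions, and the same-subnet note reflects the author's comment that the AP uses the Comcast router as its DHCP server.

```python
import ipaddress
import socket

def tcp_probe(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit_isolation(client_ip, lan_cidr, lan_targets, internet_targets, probe=tcp_probe):
    """Run from a device on the guest Wi-Fi; returns (verdict, findings)."""
    findings = []
    lan = ipaddress.ip_network(lan_cidr)
    # A guest address inside the wired subnet means no router sits between
    # the two networks; separation then rests on the AP's filtering alone.
    if ipaddress.ip_address(client_ip) in lan:
        findings.append(f"NOTE guest client {client_ip} is inside wired subnet {lan}")
    # Probe only ports known to be open from the wired side: a closed port
    # fails the connection too and would look the same as a blocked one.
    leaks = [(h, p) for h, p in lan_targets if probe(h, p)]
    for host, port in leaks:
        findings.append(f"LEAK wired host reachable from guest: {host}:{port}")
    # If nothing outside answers either, the device may simply be offline,
    # so "LAN unreachable" proves nothing about isolation.
    internet_ok = any(probe(h, p) for h, p in internet_targets)
    if not internet_ok:
        findings.append("WARN no Internet target reachable; result is inconclusive")
    if leaks:
        verdict = "FAIL"
    elif not internet_ok:
        verdict = "INCONCLUSIVE"
    else:
        verdict = "PASS"
    return verdict, findings

# Constructed sample values (assumptions, not taken from the thread).
LAN_CIDR = "192.168.10.0/24"
LAN_TARGETS = [("192.168.10.20", 445), ("192.168.10.21", 3389)]  # POS terminal, back office
INTERNET_TARGETS = [("example.com", 443)]

if __name__ == "__main__":
    verdict, findings = audit_isolation("192.168.10.57", LAN_CIDR,
                                        LAN_TARGETS, INTERNET_TARGETS)
    print(verdict)
    for line in findings:
        print(" ", line)
```

Repeat the run after any reboot or firmware change on the gateway or access point, since that is when the author reports the earlier VLAN setups misbehaving.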