Setting Up Two Private LANs With One Internet Connection

Discussion in 'Hardware' started by jools1976, Mar 25, 2019.

  1. jools1976

    jools1976 Sergeant

    Hello. So I want to set up 2 private LANs in my home so that if I need to have a potentially infected computer connected, it won't have access to my primary network. I currently use a cable modem, which does not have a router integrated as my internet source. As it stands now, I go from the modem, to a switch in order to split the feed, then from the switch to the WAN ports on two separate routers. The way I see it, each of the routers should provide a firewall to their respective networks, although granted they would have the same WAN IP. Everything I've read online however says that I should be using a third router instead of a switch between the two gateways and the cable modem. Can anybody give me some advice on this and maybe some of the pros and cons to each setup? Thanks.
     
  2. Replicator

    Replicator MajorGeek

    Have you entertained the idea of a subnet (a logical IP network) for testing infected machines across... as opposed to running 2 separate physical networks (LAN), which is what seems to be your current network landscape?

    Naturally, you can configure both networks to talk if you so desire, or keep them isolated!

    You may have some spare hardware leftover too!
     
    Last edited: Mar 26, 2019
  3. jools1976

    jools1976 Sergeant

    I originally had it set up that way, but by putting everything on the same subnet (whether it be using DHCP or manual assignment), how would I isolate the various machines? With the multi-router setup described above, each gateway effectively acts as a firewall? Also for actual connection, with the two routers I can have a separate router/switch along with corresponding SSID for questionable machines.
     
  4. foogoo

    foogoo Major "foogoo" Geek

    If your cable modem does not have a 'router', where do you get the IPs for the 2 routers behind it? Routers define networks, so having the setup the way you do is correct for creating two networks. They would not have the same WAN IP, could not happen and actually function. Do you have the cable modem bridging and have multiple static IPs from your provider that you have/can assign to each router? If not, then the cable modem is doing DHCP and routing for those two routers (NAT). But that would keep the infected from your LAN. Or you could use VLANs, if your router or switch can do that. If you have a DD-WRT router look at this
    There are also several wireless routers that have guest networks that keep users separate.
     
  5. Replicator

    Replicator MajorGeek

    The key is to isolate the subnet... run a LAN as normal and section the subnet from a preferred router that sits after the gateway, therefore still providing FW.

    https://imagizer.imageshack.com/img924/5617/fdGue0.jpg
     
  6. Digerati

    Digerati Major Geek Extraordinaire

    When I had my shop downstairs, I didn't want potentially infected client computers connecting to my personal home network. So the solution was simple. I just connected an inexpensive 2nd router to my primary router to create another network in the shop.

    That's what routers do, they connect (or isolate) two networks.
     
  7. jools1976

    jools1976 Sergeant

    network.png

    Thanks for the replies all. So what Replicator described is almost what I have (my network is the image directly above), with the exception of the fact that I have a switch in place of the first router. I'm pretty sure the cable modem doesn't do DHCP/NAT.... Any issues with what I have set up here?
     
  8. foogoo

    foogoo Major "foogoo" Geek

    Curious: if you go to whats my ip, what are the first digits (octet) of the IP there?
     
  9. jools1976

    jools1976 Sergeant

    Nah I just made up random IPs to illustrate the point...
     
  10. Replicator

    Replicator MajorGeek

    Nah, looks sweet ;), that's if you wish to talk between nets, as the gateway (modem) and switch outgoing IPs match the ingoing to each router... namely 216.188.165/24.
    This is essential for communication between subnets.

    To effectively isolate nets so you don't have to worry about infiltration across LAN, simply static the router of that net so its IP is not within octet range of the other.
    DHCP can then effectively serve to all devices connected from there.
     
    Last edited: Mar 27, 2019
  11. jools1976

    jools1976 Sergeant

    So what's gained by replacing the switch in my diagram with a router? If my modem is already executing DHCP, what purpose does the third router serve?
     
  12. risk_reversal

    risk_reversal MajorGeek

    I'd love to know the answer to that question also.
     
  13. Replicator

    Replicator MajorGeek

    Well for your situation, nothing really.

    A third router (to replace the switch) would only be useful for a larger network topology whereas you wish to, let's say, expand your subnet reach to cater for future expansion (i.e. a growing company gaining more dept areas as it grows).

    Let's call your existing routers 1 and 2... replacing the switch with router 3 would allow devices to be connected between router 3 and either 1 or 2 (or both), thus creating more dept subnets so to speak.
    Not much use for your goals however!
    :)
     
  14. jools1976

    jools1976 Sergeant

    Ok perfect. Thanks Replicator. So on a side note, how does my IP logic look in my network diagram above? At first I'd assumed that the router couldn't run DHCP, and the switch would just split the feed giving each of the routers the same outward (WAN) IP (my public IP), but foogoo mentioned that wasn't possible. When I enter my public IP into a browser address bar however, which I got by using a third party website, it brings up the router's setup page, not the modem. This makes me think that the WAN IP of the router is the same as the cable modem, and it's not actually running DHCP (which supports my IP theory in the diagram above).
     
  15. Replicator

    Replicator MajorGeek

    On thinking about this, foogoo has a point... running your switch between the modem and routers is not actually achieving anything.
    If you put your switch behind your modem, all devices connected to it will receive a public IP from your ISP.
    Depending on what your ISP allows with public IP??
    Some only allow you to have a single public IP per connection, in such a case only a single device will be able to access the Internet, all other devices will just fail to authenticate with the ISP's server.

    I'm not sure what your ISP allows, but rather than your current setup, you should run any switches (gigabyte) behind the routers themselves, so a better configuration would be:
    Modem > Router > Switch/AP > Client Computers.
    This way all devices connected to either the switch or the router can access the internet simultaneously!

    https://imagizer.imageshack.com/img924/4989/6qBwb9.png

    Everything of course depends on your ISP's allocations.
     
  16. jools1976

    jools1976 Sergeant

    The issue there is that there’s no isolation between client computers. The way I see it you need the routers to firewall each network. If I have the switch after the router, they’re all on the same subnet.
     
  17. foogoo

    foogoo Major "foogoo" Geek

    Ok, maybe your ISP has bridged the modem, then both routers behind your switch get IPs from the ISP - cannot have the same IPs. If you plug in to one router and get your public IP and then the other and it is the same public IP? The other disturbing thing is the web interface is accessible to the outside world.
    Again, all this doesn't matter; the layout you have does create separate networks, the rest of this is just talk.
    Think of IPs as addresses to your house, if you and your neighbor have the same address, who would get the mail??
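
The checks the replies above keep returning to (is the modem bridging or doing NAT, do the two routers hold different WAN addresses, are the two LANs really separate), written out as an added example that is not part of the thread. Router names and all addresses are constructed; 203.0.113.0/24 is a documentation range standing in for ISP-assigned addresses.

```python
import ipaddress
from itertools import combinations

# RFC 1918 private ranges plus RFC 6598 carrier-grade NAT space.
NATTED = [ipaddress.ip_network(n) for n in
          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def assess(routers):
    """routers: {name: (wan_interface_cidr, lan_cidr)} -> list of finding tuples."""
    parsed = {name: (ipaddress.ip_interface(wan), ipaddress.ip_network(lan))
              for name, (wan, lan) in routers.items()}
    findings = []
    for name, (wan, _lan) in parsed.items():
        # A private WAN address means some upstream box hands out leases and NATs.
        if any(wan.ip in net for net in NATTED):
            findings.append(("upstream-nat", name))
    for (a, (wan_a, lan_a)), (b, (wan_b, lan_b)) in combinations(parsed.items(), 2):
        if wan_a.ip == wan_b.ip:
            # Two devices on one segment cannot both work with the same address.
            findings.append(("duplicate-wan", a, b))
        if lan_a.overlaps(lan_b):
            findings.append(("lan-overlap", a, b))
        for inner, outer, wan, lan in ((a, b, wan_a, lan_b), (b, a, wan_b, lan_a)):
            # Cascaded routers: the inner router's WAN port is a host on the
            # outer LAN, so machines behind it can open connections to that
            # LAN unless the inner router is configured to filter them.
            if wan.ip in lan:
                findings.append(("reaches-lan", inner, outer))
    return findings

# Constructed sample: modem -> switch -> two routers, each with its own ISP lease.
SIDE_BY_SIDE = {"main": ("203.0.113.10/24", "192.168.1.0/24"),
                "quarantine": ("203.0.113.11/24", "192.168.2.0/24")}
# Constructed sample: second router plugged into a LAN port of the first.
CASCADED = {"main": ("203.0.113.10/24", "192.168.1.0/24"),
            "shop": ("192.168.1.50/24", "192.168.2.0/24")}

if __name__ == "__main__":
    for label, topo in (("side by side", SIDE_BY_SIDE), ("cascaded", CASCADED)):
        print(label, assess(topo))
```

In the cascaded layout the `reaches-lan` finding shows that isolation runs one way only: the inner network is hidden from the outer one, so untrusted machines belong on the outer side or behind a router that blocks traffic to the other LAN.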
     
  18. jools1976

    jools1976 Sergeant

    The web interface isn't accessible to the outside world though, I accessed it from a computer on its own network (behind the router), but I wondered about it because it can be accessed by the default gateway address (192.168.1.1) and also the modem public IP. Back to the overall address issue, a switch doesn't assign an IP, it would just split the connection coming from the modem, so unless the modem is running DHCP how would I end up with 2 different IPs?
     
