Networking

Wireless/Wired Router Solutions for 2 Networks?

DaveTheBrave asks: "I'm currently running a home based business on an el cheapo Netgear wireless router off a broadband cable modem connection. I'm looking to upgrade to something better with more flexibility. My in-laws recently sold their home and will be moving into my home temporarily while they are building another. They have a home based business and my mother-in-law is also notorious for attracting viruses, adware and other nasty stuff on her PC (which I have to routinely clean - hence my need for a better network solution). What is the best/easiest solution to segment and keep separate my network from theirs (both wired and wireless) off of one incoming cable modem? I'm looking for something around or less than $500."

  • Depending on how long it takes for the in-laws' new home to be built, perhaps just getting a second cable modem would be the solution. Where I live a year's worth of broadband would be about $450.
    • this is definitely the quickest easiest most secure solution.

      i did exactly this for a while on time warner cable. they only charged us another $22 a month for the extra cable modem rather than charging us for 2 full internet packages.
  • by grub ( 11606 )

    One cheap PC. Three NICs: one to cable modem, one to each of the two subnets you want. Install OpenBSD, config, voila...
    • I was thinking along the same lines, but using a dedicated distro like http://www.clarckconnect.com/ [clarckconnect.com]

      One cable modem, two subnets, no routing between them...

      Clarkconnect comes free, with a range of possible upgrades like auto snort updates, security checking, and auto updates for the registered version.

      Advantages : webpages configuration with quite a good help and easy set-up...

      You can implement Mailscanner+SpamAssassin on the cheap.

      The "intrusion prevention" updates part comes with a (small) price, and allt
      • http://www.clarkconnect.com/ [clarkconnect.com]
        This one works...

        When I see what I can do when sober, I'm thinking I could start hitting the bottle and at least enjoy my errors 8p

        "Use the Preview Button! Check those URLs!"
        Sorry again
      • yea, ok, but which HOWTO are you going to suggest to get the wired network going? how about setting up iptables? what if that distro doesn't support the wireless card? which HOWTO to install that driver?

        i don't buy this "OpenBSD is hard" thing people claim. it is incredibly easy to install, and, unless you can't read or are incredibly dense, even easier to configure. anything man pages (yes, it has man pages, and they are far superior to any man page any linux distro has) miss are summed up in an excelle
        • Well, I gave this distro as example for a few reasons, such as :

          1/ I'm using it right now

          2/ It supports wireless cards, SMP, e1000 Intel Gigabit Ethernet, etc with no or little fuss, just browse the website for a list of compatible, tested and supported hardware

          3/ I know it is a well made interface, with good autodiscovery, and clear help (not always inline, but always well made)

          4/ IPTABLES ? everything is closed by default, and you have a nice, clear and easy interface to open just the ports you want and do
      • Smoothwall is a great router/firewall/DHCP server distro. The ISO is 32MB, and it is very simple to set up and run. I used it for 1.5 years or so until I moved back in July. I'm not using it now, because I don't really have room for the PC. I'll start running it again when I move to my next house.

        smoothwall.org

        Later,
        -Slashdot Junky
    • you may want to look into a soekris net4501 [soekris.com] for the pc. it comes with everything but the "hard drive" (in quotes because it's a cf card)
  • by Jhon ( 241832 ) * on Tuesday November 22, 2005 @07:36PM (#14096269) Homepage Journal
    would be to hook up two more routers to the current router -- pointing the two NEW routers to the OLD router as their WAN "gateway". Then on the LAN side of the two NEW routers, make each a separate network segment (i.e., 10.0.0.0/24 and 10.0.1.0/24 or something).

    Wireless-wired routers are pretty cheap. You should be able to do it for under $200. Not "elegant", but do-able.
    • You only need to add one router, hook the "dangerous" machines to the existing router, then use the new router to isolate your personal network from both the in-laws and the internet. Install the new router WAN port to one of the LAN ports from the existing router, use DHCP on the new router WAN port and make sure the two routers use different subnets.
      • Very true. I was trying to meek ANY traffic mingling, though... On the segment between the "new" router and the "old" router, traffic would mingle -- and if there's some funky broadcast virus on the INSIDE of the "new" segment, it may cause problems on the "old" segment.

        Two routers would keep the traffic from either LAN from EVER mingling. Well, unless someone is spoofing packets... and if that's happening, you've got far worse problems.
        • Uh- why not just pay for a 2nd IP address from the company, put a switch between the routers and your modem, and hook the routers up in parallel instead of daisy chaining them?
          • The question appeared to be asked in such a way as to keep the overall costs down. I'm not sure about how much his cable company would charge for a 2nd IP -- if it's a one time fee or an increased monthly cost. If it's the latter, then a monthly expense would quickly eat away at his "$500" limit.

            Also the "solution" requested appeared to be a "temporary" solution:

            in-laws recently sold their home and will be moving into my home temporarily while they are building another.

            Why pay for the expense of anothe

        • On the segment between the "new" router and the "old" router, traffic would mingle -- and if there's some funky broadcast virus on the INSIDE of the "new" segment, it may cause problems on the "old" segment.

          Then do it the other way around. Hook up the safe computers to the inner router, and the unsafe computers to the outer router. The outer router is the WAN of the inner one, and if it launches attacks it's the same as if the open Internet launched attacks against your single router now.
          • I'm of the opinion that ANY PC with internet access isn't a "safe" computer. If these are two "businesses", home or otherwise, I'd feel safer if both were on their own separate segments. But that's me and it probably *IS* overkill. But Linksys wireless routers are pretty cheap now... Why take any chances?
            • Linksys wireless routers are pretty cheap now...

              Maybe it's just me, but I wouldn't run any business data over wireless links unless I really really had to.
              Of course there's always encryption, but if you're setting up home office, just wire it with ethernet,
              one day job, more secure solution with better performance.
      • My problem with this is the danger still lies in between a protected network and the internet, you can do all types of malicious tricks (ettercap) and redirect any traffic if you manage to take control over a machine on the middle network.
    • Assuming that you want two separate networks with no routing between them, pick up a Cisco 2900 series switch (under $200 on Ebay). Use VLANs to keep the networks separate, with a trunk port connected to the router. If you need to talk between the VLAN, you can route between them with access lists limiting what is and what isn't allowed.

      • Yes, this is a good solution... But the configuration involved isn't anywhere near as simple as dropping in another router or two. Or the potential trouble of dealing with a flakey Ebay seller or some crazy whacked out 'bidding war'.

        We're talking a temporary solution. Why make it complicated?
  • Linksys WRT54G (Score:2, Insightful)

    by codehead ( 14804 )
    You can get two Linksys WRT54Gs for about US$120. Configure one as a router and keep your in-laws in the wireless segment. Configure the other one as a bridge to be your firewalled network zone. If absolutely necessary, you can give them access to the wired segment in the outmost router and still keep them out of the innermost, trusted network.
    If you have some spare time reflash the WRTs with OpenWRT for extra flexibility. While you're at it, you might want to score a few extra points with your in-laws by mi
    • This is pretty much what I've done with my network, except I used Sveasoft: http://www.sveasoft.com/ [sveasoft.com].

      I currently have 2 Linksys WRTs attached at the hip (wirelessly) as well as a Linksys B (the newest firmware for B's supports lazy WDS). The G's perform flawlessly, but the B has its days. I can separate everything on their own Subnets, choose NAT paths, etc...

      I think between something like this and adding a firewall package like ZoneAlarm, that should keep the in-law out.

      Either that or update her privili
  • This thing's a pretty versatile device for under $100. Load OpenWRT [openwrt.org] on it and you'll have a capable Linux machine/distro suitable for small-network routing and firewalling with iptables, vconfig and brcfg. The ,a href="http://wiki.openwrt.org/OpenWrtDocs/Configur ation#EthernetSwitch">built-in Ethernet switch is 802.1q VLAN capable and configurable at the per-port level, so you can split the network in two and still have the 'router' connected to both and handling Internet traffic with some modifications
    • And because I'm dumb and don't preview, here's the fixed link....

      This thing's a pretty versatile device for under $100. Load OpenWRT [openwrt.org] on it and you'll have a capable Linux machine/distro suitable for small-network routing and firewalling with iptables, vconfig and brcfg. The built-in Ethernet switch [openwrt.org] is 802.1q VLAN capable and configurable at the per-port level, so you can split the network in two and still have the 'router' connected to both and handling Internet traffic with some modifications to the startu
  • ...Cisco PIX501 :)

    Switch to firefox/thunderbird. Put ms anti-spyware beta on desktop and norton or some other av program, spybot and turn on teatimer.

    Should make her relatively safe.
  • One more router. (Score:3, Interesting)

    by CyberVenom ( 697959 ) on Tuesday November 22, 2005 @08:21PM (#14096597)
    You already have a cheapo Netgear router, which I imagine can do NAT. So buy one of the new Netgear Gaming routers that allow you to do bandwidth limiting, and set that up as your primary router, hanging off the modem. Plug your in-laws into this directly. Then take your old cheapo and plug it into the new router and hide all your machines behind it. That gives you access (through 2 layers of NAT) to the net, and protects you from your in-laws' virii, as well as allowing you to guarantee a reasonable slice of bandwidth from the gaming router to your cheapo router so that even in the case of your in-laws' machines saturating the internet connection with virus traffic, you still have sufficient bandwidth to finish your CounterStrike game before going into the other room and forcing them to unplug from the network while you clean their boxen.
    • or maybe the gaming router was a Linksys? I don't remember. I use an OpenBSD box myself, but whichever brand it is, you can find it for a decent price at Best Buy or whatever.
  • Get another cable modem, and just keep them completely separate.

    If you're willing to spend $500, you can fund that set up for almost a year.

  • You can get the Linksys WRT54G/GS and then install other linux firmware (one example that i use is: http://www.sveasoft.com/ [sveasoft.com] ) and it will give you a tremendous amount of power and control in a $40-70 box. You can route/have VLANs/have firewalls/etc. with it.

    kiwi

    (note, make sure not to get the v4 hardware of the wrt54g, as it does not run the firmware.)
  • Replace the Netgear with a crummy PC or Soekris device using m0n0wall
  • Does anyone know of any (wifi or not) routers (4+ ports) that don't have to be reset every week or so. I'm _so_ beyond tired of all this cheap (as in quality) Linksys/Netgear/Belkin crap I could just about scream.
    • I don't know how f*cked up your network is, but I have yet to reset my routers since I updated the firmware over a year ago... This includes a Microsoft Wireless G router, a Linksys WRT54G, and a Linksys BEFW11S4 (I think).

      As for Linksys not being high quality, just look at what it says under Linksys... That's all the proof you need that they're good... Well, that's all the proof I need at least...

      Perhaps the problem is not the router, but the client NICs or WiFi cards, or bad cables. I've had more t
    • Does anyone know of any (wifi or not) routers (4+ ports) that don't have to be reset every week or so.

      Yea, any router which is connected to a cable modem which gets the proper amount of signal.

      Sounds to me that you are having the same problem which I used to have. There are three things to keep in mind about connecting a cable modem to the cable line.

      number of splitters
      a cable modem should have no more than two splits, and if you are using a three way splitter, be sure to have the connection chained
    • I work with a school district. Most of the schools are part of a wired WAN, but there were a couple that were out of range of the SHDSL gear we were using. One had a cable internet connection, and we used a VPN to connect to it. (A linux box was doing NAT and running Squid/squidguard, in addition to the VPN.)

      Someone in management decided that they wanted to switch from Cable to the local telco monopoly's brand of DSL. So we order the DSL, and I go switch it over - pretty simple, just move the ethernet c
  • by HunterZ ( 20035 ) on Tuesday November 22, 2005 @09:17PM (#14096974) Journal
    As a bit of follow-up info to posts suggesting that you invest in a Linksys WRT54G or GS in order to run custom firmware, be aware that the current version of the WRT54G, the v5.0, has half the RAM and flash capacity of previous models. This makes it impossible to flash most custom firmware such as OpenWRT or DD-WRT.

    The current version of the WRT54GS, v4.0, is reported to also have half the capacity of previous GS models, which leaves it with as much as older WRT54G models. This means you can get an off-the-shelf GS with the open-source firmware capabilities of old WRT54G models if you're willing to pay $20 more.

    Linksys is also supposed to be releasing the WRT54GL, which many have speculated is a relabeled WRT54G v4.0 for $10 more. However, last I checked it was only available in Europe (and by checking I mean both searching the 'net and talking to Linksys support, who ended up referring me to a wholesaler after being unable to find a North American retailer who had them in stock).
  • I have the setup you have described at home, and for similar reasons. I work at home quite a bit and have a home office specifically for my work. However, I keep my play machines and work machines absolutely segmented to protect my customers from me doing something stupid on one of my personal machines. (I have as yet gotten anything, but how do I know the next CD I buy won't have something worse than what sony was spewing . . . but I prefer to be paranoid when it comes to my customers' security). In any
  • Run the openwrt linux distribution on a linksys wrt54gs router (make sure you do not get a ver 5 box). This will allow you to partition the network however you want. Linux CLI skills are a definite must. That will give you all the capabilities of a $1000 or so name-brand wireless router.
  • by nuintari ( 47926 ) on Tuesday November 22, 2005 @10:30PM (#14097367) Homepage
    What I would do is, get a cheap pentium crap box, stick three nic's in it, and OpenBSD. One nic goes to the cable modem, the other two go to the wireless routers. Just ignore the WAN port, use them as switches that have wireless built in.

    Each router(being used as a fancy wireless ready switch, and nothing more), lives on its own subnet, and you can use firewall rules to dictate access rights between the two of them.

    This gives you two separate network segments, on different layer 2 broadcast domains, and a strong traffic cop to enforce your rules between them.

    Besides, OpenBSD kicks ass.
  • (I) Like a bridge over doubled routers
    it will carry me (bits) home.

    Seriously, here's what I would do:

    Cable feeds switch.
    Switch feeds two NAT/firewall routers, one for your network and one for the family.

    To mitigate viruses, configure the family router to block all incoming ports and all outgoing ports except the ones they absolutely need, e.g. http, https, and maybe passive-ftp. LEAVE OUTGOING MAIL-POP3 and -SMTP BLOCKED and teach them to use webmail.

    Configure your NAT router as you see fit.

    Some cable mode
  • Comment removed based on user account deletion
  • Connect your router WAN port to the regular port of the main router. Use different IP address range. If the parent router (with DHCP or non-DHCP) has IP of 192.168.1.1, use your router to assign IP in the range 10.10.1.xxx or 172.16.255.xxx

  • Comment removed (Score:4, Informative)

    by account_deleted ( 4530225 ) on Wednesday November 23, 2005 @01:05AM (#14098121)
    Comment removed based on user account deletion
    • Mod parent up (I just used all my mod points modding down the MacMini nuts!)

      It seemed so obvious to me that VLANs were just what was needed, can't believe it took 50-odd posts to get to it.

      The alternatives are some serious static route configuration or wireless isolation as per the Netgear DG834G (bit better than just separate SSIDs).

      Personally if I was running a business (from a cable modem?!) and the in-laws wanted to use the internet at my house, I'd get them to pay for their own ADSL connection and rout
    • Put ports 1 through 8 in VLAN 1
      Ports 9 through 16 plus port 1 in VLAN 2


      You can't put port 1 in both VLANs, unless the Internet connected router does trunking and subinterfaces, in which case you would need to configure access lists to prevent the router from routing VLAN 2 traffic to VLAN 1 (ie, viruses from the unsafe network infecting the "secure" VLAN 1)

      VLANs simply allow you to create two separated network segments with one switch. You could do just as well with two cheap switches. The problem is
      • Or two routers, with one behind the other. Be sure to change the config (internal network) on the second, or it might go... crazy :).

        Put the hosts you care about behind the second crappy router, the ones you don't care about behind the first. Configure the first ('exterior') to have the second ('interior') as its DMZ host, and you should be able to ignore the in-laws network rather effectively.

        Merry Thanksgiving, Geoff :).

        --
        Phil
  • This doesn't come under the heading of cheap, and probably won't help you because you seem to have all your hardware already, but in case somebody has not committed his resources like you have while being in the same situation: Install Macs to get rid of the viruses, and use Apple's Bonjour [apple.com] to have the computers configure themselves on the fly. I had the chance to build a Mac-only system recently, and have come away a rabid fan of zero configuration [wikipedia.org] technology. Windows support of this stuff is sketchy (they
  • Safe@Office - a wired and wireless security appliance, with DMZ/VLAN capabilities, secure wireless (separated from the LAN which can be good for you!) as well as additional services like anti-virus and such. Also has remote access capabilities and runs on Check Point firewall - if security is important to you. Check it out on http://www.safeatoffice.com/ [safeatoffice.com] If you get mixed up, try speaking to one of the representatives in a chat - they are quite helpful. They're a tad expensive, but it may save you having to
  • My router (Linksys WRT54G) has a function where it can put each client into a virtual network.
    Coupled with bandwidth throttling, each client is completely unable to affect any other client.

    I'm not sure if netgear has this functionality or not, but the WRT54G is a pretty cheap router.
  • They have a home based business and my mother-in-law is also notorious for attracting viruses, adware and other nasty stuff on her PC

    Is there a WiFi equipped coffee shop nearby? "Hi mom, let me show you to your office..."
  • If you've got an extra computer with a couple nic's, heck even a sub-$500 computer would do, check out Astaro Security Linux [astaro.com]. You can get a home use license for free and for around $60 you can upgrade it to include web filtering from Cobion, Spam Assassin based anti spam, and Kaspersky AV for Web/Email - all in a nice neat package. I use the full-blown version with intrusion protection to protect our company's network and short of Checkpoint it's probably the best out there. You name it, it's got it - Statef
  • You've got your in-laws about to move in with you, and you think your computer network is the biggest problem???

    Seriously, I'd grab a junker PC from somewhere and turn it into a dedicated firewall/router. Have one LAN card connect to your broadband, one to your gear and a third to your in-laws' gear. If you want to play games as well, have a 4th LAN card connecting to your gaming stuff - you want to keep that separate if possible.

    Once you've got that working, with all LAN cards on distinct subnets, you ca
  • Your network

    IP Address 192.168.2.x
    Subnet Mask 255.255.255.0
    Default Gateway (router) 192.168.1.1

    Second Network

    IP Address 192.168.3.x
    Subnet Mask 255.255.255.0
    Default Gateway (router) 192.168.1.1

    Router Settings
    IP Address 192.168.1.1
    Subnet Mask 255.255.0.0

    I think this would divide your network into two subnets with both subnets allowed to talk to the router, or am I nuts?

    Ed Almos
    • You're not nuts, but no, it doesn't work because the router isn't in the hosts' subnets, so they can't address it. I've actually used this technique for a different reason, but I needed a router that would allow itself to have two IP addresses to get round this problem

      Another problem, which also probably affects the VLAN solution others have proposed, is that you can't assume that a virus will only use IP. NETBEUI, I believe, is not by default transported over IP, and hence will have access to anything on
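
Added example (not part of the original thread): a Python check of the addressing plan Ed Almos posted above and of the objection in the reply, that a host cannot use a default gateway outside its own subnet. The host addresses ending in .10, the corrected plan with one router address per subnet, and the names `audit` and `segments_overlap` are assumptions made for illustration.

```python
import ipaddress


def audit(hosts, router_ifaces):
    """Check every host's default gateway against the router's addresses.

    hosts:         {name: ("host_ip/mask", "gateway_ip")}
    router_ifaces: list of "router_ip/mask" strings
    """
    routers = [ipaddress.ip_interface(r) for r in router_ifaces]
    report = {}
    for name, (addr, gw) in hosts.items():
        iface = ipaddress.ip_interface(addr)
        gw_ip = ipaddress.ip_address(gw)
        report[name] = {
            # A host only ARPs for addresses inside its own subnet, so a
            # gateway outside that subnet can never be used as a next hop.
            "gateway_on_link": gw_ip in iface.network,
            # The gateway must be an address the router actually owns.
            "gateway_is_router": any(gw_ip == r.ip for r in routers),
            # The router's view: is the host inside one of its subnets?
            "router_sees_host_on_link": any(iface.ip in r.network for r in routers),
        }
    return report


def segments_overlap(hosts):
    """True if any two host subnets share address space."""
    nets = [ipaddress.ip_interface(a).network for a, _ in hosts.values()]
    return any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


# Plan as posted; ".x" replaced by a constructed sample host address ".10".
POSTED_HOSTS = {
    "yours": ("192.168.2.10/255.255.255.0", "192.168.1.1"),
    "second": ("192.168.3.10/255.255.255.0", "192.168.1.1"),
}
POSTED_ROUTER = ["192.168.1.1/255.255.0.0"]

# Assumed correction: the router holds one address inside each subnet
# (the "router with two IP addresses" the reply mentions).
FIXED_HOSTS = {
    "yours": ("192.168.2.10/255.255.255.0", "192.168.2.1"),
    "second": ("192.168.3.10/255.255.255.0", "192.168.3.1"),
}
FIXED_ROUTER = ["192.168.2.1/255.255.255.0", "192.168.3.1/255.255.255.0"]


if __name__ == "__main__":
    for label, hosts, router in (
        ("posted", POSTED_HOSTS, POSTED_ROUTER),
        ("fixed", FIXED_HOSTS, FIXED_ROUTER),
    ):
        print(label, "overlap:", segments_overlap(hosts))
        for name, result in audit(hosts, router).items():
            print(" ", name, result)
```

Passing the on-link check only shows that the plan is routable: a router with an address in both subnets forwards between them unless filter rules or access lists say otherwise.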

  • Short of getting them their own modem, use ipcop and set up 2 subnets.

    It won't be perfect since a lot of viruses don't care about subnets, but the next best thing if you can't swing a 2nd connection.
