|
|
|
|
| Author |
|
|
Registered
|
A Network Moron Sheepishly Requests Advice
Okay, I am totally ignorant about even the basics of networking, outside of messing around with WiFi access points and extenders. The following question will be very basic indeed.
I am remodeling an office suite. There will be two private offices and one shared conference room. The offices will be occupied by persons A and B, who are good friends but running separate businesses with separate computers, printers, etc. Internet to the suite will be via fiber modem, a single service. WiFi question: I want to set up three WiFi networks, for A's internet and devices, one for B's internet and devices, and a Guest network that only provides internet. Ethernet question: I want to have wires and jacks (Ethernet) in A's office that can connect A's devices to the internet and to each other but not to anything plugged into the conference room or the other office, similar in B's office, and jacks in the conference room that deliver internet only. Security: I . . . uh . . . want to be secure? Whatever that entails? How do I do this? A broad, high-level conceptual answer will be greatly appreciated. Any detail beyond that will be appreciated too, like "buy this model of X". If the answer is "hire someone, this is clearly beyond you" then that would be good to know too.
__________________
1989 3.2 Carrera coupe; 1988 Westy Vanagon, Zetec; 1986 E28 M30; 1994 W124; 2004 S211 What? Uh . . . “he” and “him”? Last edited by jyl; 03-16-2026 at 08:42 AM.. |
||
03-16-2026, 08:39 AM
|
|
|
Information Overloader
Join Date: Mar 2003
Location: NW Lower Michigan
Posts: 30,209
|
If you want security ‘whatever that entails’ you need to bleach-bit, destroy and throw out all your electronical devices. Including your TV and any car less than 10 years old or so.*
Seriously. You have a choice, security or ANYTHING on the internets. * Oh, your pacemaker too, if you have one. |
||
|
03-16-2026, 08:47 AM
|
|
|
Registered
|
I don't want to be that secure.
__________________
1989 3.2 Carrera coupe; 1988 Westy Vanagon, Zetec; 1986 E28 M30; 1994 W124; 2004 S211 What? Uh . . . “he” and “him”? |
||
|
03-16-2026, 08:48 AM
|
|
|
Back in the saddle again
Join Date: Oct 2001
Location: Central TX west of Houston
Posts: 57,513
|
It'll depend upon the capabilities of the router that you get.
If I understand you correctly, you'll need something capable of creating 3 networks and having those 3 networks firewalled off from each other, but able to access the Internet. At the very least, you'd want the ability to create an "access list" between the networks. To confirm, what you want is something like this where you've got a network for person A, another for person B, and a third for guests. And you don't want anyone on any of the three networks to be able to access the other 2 networks. Is that correct? 
__________________
Steve '08 Boxster RS60 Spyder #0099/1960 - never named a car before, but this is Charlotte. '88 targa  SOLD 2004 - gone but not forgotten
|
||
|
03-16-2026, 09:08 AM
|
|
|
Registered
|
Quote:
https://en.wikipedia.org/wiki/VLAN A Virtual Local Area Network (VLAN) allows you to create multiple networks that cannot see each other but operate on the same physical network wires and equipment. Dave has a great video on VLANs that you should watch: https://www.youtube.com/watch?v=9fLwFKGvmAY It seems like you want 3 VLANs, 1 for user A, 1 for user B and one for the guest network. You must have a router that supports VLANs, and then set the VLANs up so that, for example, all the hardware plugged into Port 1 of the router will be on VLAN 1. All the hardware plugged into Port 2 will be on VLAN 2, etc. From there you can, for example, run Port 1 on the router to a hub or switch where you can plug in the Ethernet Jacks and a WiFi access point for User A, etc. Most consumer level routers do not support VLANs. You have a many options to set this up. Here are a few: Cheap / Hard Install DD-WRT or similar on a cheap consumer level router and give it the ability to run VLANs (and a bunch of other cool stuff). You really need to know what you are doing to make this work. https://dd-wrt.com https://www.youtube.com/watch?v=hi974zYoHkk More expensive and a bit easier Buy a high end router like a Ubiquiti UniFi that has UI that makes it easier (if you know what do to) to setup a VLAN. https://www.youtube.com/watch?v=cgLr9VZu_Zg If you understand network basics and can work with WiFi access points and extenders, you can probably make this work after some studying and maybe some help on the Ubiquiti forums. Easy Button Pay a local IT company to help you select the hardware and set it up for you. Last edited by ErrorMargin; 03-16-2026 at 02:11 PM.. |
||
|
03-16-2026, 02:01 PM
|
|
|
Back in the saddle again
Join Date: Oct 2001
Location: Central TX west of Houston
Posts: 57,513
|
VLANs only work if you can put an access-list on the VLANs or you can firewall the VLANs off from each other, otherwise all 3 VLANs will be able to talk to the devices on the other two VLANs.
__________________
Steve '08 Boxster RS60 Spyder #0099/1960 - never named a car before, but this is Charlotte. '88 targa SOLD 2004 - gone but not forgotten
|
||
|
03-16-2026, 03:33 PM
|
|
|
|
Back in the saddle again
Join Date: Oct 2001
Location: Central TX west of Houston
Posts: 57,513
|
I haven't read this article, but a quick scan says that it's one way (without buying a device with the capabilities to do it in one device) to do it. And if the main device has a "guest network" then you'd have your 3 networks.
https://www.smallnetbuilder.com/lanwan/lanwan-howto/howtotwoprivlan/
__________________
Steve '08 Boxster RS60 Spyder #0099/1960 - never named a car before, but this is Charlotte. '88 targa SOLD 2004 - gone but not forgotten
|
||
|
03-16-2026, 03:48 PM
|
|
|
Registered
|
Quote:
However, if you configure port (aka access port) level VLAN as I suggest above, then the router will only send the designated traffic for a given port's VLAN to that port, and it will not route that traffic to any other port. Per my example above, when configured for access port VLANs, port 1 will only see traffic to and from VLAN 1, port 2 will only see traffic to and from VLAN 2, etc. No firewalls or client configuration required. A port level VLAN is probably the best and certainly the easiest way to conclusively achieve the goals of the OP. Here is some documentation to back this up: This page from Cisco Meraki explains in the Best Practices section that an untagged or "access" port accepts traffic for only a single VLAN. No VLAN tagging or firewall required: https://documentation.meraki.com/Platform_Management/Dashboard_Administration/Design_and_Configure/Configuration_Guides/Routing_and_Firewall/Fundamentals_of_802.1Q_VLAN_Tagging This page from Ubiquity says that "Trunk ports allow traffic for multiple VLANs, while access ports handle traffic for a single VLAN, ensuring a robust and well-organized network." https://help.ui.com/hc/en-us/articles/26136855808919-Switch-Port-VLAN-Assignment-Trunk-Access-Ports This page on VLANs from Cisco says 'An access port can have only one VLAN configured on the interface; it can carry traffic for only one VLAN.' https://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli_rel_4_1/Cisco_Nexus_5000_Series_Switch_CLI_Software_Config uration_Guide_chapter8.html |
||
|
03-16-2026, 05:51 PM
|
|
|
Registered
|
Quote:
This article from SmallNetBuilder describes the exact scenario I propose in my example above, but it does it at the switch level instead of the router level which is probably cheaper than my proposal to buy a router to do it. In this example all your equipment can be whatever you have today, you just need the VLAN managed switch to handle the VLAN routing. https://www.smallnetbuilder.com/lanwan/lanwan-howto/how-to-segment-a-small-lan-using-tagged-vlans/ The article references an older Netgear switch to do manage the VLANs. A modern switch that can do what is described in the article is the Netgear GS108Tv3. There are plenty of other options out there too. This article from Netgear shows how to configure that switch for untagged VLAN (access) ports in step 3.4: https://kb.netgear.com/000066734/How-to-configure-a-VLAN-on-a-NETGEAR-Smart-Switch-with-a-Smart-UI |
||
|
03-16-2026, 06:12 PM
|
|
|
Registered
|
Quote:
__________________
1989 3.2 Carrera coupe; 1988 Westy Vanagon, Zetec; 1986 E28 M30; 1994 W124; 2004 S211 What? Uh . . . “he” and “him”? |
||
|
03-16-2026, 06:29 PM
|
|
|
It'll be legen-waitforit
Join Date: Jan 2002
Location: Calgary, Canada
Posts: 7,071
|
I would bring in a firm to provide options and quotes.
From a business perspective there are a lot of unanswered questions: who is going to pay for the gear? What about liability between companies? What if one company uses/requires the majority of the bandwidth? Who will monitor and manage the network? A simple setup would be a good firewall with multi-lan capability, a switch or switches for separation of traffic (a vlan is not really security solution) and access points. My two cents
__________________
Bob James 06 Cayman S - Money Penny 18 Macan GTS, 2024 Grenadier Trialmaster Gone: 79 911SC, 83 944, 05 Cayenne Turbo, 10 Panamera Turbo |
||
|
03-16-2026, 10:16 PM
|
|
|
Registered
|
You guys are speaking Greek to me!
I will re-read and try to understand . . .
__________________
1989 3.2 Carrera coupe; 1988 Westy Vanagon, Zetec; 1986 E28 M30; 1994 W124; 2004 S211 What? Uh . . . “he” and “him”? |
||
|
03-16-2026, 10:21 PM
|
|
|
|
Registered
Join Date: Jun 2000
Location: bottom left corner of the world
Posts: 22,985
|
I did a simpler version of this but my explanation may give you a few ideas as to how you could set yours up.
The fibre optic cable comes into my house and to my router. Then I ran a cat6 cable to the apartment at the back of my house. Then I set up her router as a secondary router which has a different IP address (must have a different IP address) then plugged the cable into my router. The lady in the apartment plugs her computer, printer and TV into the router and she has her own network name and password for her phone to wifi into. In your situation you could have a third router with another IP address connected in the same way. Security again is by having their own network name and password. |
||
|
03-16-2026, 10:55 PM
|
|
|
Registered
Join Date: Mar 2003
Posts: 10,499
|
This should work. A B and C networks can only go out to world and have related/established connections come back in. No access from A to B or C, etc.
Note that your device names will be different from the eth0, eth1, etc. and you will need physical devices not aliases/secondary addresses on a single NIC Should work on any Linux distro from the past 15 years.... Code:
#!/bin/bash # a very simple set of iptables commands # to allow forwarding between ethernet # devices # enable ipv4 forwarding in /etc/sysctl.conf before using! # these almost certainly need # to be changed WAN_DEVICE=eth0 LAN_A_DEVICE=eth1 LAN_B_DEVICE=eth2 LAN_C_DEVICE=eth3 # where is iptables located? iptables=`which iptables` # flush all existing rules $iptables -F # this is for NAT # enable masquerading # not needed if you have routable addresses on both sides $iptables -t nat -A POSTROUTING -o $WAN_DEVICE -j MASQUERADE # don't forward packets from off-lan to lan if # they are a brand new connection being formed $iptables -A FORWARD -i $WAN_DEVICE -o $LAN_A_DEVICE -m state --state NEW -j REJECT $iptables -A FORWARD -i $WAN_DEVICE -o $LAN_B_DEVICE -m state --state NEW -j REJECT $iptables -A FORWARD -i $WAN_DEVICE -o $LAN_C_DEVICE -m state --state NEW -j REJECT #Block A to B and C, and variations thereof $iptables -A FORWARD -i $LAN_A_DEVICE -o $LAN_B_DEVICE -m state --state NEW -j REJECT $iptables -A FORWARD -i $LAN_A_DEVICE -o $LAN_C_DEVICE -m state --state NEW -j REJECT $iptables -A FORWARD -i $LAN_B_DEVICE -o $LAN_A_DEVICE -m state --state NEW -j REJECT $iptables -A FORWARD -i $LAN_B_DEVICE -o $LAN_C_DEVICE -m state --state NEW -j REJECT $iptables -A FORWARD -i $LAN_C_DEVICE -o $LAN_A_DEVICE -m state --state NEW -j REJECT $iptables -A FORWARD -i $LAN_C_DEVICE -o $LAN_B_DEVICE -m state --state NEW -j REJECT # if the packets come from off-lan but they are # related to a connection that was established from # within the lan, go ahead and forward them $iptables -A FORWARD -i $WAN_DEVICE -o $LAN_A_DEVICE -m state --state RELATED,ESTABLISHED -j ACCEPT $iptables -A FORWARD -i $WAN_DEVICE -o $LAN_B_DEVICE -m state --state RELATED,ESTABLISHED -j ACCEPT $iptables -A FORWARD -i $WAN_DEVICE -o $LAN_C_DEVICE -m state --state RELATED,ESTABLISHED -j ACCEPT # whatever traffic comes from the lan to go to # the world allow thru $iptables -A FORWARD -i $LAN_A_DEVICE -o $WAN_DEVICE -j ACCEPT $iptables -A FORWARD -i $LAN_B_DEVICE -o $WAN_DEVICE -j ACCEPT $iptables -A FORWARD -i $LAN_C_DEVICE -o $WAN_DEVICE -j ACCEPT
__________________
“IN MY EXPERIENCE, SUSAN, WITHIN THEIR HEADS TOO MANY HUMANS SPEND A LOT OF TIME IN THE MIDDLE OF WARS THAT HAPPENED CENTURIES AGO.” |
||
|
Yesterday, 02:22 AM
|
|
|
Registered
|
Quote:
1. Masraum's and Bill's idea to use multiple routers. This idea uses three routers to meet your requirements. The link the the SmallNet Builder article in Masraum's post here explains it pretty well: https://forums.pelicanparts.com/off-topic-discussions/1190276-network-moron-sheepishly-requests-advice.html#post12622035 2. My proposal to use port level VLANs. This idea uses a router or switch with VLAN capability to separate your traffic. This article explains it well: https://www.smallnetbuilder.com/lanwan/lanwan-howto/how-to-segment-a-small-lan-using-tagged-vlans/ 3. id10t's idea to use iprouting configuration. This idea use iprouting configuration on the router to separate your traffic (this should work on all but the most basic consumer level routers): https://forums.pelicanparts.com/off-topic-discussions/1190276-network-moron-sheepishly-requests-advice.html#post12622154 All of these will meet your requirements. If it all seems too much, but you want to try and you already have a few routers on hand, you should try to experiment with two or three routers to see if you can get the multiple router idea working. |
||
|
Yesterday, 07:37 AM
|
|
|
Back in the saddle again
Join Date: Oct 2001
Location: Central TX west of Houston
Posts: 57,513
|
Quote:
All VLANs do (at least in the normal networking world) is keep devices from talking directly to each other (rather than through a middle man like a router). In a normal home device that has a WAN port and a bunch of LAN ports, even if you can put the LAN ports on different VLANs will allow the devices on the various VLANs to talk unless there's some sort of access management specifically to disallow that.
__________________
Steve '08 Boxster RS60 Spyder #0099/1960 - never named a car before, but this is Charlotte. '88 targa SOLD 2004 - gone but not forgotten
|
||
|
Yesterday, 11:35 AM
|
|
|
Registered
|
Quote:
However, as described in the article below, some switches allow you to explicitly control which VLAN traffic goes on which port. The article sums it up by saying: The end result of this example is devices in VLAN 2 can access the Internet and each other and devices in VLAN 3 can access the Internet and each other. But devices in VLAN 2 cannot access devices in VLAN 3 and vice versa.https://www.smallnetbuilder.com/lanwan/lanwan-howto/how-to-segment-a-small-lan-using-tagged-vlans/ Quote:
I like this approach because a switch that can do this can be had for under $100 (eg Netgear GS108Tv1 from the above smallnetbuilder article) it is very simple to configure, no additional routers are required, the router does not need VLAN support and no other special hardware or configuration would be required to achieve the OP's objective. That said if I already had two extra routers in hand I would use the multi router approach, and if I already had a router that allowed me to set iptables I would use that approach. Last edited by ErrorMargin; Yesterday at 05:23 PM.. |
||
|
Yesterday, 05:21 PM
|
|
1989 Porsche 911 Carrera 3.2
84 Targa
Lemons Race Car
