Isolate two networks sharing one modem?

kaliree

Junior Member
May 11, 2012
Hello everyone, thanks so much for your help!

I am a networking neophyte and I am new to the forums as well, but I am in urgent need of assistance with my home network. I have spent days searching forums and reading posts, but the information has been conflicting and difficult to follow for a newbie. I am an experienced computer technician, but more than a very basic network is beyond my experience and knowledge base.

Objective: Share a single internet connection to two networks while keeping each network completely private and isolated from the other.


  • There is a Motorola modem/router combo as the internet gateway, functioning only as a modem and wired router.
  • There is a Netgear router attached to the Motorola over CAT5. The Netgear router provides WiFi access for the building.
  • I have a Linksys WRT54g (version 4) router.

My plan thus far is:

  1. Connect my Linksys router to the Motorola modem by CAT5 to the WAN port on the Linksys router.
  2. Connect the Netgear router to my Linksys router by CAT5 from one of the LAN ports on the Linksys to the WAN port on the Netgear router. (This should allow the Netgear and Linksys routers to act as separate APs with separate wireless networks, right?).
  3. Configure my Linksys firmware to create two VLANs so the Netgear and Linksys can both access the internet without any possibility of the wired or wireless traffic being intercepted by the other network.
Is this possible? Is there a simpler solution? If this is the best solution, then how should I go about creating the VLANs on my Linksys router? I am currently running Tomato 1.28 firmware.

Thank you for your help!
 

Fardringle

Diamond Member
Oct 23, 2000
Does the Motorola modem/router have more than one LAN port? If so, connect both of the wireless routers to the Motorola using their own WAN ports. Set the wireless routers to use different channels (1 and 11 would be best). Give them different wireless passwords and you're done.

If the Motorola does not have more than one LAN port, then the steps you listed will work.
 

SecurityTheatre

Senior member
Aug 14, 2011
> Does the Motorola modem/router have more than one LAN port? If so, connect both of the wireless routers to the Motorola using their own WAN ports. Set the wireless routers to use different channels (1 and 11 would be best). Give them different wireless passwords and you're done.
>
> If the Motorola does not have more than one LAN port, then the steps you listed will work.

Agreed, provided the routers are each configured with their standard NAT and DHCP services, which effectively creates a firewall.
 

kaliree

So I was overcomplicating it. *facepalm*

The Motorola has four LAN ports. Both routers have their own DHCP and NAT in place. So I don't need to change them to separate subnets or anything to secure them from one another? They won't be able to access each other through the wired connection to the Motorola? Just set each one up as a regular AP with different SSIDs, channels and passwords and they're good to go?

If so, you guys are just worlds of win. And I'm just amazed at how much time I've lost trying to figure this out. :rolleyes:

Thanks again for your help!
 

BarkingGhostar

Diamond Member
Nov 20, 2009
I'm guessing that on the two routers you are going to configure different IP networks, right? I can only imagine if both routers assigned the same DHCP IP address to two different pieces of equipment.
 

kaliree

Do you mean that I need to configure different subnets? Or just a different range of IP addresses available to the DHCP server on each router? Or is that the same thing and I'm mixing up terms?
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
If you do want real privacy separation you do have to put each of the secondary Routers' LAN side on a different Subnet.

 

kaliree

So I need to create a unique subnet on each secondary router individually (i.e. change settings in the Linksys firmware and again in the Netgear firmware) or do I need to create a subnet for each secondary router in the firmware of the primary Motorola router?
 

JackMDS

The Motorola has to be on the Default for both.

Let's say 192.168.1.1

Then one Netgear LAN side has to be 192.168.10 and the Linksys 192.168.20

The WAN Side of the secondary Routers that connects to the Motorola should be DHCP Auto.

Look at this page; it explains one Segregated Network. In your case there is an Additional second Segregated Network that connects to the same source (Motorola) Router.

http://www.ezlan.net/shield.html

 

kaliree

@JackMDS: Thanks for the advice! I have set the Linksys to 192.168.2.1 and the Netgear to 192.168.11.11. Does that provide the separation you described? The Motorola is still at its default of 192.168.10.1

@drebo: I did a bit of reading on VRFs. So I need to use a VRF to secure? My understanding of a VRF is that it would create two logical routers within a single physical router, each with its own routing table and network. If I am using two physical routers to generate two physical networks, all branching from one gateway, is a VRF necessary? If so, would I need to implement the VRF on the Motorola (gateway) router? These are all consumer grade routers, so I don't know if VRF is an option on any of them. I did flash the Linksys to Tomato firmware so I do have some additional options on that router, but the Motorola and Netgear are stock firmware.
 

BarkingGhostar

> The Motorola has to be on the Default for both.
>
> Let's say 192.168.1.1
>
> Then one Netgear LAN side has to be 192.168.10 and the Linksys 192.168.20
>
> The WAN Side of the secondary Routers that connects to the Motorola should be DHCP Auto.
>
> Look at this page; it explains one Segregated Network. In your case there is an Additional second Segregated Network that connects to the same source (Motorola) Router.
>
> http://www.ezlan.net/shield.html

Unless things have changed, I was under the impression consumer grade routers with built-in switches do not allow for DHCP to be run on both the access side and the network side. If this is maintained, then running DHCP on the WAN ports of the secondary routers denies running DHCP on their LAN ports. This would entail the static IP address of all things hanging off the wireless/LAN ports.
 

drebo

Diamond Member
Feb 24, 2006
> @drebo: I did a bit of reading on VRFs. So I need to use a VRF to secure? My understanding of a VRF is that it would create two logical routers within a single physical router, each with its own routing table and network. If I am using two physical routers to generate two physical networks, all branching from one gateway, is a VRF necessary? If so, would I need to implement the VRF on the Motorola (gateway) router? These are all consumer grade routers, so I don't know if VRF is an option on any of them. I did flash the Linksys to Tomato firmware so I do have some additional options on that router, but the Motorola and Netgear are stock firmware.

No, I was kidding. A VRF is not necessary in this instance. VLANs with an ACL would work just as well.
 

JackMDS

It is a matter of wording.

Many consumer Routers would label dynamically obtaining an IP from the ISP as DHCP too.

Example -
[Image: WAN-DHCP.jpg]

The DHCP server is on the ISP side, or as in the case of this thread the Motorola main Router/Modem.
 

kaliree

@JackMDS: So, I think I set up separate subnets correctly, as described in my post above. Is this what you meant?

> @JackMDS: Thanks for the advice! I have set the Linksys to 192.168.2.1 and the Netgear to 192.168.11.11. Does that provide the separation you described? The Motorola is still at its default of 192.168.10.1

@drebo: So I need to set up a VLAN in addition to the separate subnets? I'm not familiar with ACLs in the context of networking. Is that similar to using MAC addresses? Also, I don't know how to set up a VLAN. I am using standard Tomato firmware. I know that DD WRT is supposed to allow for VLAN configuration, but it seems that DD WRT is not being actively developed. I'm also not certain that my Linksys WRT54g (version 4) supports VLANs, even with third-party firmware. I have spent several days reading up and it looks like I may just need a better router. Any thoughts? I can bite the bullet on a better router if it means the difference in privacy, but I only need this router for a 25Mbps internet connection. I don't have any other local network needs like file sharing or peripheral sharing. So, I'd rather not spend much money on it. Found this one for $15 on Craigslist. :)
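
The address plan reported in this thread (Motorola 192.168.10.1, Linksys 192.168.2.1, Netgear 192.168.11.11) can be checked mechanically. The following is an added example, not part of any post in the thread: it tests the three LANs for overlap and models which side can open a connection to which. The /24 masks, the client addresses and the "stock NAT, no port forwards" rule are assumptions.

```python
import ipaddress
from itertools import combinations

# Router LAN addresses reported in the thread. The /24 masks are an assumption
# (the usual consumer-router default); the thread never states them.
UPSTREAM = "Motorola"
PLAN = {
    "Motorola": "192.168.10.1/24",
    "Linksys": "192.168.2.1/24",
    "Netgear": "192.168.11.11/24",
}

def networks(plan):
    """Map each router name to the LAN network its address and mask imply."""
    return {name: ipaddress.ip_interface(a).network for name, a in plan.items()}

def overlapping(plan):
    """Pairs of routers whose LAN networks share any address space."""
    nets = networks(plan)
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]

def segment_of(ip, plan):
    """Name of the router whose LAN contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in networks(plan).items():
        if addr in net:
            return name
    return None

def can_initiate(src_ip, dst_ip, plan, upstream=UPSTREAM):
    """Can src open a connection to dst, assuming stock NAT and no port forwards?"""
    src, dst = segment_of(src_ip, plan), segment_of(dst_ip, plan)
    if src is None or dst is None:
        raise ValueError("address is not on any LAN in the plan")
    if src == dst:
        return True  # same LAN: delivered locally, no router involved
    # A secondary router NATs its clients out onto the upstream LAN, so they
    # can reach addresses there. Anything else is unsolicited traffic for a
    # subnet hidden behind a secondary router's WAN port, which is not routed.
    return dst == upstream and src != upstream

if __name__ == "__main__":
    print("overlapping LANs:", overlapping(PLAN))
    # Constructed client addresses, one per LAN.
    for s, d in [("192.168.2.50", "192.168.11.50"), ("192.168.2.50", "192.168.10.20")]:
        print(f"{s} -> {d}: {can_initiate(s, d, PLAN)}")
```

Under these assumptions the two wireless LANs cannot reach each other, but clients of either one can still reach anything plugged directly into the Motorola's own LAN ports.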