Isolating a computer on home network

yottabit

Noobie question-

Let's assume cable modem, router, hub connecting some PCs together (ethernet)

Goal is to somehow provide ethernet to a new computer, that will only have access to the internet, and will not be aware of the rest of my network (i.e., can't ping other PCs on LAN IP address)

This would be easy to do with the "Guest network" features a lot of routers have for WiFi... but I wasn't aware of an equivalent for wired ethernet. The only thing I can think of is hook up a separate router from the cable modem. Is there a way to then stop that router from acting like a hub and providing a link back to the other LAN?

Edit: Was reading some other posts here about VLANs and that sounds like that would fit the bill. Is there a way to do this with consumer grade hardware or maybe industrial surplus <$200?
 

mv2devnull

> This would be easy to do with the "Guest network" features a lot of routers have for WiFi... but I wasn't aware of an equivalent for wired ethernet.

Whether the interface is wired or wireless should be insignificant.

In a real router each (wired) interface is physically separate and can be configured to be in different subnet. (The consumer all-in-one devices usually have a 4-port switch.) If your device has "DMZ" option, it might be used to create a "guest network".

The logical arrangement is to have
1. 3-port router and firewall (WAN, LAN1, LAN2) that allows only specified traffic (from LAN1 to WAN and from LAN2 to WAN) and acts as DHCP + DNS + gateway for the LAN1 and LAN2.
2. Switch(es) on LAN(s) in order to connect local devices to router
3. AP(s) on LAN(s) to connect wireless devices to LAN(s)

A configurable router can do all that in one device.
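
The three-interface arrangement described in the post above, written as an nftables ruleset for a Linux box acting as the router. This is an added example, not part of the original post; the interface names (eth0, eth1, eth2) and the choice of nftables are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example. Assumed interfaces: eth0 = WAN (cable modem),
# eth1 = LAN1 (existing PCs), eth2 = LAN2 (the isolated computer).
# IPv4 only: with these drop policies the router does no IPv6
# neighbour discovery, so IPv6 would need its own ICMPv6 rules.
flush ruleset

define WAN  = "eth0"
define LAN1 = "eth1"
define LAN2 = "eth2"

table inet filter {
    chain input {
        # Traffic addressed to the router itself.
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Router is DHCP + DNS for both LANs; nothing else is
        # reachable on it, including its address on the other LAN.
        iifname { $LAN1, $LAN2 } udp dport { 53, 67 } accept
        iifname { $LAN1, $LAN2 } tcp dport 53 accept
    }

    chain forward {
        # Traffic routed between interfaces.
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Only the two specified flows are allowed.
        iifname $LAN1 oifname $WAN accept
        iifname $LAN2 oifname $WAN accept
        # No LAN1 <-> LAN2 rule exists, so that traffic hits the
        # drop policy and the two segments cannot reach each other.
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN masquerade
    }
}
```

The isolation comes from the forward chain's drop policy rather than from the two LANs using different address ranges, so it holds even if a host on one segment sets a static address from the other.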
 

frowertr

VLANs are pretty standard when you want to provide isolated broadcast domains on a single switch. You have to either use a single L3 switch and configure individual ports for the specific VLANs you want, or use a managed L2 switch that allows VLAN tagging and have your router do the actual routing to your specific VLANs.

Honestly, VLANs add quite a bit of complexity to a network. I prefer to set up and manage a flat network and use traditional subnetting to break up broadcast domains. I've seen broadcast domains in the thousands of hosts that didn't cause any issues to the overall health of the network. I'm not saying that is how it should be done but how I've seen it done. In the old days of IPX/SPX large broadcast domains were a bigger problem.

But VLANs make it pretty simple to do a single cable drop for, say, a VoIP phone and a desktop computer. Phone is on one VLAN and the computer on the other but we can use one single cable to carry both of them.
 

bruceb

VLANs would work, but why not just use 2 separate local IP address ranges?
For example: 192.168.x.x for say computer on internet and maybe like: 173.150.x.x for other devices ... that way one IP range should not be able to see the other IP range, unless you build an exception in a NAT table in the router