
Isolating a computer on home network

yottabit

Golden Member
Noobie question-

Let's assume cable modem, router, hub connecting some PCs together (ethernet)

Goal is to somehow provide ethernet to a new computer, that will only have access to the internet, and will not be aware of the rest of my network (i.e., can't ping other PCs on LAN IP address)

This would be easy to do with the "Guest network" features a lot of routers have for WiFi... but I wasn't aware of an equivalent for wired ethernet. The only thing I can think of is hook up a separate router from the cable modem. Is there a way to then stop that router from acting like a hub and providing a link back to the other LAN?

Edit: Was reading some other posts here about VLANs and that sounds like that would fit the bill. Is there a way to do this with consumer grade hardware or maybe industrial surplus <$200?
 
This would be easy to do with the "Guest network" features a lot of routers have for WiFi... but I wasn't aware of an equivalent for wired ethernet.
Whether interface is wired or wireless should be insignificant.

In a real router each (wired) interface is physically separate and can be configured to be in a different subnet. (The consumer all-in-one devices usually have a 4-port switch.) If your device has a "DMZ" option, it might be used to create a "guest network".

The logical arrangement is to have
1. 3-port router and firewall (WAN, LAN1, LAN2) that allows only specified traffic (from LAN1 to WAN and from LAN2 to WAN) and acts as DHCP + DNS + gateway for the LAN1 and LAN2.
2. Switch(es) on LAN(s) in order to connect local devices to router
3. AP(s) on LAN(s) to connect wireless devices to LAN(s)

A configurable router can do all that in one device.
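
Added example (not part of any post in this thread): the three-interface arrangement described above, written as an nftables ruleset for a Linux-based router. The interface names wan0, lan1 and lan2, the SSH admin port and the router running its own DHCP/DNS service are assumptions made for illustration.

```nftables
#!/usr/sbin/nft -f
# Assumed interface names (not from the thread):
#   wan0 = link to the cable modem
#   lan1 = existing trusted LAN
#   lan2 = port for the isolated computer
flush ruleset

define WAN  = "wan0"
define LAN1 = "lan1"
define LAN2 = "lan2"

table inet filter {
    chain input {
        # Traffic addressed to the router itself
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        # Router's own DHCP lease from the modem/ISP
        iifname $WAN udp sport 67 udp dport 68 accept
        # Router acts as DHCP + DNS + gateway for both LANs
        iifname { $LAN1, $LAN2 } udp dport { 53, 67 } accept
        iifname { $LAN1, $LAN2 } tcp dport 53 accept
        # Router administration only from the trusted LAN (assumed SSH)
        iifname $LAN1 tcp dport 22 accept
    }

    chain forward {
        # Traffic routed between interfaces
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname $LAN1 oifname $WAN accept
        iifname $LAN2 oifname $WAN accept
        # No rule matches lan1 <-> lan2, so the drop policy
        # blocks pings and connections between the two LANs.
    }
    # IPv6 is not routed here: the inet table's drop policies
    # apply to it as well.
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Both LANs share the single public address on the WAN side
        oifname $WAN masquerade
    }
}
```

The file can be syntax-checked without loading it using `nft -c -f <file>`. The router also needs IPv4 forwarding enabled (`net.ipv4.ip_forward=1`) for the forward chain to see any traffic.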
 
VLANs are pretty standard when you want to provide isolated broadcast domains on a single switch. You have to either use a single L3 switch and configure individual ports for the specific VLANs you want, or use a managed L2 switch that allows VLAN tagging and have your router do the actual routing to your specific VLANs.

Honestly, VLANs add quite a bit of complexity to a network. I prefer to set up and manage a flat network and use traditional subnetting to break up broadcast domains. I've seen broadcast domains in the thousands of hosts that didn't cause any issues to the overall health of the network. I'm not saying that is how it should be done but how I've seen it done. In the old days of IPX/SPX large broadcast domains were a bigger problem.

But VLANs make it pretty simple to do a single cable drop for, say, a VoIP phone and a desktop computer. Phone is on one VLAN and the computer on the other but we can use one single cable to carry both of them.
 
VLANs would work, but why not just use 2 separate local IP address ranges?
For example: 192.168.x.x for say computer on internet and maybe like: 173.150.x.x for other devices ... that way one IP range should not be able to see the other IP range, unless you build an exception in a NAT table in the router
 