
Question about VLAN

Genx87

Lifer
One of the projects I am working on at my small office is to set up the ability for clients (customers) to get onto the internet but keep them off our network and away from the AD controller and other servers. I can dedicate a few wall sockets for this.

I was thinking maybe this could work; let me know if you think it will or won't, or any other feedback.

Client route
Conference room --->VLAN'd switch --->Firewall-->Internet
On this switch the other VLAN will be for the servers and desktops.

It has been a while since I did anything like this and any suggestions are appreciated.
The goal is to get them out onto the internet while reducing exposure to our hardware.
 
Sure, that would work. You'll need either a layer 3 switch (to do the routing) or a firewall with multiple interfaces.

You can go a step further and set up private VLANs where you specify that the "guest" network can only communicate with the firewall's switch port.

Or you could take it a step further and use 802.1X to authenticate your trusted computers dynamically and assign them to a VLAN. Then users that are not authenticated are placed in the guest VLAN. That way, whether your network is 10 or 10,000 ports, you keep unwanted machines off.
 
Heh, that last scenario may be a little over my head and out of my budget as well 🙁

I was looking at one of those cheapie Dell GBit web-managed switches (2716). But I don't believe they have layer 3 capability. Do you have a suggestion for a switch that is within, say, 500-1000 bucks that can do this? I prefer to have 16 ports, but realistically, since all I am doing is a VLAN, an 8-port should be fine.

 
Don't know. It really would be best if you did your routing in the switch, because you could probably put an access control list in there to totally prevent that network from communicating with your "private" one.
 
Quick and dirty, low budget?
Two routers. Place the untrusted traffic on a router connected to the WAN.
Place your network on a router behind that one.
Pros? Quick and cheap.
Cons?
Double-NATed main network.
Complicated port forwarding for services accessible from the WAN.
 
Cheaper and dirtier... an old system, anything with 3 NICs in it, and a copy of either m0n0wall or pfSense, plus a switch. Assign one port as the WAN port (on the router), then assign the others as LAN ports and set them on different subnets, then set a firewall rule to disallow one subnet from talking to the other. That should do the trick.
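The three-NIC firewall in the post above, and the per-VLAN access list suggested earlier in the thread, both come down to the same thing: a rule list that lets the guest subnet out to the internet while blocking it from the LAN. The one detail that regularly goes wrong is rule order, since m0n0wall and pfSense (like most firewalls) evaluate an interface's rules top to bottom and stop at the first match, so an "allow guest to any" rule placed above the "block guest to LAN" rule silently makes the block dead. The script below is an added example, not code from the thread or from either firewall project; the subnets, the firewall's guest-side address, the rule lists and the test flows are all assumptions constructed for illustration. It models first-match evaluation with an implicit default deny and checks a mis-ordered rule list beside a corrected one.

```python
"""First-match firewall-rule check for a three-NIC guest/LAN/WAN box.

Added example, not code from the thread or from m0n0wall/pfSense. Addresses,
rule lists and test flows are assumptions chosen to illustrate rule ordering.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed addressing (not from the post): one subnet per firewall NIC.
LAN = ipaddress.ip_network("192.168.1.0/24")       # servers, desktops, AD controller
GUEST = ipaddress.ip_network("192.168.50.0/24")    # conference-room VLAN
GUEST_GW = ipaddress.ip_address("192.168.50.1")    # firewall's address on the guest NIC
ANY = ipaddress.ip_network("0.0.0.0/0")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None = any destination port
    note: str = ""


def evaluate(rules, src_ip, dst_ip, dport=None):
    """Return the action of the first matching rule; default deny if none matches.

    This mirrors how a per-interface rule list is processed on m0n0wall/pfSense:
    top to bottom, first match wins, implicit block at the bottom.
    """
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst and (r.dport is None or r.dport == dport):
            return r.action
    return "block"


# Constructed flows: what a guest machine should and should not be able to reach.
FLOWS = {
    "guest->internet": ("192.168.50.23", "93.184.216.34", 443),
    "guest->dns on firewall": ("192.168.50.23", "192.168.50.1", 53),
    "guest->AD controller": ("192.168.50.23", "192.168.1.10", 389),
    "guest->desktop": ("192.168.50.23", "192.168.1.77", 445),
}

# Ordering mistake: the pass-to-any rule matches first, so the block below it never fires.
WRONG_GUEST_RULES = [
    Rule("pass", GUEST, ANY, note="guest to internet"),
    Rule("block", GUEST, LAN, note="never reached: shadowed by the rule above"),
]

# Corrected: specific pass for DNS on the firewall, then blocks, then the broad pass.
# Blocking all RFC1918 space (not just the LAN /24) also covers the firewall's own
# LAN-side address and any private subnet added later.
RIGHT_GUEST_RULES = [
    Rule("pass", GUEST, ipaddress.ip_network(f"{GUEST_GW}/32"), dport=53, note="DNS from firewall"),
    *[Rule("block", GUEST, net, note="no private address space") for net in RFC1918],
    Rule("pass", GUEST, ANY, note="guest to internet"),
]


def audit(rules, flows=FLOWS):
    """Evaluate every flow against a rule list; returns {flow_name: action}."""
    return {name: evaluate(rules, src, dst, port) for name, (src, dst, port) in flows.items()}


def guest_isolated(rules, flows=FLOWS):
    """True only if guests still reach the internet and DNS but nothing on the LAN."""
    result = audit(rules, flows)
    lan_flows = [v for k, v in result.items() if k in ("guest->AD controller", "guest->desktop")]
    return (
        result["guest->internet"] == "pass"
        and result["guest->dns on firewall"] == "pass"
        and all(v == "block" for v in lan_flows)
    )


if __name__ == "__main__":
    for name, rules in (("wrong order", WRONG_GUEST_RULES), ("right order", RIGHT_GUEST_RULES)):
        print(f"{name}: {audit(rules)} isolated={guest_isolated(rules)}")
```

Two things the check does not cover, which you would still want on the real box: the guest interface's rules should also block anything aimed at the firewall's own management ports (web GUI, SSH) on the guest-side address, and if the guest VLAN is carried on the same switch as the LAN VLAN, the switch port facing the firewall's guest NIC must be an untagged access port in the guest VLAN only, so that no tagged LAN traffic can leak across.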
 