Separating office subleaser's network

mxnerd

Diamond Member
Jul 6, 2007
6,799
1,103
126
One of my clients is leasing their downstairs office space to one person and wants to give her access to the internet.

My client has a Netgear GS108T smart switch (8 ports) which supports port-based VLAN (I have never configured it before), and I want to isolate her network from my client's network so they won't see each other.

There is no wiring between floors. So I guess if I ask her to purchase a wireless router and put it in bridge mode, attach the WAN port to, say, port #8 of the GS108T, which is also configured as VLAN #8 (the rest of the ports are #1), then her computer with a wireless adapter connected to the wireless router and my client's computers won't see each other, am I right?
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
29,563
432
126
If she has only one computer, keeping sharing off and using a software firewall that blocks local traffic will do too.
 

mxnerd

Thanks. Yes, she has only one computer, but my client has 7, including 1 server. I think I have no control over how she configures the computer and no guarantee that she will keep the settings. I think I'll try the VLAN thing.
 

mxnerd

Originally posted by: jlazzaro
VLANs are a layer 2 segmentation, so they still need to be routed. What type of router are you using? It will need to support dot1q...

I don't really understand the VLAN thing. All I know is that if computers are on different VLANs then they won't see each other (is that what the term "not in the same broadcast domain" means?)

My client's router is a Trendnet wireless-N without VLAN support. 3 computers are uplinked; all others are connected to the same Netgear GS108T smart switch, which supports port-based VLAN or 802.1Q VLAN (you can choose only one mode). Since I have no idea what 802.1Q is or how to configure it, I'll go with port-based VLAN (the GS108T's default).

So does VLAN routing really matter in this configuration? Won't the simple configuration described in my 1st post work?

I know segregation will work, but I have no intention to put the sub-leaser's router in the front.

 

kevnich2

Platinum Member
Apr 10, 2004
2,465
8
76
VLAN on the switch should work, then just put a static route on the trendnet switch that tells it to forward anything from that VLAN subnet out to the internet. Or the sub-leaser could also just obtain their own DSL/cable ISP and go that route as well? If your client has a block of public IPs, they could also just hook up another router to the client's ISP modem and then take an unused public IP address and assign it to the sub-leaser's router. A few different options you could do.
 

jlazzaro

Golden Member
May 6, 2004
1,743
0
0
Originally posted by: kevnich2
VLAN on the switch should work, then just put a static route on the trendnet switch that tells it to forward anything from that VLAN subnet out to the internet.

Without a trunk link between the switch and router, how will the router ever see both VLANs?
 

mxnerd

Originally posted by: JackMDS
Originally posted by: mxnerd But I have no intention to put sub leaser's router in the front.

Why?

Since that will be her router and not my client's, and for the purpose of trying out VLAN. My client's business is shrinking and losing money, that's why the company is sub-leasing the office, and my client is not likely to pay for the router or the wiring from downstairs to upstairs.

I don't want to mess with her router's settings if I can avoid it.

She is the first sub leaser (monthly) and can come and go, and probably there will be more sub-leasers. I don't want to cascade all the routers.

Found this article on the net, and I think I have a better idea now.
http://www.enterprisenetworkin...sm/article.php/3724316
 

mxnerd

Originally posted by: jlazzaro
Originally posted by: kevnich2
VLAN on the switch should work, then just put a static route on the trendnet switch that tells it to forward anything from that VLAN subnet out to the internet.
Without a trunk link between the switch and router, how will the router ever see both VLANs?

Just saw this article.

http://www.enterprisenetworkin...sm/article.php/3724316

So since the switch's default VLAN ID is 01 and includes ports 1-8 according to the article, I should create a VLAN ID 02 (downstairs) and put port 1 and port 8 in it, leave ports 1-7 in VLAN 01, and connect the Trendnet on port 01 and the new router on port 8, and it should work, won't it?

so VLAN 01 port 1 2 3 4 5 6 7
VLAN 02 port 1 8

port 1 trendnet
port 8 new router

port 2-7 other computers
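
A check of the layout proposed above, as an added example that is not part of the original post: it models the two port-based VLAN groups and lists what a device on port 8 can reach. It assumes the GS108T forwards frames only between ports that share a group, and that the three computers described earlier as uplinked are plugged into the Trendnet's LAN ports; all host labels are constructed.

```python
# Added example: models the port-based VLAN layout proposed in the post above.
# Assumption: the switch forwards a frame between two ports only if they share
# at least one port-based VLAN group (no 802.1Q tags involved).

VLAN_GROUPS = {
    1: {1, 2, 3, 4, 5, 6, 7},   # client's office; port 1 is the uplink
    2: {1, 8},                  # downstairs; port 8 plus the shared uplink
}

# What is plugged into each GS108T port (labels are constructed).
SWITCH_PORTS = {1: "trendnet", 8: "subleaser-router"}
SWITCH_PORTS.update({p: f"client-pc-{p}" for p in range(2, 8)})

# Assumption: the 3 "uplinked" client computers plug straight into the Trendnet.
# Its LAN ports act as one unmanaged switch, so they sit behind switch port 1.
BEHIND_UPLINK = {"trendnet": ["client-pc-a", "client-pc-b", "client-pc-c"]}


def ports_sharing_group(port, groups=VLAN_GROUPS):
    """Ports that can exchange frames with `port` on the switch itself."""
    peers = set()
    for members in groups.values():
        if port in members:
            peers |= members
    return peers - {port}


def reachable_hosts(port, groups=VLAN_GROUPS):
    """Devices a host on `port` can reach at layer 2, including anything
    hanging off a device on a shared port (e.g. the router's own LAN ports)."""
    hosts = set()
    for peer in ports_sharing_group(port, groups):
        device = SWITCH_PORTS[peer]
        hosts.add(device)
        hosts.update(BEHIND_UPLINK.get(device, []))
    return hosts


def isolation_gaps(port=8, allowed=("trendnet",)):
    """Everything reachable from `port` other than the intended uplink."""
    return sorted(reachable_hosts(port) - set(allowed))


if __name__ == "__main__":
    print("port 8 peers on switch:", sorted(ports_sharing_group(8)))
    print("port 2 peers on switch:", sorted(ports_sharing_group(2)))
    print("unintended reach from port 8:", isolation_gaps())
```

In this model port 8 reaches nothing on switch ports 2-7, but the three computers behind the Trendnet stay reachable from it until they are moved onto switch ports 2-7.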
 

JackMDS

If VLAN does not work.

Plug two Routers' WAN ports into two regular ports on the main Router.

Switch the DHCP on the main Router Off, and assign a static IP to each of the secondary Routers.

One secondary Router goes to your client and one to the subleaser.

When the subleaser decides to go, unplug their Router and let them go with good health.
 

VirtualLarry

No Lifer
Aug 25, 2001
56,587
10,227
126
I've got a better idea. For the main router, get a wireless router that supports "AP isolation" - this is a feature that allows multiple wireless clients access to the internet, and prevents access to each other.

Then get a wireless router for the sub-leaser that supports "client mode" or "client bridge mode" (One of those, I forget the difference). That would allow her to plug into the LAN ports on that router, and get wireless access to the internet, and due to the AP isolation, shouldn't get LAN access to the other machines connected to the main router.

I think that should work, and a pair of DD-WRT compatible routers would probably do it. Look into the Buffalo "HP" (high-power) 54G routers that just came back on the market.
 

mxnerd

Originally posted by: JackMDS
If VLAN does not work.

Plug two Routers' WAN ports into two regular ports on the main Router.

Switch the DHCP on the main Router Off, and assign a static IP to each of the secondary Routers.

One secondary Router goes to your client and one to the subleaser.

When the subleaser decides to go, unplug their Router and let them go with good health.

That will be a good option, too.

Originally posted by: VirtualLarry
I've got a better idea. For the main router, get a wireless router that supports "AP isolation" - this is a feature that allows multiple wireless clients access to the internet, and prevents access to each other.

That's good too, if my client is willing to buy a new router and let all sub-leasers use the same new router, and all sub-leasers won't see each other.

The sub-leaser does not come every day. I have to wait for my client's call and final decision.

Thanks.
 

kevnich2

Originally posted by: mxnerd
Originally posted by: JackMDS
If VLAN does not work.

Plug two Routers' WAN ports into two regular ports on the main Router.

Switch the DHCP on the main Router Off, and assign a static IP to each of the secondary Routers.

One secondary Router goes to your client and one to the subleaser.

When the subleaser decides to go, unplug their Router and let them go with good health.

That will be a good option, too.

The sub-leaser does not come every day. I have to wait for my client's call and final decision.


Thanks.

Yeah, you have a few different options. Jack's option I think would be the easier of them if you're not comfortable doing VLANs on the switch. The VLAN should work just fine, just depends on your comfort level. Is the sub-leaser just renting a single office on your client's floor?
 

mxnerd

Originally posted by: kevnich2

Yeah, you have a few different options. Jack's option I think would be the easier of them if you're not comfortable doing VLANs on the switch. The VLAN should work just fine, just depends on your comfort level. Is the sub-leaser just renting a single office on your client's floor?

I think I can handle the port based VLAN.

And yes, each sub-leaser is just leasing one or 2 rooms.