Slashdot Mirror


Wireless/Wired Router Solutions for 2 Networks?

DaveTheBrave asks: "I'm currently running a home based business on an el cheapo Netgear wireless router off a broadband cable modem connection. I'm looking to upgrade to something better with more flexibility. My in-laws recently sold their home and will be moving into my home temporarily while they are building another. They have a home based business and my mother-in-law is also notorious for attracting viruses, adware and other nasty stuff on her PC (which I have to routinely clean - hence my need for a better network solution). What is the best/easiest solution to segment and keep separate my network from theirs (both wired and wireless) off of one incoming cable modem? I'm looking for something around or less than $500."

12 of 73 comments

  1. The "simple" solution by Jhon · · Score: 2, Informative

    would be to hook up two more routers to the current router -- pointing the two NEW routers to the OLD router as their WAN "gateway". Then on the LAN side of the two NEW routers, make each a separate network segment (i.e., 10.0.0.0/24 and 10.0.1.0/24 or something).

    Wireless-wired routers are pretty cheap. You should be able to do it for under $200. Not "elegant", but do-able.

    1. Re:The "simple" solution by Geoffreyerffoeg · · Score: 2

      On the segment between the "new" router and the "old" router, traffic would mingle -- and if there's some funky broadcast virus on the INSIDE of the "new" segment, it may cause problems on the "old" segment.

      Then do it the other way around. Hook up the safe computers to the inner router, and the unsafe computers to the outer router. The outer router is the WAN of the inner one, and if it launches attacks it's the same as if the open Internet launched attacks against your single router now.

  2. Linksys WRT54G by codehead · · Score: 2, Insightful

    You can get two Linksys WRT54Gs for about US$120. Configure one as a router and keep your in-laws in the wireless segment. Configure the other one as a bridge to be your firewalled network zone. If absolutely necessary, you can give them access to the wired segment in the outermost router and still keep them out of the innermost, trusted network.
    If you have some spare time, reflash the WRTs with OpenWRT for extra flexibility. While you're at it, you might want to score a few extra points with your in-laws by migrating their PCs to Linux, or at least installing Ad-Aware and Spyware S&D ;-)

    --
    -- Estoy feliz, feliz de que no sea cierto.
  3. maybe something "easier" than OpenBSD by da5idnetlimit.com · · Score: 2, Informative

    I was thinking along the same lines, but using a dedicated distro like http://www.clarckconnect.com/

    One cable modem, two subnets, no routing between them...

    Clarkconnect comes free, with a range of possible upgrades like auto snort updates, security checking, and auto updates for the registered version.

    Advantages : webpages configuration with quite a good help and easy set-up...

    You can implement Mailscanner+SpamAssassin on the cheap.

    The "intrusion prevention" updates part comes with a (small) price, and altogether, the licence for a home office is around 200$...

    Also, setting up is "secure by default" (you want a port opened, you do it...) and you are up and running after maybe 10-15 minutes config...

    enjoy 8)

    --
    It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
    1. Re:maybe something "easier" than OpenBSD by da5idnetlimit.com · · Score: 2, Informative

      Well, I gave this distro as example for a few reasons, such as :

      1/ I'm using it right now

      2/ It supports wireless cards, SMP, e1000 Intel Gigabit Ethernet, etc with no or little fuss, just browse the website for a list of compatible, tested and supported hardware

      3/ I know it is a well made interface, with good autodiscovery, and clear help (not always inline, but always well made)

      4/ IPTABLES ? everything is closed by default, and you have a nice, clear and easy interface to open just the ports you want and do the routing as you prefer

      5/ you also have the man pages, in addition to the included help and descriptions, and a newbies website, and community support, and each and every module also connects you to the full website and doc for each and every part of the OS you are configuring

      6/ Even if you are both dense and not fully fluent in English you can install it and still be secure, and even get excellent paid for support if the official - free - help forum isn't up to par with your expectation

      7/ Also, OpenBSD was already mentioned, and this excellent distro wasn't

      8/ I never said OpenBSD was difficult, or too hard, I just told him to go and have a look at this distro, because you don't have to fiddle endlessly to find a HOWTO on this, and a WHYNOT on that. Efficient, Secure, under 500$. You get all three. Which is what he asked for.

      9/ /flame This distro doesn't seem to attract the sort of Holy Warmongers conflictual dorks that you seem to have taken unto you to represent/endflame

      10/ Profit ! from the experience of others... Because it is provided for free and in good faith.

      Hoping to read from you, or even better, from him after he implemented the solution he found best responding to his needs 8p

      Da5id

      --
      It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
  4. The way I do it: Linksys WRT54GS by BRTB · · Score: 2, Insightful

    This thing's a pretty versatile device for under $100. Load OpenWRT on it and you'll have a capable Linux machine/distro suitable for small-network routing and firewalling with iptables, vconfig and brcfg. The built-in Ethernet switch (http://wiki.openwrt.org/OpenWrtDocs/Configuration#EthernetSwitch) is 802.1q VLAN capable and configurable at the per-port level, so you can split the network in two and still have the 'router' connected to both and handling Internet traffic with some modifications to the startup scripts and dnsmasq config. Sounds like a fun project, in any case.

    1. Re:The way I do it: Linksys WRT54GS by tdemark · · Score: 2, Informative

      Yes and no.

      From what I understand, the most recent revision of the WRT54G (v5) is now based on VxWorks. However, you can buy the WRT54GL, which is effectively the WRT54G v4.

      - Tony

  5. One more router. by CyberVenom · · Score: 2, Interesting

    You already have a cheapo Netgear router, which I imagine can do NAT. So buy one of the new Netgear Gaming routers that allow you to do bandwidth limiting, and set that up as your primary router, hanging off the modem. Plug your in-laws into this directly. Then take your old cheapo and plug it into the new router and hide all your machines behind it. That gives you access (through 2 layers of NAT) to the net, and protects you from your in-laws' virii, as well as allowing you to guarantee a reasonable slice of bandwidth from the gaming router to your cheapo router so that even in the case of your in-laws' machines saturating the internet connection with virus traffic, you still have sufficient bandwidth to finish your CounterStrike game before going into the other room and forcing them to unplug from the network while you clean their boxen.

  6. Followup to those suggesting WRT54G or GS by HunterZ · · Score: 3, Insightful

    As a bit of follow-up info to posts suggesting that you invest in a Linksys WRT54G or GS in order to run custom firmware, be aware that the current version of the WRT54G, the v5.0, has half the RAM and flash capacity of previous models. This makes it impossible to flash most custom firmware such as OpenWRT or DD-WRT.

    The current version of the WRT54GS, v4.0, is reported to also have half the capacity of previous GS models, which leaves it with as much as older WRT54G models. This means you can get an off-the-shelf GS with the open-source firmware capabilities of old WRT54G models if you're willing to pay $20 more.

    Linksys is also supposed to be releasing the WRT54GL, which many have speculated is a relabeled WRT54G v4.0 for $10 more. However, last I checked it was only available in Europe (and by checking I mean both searching the 'net and talking to Linksys support, who ended up referring me to a wholesaler after being unable to find a North American retailer who had them in stock).

    --
    Arguing about vi versus Emacs is like arguing whether it's better to make fire by rubbing sticks or banging rocks.
  7. Requisite BSD Touting Suggestion by nuintari · · Score: 2, Interesting

    What I would do is, get a cheap Pentium crap box, stick three NICs in it, and OpenBSD. One NIC goes to the cable modem, the other two go to the wireless routers. Just ignore the WAN port, use them as switches that have wireless built in.

    Each router (being used as a fancy wireless ready switch, and nothing more), lives on its own subnet, and you can use firewall rules to dictate access rights between the two of them.

    This gives you two separate network segments, on different layer 2 broadcast domains, and a strong traffic cop to enforce your rules between them.

    Besides, OpenBSD kicks ass.

    --

    --Nuintari

    slashdot : where an opinion can be wrong.

  8. (I) Like a bridge over doubled routers by davidwr · · Score: 2, Informative

    (I) Like a bridge over doubled routers
    it will carry me (bits) home.

    Seriously, here's what I would do:

    Cable feeds switch.
    Switch feeds two NAT/firewall routers, one for your network and one for the family.

    To mitigate viruses, configure the family router to block all incoming ports and all outgoing ports except the ones they absolutely need, e.g. http, https, and maybe passive-ftp. LEAVE OUTGOING MAIL-POP3 and -SMTP BLOCKED and teach them to use webmail.

    Configure your NAT router as you see fit.

    Some cable modems come with more than one LAN-side port and can act as a switch or hub if they sense they have more than one IP address assigned.

    Most cable operators will sell you a 5-pack of IP addresses for so-many-dollars-a-month.

    If the IP addresses are too expensive, do as another person suggested and put a 2nd-tier NAT router above the two "LAN" routers in place of the switch. The real benefits to the switch are:
    1) both LANs can host inbound traffic on the same port
    2) if the other LAN gets 0wned and people block its IP, your LAN is less likely to be blacklisted.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
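
Added example, not part of any comment and not a poster's own configuration: a pf.conf sketch for the three-NIC OpenBSD box described in comment 7, with the family segment's outbound traffic limited the way comment 8 suggests. The interface names (em0, em1, em2), the reuse of the 10.0.0.0/24 and 10.0.1.0/24 subnets from comment 1, and the DNS allowance are assumptions.

```pf
# /etc/pf.conf (added example; interface names and subnets are assumptions)
# Forwarding must be enabled: net.inet.ip.forwarding=1 in /etc/sysctl.conf

ext_if  = "em0"            # cable modem
biz_if  = "em1"            # your wireless router, LAN ports only (switch/AP)
fam_if  = "em2"            # in-laws' wireless router, LAN ports only

biz_net = "10.0.0.0/24"
fam_net = "10.0.1.0/24"
fam_web = "{ 80, 443 }"    # http and https; extend only when really needed

set block-policy drop
set skip on lo

# Both segments share the single address on the cable-modem side.
# (match ... nat-to is the OpenBSD 4.7 and later syntax.)
match out on $ext_if inet from { $biz_net, $fam_net } nat-to ($ext_if)

# Default deny, in and out, on every interface. Logged drops show up on
# pflog0, which is where an infected family PC becomes visible.
block log all

# Your segment: unrestricted outbound, but nothing toward the family segment.
pass in on $biz_if inet from $biz_net to ! $fam_net

# Family segment: web only, and never toward your segment.
# SMTP (25) and POP3 (110) stay blocked simply by not being listed.
pass in on $fam_if inet proto tcp from $fam_net to ! $biz_net port $fam_web

# DNS is an assumption added here; without it the web rules are unusable.
pass in on $fam_if inet proto { tcp, udp } from $fam_net to ! $biz_net port 53

# Traffic may leave only through the cable-modem interface. There is no
# "pass out" on $biz_if or $fam_if, so nothing is forwarded between the two
# segments and nothing unsolicited from the Internet reaches either of them.
pass out on $ext_if inet
```

`pfctl -nf /etc/pf.conf` parses the ruleset without loading it; `pfctl -f /etc/pf.conf` loads it.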
  9. Managed switch with VLAN by dfinster · · Score: 4, Informative
    For example, CNet makes a really inexpensive managed switch with VLAN support.

    • Put ports 1 through 8 in VLAN 1
    • Ports 9 through 16 plus port 1 in VLAN 2
    • Use port 1 to uplink to your router

    You have both VLANs with access to the net, but no access to each other.

    I think that's what you were asking for.