2 separate networks, share lan

T. Whatley

So I'm sure this is a very simple question, but seeing that I am networking impaired I was hoping to get some guidance from the esteemed gentlemen of this forum.

I currently have 1 incoming fios connection. I want to go to 2 incoming fios connections and have my prod server served by 1 and my home network served by the other. I also want to be able to access each lan from the other lan--but only the lan traffic. I want to keep the outgoing/incoming www traffic separate.



Does that make sense? Any clues/tips?
 
Well first off. Are you really sure you want to pay 2x as much for Internet by having two connections coming in to the house instead of just one and that being split using QoS, ACL's, and VLAN's to segregate the traffic? Seems a little overboard to pay for two connections and twice the equipment to do what can be done by a moderately priced router, firewall, or even layer 3 switch.

Again that depends on what your needs are specifically to make that call.
 
Yes. The prod traffic requires a "business" account and is not suitable for a home/consumer account, and I don't want my home traffic touching the business account--so, 2 connections for 2 distinct and separate purposes.
 
Simple. You need a vlan capable switch and a vlan capable pfSense setup. With a few rules on pfSense you can tell it what vlan takes what internet connection while allowing the vlan's to talk to each other BUT NOT have internet traffic cross them.
 
Or use something like a Mikrotik and have the two incoming lines on it as well as the two networks. Routing and firewall rules can take care of the rest.


Or you can use Metarouter on a Mikrotik and run a second virtual router.
 
I appreciate the responses but even this seems overly complex... although it could just very well be the nature of the setup and my complete ignorance of the networking world.

What it boils down to is I'm looking to have 2 separate incoming connections. My group of home computers on one side and my production server(s) on the other. I'd prefer to make the lan's of each be able to talk to each other, but was hoping it wouldn't involve a few hundred in more equipment. It sounds like it will just be easier, and free, to just open up a ftp port on one end to be able to push files from the home computers to the prod computers (which is, ultimately, all that I want to be able to do).
 
Honestly you could purchase a Zyxel USG 100 and have everything you are asking for done with their tech support's assistance in less than 2 hours.

And you don't need any of the subscription services offered for the Zyxel to do any of it.


Let me explain it.

Here's how simple it is:

Connect up the USG 100
Configure the WAN ports.

Bind DHCP scopes to each interface 192.168.1.0 to one, and 192.168.2.0 to the other.

Make a static route between the two.

Allow DHCP to populate.

Reserve all addresses as needed.

Loose Bind the machines or interface ports to the WAN interface you prefer..... or use groups if you want.

Define/configure your QOS as you prefer.

Setup and Add VPN accounts as you want/need. Use groups if you want.

http://www.nextwarehouse.com/item/?654169_g10e
 
Why not just have 2 different default gateways. 1 for the work LAN and 1 for the personal LAN.

The LAN traffic is the same network, but when they go out (and in) they go out the 2 separate lines.

You don't need extra hardware for that.
 
Because the OP requested (2) networks that can route between. That's why.:rolleyes:

One LAN is not two LANs. For all we know one LAN could have chatty broadcast traffic.
 
He actually doesn't say anything about routing, just that he wants to access all the machines via a LAN connection. :rolleyes:

You guys are making it harder than it needs to be.
 
I was gleaning wisdom from OP's diagram...:p
 
This could even work over one connection for all that I care... I just want the lan traffic on one side to not interact, at all, with lan traffic on the other, except when specifically requested (i.e. pushing a file from a lanA computer to a lanB computer).

Use case: Sometimes I do experimental things on my home lan... as I've experienced, it can bring down the entire lan, including the prod machine which is currently on that same lan. I don't want this. If I do experiments on one side, I don't want it to affect the other.

Mackintire, feel free to leave this topic.
 
All you need to keep the networks separate is a layer 3 switch and a couple of vlans. Then you can choose what ip's or protocols can talk between the two vlans. And you could also share one internet connection instead of 2.
 
I have no clue what I have done to you to earn the response above. But you're receiving some erroneous advice in this thread along with some workable suggestions.

As others have said already.. to do what you are asking you will need either a layer 3 switch/router or a switch/router that supports both Vlans and routing between Vlans. The USG100 is a bit pricey for that. A used L3 10/100 managed switch off of ebay should be able to do this for around $100. But to do what you ask at gigabit speeds you'll either need to find a great deal (ebay, refurbished, or build a PFsense box with parts you already have) or just spend $250+ on new hardware.

I have seen no other suggestions in this thread that will give you what you are asking for. Unless you add or take away some other requirements, those are the most effective solutions.

I understand that this is the Internet and I certainly have no interest in winning the special Olympics award today.... so on that note, good luck.
 
Making this much too hard. You need one router/firewall/layer 3 device. Plug the work network into one port. Plug the play network into another port. Plug wan for play into another port. Plug wan for work into another. Since the LAN networks are directly attached no static routing needed. Setup policy routing so that each LAN is routed to appropriate WAN interface. Profit. If you decide to go with a single outbound WAN then it is even more simple and would result in more profit.

Please note I have assumed you have switching in place for each network or at least know how to do so.
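Added example, not from the thread or any poster: the single-router, two-LAN, two-WAN layout the last reply describes (and the pfSense suggestion earlier), done on a Linux box with policy routing plus an nftables forward policy so the LANs can only meet where allowed and neither LAN ever leaves through the other's uplink. Interface names, subnets, gateways and the file-push port are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: one Linux router with two LAN ports and
# two WAN uplinks, using policy routing so each LAN leaves through its own
# WAN while the LANs can still reach each other where allowed. Interface
# names, subnets, gateways and the file-push port are constructed placeholders.
IP="${IP:-ip}"; NFT="${NFT:-nft}"          # override both with echo to preview
LAN_WORK_IF=eth0; LAN_WORK_NET=192.168.1.0/24; WAN_WORK_IF=eth2; WAN_WORK_GW=203.0.113.1
LAN_HOME_IF=eth1; LAN_HOME_NET=192.168.2.0/24; WAN_HOME_IF=eth3; WAN_HOME_GW=198.51.100.1
FILE_PUSH_PORT=22                          # the only home -> work service allowed

# One routing table per LAN: both LANs are directly attached (so no static
# routes between them are needed) and the default route is that LAN's own WAN.
add_lan_table() {   # $1 table id, $2 source subnet, $3 WAN interface, $4 WAN gateway
    $IP route add "$LAN_WORK_NET" dev "$LAN_WORK_IF" table "$1"
    $IP route add "$LAN_HOME_NET" dev "$LAN_HOME_IF" table "$1"
    $IP route add default via "$4" dev "$3" table "$1"
    $IP rule add from "$2" lookup "$1" priority "$((1000 + $1))"   # source-based lookup
}

# Forward policy: default drop, so the two LANs only meet where explicitly
# allowed, and neither LAN can be forwarded out the other's WAN.
add_forward_filter() {
    $NFT add table inet split
    $NFT add chain inet split forward '{ type filter hook forward priority 0; policy drop; }'
    $NFT add rule inet split forward ct state established,related accept
    $NFT add rule inet split forward iifname "$LAN_WORK_IF" oifname "$WAN_WORK_IF" accept
    $NFT add rule inet split forward iifname "$LAN_HOME_IF" oifname "$WAN_HOME_IF" accept
    # Home -> work only for the file push; nothing else crosses between the LANs.
    $NFT add rule inet split forward iifname "$LAN_HOME_IF" oifname "$LAN_WORK_IF" \
        tcp dport "$FILE_PUSH_PORT" accept
    # Source NAT on both uplinks so each LAN appears with its own public address.
    $NFT add chain inet split postrouting '{ type nat hook postrouting priority 100; }'
    $NFT add rule inet split postrouting oifname "$WAN_WORK_IF" masquerade
    $NFT add rule inet split postrouting oifname "$WAN_HOME_IF" masquerade
}

configure_split_routing() {
    add_lan_table 100 "$LAN_WORK_NET" "$WAN_WORK_IF" "$WAN_WORK_GW"
    add_lan_table 200 "$LAN_HOME_NET" "$WAN_HOME_IF" "$WAN_HOME_GW"
    add_forward_filter
}

# "preview" prints the commands; "apply" runs them (needs root and IP forwarding
# enabled). With no argument the script only defines the functions.
case "${1:-}" in
    preview) IP=echo NFT=echo configure_split_routing ;;
    apply)   configure_split_routing ;;
esac
```

Run `sh split.sh preview` to see the exact ip/nft commands before applying them; the home LAN can open a file push to the work LAN, while work -> home and any LAN -> other WAN forwarding falls through to the chain's drop policy.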
 