Trying to segment the network with 2 routers and a modem

F

Fremunaln

Limp Gawd
Joined
May 3, 2019
Messages
189
Limited networking experience so bare with me here.

I want to segment my network into 2 physical zones, coming off one cable modem so that Zone 1 and Zone 2 are isolated from each other.

Zone 1 would be Wired LAN only
Zone 2 would Wired and Wireless (majority)

Would this be possible with 2 consumer grade routers?
 
If you want two physical zones (e.g. two separate Layer 1 zones), you will need two sets of hardware and none of the wires can go between the two zones.

Now, if that's not what you meant, per se, you just wanted them isolated, then a lot depends upon the particular hardware you have (provide model #s in reply?). The easiest way to do this is via vlans (layer 2 separation).
 
Two routers isn't going to work. The cable modem will only support one. You could put one behind the other, but then you end up with things like double-NAT and it gets kinda messy, also one segment is never truly isolated from the other.

A true "router" (in the traditional sense), such as pfSense/OPNsense, OpenWRT (hardware-dependent), the EdgeRouter series, etc. could do it. Any of these would allow you to set up two LAN interfaces (either via dedicated NICs or VLANs) and define firewall rules to fully isolate the two segments.
 
An Edgerouter X would be able to do this fairly cheaply, so long as your demands for the routing part aren't too high. Essentially, you need a router to 'route' between the internet connection and two separate networks, hopefully on their own interfaces, so that you have full separation and control over what transits each way.
 
You just need 1 router with switch ports on it that allow the creation and management of VLANs.
 
Machupo said:
If you want two physical zones (e.g. two separate Layer 1 zones), you will need two sets of hardware and none of the wires can go between the two zones.

Now, if that's not what you meant, per se, you just wanted them isolated, then a lot depends upon the particular hardware you have (provide model #s in reply?). The easiest way to do this is via vlans (layer 2 separation).
Click to expand...

Layer 2 is what I`m going for, looking at reusing a asus rtac1300UHP

BlueLineSwinger said:
Two routers isn't going to work. The cable modem will only support one. You could put one behind the other, but then you end up with things like double-NAT and it gets kinda messy, also one segment is never truly isolated from the other.

A true "router" (in the traditional sense), such as pfSense/OPNsense, OpenWRT (hardware-dependent), the EdgeRouter series, etc. could do it. Any of these would allow you to set up two LAN interfaces (either via dedicated NICs or VLANs) and define firewall rules to fully isolate the two segments.
Click to expand...
IdiotInCharge said:
An Edgerouter X would be able to do this fairly cheaply, so long as your demands for the routing part aren't too high. Essentially, you need a router to 'route' between the internet connection and two separate networks, hopefully on their own interfaces, so that you have full separation and control over what transits each way.
Click to expand...

With ER-X, I assume the lineup would be Cable Modem-> ERX

From the ER-X I could setup Zone 1/VLAN1 directly wired , while VLAN2 would end up wired to the the Asus router, with its routing function disable but wireless and wired capabilities intact?



Cmustang87 said:
You just need 1 router with switch ports on it that allow the creation and management of VLANs.
Click to expand...

I dont know if the stock ASUS WRT firmware allows for the creation of V-LANs. Asus Merlin is out of the question with hardware I am reusing. Open WRT seems to be unstable according to users as well.
 
Fremunaln said:
With ER-X, I assume the lineup would be Cable Modem-> ERX

From the ER-X I could setup Zone 1/VLAN1 directly wired , while VLAN2 would end up wired to the the Asus router, with its routing function disable but wireless and wired capabilities intact?
Click to expand...

Pretty much. Both LANs would be set up pretty much identically. On the second VLAN, the old router would just be another device at the same level as any other wired device. It would have all of its services disabled (e.g., DNS resolution, DHCP) as they're now handled by the ER-X (or whatever you select). It's only purpose would be to act as the WiFi AP for that segment (check to see if the unit has a specific "AP" mode available).
 
Fremunaln said:
I dont know if the stock ASUS WRT firmware allows for the creation of V-LANs. Asus Merlin is out of the question with hardware I am reusing. Open WRT seems to be unstable according to users as well.
Click to expand...

You'd of course want to get a capable router.
 
While ER-X may not be in the cards currently, anyone if the ASUSWRT official firmware has V-LAN support?
 
BlueLineSwinger said:
Two routers isn't going to work. The cable modem will only support one.
Click to expand...

That's not exactly accurate provided his ISP supports the configuration and most do. He would likely have to pay a recurring fee to allow the second learned MAC. He then could attach the bridge to a switch along with the WAN ports of the fw/routers. Client devices would attach downstream. From that point forward clients behind each would be isolated and only accessible from the external internet side. Please note I would not consider it ideal but it certainly would work.
 
Look for a modem that has more than one vlan.
I bought one many moons back for a client and we set up his local LAN on one vlan and wireless connections on another.
Neither could see each other, it was a great way to prevent wireless hacks getting at his local lan.
 
With two vlans on a modem the isp will need to be able to support two addresses.
 
Mac2 said:
With two vlans on a modem the isp will need to be able to support two addresses.
Click to expand...
local vlans.

tbh they are entirely separate local network connections.
On the one I set up, of the 4 network ports, any number of them could be assigned to each vlan and traffic on the other had no way of getting across.
 
Last edited:
So revisiting this to ask more questions of course. Thanks in advance


So I`m starting to gather a parts list, getting the ER-X for the VLANs and here is how Im repurposing some old hardware.

-->[VLAN1] Wireless Router 1-> Connects Devices A-M
Modem--> ER-X
--> [VLAN2] Wireless Router 2--->to Bridge another router/ap Connecting to Devices N-Z

I assume this would work to keep the two networks physically separated. I dont want devices A-M to have any access to N-Z and vice versa.
 
You must log in or register to reply here.
Back
Top