Two Networks One IP

amrogers3 (joined Nov 7, 2010)
Hello, I am trying to figure out the best way to create two separate networks using one external IP address. I don't want the networks to be able to communicate with each other.

I read about cascading and also read where you get a 3rd router and connect two routers to it. Taking off DHCP and assigning static IPs.

Not sure the best way to go about this, and any input from you guys on the most secure way to do this would be most appreciated. Y'all never steer me wrong. :D
 
I'm not sure if there are any consumer routers that would allow you to setup two inside subnets, but you could always do this with Cisco (and I'm sure other) hardware. I'll use what I know about this with Cisco terminology, just for the record.

Should be able to take a router and setup PAT (NAT overload) with one outside interface and two inside interfaces, or with a single physical interface with multiple sub-interfaces configured (one for each inside subnet). If you setup two physical interfaces then you could have DHCP running on each and then just connect a switch to each interface. With the sub-interfaces on a single physical port you would need a managed switch with the uplink to the router set as a trunk, then setup VLANs for each separate network.

Not sure if you are asking for home or business, or how much knowledge you have in this area, but it is certainly possible and you don't necessarily need to assign IPs statically.
 
You're looking for VLAN or ALAN. I accomplish this on my pfsense box by having an extra Network Interface configured.
 
Some consumer routers have DMZ support, but almost always just for a single IP address. You could in theory put another router behind this, basically give that router's "internet" or WAN address a static IP, and set that static IP as the DMZ address on the internet-facing router. Otherwise, as the others above have stated, you need some sort of VLAN-type setup.
 
You could do this with an EdgeRouter. No VLANs needed, really, just a few routing and firewall rules.
 
pfSense can certainly do it. An EdgeRouter Lite or X is a good low-cost option, as I suspect the likes of MikroTik or RouterBoard would be. And then there are the more "enterprise" options such as Cisco, Fortinet, etc. Any of these could do it either by using separate physical LAN interfaces for each subnet, or by trunking VLANs to a capable switch.

I believe OpenWRT could possibly even do it, but this is not something I've attempted myself and I wouldn't be sure where to start (I currently only use it as a WAP). It'd also be dependent on the hardware chosen.
 
Yes, I should have elaborated a bit. An EdgeRouter Lite has 3 interfaces. Just make one the WAN, and the other two separate LAN subnets with no routing between them. They can both NAT through the WAN port.
 
Thanks for the info, guys. So, it sounds like the cheapest but not the easiest option would be to set up a pfSense box, and I would need 3 network cards, correct? One for internet and two for the subnets? I set up pfSense before, but it has been a long time. I can't remember how difficult or easy it was to set up. Would this be very difficult for someone who doesn't know Linux very well? I can use it, just not real proficient with it.
 
There's a couple ways you could set up pfSense. The simplest for one not accustomed to networking beyond the basics is as you describe.

pfSense is all GUI. Linux knowledge is irrelevant.

The EdgeRouter GUI is less complete, but setting one up as needed should not require any command line use.
 
A pfsense box would be the cheapest up-front if you have the parts laying around, but not in the long run. 150 watts 24/7 is about $14 a month or $170 a year just in electricity. ERL by comparison is going to be less than a quarter of that, so you'd be spending an extra $120 a year for a dedicated pfsense box.

Just something to keep in mind. Different variables can change the equation, of course.
 
If this is a home setup

You could get a cheap Belkin switch and have the cable modem plug in there. Then get two cheap routers and plug them into the switch, and have each router hand out DHCP on a different subnet. Then plug one set of devices into each.
 
Proper way but more expensive:

pfsense(or other platform that supports vlans) with managed switch and use vlans.

Cheap but dirty super easy way:

3 consumer grade routers: router 1 is connected to the ISP as normal, then router 2 and router 3 are uplinked to router 1. Make sure each of the 3 routers has a different IP range (technically router 2 and 3 can be the same, but I would still make it different).

Basically you'll have a double NAT and each segment won't be able to talk to the other. This is ugly though. I'd go the VLAN route unless you are super strapped for cash.

Going the VLAN way, basically the way it would work is you can have 2 or more VLANs and you assign ports on the switch to them, then within pfSense you create the virtual interfaces, one per VLAN. The switch is then connected via a trunk port to pfSense. Then you can set up firewall rules for the inter-VLAN routing. This is super configurable, as you can allow/deny traffic between all the VLANs as desired. So if there's one server you do want to be able to access, you can set that up.
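Putting the two answers above together (an EdgeRouter Lite with one WAN port and two separate LAN ports that both NAT out of the single WAN address, and the VLAN-trunk variant with per-interface firewall rules), here is an added example of what that looks like on EdgeOS. It is not configuration posted by anyone in this thread. The interface names (eth0 as WAN, eth1 and eth2 as the LANs), the subnets 192.168.10.0/24 and 192.168.20.0/24, the DHCP ranges and the ruleset names are all assumptions for illustration. The `#` lines are explanatory comments, not EdgeOS syntax; drop them before pasting into the CLI.

```text
configure

# WAN: eth0 gets the one public address from the ISP (assumed to be DHCP)
set interfaces ethernet eth0 description WAN
set interfaces ethernet eth0 address dhcp

# Two separate LANs on two physical ports (assumed addressing)
set interfaces ethernet eth1 description LAN1
set interfaces ethernet eth1 address 192.168.10.1/24
set interfaces ethernet eth2 description LAN2
set interfaces ethernet eth2 address 192.168.20.1/24

# DHCP on each LAN, so nothing has to be addressed statically
set service dhcp-server shared-network-name LAN1 subnet 192.168.10.0/24 start 192.168.10.100 stop 192.168.10.199
set service dhcp-server shared-network-name LAN1 subnet 192.168.10.0/24 default-router 192.168.10.1
set service dhcp-server shared-network-name LAN1 subnet 192.168.10.0/24 dns-server 192.168.10.1
set service dhcp-server shared-network-name LAN2 subnet 192.168.20.0/24 start 192.168.20.100 stop 192.168.20.199
set service dhcp-server shared-network-name LAN2 subnet 192.168.20.0/24 default-router 192.168.20.1
set service dhcp-server shared-network-name LAN2 subnet 192.168.20.0/24 dns-server 192.168.20.1
set service dns forwarding listen-on eth1
set service dns forwarding listen-on eth2

# Both LANs share the one WAN address via masquerade (PAT / NAT overload)
set service nat rule 5010 description 'masquerade LAN1 and LAN2 to WAN'
set service nat rule 5010 type masquerade
set service nat rule 5010 outbound-interface eth0

# The isolation. The router has a connected route to both subnets, so a
# plain "accept anything" policy on a LAN port would happily forward
# LAN1 -> LAN2. Drop traffic addressed to the other LAN before the default.
set firewall name LAN1_IN default-action accept
set firewall name LAN1_IN rule 10 description 'no LAN1 -> LAN2'
set firewall name LAN1_IN rule 10 action drop
set firewall name LAN1_IN rule 10 destination address 192.168.20.0/24
set interfaces ethernet eth1 firewall in name LAN1_IN

set firewall name LAN2_IN default-action accept
set firewall name LAN2_IN rule 10 description 'no LAN2 -> LAN1'
set firewall name LAN2_IN rule 10 action drop
set firewall name LAN2_IN rule 10 destination address 192.168.10.0/24
set interfaces ethernet eth2 firewall in name LAN2_IN

# Stateful WAN policy: only replies to connections started inside get in,
# and nothing from the internet reaches the router itself
set firewall name WAN_IN default-action drop
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 firewall local name WAN_LOCAL

commit
save
exit
```

For the VLAN-trunk variant on a single LAN port, drop the eth2 lines and put LAN2 on a tagged sub-interface of eth1 instead: `set interfaces ethernet eth1 vif 20 address 192.168.20.1/24` and `set interfaces ethernet eth1 vif 20 firewall in name LAN2_IN`, with the managed switch port facing eth1 set as a trunk carrying VLAN 20 tagged (LAN1 untagged) and the LAN2 access ports untagged in VLAN 20. Two checks worth doing after `commit`: from a LAN1 host, `ping 192.168.20.100` should get nothing while internet access still works, and the same in reverse from LAN2. Two caveats: the `in` rulesets only cover forwarded traffic, so a LAN1 host can still reach the router's own LAN2 address (192.168.20.1) and its management UI unless you also restrict that with a `local` ruleset; and the isolation is only real if the two LANs never share a switch or broadcast domain, which means one switch (or one VLAN) per LAN, never both plugged into the same dumb switch.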
 
If this is a home setup

You could get a cheap Belkin switch and have the cable modem plug in there. Then get two cheap routers and plug them into the switch, and have each router hand out DHCP on a different subnet. Then plug one set of devices into each.

Probably won't work. Typically only a single device is able to get a public IP address.


* * *

Proper way but more expensive:

pfsense(or other platform that supports vlans) with managed switch and use vlans.

<snip>

Going the VLAN way, basically the way it would work is you can have 2 or more VLANs and you assign ports on the switch to them, then within pfSense you create the virtual interfaces, one per VLAN. The switch is then connected via a trunk port to pfSense. Then you can set up firewall rules for the inter-VLAN routing. This is super configurable, as you can allow/deny traffic between all the VLANs as desired. So if there's one server you do want to be able to access, you can set that up.

Yes, but for someone like the OP (apparently) who is not so familiar with networking this can be a bit much to wrap one's head around. Using a router with two LAN interfaces is logically the same but simpler for a novice to understand and work with.

Cheap but dirty super easy way:

3 consumer grade routers: router 1 is connected to the ISP as normal, then router 2 and router 3 are uplinked to router 1. Make sure each of the 3 routers has a different IP range (technically router 2 and 3 can be the same, but I would still make it different).

Basically you'll have a double NAT and each segment won't be able to talk to the other. This is ugly though. I'd go the VLAN route unless you are super strapped for cash.

Ugh, this topology is too ugly to even consider, and double NAT almost always ends up causing problems. And how is it cheaper than something like an EdgeRouter Lite?
 
You can run two subnets in the same broadcast domain (i.e. without VLANs). I wouldn't recommend it, but it can be done. If both subnets need WAN access it will require a router that allows you to assign an arbitrary number of addresses to a single interface. It would probably need an aftermarket firmware load or a prosumer device at minimum. If only one subnet needs WAN access, the hosts can be manually configured for the second subnet without router involvement.

VLANs or physically separated LANs (i.e. different router interfaces) are certainly the best way to do this.
 
A Juniper SSG5 will do what you want, assuming you aren't faster to the WAN than 100Mb. Available used for around $100 last time I checked. It has 7 definable ports. Set port 1 to WAN, port 2 to Lan1 and port 3 to Lan2. Give Lan1 a different IP range than Lan2, say Lan1 gets 192.168.0.0/32 and Lan2 gets 10.2.2.0/32. Make them different enough so you don't get confused while checking logs. Set your routing tables so Lan1 can talk to WAN and Lan2 can talk to WAN, but Lan1 can't talk to Lan2.

The SSG5 can serve as a DHCP server for both LANs and can also function as an NTP server for each as well.

The 3-port Ubiquiti Edgelite should be able to do much the same. I assume it will do DHCP; I don't know about it being an NTP server.
 