Home wireless router supporting multiple LAN subnets?

Nov 14, 2018
I'm replacing my home network router and would like to find one that provides routing between multiple subnets on the LAN side. I do technical support from my home office and need to set up lab equipment which, by design, has two Ethernet interfaces on two different subnets, and which requires routing between them.

Back at the corporate office I configure a Cisco router with multiple subnets like this:

Code:
interface GigabitEthernet0/1
 ip address 192.168.100.1 255.255.255.0 secondary
 ip address 192.168.101.1 255.255.255.0 secondary
 ip address 192.168.200.1 255.255.255.0

Are there any residential routers that can be configured similarly? It would be convenient to be able to use one router and not have to have a secondary router just for that purpose.

Btw, VLAN tagging is ok, but not required. The equipment I'm dealing with assumes port-based VLANs (if at all), and doesn't generate tags. Likewise, wireless guest networks are ok, but that's a wireless thing and all of the equipment I'm dealing with is wired. All I need is the ability to route packets between different subnets on the wired LAN.

Other (more common I think) features that I'm looking for in the same router include:

  • WiFi
  • Configurable firewall
  • MAC-based DHCP reservation
  • MAC-based network access filtering
  • Site-to-site VPN
  • WAN-to-LAN port forwarding
  • Failover/backup WAN via cellular USB dongle
Any recommendations?
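As an added illustration (not part of the original post, and not Cisco's code), the following Python model parses the `ip address ... [secondary]` lines from the config above and answers two questions about any pair of hosts: whether they talk directly or through the router, and whether they share a broadcast domain anyway. The second question is the one that matters for isolation: with secondary addressing all three subnets hang off a single interface, so the router's forwarding decision (and any ACL applied to it) can be bypassed by a host that simply configures itself an address in the neighbouring subnet. `VLAN_CONFIG` is a constructed alternative with one 802.1Q subinterface per subnet, shown for comparison; the sample configs and host addresses are made up for the example.

```python
"""Reason about a Cisco-style multi-subnet config: which hosts need the
router to talk, and which hosts share a broadcast domain regardless.
Added example, not from the original thread; both configs are constructed."""
import ipaddress
import re

# Constructed sample 1: the thread's config, three subnets on one interface
FLAT_CONFIG = """
interface GigabitEthernet0/1
 ip address 192.168.100.1 255.255.255.0 secondary
 ip address 192.168.101.1 255.255.255.0 secondary
 ip address 192.168.200.1 255.255.255.0
"""

# Constructed sample 2: same subnets, one 802.1Q subinterface (VLAN) each
VLAN_CONFIG = """
interface GigabitEthernet0/1.100
 encapsulation dot1Q 100
 ip address 192.168.100.1 255.255.255.0
interface GigabitEthernet0/1.101
 encapsulation dot1Q 101
 ip address 192.168.101.1 255.255.255.0
interface GigabitEthernet0/1.200
 encapsulation dot1Q 200
 ip address 192.168.200.1 255.255.255.0
"""

_IF_RE = re.compile(r"^interface\s+(\S+)$")
_IP_RE = re.compile(r"^ip address\s+(\S+)\s+(\S+)(\s+secondary)?$")


def parse_interfaces(config):
    """Map interface name -> list of IPv4Interface, primary address first."""
    ifaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if (m := _IF_RE.match(line)):
            current = m.group(1)
            ifaces.setdefault(current, [])
        elif (m := _IP_RE.match(line)) and current is not None:
            # ipaddress accepts a dotted netmask after the slash for IPv4
            addr = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            if m.group(3):
                ifaces[current].append(addr)      # secondary: keep order
            else:
                ifaces[current].insert(0, addr)   # primary goes first
    return ifaces


def locate(ifaces, host):
    """(interface, router address) for the subnet containing host, else None."""
    host = ipaddress.IPv4Address(host)
    for name, addrs in ifaces.items():
        for addr in addrs:
            if host in addr.network:
                return name, addr.ip
    return None


def path(ifaces, src, dst):
    """How src reaches dst via a router holding these addresses."""
    s, d = locate(ifaces, src), locate(ifaces, dst)
    if s is None or d is None:
        return "unreachable: router has no address in that subnet"
    if s == d:
        return "direct (same subnet)"
    # Different subnets: src sends to its own gateway (the router's address
    # in src's subnet) and the router forwards at L3 onto dst's subnet.
    return f"routed via {s[1]}"


def shares_broadcast_domain(ifaces, a, b):
    """True when both hosts sit on the same L2 segment, whatever their subnet.

    With 'secondary' addressing every subnet is on one interface, so this is
    True even for hosts the router is 'routing' between: a host can simply
    take an address in the neighbouring subnet and bypass any router ACL.
    With one VLAN subinterface per subnet it is False.
    """
    la, lb = locate(ifaces, a), locate(ifaces, b)
    return la is not None and lb is not None and la[0] == lb[0]


if __name__ == "__main__":
    flat, vlan = parse_interfaces(FLAT_CONFIG), parse_interfaces(VLAN_CONFIG)
    for cfg, name in ((flat, "secondary addresses"), (vlan, "VLAN subinterfaces")):
        print(name)
        print("  .100 -> .101:", path(cfg, "192.168.100.50", "192.168.101.50"))
        print("  same L2 segment:",
              shares_broadcast_domain(cfg, "192.168.100.50", "192.168.101.50"))
```

Both configs report the same L3 answer for two hosts in 192.168.100.0/24 and 192.168.101.0/24 (routed via 192.168.100.1), but only the secondary-address config puts them in one broadcast domain. If the lab gear only needs reachability, secondary addressing on a single LAN is enough; if the subnets are meant to be kept apart, port-based VLANs or tagged subinterfaces are what provide the separation.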
 
Pretty much, you have answered your own question. You want business-class functions in your house.

Your average consumer, and most people coming to this forum, are lucky if they can find the ON switch on the router. They get confused setting up the simplest Wi-Fi configurations, so router manufacturers put in the idiot button called WPS even though it is a massive security exposure.

Things like MAC-based filtering are going to force you to a commercial box. Even loading third-party firmware onto consumer routers will likely not get you that feature because of the limitations of the hardware.

You either build your own as suggested above or you buy one of the many firewalls on the market. There are a bunch of brands marketed at people who cannot afford the commercial ones from Check Point, Juniper, Cisco, etc.
 
I totally understand about the general public having 'limited' networking background. Over the years I've been impressed with Tom's site with respect to 'enthusiast' CPU and mobo hardware reviews, so I posted here first hoping the forum would have people more familiar with the advanced capabilities of the higher-end home routers. I hadn't seen pfSense before, and bill at least recognized what I was looking for, so that much has proven out.

The router I'm looking to replace is a Cradlepoint MBR1200. It's about 8 years old, and while it's still running, it's out of support and starting to show its age. It's not a full business-class router, but it was high-end for the time and does all of the functions I referred to in the original post other than the multiple-subnet routing. I looked at Cradlepoint's website first for an upgraded model, but it seems they've gone in a different direction since then and I can't find anything similar to it for sale today.

I like the MAC filtering capability because I can apply it only to wireless clients, and if the wireless hacker's MAC isn't on the list, the router doesn't even answer the doorbell for them. I'm not sure I'd look for anything that didn't at least have that as a feature. I was hoping that would be more universal.

I looked up pfSense. It looks impressive, and might work if you pair it with a Wi-Fi AP solution (maybe Ubiquiti's UniFi or something like that). That said, it's definitely a project, and I was really hoping for more of an 'Easy Button' solution...

Other thoughts?
 
CPU and motherboard hobbyists seem to be willing to spend lots of time on them, dissecting the nitty-gritty. Firewalls, not so much; like you, most people just want to plug that sucker in, turn it on and BAM! I too considered a turn-key box, but (1) they are not cheap, and (2) I don't want to buy it, bring it home, spend whatever time figuring it out, find something I don't like, and then have to be sure to return it within the return period. Not hassle-free.

So I too selected pfSense, because I just download that sucker, it's free, I can audition it as long as I like, no pressure, and it runs on any old PC; just stick additional NICs in it. I was pleasantly surprised that the installation is a breeze, and taking everything default, my Internet came up right away, no need to do anything complicated just to make it work. Of course, once the management console opens, you will find all the things you can do with it, if you want. Another thing about pfSense is, since it's so popular, there is a large community for support. If you can deal with enterprise Cisco equipment, you can handle pfSense.

 
When you said MAC-based filtering I assumed you wanted something more advanced. Filtering Wi-Fi MACs is actually mostly done in the Wi-Fi chips themselves, and most chipset firmware can do that basic function.

I assumed you wanted to filter MAC addresses on the LAN to prevent traffic between devices. This tends to not be as simple as it sounds because switches (the LAN ports on a router are a small switch) are built on ASIC chips and generally have no filtering ability.

Still, MAC filtering on Wi-Fi is not the way to go. If you are going to have a server anyway, you use enterprise mode and a RADIUS server. That way every user has their own user ID and password to connect to the Wi-Fi.

Other than that, you might get by with a consumer router running DD-WRT. I like Merlin, but it only runs on Asus and is somewhat more limited. If you have a high-speed Internet connection, i.e. more than about 250 Mbps, you need to be concerned about hardware NAT acceleration. Merlin supports it, but most other firmware does not.
 
The only MAC filtering I do is just "Is your wireless MAC address allowed on my network? If yes, come on in; if no, go no further." I agree that in an enterprise situation a RADIUS server with user/pass is the way to go, but that requires... well, a RADIUS server (see above on wanting to limit hardware), and then you're back to limiting access solely based on password, which is what WPA2 uses. You've added a user name, which is good, but at the password level it still depends on whether your password is better than their password list, etc. etc. For a house with two people and at most a couple of dozen wireless devices (and that many only when the relatives come over), the MAC filtering is manageable, as long as I can get hardware that supports it.

I'll keep checking back here, but it's starting to look like pfSense is in my future; that, or a small eBay Cisco router. We'll see.