Question Multiple Independent sub-networks behind a single modem

alpha1172

Distinguished
Sep 27, 2012
69
0
18,640
Hello,

May I ask what kind of network setup to use and network gear to buy to accomplish the following:

(figure I made to help showcase what I am trying to accomplish)

In my dad's office, I need
(1) his PC to have access to the internet and to his secretary's PC,
(2) his secretary's PC to have access to my dad's PC, but not the internet,
(3) employees to have WiFi outside work hours (8am-5pm), but no access to any other sub-network,
(4) employees to have a dedicated internet googling machine, without access to any other sub-network, and finally
(5) the chief mechanic's PC to have access to the internet, without access to any other sub-network.

I heard about putting switches/routers behind one another but how exactly do I go about doing this?
 

alpha1172

> Dad's PC -- Second NIC card for the private network to the Secretary's PC.
> Managed Switch with VLAN support for the wired connections.
> VLAN enabled WIFI access point
> Router that supports VLANs and multiple DHCP servers.

Hello! Thanks for this.

I forgot to mention that my dad would like WiFi for his smartphone, different from the employee WiFi. How would that work?

And for the other stuff you already mentioned, do you have any specific make and model in mind for each?
 

kanewolf

Titan
Moderator
The simplest option is the UniFi line of hardware from Ubiquiti. There is a single GUI that lets you define all the different VLANs and WIFI.
The Ubiquiti WIFI access points can have multiple SSIDs which can be isolated from each other. You could set it up such that "dad's pc" and his WIFI are on the same network (but isolated from everything else). He could then use a laptop with WIFI and get to files on his computer.

Probably $500 worth of hardware.
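
As an added example (not written by any poster in this thread, and not Ubiquiti's configuration), the VLAN layout suggested above can be written as a default-deny zone policy and checked against the five requirements in the question before any router is configured. The zone names, subnets and host addresses are assumptions, including placing the secretary's PC in the same VLAN as Dad's PC.

```python
from datetime import time
from ipaddress import ip_address, ip_network
# Constructed plan (all names and addresses are assumptions): one VLAN per trust zone.
ZONES = {
    "office": ip_network("10.0.10.0/24"),      # Dad's PC, Dad's SSID, secretary's PC
    "staff_wifi": ip_network("10.0.20.0/24"),  # employee SSID
    "kiosk": ip_network("10.0.30.0/24"),       # shared browsing machine
    "mechanic": ip_network("10.0.40.0/24"),    # chief mechanic's PC
}
DAD, SECRETARY = "10.0.10.10", "10.0.10.20"
WORK_START, WORK_END = time(8, 0), time(17, 0)
WEB = "203.0.113.10"  # documentation-range address standing in for any internet host

def zone_of(addr):  # anything outside the plan counts as "internet"
    return next((z for z, net in ZONES.items() if addr in net), "internet")

def allowed(src, dst, at):
    """Would a new connection src -> dst at time-of-day `at` be permitted?"""
    src, dst = ip_address(src), ip_address(dst)
    s, d = zone_of(src), zone_of(dst)
    if s == "internet":
        return False  # no unsolicited inbound connections
    if s == d:
        return True   # same VLAN: hosts reach each other without crossing the router
    if d != "internet":
        return False  # default deny between internal zones
    if src == ip_address(SECRETARY):
        return False  # requirement 2: secretary's PC gets no internet
    if s == "staff_wifi" and WORK_START <= at < WORK_END:
        return False  # requirement 3: employee Wi-Fi is cut off during work hours
    return True       # every other zone may reach the internet

def audit():
    """Return the requirements from the question that the policy fails to meet."""
    noon, evening = time(12, 0), time(18, 0)
    checks = {
        "1: dad reaches internet and secretary":
            allowed(DAD, WEB, noon) and allowed(DAD, SECRETARY, noon),
        "2: secretary reaches dad, not internet":
            allowed(SECRETARY, DAD, noon) and not allowed(SECRETARY, WEB, noon),
        "3: staff Wi-Fi only after hours, no LAN":
            allowed("10.0.20.5", WEB, evening) and not allowed("10.0.20.5", WEB, noon)
            and not allowed("10.0.20.5", DAD, evening),
        "4: kiosk internet only":
            allowed("10.0.30.5", WEB, noon) and not allowed("10.0.30.5", DAD, noon),
        "5: mechanic internet only":
            allowed("10.0.40.5", WEB, noon) and not allowed("10.0.40.5", "10.0.30.5", noon),
    }
    return [name for name, ok in checks.items() if not ok]
```

`audit()` returns an empty list when every requirement holds; the same source/destination/time cases can be replayed by hand against the real router once its rules are in place.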
 

alpha1172

> The simplest option is the UniFi line of hardware from Ubiquiti. There is a single GUI that lets you define all the different VLANs and WIFI.
> The Ubiquiti WIFI access points can have multiple SSIDs which can be isolated from each other. You could set it up such that "dad's pc" and his WIFI are on the same network (but isolated from everything else). He could then use a laptop with WIFI and get to files on his computer.

As much as I'd like that, is there a cheaper option? Perhaps piecing together consumer grade routers and switches?

Maybe I could spend on the one router subdividing to everything, but for instance:

(1) my dad having his own router/AP connected to main router, giving off a wifi only he knows, and a wired connection to his computer
(2) NIC to my dad's
(3) employee wifi could just have its own IP range on some random AP I find
(4) & (5) a wired connection to main router which has subdividing capability?

Given the above, that would take 1 main router with subdividing capability, 1 NIC card, and 2 routers/APs.

How would that work? I'm open to using third party firmware.
 

kanewolf

This is a description of a commercial installation. It is a business expense. Don't be cheap. Buy hardware that is intended to do what you want instead of "piecing together" something. The UniFi system will allow you to manage this in a consistent way. It is worth the cost just because of the simplified management.
 

Math Geek

Titan
Ambassador
You could look and see if there are used options, if you are willing to take on used equipment. For instance, I see Cisco 2901 & 2911 routers on eBay for $100 or less, and a Cisco 2960 switch for less than $50.

Of course, these do not have the pretty GUIs to use and you will have to learn how to configure them with the command line. But if you learn how, they will handle the VLANs and such you want/need.
 

alpha1172

> This is a description of a commercial installation. It is a business expense. Don't be cheap. Buy hardware that is intended to do what you want instead of "piecing together" something. The UniFi system will allow you to manage this in a consistent way. It is worth the cost just because of the simplified management.

Yes, I agree, but I have to make do with the very small scale operations of my dad. I only suggested all this to isolate his computer from viruses, which come from employee devices. I do not yet know how to provide two computers with isolated internet connections via LAN, but I do know that if I buy a decent router with guest functionality, said guest network will not see my dad's computer, right?

From then, the NIC can connect his secretary, and that ends the real "core" of the operation. Employee wifi and google machine are luxuries as far as I am concerned, and I don't think it's okay to provide those luxuries at the expense of what you are suggesting, which is about two months worth of revenue.

Edit: perhaps the google machines can also just use the guest WiFi, if that isolates them from the core network.
 

Ralston18

Titan
Moderator
Physically, all five computers are connected to the router. Including the Secretary's.

What make and model is the existing "main router"?

Revise the diagram slightly. Replace "Internet" with a box labeled "Router". And out of the router there may or may not be a connection path to "Modem". Then a connection path to the business ISP.

Include switches, if any. Most non-commercial routers have only four ports - likely to be a switch somewhere if the business does not have a commercial router in place.

And, depending on the router, you can control the wired and wireless configurations. E.g., Wireless available only outside of normal working hours for employee wireless devices.

That router (or perhaps a more configurable router) most likely can be used to control end user access to the internet via Parental Control type configuration settings. Wired and wireless, Employees or Guests.

A shared folder could be set up on the Secretary's computer that only your Dad's computer would have access (read, write, delete) to any files placed there by the secretary.

The Secretary's PC could be blocked from internet access via the router.

As for computers being able to access each other: just do not give any user the necessary admin rights or otherwise set up shared drives or folders between those computers.

Overall, it may be fairly straightforward to address the stated requirements.

My thought is for you to do some reading with respect to "Parental Controls" and what may be possible. Likely to vary some depending on the router.

Starter links:

https://www.tp-link.com/us/support/faq/1531/

https://www.makeuseof.com/tag/4-ways-to-manage-your-kids-internet-use-with-your-router/

Etc...

Not suggesting that the employees are kids but the overall security requirements are applicable.

You can get even more information by referring to the User Guide/Manual for any given router. First place to look is in the manual for the existing router. Or modem/router.

Again, I think the key is to start with the existing router and what may or may not be configurable with respect to the business requirements.