VLANs in AP, switch, or both?

PsychBiller

New Around Here
I have a mixed wired/wireless network in my home where I operate a small business. There are plenty of wired PCs, but also laptops that go back and forth between wired and wireless, tablets, and smartphones belonging to myself and family members.

I am trying to wrap my head around how to segregate traffic, but getting mostly a headache. Traffic from certain PCs is always going to be business, and others always personal. Personal needs to be further divided between adults and kids, and a guest network just for good measure.

There are VLANs and multiple SSIDs in wireless routers and there are VLANs and subnets in managed switches and wired routers. I'm not even counting the firewall itself! There are so many places to control traffic that I'm bewildered. Where do I start on redesigning this network? I'm replacing everything and upgrading to Gigabit Ethernet. My new laptop will have 802.11ac.

FTTH --> firewall --> switch --> both wired clients and wireless via AP (AP is wired)

Thank you for any advice!
 
It depends on what your goal is... and what else you need to separate.

As for security for wireless clients...to keep it simple, have SSIDs with "client isolation mode" enabled on the "guest" ones, or the ones NOT related to your business. This separates "them" from your business network.

However, if any of "them" are on wired...(plugged into your switch)...those secured SSIDs can't help you there. So you have to look at how you want to segment your network physically. Managed switches with VLANs are one approach. Or another approach is the (IMO sloppy) method of having 2x routers...and one of them will be stuck behind double NAT.
ISP modem ==> First router, like 192.168.10.1...and have the "home" network there. And behind that...from one of the LAN ports a patch cable plugs into the WAN port of a second router, for your office...that second router's LAN IP must be a different LAN IP such as 192.168.11.1, and put all your office computers behind that. For increased reliability I'd assign a static WAN IP to that second router, like 192.168.10.245, 255.255.255.0, its gateway is the LAN IP of the outside router, 192.168.10.1 for example, and hammer in secure DNS servers like OpenDNS. The drawback is that you're double NAT'd (possibly triple NAT'd depending on what make/model "modem" you have from your ISP). But if you're just surfing the web, most things work OK. Some software doesn't like multiple NAT, such as some VPN client software, some remote access software, etc.

Another approach: use a managed switch that supports VLANs.
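Both layouts in the reply above (one VLAN and subnet per division behind a VLAN-aware router, or a second router behind the first with double NAT) only segregate traffic if the addressing is consistent and the router refuses to forward between segments by default. The script below is an added example, not code from the thread or from any vendor; it checks a constructed plan for overlapping subnets and duplicate VLAN ids, evaluates a default-deny inter-segment policy, and validates the second-router addressing from the reply (192.168.10.0/24 outer LAN, 192.168.10.245 static WAN, 192.168.10.1 gateway, 192.168.11.0/24 inner LAN). The segment names, VLAN ids and 10.0.x.0/24 subnets are assumptions chosen for the example.

```python
"""Sanity-check a small-office segmentation plan before configuring anything.

Added example (not from the thread). Segment names, VLAN ids and subnets in
PLAN are constructed assumptions; the double-NAT addresses are the ones from
the reply above.
"""
import ipaddress

# Constructed plan: one VLAN/subnet per division behind a VLAN-aware router;
# the AP carries one SSID per VLAN over a tagged uplink, and wired ports on the
# managed switch are assigned to the same VLANs, so a laptop moving between
# wired and wireless stays in its own segment.
PLAN = {
    "business_a": {"vlan": 10, "subnet": "10.0.10.0/24"},
    "business_b": {"vlan": 20, "subnet": "10.0.20.0/24"},
    "adults":     {"vlan": 30, "subnet": "10.0.30.0/24"},
    "kids":       {"vlan": 40, "subnet": "10.0.40.0/24"},
    "guest":      {"vlan": 50, "subnet": "10.0.50.0/24"},
}

# Inter-segment policy: (source, destination) pairs that may initiate traffic.
# Anything not listed is denied; every segment may reach the internet ("wan").
# Without such a policy on the router, VLANs label traffic but do not isolate it.
ALLOW = {
    ("adults", "kids"),  # assumption: parents' devices may manage the kids' segment
}


def validate_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    seen_vlans = {}
    nets = {}
    for name, seg in plan.items():
        vid = seg["vlan"]
        if not 1 <= vid <= 4094:  # 802.1Q VLAN id range
            problems.append(f"{name}: VLAN id {vid} outside 1-4094")
        if vid in seen_vlans:
            problems.append(f"{name}: VLAN id {vid} already used by {seen_vlans[vid]}")
        seen_vlans[vid] = name
        try:
            # strict=True rejects host bits set in the network address and
            # rejects invalid octets (e.g. anything above 255)
            nets[name] = ipaddress.ip_network(seg["subnet"], strict=True)
        except ValueError as exc:
            problems.append(f"{name}: bad subnet {seg['subnet']!r} ({exc})")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"subnets of {a} and {b} overlap")
    return problems


def allowed(src, dst, allow=ALLOW):
    """Default-deny inter-segment policy; same-segment and internet traffic pass."""
    if src == dst or dst == "wan":
        return True
    return (src, dst) in allow


def check_double_nat(outer_lan, inner_wan_ip, inner_gateway, inner_lan):
    """Check the second-router layout: its static WAN address and gateway must
    sit inside the first router's LAN, and its own LAN must not overlap it."""
    outer = ipaddress.ip_network(outer_lan, strict=True)
    inner = ipaddress.ip_network(inner_lan, strict=True)
    wan_ip = ipaddress.ip_address(inner_wan_ip)
    gateway = ipaddress.ip_address(inner_gateway)
    problems = []
    if wan_ip not in outer:
        problems.append("second router's WAN IP is not inside the first router's LAN")
    if gateway not in outer:
        problems.append("gateway is not inside the first router's LAN")
    if outer.overlaps(inner):
        problems.append("inner LAN overlaps the outer LAN; routing between them breaks")
    return problems


if __name__ == "__main__":
    print("plan problems:", validate_plan(PLAN))
    print("kids -> business_a allowed?", allowed("kids", "business_a"))
    print("double NAT problems:",
          check_double_nat("192.168.10.0/24", "192.168.10.245",
                           "192.168.10.1", "192.168.11.0/24"))
```

The plan checker is the step that catches a typo in an address before it is typed into a router; the policy function is the part to mirror in the router's firewall rules, since a VLAN-aware router with inter-VLAN routing left open gives the kids' and guest segments a path into the HIPAA segment.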
 
Thank you for your suggestions.

Think of a jumble of "Business A" computers, "Business B" computers, personal computers/devices, and kid computers/devices that can all float between wired and wireless, and that's the soup I'm trying to sort out.

All my traffic from "Business A" computers, both wired and wireless, must be segregated due to HIPAA regulations. My husband's "Business B" traffic should be segregated, as well. That's mostly wired, but could be wireless at times. Then there are all the personal computers/devices, which are a mix of wireless and wired, but can float between the two.

Multiple SSIDs alone won't do it since the traffic can be either wired or wireless. Since we all share the same wireless access point in the kitchen, which is not the Verizon FiOS router, I don't think your quick and dirty multiple switches method would work very well.

Thank you again. The more responses I get, the more I hope I can clarify my thinking about how to tidy this up.
 
To solve this as cheaply and straightforwardly as possible:

I suggest a router for each 'division'. The RT-N56U with Padavan's firmware will do ($60 if you can find it on sale).


FTTH --> firewall --> switch --> to:

RT-N56U - With a 192.168.500.1 network for Business A
RT-N56U - With a 192.168.400.1 network for Business B
RT-N56U - With a 10.0.30.1 network for Personal Adults
RT-N56U - With a 10.0.20.1 network for Personal Kids


Attached to the RT-N56Us would be the wireless APs for each network type: business, adults, kids. (Need to keep this in the 3 main channels we can use for the 2.4GHz band).

Set up like above, it is a bit more expensive - but you know (physically) how things are connected and each network can now use the appropriate parental controls needed without affecting the other networks.


You also have built in redundancy so that you can have the network you need at that time running (hard/impossible to do with a single box when things go haywire).


If we further simplify it to a Business network and a Personal network, we can get by with two RT-N56Us and two AC class routers. Very cheap, very effective and very easy to set up and administer on a day to day basis. While also providing the redundancy I think you should be considering for the business side.
 
I hear your points about redundancy, but with each business consisting of just a single person, I can't justify the expense and extra equipment. If there were a major connectivity failure to the premises, my husband could drive to the office that is normally too far away, and I could make do at a Starbucks with my WiTopia VPN to keep curious eyes out of my wireless traffic.

I'd prefer to do this with one AC1750 class router acting as an access point in the center of the house. The router would be wired back to the switch.
 
Your other options (as I see them) are just as expensive if you want to segregate the networks properly.

1) A business class router (wireless or otherwise) to accomplish this adds a significant 'zero' to the end of the price tag (as in 10x the cost).

2) Same cost in the end (time-wise, but possibly more rewarding too) is learning how to program the single router you're willing to buy to segregate your networks with VLANs and such.


Of the two options that I can see, buying a couple of extra routers is by far the least expensive and the most straightforward setup possible.

Budget is a big concern always, granted. But if this network segregation is what you really need/want (and I would agree it is; especially as it is required for one of the businesses as you state), then either your time or your money and most likely both will need to be considered equally to achieve this goal optimally.


I also have to mention: Starbucks even with a VPN is not as secure as you may think.
 