Score:-1

Separating networks with limited access between


I am trying to understand networks better and to help me learn I am working on a home project where I want to setup two networks, let's call them Client and Server, on the same geographic location. (Both networks get Internet from one single WAN, since I was not able to acquire multiple IPs from my ISP.) The two networks should be separated from each other, meaning I want to prevent malware or other threats from spreading across networks.

That being said, I am still trying to allow for a specific client to be able to periodically manage the servers from the client network.

I could of course switch the client between the networks physically, but it seems messy. My thought was to create a VPN tunnel instead, but I was curious if there are other/better options.

With three routers and some switches at my disposal, my questions are

  1. Is subnetting or VLANs the better option to separate the networks? I've read a lot on both lately but can't decide on what would be best for this scenario.
  2. Is VPN the most secure way for a client to access the server network, or would allowing it to access both networks all the time be just as secure?
  3. Do the routers need to have a separate IP from their parent router, or is the gateway IP enough?
  4. Do I really need three routers, or would it be enough with just one?

I have linked an image below to clarify my intended setup. Please let me know if this question is too in-depth for this forum. I am more than happy to learn on my own but need some pointers on where to start looking.

Intended Network Design

Score:1

Is subnetting or VLANs the better option to separate the networks? I've read a lot on both lately but can't decide on what would be best for this scenario.

Subnets are a logical division of networks. They work on layer 3; different IP networks cannot communicate directly with each other, but must go through a router.

You can have multiple subnets in use on the same physical segment if you want.

VLANs are physical separation. They split the network at the Layer 2 level, so no packets can flow from VLAN 1 to VLAN 2 without some device that sits in both VLANs.

Very often a combination is appropriate, where a subnet matches a VLAN, so that you have a 1:1 mapping between subnets and physical broadcast domains, but this is not a technical requirement.

Is VPN the most secure way for a client to access the server network, or would allowing it to access both networks all the time be just as secure?

VPN is a technique to transport packets securely over an insecure network. Nothing more, nothing less. Depending on your threat model, using TLS and the Internet may be secure enough and far easier to deploy.

Do the routers need to have a separate IP from their parent router, or is the gateway IP enough?

???

Do I really need three routers, or would it be enough with just one?

Get an old computer with at least two NICs. Install pfSense. Get a VLAN-capable switch. Start playing. For added learning, add a second computer with pfSense, and set up a third subnet. Add routes between the networks. Deploy a dynamic routing protocol, such as OSPF.

megahertz:
Thank you for providing a very comprehensible answer! Regarding VPN, I understand the purpose, but I thought since it's often used to enable traffic from one network to another that I could use it to allow one client to access the server network. Am I incorrect in that it would be a solution to my second question?
megahertz:
My third question was mainly due to me choosing to set up a separate subnet for granting both networks Internet access (172.16.1.0). I was thinking I could skip this and just allow the parent router to grant Internet access directly via each respective subnet.
megahertz:
Anyway, I will look into pfSense and play around. Will I need a separate client for this, or will I be able to accomplish the same thing with modern routers?
vidarlo:
VPN is for connecting networks that don't talk directly. It doesn't *really* make much sense if you control the physical network, like you do in your scenario. pfSense is an operating system that runs on normal computers. Most SOHO routers are pieces of crap with outdated software and hide all kinds of configuration away from the user. An alternative to pfSense would be e.g. the EdgeRouter series, or Vyatta (also installs on a PC). If you have access to *real* routers from e.g. Cisco or Juniper, they're excellent, but somewhat expensive...
vidarlo:
pfSense is a great compromise; it allows you to configure a lot of details, yet allows you to skip some nitty-gritty details, and it has a fairly large and well-established user base. And it runs on almost any old computer, or in a VM, so you can get started quite cheaply.
megahertz:
Funny you should mention it, I actually bought an Unifi Edgerouter X and a Dream Machine Pro just for this project. I understand that VPN makes less sense, but if I were to permanently allow communication between the networks, wouldn't that mean that potential malware could spread from the client network to the server network? I want to be able to manage the server network without exposing it to any risks.
vidarlo:
Set up sensible firewall rules. A VPN doesn't really change that; firewall rules do.
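As an added illustration, not part of any post above, of the answer's subnet/VLAN explanation and of the closing point that firewall rules on the router, not a VPN, are what keep the Client and Server networks apart: a small Python model of a first-match, default-deny inter-VLAN policy, plus a rendering of the same rules in nftables syntax. All addresses are assumed values: 192.168.10.0/24 for Client (VLAN 10), 192.168.20.0/24 for Server (VLAN 20), and 192.168.10.50 as the single management client.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the two networks in the question (assumed values).
CLIENT_NET = ipaddress.ip_network("192.168.10.0/24")   # VLAN 10, "Client"
SERVER_NET = ipaddress.ip_network("192.168.20.0/24")   # VLAN 20, "Server"
MGMT_HOST = ipaddress.ip_network("192.168.10.50/32")   # the one client allowed to manage servers
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: frozenset          # TCP destination ports; empty set means any port
    action: str               # "accept" or "drop"


# Inter-VLAN policy on the router: first match wins, anything unmatched is dropped.
# Only new connections are listed; return traffic is handled by connection tracking.
POLICY = [
    Rule(MGMT_HOST, SERVER_NET, frozenset({22, 443}), "accept"),  # management client -> servers
    Rule(CLIENT_NET, SERVER_NET, frozenset(), "drop"),            # everyone else on Client -> Server
    Rule(SERVER_NET, CLIENT_NET, frozenset(), "drop"),            # servers never initiate to clients
    Rule(CLIENT_NET, ANY, frozenset(), "accept"),                 # Internet for clients
    Rule(SERVER_NET, ANY, frozenset(), "accept"),                 # Internet for servers
]


def evaluate(src: str, dst: str, dport: int, policy=POLICY) -> str:
    """Return the verdict for a new TCP connection from src to dst:dport."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in policy:
        if s in r.src and d in r.dst and (not r.ports or dport in r.ports):
            return r.action
    return "drop"   # default deny: nothing crosses a VLAN boundary unless listed


def to_nftables(policy=POLICY) -> str:
    """Render the same policy as forward-chain rules for a Linux/pfSense-style router."""
    lines = ["ct state established,related accept"]
    for r in policy:
        ports = f" tcp dport {{ {', '.join(map(str, sorted(r.ports)))} }}" if r.ports else ""
        lines.append(f"ip saddr {r.src} ip daddr {r.dst}{ports} {r.action}")
    lines.append("drop")
    return "\n".join(lines)
```

Swapping the VPN idea for this policy keeps the Client network's other hosts (and anything running on them) unable to open connections into the Server VLAN, while the one management host still reaches SSH and HTTPS there.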