-1

I am trying to understand networks better and to help me learn I am working on a home project where I want to setup two networks, let's call them Client and Server, on the same geographic location. (Both networks get Internet from one single WAN, since I was not able to acquire multiple IPs from my ISP.) The two networks should be separated from each other, meaning I want to prevent malware or other threats from spreading across networks.

That being said, I am still trying to allow for a specific client to be able to periodically manage the servers from the client network.

I could of course switch the client between the networks physically, but it seems messy. My thought was to create a VPN tunnel instead, but I was curious if there are other/better options.

With three routers and some switches at my disposal, my questions are

  1. Is subnetting or VLANs the better option to separate the networks? I've read a lot on both lately but can't decide on what would be best for this scenario.
  2. Is VPN the most secure way for a client to access the server network, or would allowing it to access both networks all the time be just as secure?
  3. Does the routers need to have a separate IP from it's parent router or is the gateway IP enough?
  4. Do I really need three routers, or would it be enough with just one?

I have linked an image below to clarify my intended setup. Please let me know if this question is too in-depth for this forum. I am more than happy to learn on my own but need some pointers on where to start looking.

Intended Network Design

megahertz
  • 3
  • 1

1 Answers1

1

Is subnetting or VLANs the better option to separate the networks? I've read a lot on both lately but can't decide on what would be best for this scenario.

Subnets is logical division of networks. It works on layer 3; different IP networks cannot communicate directly with eachother, but must go through a router.

You can have multiple subnets in use on the same physical segment if you want.

VLAN's is physical separation. It splits the network at the Layer 2 level, so no packets can flow from VLAN 1 to VLAN 2, without some device that sits in both VLANs.

Very often a combination is appropriate, where a subnet matches a vlan, so that you have a 1:1-mapping between subnets and physical broadcast domains, but this is not a technical requirement.

Is VPN the most secure way for a client to access the server network, or would allowing it to access both networks all the time be just as secure?

VPN is a technique to transport packets securely over a unsecure network. Nothing more, nothing less. Depending on your threat model, using TLS and the Internet may be secure enough and far easier to deploy.

Does the routers need to have a separate IP from it's parent router or is the gateway IP enough?

???

Do I really need three routers, or would it be enough with just one?

Get a old computer with at least two NIC's. Install pfsense. Get a VLAN capable switch. Start playing. For added learning, add a second computer with pfsense, and set up a third subnet. Add routes between the networks. Deploy a dynamic routing protocol, such as OSPF.

vidarlo
  • 6,654
  • 2
  • 18
  • 31
  • Thank you for providing a very comprehensible answer! Regarding VPN, I understand the purpose, but I thought since it's often used to enable traffic from one network to another that I could use it to allow one client to access the server network. Am I incorrect in that it would be a solution to my second question? – megahertz Jul 03 '21 at 21:37
  • My third question was mainly due to me chosing to setup a separate subnet for granting both networks internet access (172.16.1.0). I was thinking if I could skip this and just allow the parent router to grant internet access directly via each respective subnet. – megahertz Jul 03 '21 at 21:38
  • Anyway, I will look into pfsense and play around. Will I need a separate client for this or will I be able to accomplish the same thing with modern routers? – megahertz Jul 03 '21 at 21:38
  • VPN is for connecting networks that doesn't talk directly. It doesn't *really* make much sense if you control the physical network, like you do in your scenario. PFSense is a operating system that run on normal computers. Most SOHO routers is a piece of crap with outdated software and hides all kinds of configuration away from the user. An altenative to pfsense would be e.g. Edgerouter series, or Vyetta (also installs on a PC). If you have access to *real* routers from e.g. Cisco or Juniper, they're excellent, but somewhat expensive... – vidarlo Jul 03 '21 at 21:40
  • pfsense is a great compromise; it allows you to configure a lot of details, yet allows you to skip some nitty-gritty details, and it has a fairly large and well established user base. And it runs on almost any old computer, or in a VM, so you can get started quite cheaply. – vidarlo Jul 03 '21 at 21:41
  • Funny you should mention it, I actually bought an Unifi Edgerouter X and a Dream Machine Pro just for this project. I understand that VPN makes less sense, but if I were to permanently allow communication between the networks, wouldn't that mean that potential malware could spread from the client network to the server network? I want to be able to manage the server network without exposing it to any risks. – megahertz Jul 03 '21 at 21:56
  • Set up sensible firewall rules. A VPN doesn't really change that; firewall rules does. – vidarlo Jul 03 '21 at 22:00