
· Registered
Joined
·
19 Posts
Discussion Starter · #1 ·
Hi

Please bear with me, my network knowledge is pretty basic!

I have a Fibre internet connection and an Orcon Genius Lite modem. This modem appears to be a rebranded iinet BoB Lite as it looks to be identical.

Then stemming from this a simple home network of unmanaged switches connecting a bunch of gear from PCs to PS3 and WAP etc etc.

In a downstairs flat I have someone staying with whom I want to share the internet, but stay completely private from as I share my media openly on my network via DLNA etc etc. I am reading that VLAN is probably a good option for this complete security.

He has a single PC (actually a 300 year old Mac the size of a small refrigerator!) that is connected via ethernet cable.

The router's IP address is 10.1.1.1 and the rest of my network 10.1.1.x and 255.255.255.0.

The ONT is connected to port 4 in the router, and my entire network from port 1. The router supports VLAN, as shown in this screenshot, but I am unsure of what exactly to do here. Actually I think I know how to take a good guess, but kinda nervous about screwing up the current default and/or losing connection with the ONT or Router.


I'm guessing I can just plug his cable into say LAN2.

What exactly step by step would I enter or change here? Do I need to edit the default as well, to take LAN2 out of that group?

Help appreciated!
Paul
 

· TSF Emeritus
Joined
·
16,407 Posts
You would need to create two VLANs: a guest VLAN and a home VLAN. You would note the guest computer's MAC address and then you would do an IP reservation so the guest always gets the same IP address. If no reservation is possible in the router you would need to assign a static IP to the guest.

The LAN port the guest is connected to would have the guest VLAN. All of your PCs would have the home VLAN. The internet port should have both VLANs but I am not seeing the WAN port listed so perhaps that's a default.
 

· Registered
Joined
·
19 Posts
Discussion Starter · #3 ·
Ok, forgive my ignorance but why is giving him a static ip address important? Isn't the point of a VLAN that as he is on a completely different domain anyway? Does the router not automatically give him a DHCP address within the guest domain range?

Also, wouldn't I need to then delete the default VLAN that is currently listed? As it currently covers all three LAN side ports?

Sorry for my complete ignorance here. Absolute step by step would be great lol; click here, type that...
 

· Networking Team Emeritus
Joined
·
7,395 Posts
The problem I see here is that your VLAN setup only allows a static IP address setup, not DHCP, to be assigned to each LAN port, and as you are using unmanaged switches connected to, I assume, LAN port 1 on the router, which is the default VLAN.

So other devices connected to the switch probably will not get an ip address from the router DHCP pool.
 

· Registered
Joined
·
19 Posts
Discussion Starter · #6 ·
So other devices connected to the switch probably will not get an ip address from the router DHCP pool.
I would not connect the guest PC to the switch that my gear is connected to but its own LAN port, say LAN2, with all my stuff off LAN1.

Attached is a grab of the DHCP setup page which does seem to indicate it might have a problem with handling more than one domain at a time?


Ahh, if I completely stuff up the settings on VLAN and say suddenly can't access the unit, does the physical reset button on the router usually reset these settings too?...
 

· TSF Emeritus
Joined
·
2,484 Posts
There should be an administration or settings tab which allows you to back up and restore the configuration. That way you can fiddle with settings and not have to worry about being unable to get it working properly again. It may be under "Advanced Settings" or "Handy Tools."
 

· Networking Team Emeritus
Joined
·
7,395 Posts
Looking at the VLAN settings you can only set a static IP address, which suggests that only one device is able to connect at any one time, so other devices connected to the switch will not receive an IP address from the router.

Removing LAN2 from the default VLAN would remove access from other computers on the network, and DHCP reservation or static assignment to the MAC would work.

It is the default VLAN where the problem will lie, as I have described in my last post.

Agree with Fjandr, you can back up current settings before tinkering for easy restore.

It looks as though your router only supports static VLANs, so you will only be able to assign static VLANs to the router LAN ports, not the switch.

If you have more devices than LAN ports then that is the problem.

Workaround: use a VLAN switch with the amount of required ports for wired devices and use that for VLANs instead of the router.
 

· Registered
Joined
·
19 Posts
Discussion Starter · #9 ·
Hmm ok thanks... looks like I'm a bit limited.

Sooo, is it preferable then to achieve what I want done by other route; perhaps by obtaining another DHCP router just to supply the guest and have that on another domain, say make that one hand out addresses 192.168.1.x? And make its gateway my current router address?

So have the new guest router simply plug into an output of my current router?
Would this work?
 

· Networking Team Emeritus
Joined
·
7,395 Posts
No, not a router, that is not what I said, is it?

I suggest some googling on VLAN switches.

As your LAN port 1 on the router is connected to an unmanaged switch, it may be better to use a VLAN switch which could be configured to receive DHCP from the router and have your home network devices connected to a vlan1 named home network on different ports, as this is normally the default VLAN. You would add the port which the internet router is connected on to vlan1 to give internet access to your home network.

Then create vlan2 and name it guest network and add the port of the router to that VLAN for internet access for the Mac downstairs, but would not add vlan2 to the ACL for vlan1, keeping your home network separate from the tenant's computer for local access.
 

· Registered
Joined
·
19 Posts
Discussion Starter · #11 ·
I understand you didn't mean router, what I'm proposing would be to scrap the idea of using VLAN altogether.
And essentially do this:
http://www.tomshardware.com/forum/34062-43-connect-routers-cable-modem

It may simply be beyond me to set up the VLAN scenario, just that this two router setup seemed like an easier method for someone ignorant of VLAN. I possibly even have an old router in the garage.

My original naive assumption of using the VLAN method ended at about someone talking me through the one page of setup on the web interface of the current router.
 

· Networking Team Emeritus
Joined
·
7,395 Posts
Do not think splitters will do the job if thinking of using them off the router; they will not separate the home network from the guest.
 

· Registered
Joined
·
19 Posts
Discussion Starter · #13 ·
Sorry, splitters?? Ignore the OP's suggestion. It's more the guy 'emerald's help here:

"connect a computer to the belkin and log in.

setup the wireless security and save the settings

change the LAN IP to 192.168.0.1

change the WAN setting to Static and assign it IP 192.168.1.253, subnet mask 255.255.255.0, gateway and DNS server 192.168.1.1 Save the settings

now log into the Linksys and assign 192.168.1.253 to the DMZ and save the setting

then connect a network cable from the Linksys LAN port to the WAN/Internet port of the Belkin.

putting the Belkin into the DMZ will be the same then connecting it directly to the modem, none of the Linksys security settings will apply to the Belkin"
 

· Registered
Joined
·
19 Posts
Discussion Starter · #15 ·
Ok so I'm reading that this should work but just that I have the networks inverted. I.e. my network should be behind the generic router as a shield, and the Mac should be plugged into the main Orcon router. Sound about right?
 

· Networking Team Emeritus
Joined
·
7,395 Posts
This is how I suggest you do this: leave your home network as it currently stands, connected to the Orcon.

That network diagram is about right.

For the second router you have, as in the network diagram, connect an ethernet cable from the Orcon's LAN2 port to the second router's WAN or INTERNET marked port, the yellow port.

Set the WAN settings on the second router to automatic DHCP to receive an IP address from the Orcon dynamically.

No need to configure wireless settings if only the Mac is going to be connected using an ethernet cable; you can disable wireless on that router altogether.

What you would need to do is change the LAN IP address of the second router to a different IP address if it is in the same subnet as the Orcon.

For example, if the Orcon LAN IP address is 192.168.1.1 then set the second router LAN IP address to 192.168.0.1 so it is in a different subnet, you see what I mean.

This way the Mac computer will not be able to communicate with or see your devices connected to the Orcon as it is in a different subnet; it will just be using the Orcon for access to the internet.
 

· Registered
Joined
·
19 Posts
Discussion Starter · #17 ·
Gotcha! Thank you very much for your help! :grin:

WiFi could be enabled as well on this router too correct? Space a few channels apart and with a different SSID to my own and it becomes a good guest internet access?

Will I still be able to reach the new router's web GUI from a PC on my subnet for config, or does it need to be done temporarily from a connection to that router/subnet?
 

· Networking Team Emeritus
Joined
·
7,395 Posts
No worries, glad to help.

Yes, you can enable Wi-Fi on the second router with a different SSID but it must be at least five channels apart; channels 1, 6 and 11 are the best wireless channels to use as they do not overlap with any other channels. Something to be aware of: any wireless devices connecting to the new SSID will be visible to the Mac. But if the second router supports a guest wireless network, that can be set up and there should be an option to disable LAN access, meaning it will not be seen by the Mac and no communication between devices connected to the guest wireless network and the LAN with the Mac connected will be possible.

You will be able to access the second router's web interface if you connect your PC to the second router using an ethernet cable from the PC's ethernet port and connect the other end into one of the LAN ports on the second router.

No wireless access will be available as they are in different subnets.

Please let us know how it goes.
 

· TSF Emeritus
Joined
·
16,407 Posts
Sorry to say, but the diagram in post #14 does not secure your LAN.

This is because your router is closest to the modem, which makes the "guest" network go through your private network. The guest can get to your stuff with just a little work.

For this to be secure you need the guest network first [closest to the modem] and the private network second from the modem.

This way the guest can get to the internet but can't go "upstream" to your private network.

Note: the reason I suggested either a reservation or static assignment to the guest VLAN is it appears the router's VLAN configuration also wants an IP address. In small networks VLANs do not need to be associated with IP addresses.
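
An added example, not part of the thread: a small model of the two cascaded-router layouts discussed in posts #16 and #19, showing which side can open connections to the other. It uses the thread's 10.1.1.x Orcon LAN and 192.168.0.x second-router LAN; the `Router`/`Host` names and host addresses are constructed, and it assumes default consumer NAT behaviour (outbound traffic forwarded, no port forwards or DMZ, no firewall rule blocking the upstream LAN).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(eq=False)
class Router:
    name: str
    lan: ipaddress.IPv4Network
    uplink: Optional["Router"] = None  # router whose LAN port feeds our WAN port

@dataclass(eq=False)
class Host:
    name: str
    ip: ipaddress.IPv4Address
    router: Router  # router whose LAN this host is plugged into

def upstream(router):
    """Routers between this one and the modem, nearest first."""
    chain = []
    while router.uplink is not None:
        router = router.uplink
        chain.append(router)
    return chain

def can_initiate(src, dst):
    """Can src open a connection to dst under the default NAT assumptions?"""
    if src.router is dst.router:
        return True  # same LAN segment, no router in between
    # Outbound traffic is forwarded and NATed toward the WAN side, so every
    # LAN further upstream is reachable; inbound to a downstream LAN is not.
    return dst.router in upstream(src.router) and dst.ip in dst.router.lan

def layout(private_behind_second_router):
    """Build one of the two cascades; returns (guest_mac, home_nas)."""
    orcon = Router("orcon", ipaddress.ip_network("10.1.1.0/24"))
    second = Router("second", ipaddress.ip_network("192.168.0.0/24"), uplink=orcon)
    guest_r, home_r = (orcon, second) if private_behind_second_router else (second, orcon)
    guest = Host("guest-mac", guest_r.lan[50], guest_r)  # constructed addresses
    nas = Host("home-nas", home_r.lan[20], home_r)
    return guest, nas

def exposure(private_behind_second_router):
    """Who can reach whom in the chosen layout."""
    guest, nas = layout(private_behind_second_router)
    return {"guest_to_home": can_initiate(guest, nas),
            "home_to_guest": can_initiate(nas, guest)}

if __name__ == "__main__":
    print("guest behind second router:  ", exposure(False))
    print("private behind second router:", exposure(True))
```

A different subnet alone does not isolate the guest: only the NAT boundary in front of the private LAN does, which is why the position of the private network in the cascade matters.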
 

· Registered
Joined
·
19 Posts
Discussion Starter · #20 ·
Thanks to both of you. How's this then? It saves me buying any gear as I simply better utilise the tp-link router. It actually works better for my physical layout too.



In this setup I go into the WAN port on the tp-link right? It's running dd-wrt. And have DHCP enabled on both routers?
 