Multiple Networks in one office

[Chris Wilkinson]

Hi,

Is it possible to have two networks within one office using different IP
addresses.

We have 4 PC's in a branch of which 2 PC's are for customer access
(which only have access to the internet) & the other 2 PC's are for
staff use (They have internet access, sharing printers & files etc.).

What I would like to do is separate the 4 PC's into groups (e.g.
Customers & Staff) but still using one router & one ADSL modem for
internet access.

If anyone could let me know if this is possible.

Regards
Chris Wilkinson

 

[Richard G. Harper]

I personally would recommend a second router to segregate the networks
physically. Honestly, I've never tried doing what you propose on purpose
and I don't know what the results would be but I suspect you might have
connectivity issues.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm

 

[Steve Winograd [MVP]]

Hi,

Is it possible to have two networks within one office using different IP
addresses.

We have 4 PC's in a branch of which 2 PC's are for customer access
(which only have access to the internet) & the other 2 PC's are for
staff use (They have internet access, sharing printers & files etc.).

What I would like to do is separate the 4 PC's into groups (e.g.
Customers & Staff) but still using one router & one ADSL modem for
internet access.

If anyone could let me know if this is possible.

Regards
Chris Wilkinson

I recommend creating two completely isolated networks: one for
customers and one for staff:

1. Get two more inexpensive wired broadband routers.

2. Connect each new router's WAN (Internet) port to a LAN port on the
old router.

3. Connect staff computers to LAN ports on the first new router.

4. Connect customer computers to LAN ports on the second new router.

5. Configure the new routers use a different subnet than the old
router. For example, if the old router uses 192.168.1.x, configure
the new ones to use 192.168.0.x.

Customers won't be able to see (or infect!) staff computers and vice
versa, but everyone will have Internet access.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com

 

[GTS]

I recommend creating two completely isolated networks: one for
customers and one for staff:

1. Get two more inexpensive wired broadband routers.

2. Connect each new router's WAN (Internet) port to a LAN port on the
old router.

3. Connect staff computers to LAN ports on the first new router.

4. Connect customer computers to LAN ports on the second new router.

5. Configure the new routers use a different subnet than the old
router. For example, if the old router uses 192.168.1.x, configure
the new ones to use 192.168.0.x.

Customers won't be able to see (or infect!) staff computers and vice
versa, but everyone will have Internet access.

Steve,

What is the advantage of using two additional routers vs. (for example)
adding one additional router set to a separate subnet and used for the
customers only?

 

[Steve Winograd [MVP]]

Steve,

What is the advantage of using two additional routers vs. (for example)
adding one additional router set to a separate subnet and used for the
customers only?

With two additional routers, there's complete isolation between the
two networks. I think that's essential in a business.

If you get one additional router and connect it to a LAN port of the
old router, computers connected to the new router will be able to
access computers connected to the old router, but not vice versa.
The new router's WAN interface is connected to the old router and has
an IP address in the old router's LAN subnet. The new router will
relay access requests from its computers to the old router's
computers.

Now, that's not as bad as it could be, because those access requests
will only work by IP address, not by computer name. But why leave
even that much of a hole, when complete isolation is so easy to
accomplish?
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com

 

[GTS]

With two additional routers, there's complete isolation between the
two networks. I think that's essential in a business.

If you get one additional router and connect it to a LAN port of the
old router, computers connected to the new router will be able to
access computers connected to the old router, but not vice versa.
The new router's WAN interface is connected to the old router and has
an IP address in the old router's LAN subnet. The new router will
relay access requests from its computers to the old router's
computers.

Now, that's not as bad as it could be, because those access requests
will only work by IP address, not by computer name. But why leave
even that much of a hole, when complete isolation is so easy to
accomplish?
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com

I see your point.
Thanks!
--

 

[Richard G. Harper]

The problem with only two routers is that router #2 will, by default, allow
traffic "backwards" into the network of router #1. If you follow Steve's
advice with router #1 connecting only to routers #2 and #3 with customers on
#2 and your staff on #3 (or vice-versa, doesn't matter) you have complete
isolation between #2 and #3 and all they can see "backwards" to is router
#1.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm

 

[Chris Wilkinson]

I see your point.
Thanks!

Would this still be possible if I also have a VPN setup to our head
office using router # 1 & pass it through to router # 2 (staff),

Regards
Chris