Separating two groups of computers

chris9486 (Distinguished, joined Jan 11, 2013)
I will try to keep this easy.

We have an office with 6 company computers.

We have a computer room with 12 public use computers.

We have one wireless router. The 12 computers access this wired, patched through our internal phone system. The 6 computers all use wireless.

Is there a way I can separate both sets of computers so the 12 computers cannot see the network shares of the 6 computers?

All are running Windows 8 (which I am slowly starting to hate with a passion).
 

synthaside (Distinguished, joined May 2, 2011)
Urgh this reminds me of an exam question ;-)

What I would do here is probably create a DMZ zone using two firewalls. You are going to need another router to do this. I've drawn a diagram to explain it; essentially you use the two routers to create a zone separate from the internal secure LAN.

[diagram: nwdiag_zps952bd20b.png]


 

chris9486 (Distinguished, joined Jan 11, 2013)



Haha I have just read it back and it does sound like an exam question. :D
Looks like a great solution, but right now it looks like my brain is going to fry with this and the NAS drive problem. Do you know any 'easy' (lol) online guides? We have a basic router from our ISP; could we use this for the internal stuff and buy a new router for the DMZ stuff? Additionally, could the DMZ router be wireless? We have a lot of visitors who wish to use our wifi and I do not feel comfortable with them being given access to the current wireless system, and if we could separate them too that would be great.
 
Get a router that you can run dd-wrt on. The feature you want is VLAN support and/or guest wireless. You can build 2 networks and put firewall rules between them. The key feature that most consumer routers do not support is the VLAN concept. Now you might be able to use a router that just has guest wireless support. You would use your office machines as the "guest" and the 12 machines as the main. Pretty much it just prevents traffic between them, so what you call them does not matter. The tricky part would come if you need multiple wired and wireless networks; then you need the VLAN support.
 

choucove (Distinguished, joined May 13, 2011)
I wouldn't recommend setting up a DMZ. A DMZ network is going to open up that entire group of computers to outside network traffic which means you're going to have a lot more work cut out keeping the computers clean and protected. As bill001g is pointing out, your best option is going to be using VLANs to create multiple virtual networks. Your private, staff network would be set as one VLAN, such as 101, and your public network would be a second VLAN 102. Finally, any shared resources, such as network servers or printers, would be set in a third VLAN 103.

STAFF VLAN: 101
DEFAULT GATEWAY: 192.168.1.1
SUBNET MASK: 255.255.255.192
IP ADDRESS RANGE: 192.168.1.2 - 62

PUBLIC VLAN: 102
DEFAULT GATEWAY: 192.168.1.65
SUBNET MASK: 255.255.255.192
IP ADDRESS RANGE: 192.168.1.66 - 126

SHARED VLAN: 103
DEFAULT GATEWAY: 192.168.1.129
SUBNET MASK: 255.255.255.192
IP ADDRESS RANGE: 192.168.1.130 - 190

You will need to have a business-class router to be able to do this, as VLANs aren't supported on basic home wireless routers, which are actually just gateways. One solution is dd-wrt on the right router as bill001g suggested, but another solution would be a small business firewall device like a SonicWall TZ 105. I have set up numerous of these firewalls in different businesses locally and they have a huge range of features for the price. You will also need VLAN-capable switches for connecting all devices through your switch. Then, using your firewall rules, you can deny all traffic between VLAN 101 and VLAN 102, but you can allow traffic between VLAN 103 and the other two, so that each can individually have access to shared resources.

There is a lot of documentation out there for different products on how to set up VLANs and networking concepts like this, but it's not easy if it is your first time. Unless you have the ability to have your network down for a few days to try things out, test, and ensure everything is set up properly, I'd recommend that instead you find a network technician locally who can do this for you.
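The addressing plan and the inter-VLAN rules in the post above can be checked before anything is typed into a firewall. The following is an added example, not code from the thread or from any vendor: it models the three /26 subnets with Python's `ipaddress` module, derives the gateway and host ranges the post lists, and evaluates sample flows against the stated policy (staff and public denied to each other, shared reachable from both). The VLAN names, the `ALLOWED_PAIRS` table and the sample flows are constructed for this example.

```python
import ipaddress

# Constructed from the addressing plan in the post: three /26 VLANs carved out of
# 192.168.1.0/24. The gateway is the first usable address of each subnet.
VLANS = {
    101: {"name": "STAFF",  "subnet": ipaddress.ip_network("192.168.1.0/26")},
    102: {"name": "PUBLIC", "subnet": ipaddress.ip_network("192.168.1.64/26")},
    103: {"name": "SHARED", "subnet": ipaddress.ip_network("192.168.1.128/26")},
}

# Inter-VLAN policy as described: 101 <-> 102 denied, 103 reachable from both.
# Modelled as directed (src, dst) pairs; anything not listed is denied.
ALLOWED_PAIRS = {(101, 103), (103, 101), (102, 103), (103, 102)}


def plan(vlan_id):
    """Gateway, mask and usable host range for one VLAN (mirrors the post's table)."""
    net = VLANS[vlan_id]["subnet"]
    hosts = list(net.hosts())          # excludes network and broadcast addresses
    return {
        "gateway": str(hosts[0]),
        "mask": str(net.netmask),
        "first_host": str(hosts[1]),
        "last_host": str(hosts[-1]),
    }


def plan_is_disjoint():
    """True when no two VLAN subnets overlap (a prerequisite for clean routing)."""
    nets = [v["subnet"] for v in VLANS.values()]
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def vlan_of(ip):
    """Map an address to its VLAN id, or None if it belongs to none of them."""
    addr = ipaddress.ip_address(ip)
    for vid, v in VLANS.items():
        if addr in v["subnet"]:
            return vid
    return None


def is_allowed(src_ip, dst_ip):
    """Decide a flow under the stated policy; unknown addresses are denied by default."""
    s, d = vlan_of(src_ip), vlan_of(dst_ip)
    if s is None or d is None:
        return False
    if s == d:
        return True                     # same VLAN: never crosses the firewall
    return (s, d) in ALLOWED_PAIRS


def audit(flows):
    """Evaluate a list of (src, dst) flows; returns [(src, dst, 'ALLOW'|'DENY'), ...]."""
    return [(s, d, "ALLOW" if is_allowed(s, d) else "DENY") for s, d in flows]


if __name__ == "__main__":
    for vid in VLANS:
        print(vid, VLANS[vid]["name"], plan(vid))
    # Constructed sample flows: public PC -> staff PC, public -> printer, staff -> printer
    for row in audit([("192.168.1.70", "192.168.1.10"),
                      ("192.168.1.70", "192.168.1.140"),
                      ("192.168.1.10", "192.168.1.140")]):
        print(row)
```

The `audit` function is the useful part once the policy is in place: feed it the flows you expect to work (staff to printer) and the flows you expect to fail (public lab to a staff share) and compare the verdicts with what the real firewall's logs show.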
 

chris9486 (Distinguished, joined Jan 11, 2013)


So the switches on the internal system would need to be upgraded? I am not sure the 'board' would accept that cost. It is a community centre and we have a board of old fuds who know nothing. I might contact the local college and ask for help, since they put us in this mess.
 

synthaside (Distinguished, joined May 2, 2011)
I'd do this the other way round: the "basic" ISP router on the outside, because it's the only one that needs direct connectivity to the internet, and your current ISP router will already be doing this for you so won't require any changes.

Purchase a second DSL router for the internal network. In a sense, what you are doing with the hardware is creating a physical internal LAN; it's very similar to the concept of VLANs (virtual LANs, suggested by bill), but in this case you have a real second physical LAN rather than a virtual one.

There is no reason why you can't have both of these running wired and wireless networks, with the first router being wifi enabled as well ("provide the key for the 'public' wifi"); you just have to make sure these are running on different frequencies to get good performance out of the system.

On the internal network, any file shares, shared drives between the wireless machines, network attached storage (NAS), printers, scanners, "any" resource you want to share inside the internal (secure) network will be accessible on the internal network only.

Give this a read if you want a bit more detail, but it's actually a relatively straightforward principle: the devices inside the DMZ part can't access the internal part because they are only aware of the IP address of the router, so may only send data to that router, which it can deny.

http://dfarq.homeip.net/2011/11/how-to-make-a-dmz-with-two-routers/

If at the moment everything is in the one zone as the OP mentioned, then he won't have changed anything about his current traffic by implementing the second zone. The only reason a DMZ is less secure is that you usually soften the defense of the first router when you create a DMZ; in his situation the current initial router would have the same level of security, so nothing would have changed in his network.

Best of luck, but I think you'll be surprised how effective this setup can be, provided you set up the rules on that second router correctly.
 

choucove (Distinguished, joined May 13, 2011)


Yes, that's a good solution; it will introduce just one new router, and it can be a simple wireless router at that. The first network would be a public network but not technically a DMZ, because not all the network traffic ports would be allowed through at the first router. A second router behind that would provide a completely separate network range for the private network. The only downsides to this are:

1) there would not be any shared resources. Printers, servers, etc. would be connected to one network and only through that one network, and
2) network traffic can still traverse from one network to another. Automatic detection of shares and network devices in Windows would not show resources from one to the other, but with basic routers it's not going to stop the outside network from pinging through to resources on the internal network. With just basic routers, they won't block the traffic originating from that network.

You can solve this problem through a three-router configuration, though.

Router1 will be your outside internet connection. This is the first router in the chain, and for this example we will give it the 192.168.1.1 IP address for the default gateway. Router1 will be connected directly to two separate routers. Each of these routers will be the default gateway for one of your separate networks. Let's call these Router2 and Router3, and give them BOTH the IP address of 192.168.2.1 for the default gateway. All staff computers will connect to Router2 and all public computers will connect to Router3.

Now, since both of those routers are in the same network range (192.168.2.0), if a computer in the public network tries to access a computer in the staff network, let's say 192.168.2.10, the router at the public network default gateway will sense that it is trying to access an IP address within the same network and it will not be able to send out requests to the staff network. It's kind of hard to visualize, but basically, since the public and private networks are in the same network range, the individual gateways will just look to their own internal network to resolve IP addresses and will not even be able to tell that the other network is there.
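The forwarding decision behind the three-router arrangement above can be shown with a small model. This is an added example, not code from the thread: it reproduces a host's "on-link or via gateway" choice and a router's longest-prefix-match lookup with Python's `ipaddress` module. The interface names and the route table attributed to Router3 are constructed for the example; the addresses are the ones the post uses (Router1 at 192.168.1.1, Router2 and Router3 both at 192.168.2.1 with a 192.168.2.0/24 LAN).

```python
import ipaddress


def next_hop(host_ip, prefixlen, dst_ip, gateway):
    """A host's forwarding choice: destinations inside its own subnet are delivered
    on-link (ARP on the local segment); everything else is handed to the gateway."""
    local = ipaddress.ip_interface(f"{host_ip}/{prefixlen}").network
    if ipaddress.ip_address(dst_ip) in local:
        return "on-link"
    return f"via {gateway}"


def lookup(routes, dst_ip):
    """Longest-prefix-match over (prefix, interface) entries; None if nothing matches."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


# Constructed route table for Router3 (the public gateway). Its WAN side sits in
# Router1's 192.168.1.0/24, its LAN side is 192.168.2.0/24, default route to Router1.
ROUTER3_PUBLIC = [
    ("0.0.0.0/0", "wan via 192.168.1.1"),
    ("192.168.1.0/24", "wan"),
    ("192.168.2.0/24", "lan"),
]


def trace(src_ip, dst_ip, gateway="192.168.2.1", prefixlen=24, routes=ROUTER3_PUBLIC):
    """Follow a packet from a public-LAN host: first the host's decision, then, if
    the gateway is involved, the interface Router3 would forward it out of."""
    hop = next_hop(src_ip, prefixlen, dst_ip, gateway)
    if hop == "on-link":
        # The host never sends this to the router; it ARPs on its own segment,
        # where 192.168.2.10 (a staff PC behind Router2) does not exist.
        return {"host": hop, "router": None}
    return {"host": hop, "router": lookup(routes, dst_ip)}


if __name__ == "__main__":
    print(trace("192.168.2.50", "192.168.2.10"))   # public PC -> staff PC address
    print(trace("192.168.2.50", "8.8.8.8"))        # public PC -> internet
    print(trace("192.168.2.50", "192.168.1.1"))    # public PC -> Router1
```

Two things fall out of the model. A public host addressing 192.168.2.10 never involves Router3 at all, and even a packet that did reach Router3 would match its own LAN entry, so there is no path to the staff segment; that is the isolation the post describes. The third trace is the caveat: addresses in Router1's 192.168.1.0/24 (Router1 itself and the WAN sides of Router2 and Router3) are still reachable from the public side, so that shared segment should carry nothing that needs protecting.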
 

synthaside (Distinguished, joined May 2, 2011)
Exactly ;-) As far as I'm aware, the objective Chris has is to completely isolate the two systems so that file shares etc. are not accessible from the computer room. Perhaps I shouldn't have used the term DMZ, but when he asked the question I could visualize the topology he needed as a DMZ-style diagram. By using the original router, the open "customer / user" network is no less secure than it would be in its current configuration.

This would definitely be a cheap and easy to implement way of splitting your zones, and the tri-router system would prevent any snooping. However, as my security lecturer used to say when I was still cutting my teeth, "A system's security cost should be proportional to the value of the data you store", i.e. consider the typical user in the public use computer lab: are they going to even know what ping is, let alone know how to find hidden resources with it? If so, then yes, an extra expenditure on a third router would be worth doing.