Separate a physical network into two networks (sharing a NAS)

inntheboat
Aug 10, 2015
I am helping a buddy who started a coffee shop set up his network. We decided to do two subnets — one for the POS system and one for the office/employee computers. We decided to do this because the POS provider has access to the POS devices and we'd like to prevent the POS system from communicating with the office.

Additionally, I'll be purchasing and installing a Synology DS214.

I am wondering the best way to set up this network. The three options I was considering were:

1) Three RT-N66U routers — connect the modem to the first router (192.168.1.1), then connect the other two routers via LAN ports (192.168.2.1 and 192.168.3.1).

I'm not sure if this gives me the security that I think it does? Could a user just change his gateway to access the other network? Are there other disadvantages/problems?

Could I simply connect my NAS to the first router to allow all devices to connect to it?

2) One RT-N66U flashed with third party software using VLANs — I've never used Tomato or DD-WRT, but my understanding is that I can flash Tomato (Shibby) or DD-WRT onto my router and set up two VLANs to prevent the devices from talking.

Could the NAS still communicate between both VLANs?

3) Get a business class router (Cisco or Ubiquiti?) — I've never set up a business network and therefore only have experience with consumer routers. I assume the process would be similar to #2 (VLANs).

We will probably add security cameras and maybe guest wi-fi down the road if that makes any difference.

gbb0330
Apr 28, 2015

Options 1 and 2 are great for a school project, but if you put this setup in a business environment you are just asking for trouble. Go with option 3, or buy a firewall like a Dell SonicWall; it will do routing, subnetting and a lot of other things. The TZ 500 is nice if you want to provide WiFi for the clients as well. The TZ 300 and 400 have about the same feature set but less bandwidth. You will need a firewall anyway for the POS - PCI compliance.

inntheboat
Aug 10, 2015

So would something like a SonicWall TZ 105 work? I would set up two VLANs -- one for the office and one for the POS. In the future, I would set up a third for IP cameras and probably a fourth for guest wifi.

Do I then connect an unmanaged switch to each port on the TZ 105? For example, an unmanaged switch on port 1 (VLAN1), one on port 2 (VLAN2), etc.? And each device connects into that switch, depending on what VLAN I want them in?

Could I then plug the Synology NAS into the fifth port on the TZ 105 and allow all VLANs to connect to it? (The IP cameras, VLAN3, would also need to connect.)

Am I able to specify VLAN1 (Office) for the built-in wifi on the TZ 105 or would I have to get an access point and plug it into the switch that's part of VLAN1?

gbb0330
Apr 28, 2015

The TZ 105 is an old generation firewall; if you really wanna go cheap, get the SOHO. You can do VLANs, but you will need a VLAN-aware switch. Also, VLANs complicate things a little bit; you may have to pay someone to do it right.

The SonicWall has multiple LAN interfaces. I would do something like this:
configure LAN 1 as 192.168.1.x - use it for POS.
configure LAN 2 as 192.168.2.x - plug in a cheap gigabit switch and use it for general office stuff, printers, desktops, security cameras, NAS.
configure LAN 3 as 192.168.3.x - plug in a Ubiquiti UniFi access point and use it for client WiFi.

inntheboat
Aug 10, 2015

Ahh, you are awesome! So if I used a SOHO with multiple LAN subnets, would each LAN be able to communicate with the others? (I don't want them to, with one exception below...)

If they aren't able to communicate, can I set up firewall rules to allow exceptions? For example, we'd want the POS LAN to communicate with the single NAS IP address (on LAN 2) for backups.

I would only need my cable modem and the SOHO then, right (plus any switches)? I.e. no routers like a consumer grade Linksys or ASUS.

inntheboat
Aug 10, 2015

Well the DS214, which I had planned to get, does not have the capability of two NICs. But if I got one that did, what would my other hardware setup be? Two routers with different subnets and connect each to the NAS?

gbb0330
Apr 28, 2015

Yes, you can do all kinds of routing between the subnets; you can restrict/allow access on certain ports. SonicWall has a lot of features.

All you need is a SonicWall, switches, cables and a wireless access point in case the built-in WiFi is not enough to cover the whole building.
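The zone layout from the reply above, together with the single NAS backup exception asked about earlier in the thread, expressed as a small first-match policy checker. This is an added example, not code from the thread or from SonicWall; it assumes /24 subnets, a constructed NAS address of 192.168.2.10, and SMB port 445 as the backup port. A real firewall's rule syntax differs, but the zone-to-zone logic (intra-LAN free, inter-LAN denied, one narrow host/port exception) is what the rules should encode.

```python
from ipaddress import ip_address, ip_network

# Zones from the thread; /24 masks are an assumption (the post only says 192.168.N.x).
ZONES = {
    "POS":    ip_network("192.168.1.0/24"),   # LAN 1
    "OFFICE": ip_network("192.168.2.0/24"),   # LAN 2: switch, desktops, cameras, NAS
    "GUEST":  ip_network("192.168.3.0/24"),   # LAN 3: client WiFi
}
NAS = ip_address("192.168.2.10")  # constructed address for the Synology on LAN 2

# First-match policy: (src_zone, dst_zone, dst_host or None, dst_ports or None, action).
# Port 445 (SMB) as the backup port is an assumption; the thread names no port.
POLICY = [
    ("POS", "OFFICE", NAS, {445}, "ALLOW"),   # the one exception: POS -> NAS backups
    ("POS", "OFFICE", None, None, "DENY"),    # everything else from POS to office
    ("OFFICE", "POS", None, None, "DENY"),    # office may not reach the POS LAN
    ("GUEST", "POS", None, None, "DENY"),
    ("GUEST", "OFFICE", None, None, "DENY"),
]
DEFAULT = "DENY"  # any inter-zone flow with no explicit rule is dropped


def zone_of(ip):
    """Map an address to its zone name; anything outside the LANs is WAN."""
    ip = ip_address(ip)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "WAN"


def evaluate(src, dst, dport):
    """Return ALLOW or DENY for one flow; the first matching rule wins."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return "ALLOW"   # same LAN: the switch forwards it, the firewall never sees it
    if d == "WAN":
        return "ALLOW"   # every zone gets internet access
    for rs, rd, host, ports, action in POLICY:
        if rs != s or rd != d:
            continue
        if host is not None and ip_address(dst) != host:
            continue
        if ports is not None and dport not in ports:
            continue
        return action
    return DEFAULT


if __name__ == "__main__":
    for flow in [("192.168.1.20", "192.168.2.10", 445), ("192.168.1.20", "192.168.2.50", 445)]:
        print(flow, "->", evaluate(*flow))
```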