3 internal networks connected from 1 comcast modem

cah8429
Feb 27, 2013
I'm trying to figure out the best method to set up 3 internal networks behind a Comcast modem. Here is what I want: 1 network for my servers that I point to the Internet, one for home users, and 1 for guests. The servers don't need to be on a wireless network, but my home/guest users will be. I don't know how Comcast stuff works, and I expect the worst experience from them (seeing how horrible their router UI is and no option for DNS). I would like to know what people have done and if they can confirm my thoughts on what I think the topology would be like:

Comcast modem -> wireless router/firewall

Modem set to bridged mode and then I would like a DD-WRT/pfSense router/firewall setup in front. 1 Ethernet port goes to a switch for my servers which I want to port forward out to the Internet (LAN1).

Can a Linksys AC1900 with DD-WRT handle 3 networks like I want? Or will I be needing another router? I'd like to know what others have done.

Thank you

Solution
Dunno about the Linksys, but DD-WRT and the high-end Netgear routers can do it. Technically the Asus routers can do it too, but not via the GUI (you have to telnet in and use the command line).

The key to doing what you want (without buying a lot of hardware) is VLANs - virtual LANs. The traffic goes over the same hardware, but the hardware knows the traffic is supposed to be separate. So you set up VLAN 1 on ethernet port 1 - that will be your server network. Ethernet ports 2-3 and WiFi (either 2.4 GHz or 5 GHz or both) will be VLAN 2. And ethernet port 4 and WiFi (again either 2.4 GHz or 5 GHz or both, but with a different SSID than the home WiFi network) will be your guest network.

The router will keep traffic on VLAN 1 separate from traffic on VLAN 2 separate from traffic on VLAN 3. All three will be able to access the Internet, but not each other. (This does get a bit dodgy when you do this on ethernet ports. The switching hardware should keep traffic from, say, VLAN 1 ever being sent to a device on VLAN 2. But if for some reason you're using a hub or the VLAN 1 traffic gets sent to a VLAN 2 port, an ethernet device in promiscuous mode could eavesdrop on VLAN 1 traffic even though it's on VLAN 2. The problem is more relevant to, say, a business which wants employees to be able to plug into a single wall jack in their room and connect to the VLAN their department is assigned to, rather than have to physically rewire each room's ethernet port depending on which department the employee works in. This is why the guest networks built into modern routers are normally restricted to just WiFi - no ethernet port is included.)

On Netgear's router setup GUI, VLANs are on the Advanced tab, Advanced Setup, very last option (VLAN / Bridge settings). I haven't used the functionality in DD-WRT in years so I won't give instructions in case they've changed it. But DD-WRT is a lot more flexible. I was able to bypass a broken WAN port on an old router by using DD-WRT to reassign the WAN (it's just a VLAN) to one of the regular LAN ports.
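The answer above describes the three-segment split in words (VLAN 1 = port 1 for servers, VLAN 2 = ports 2-3 plus home WiFi, VLAN 3 = port 4 plus guest WiFi; every segment to the Internet, no segment to any other, only the published server ports reachable from outside). Here is that policy written down as a small model you can run, added as an example for this thread rather than code from any poster or from the DD-WRT or pfSense projects. The member names (`eth1` to `eth4`, `wifi-home`, `wifi-guest`), the bridge and WAN interface names (`br0`, `br1`, `br2`, `vlan2`), and the two forwarded ports are all assumptions; check `ip link` on your own build before reusing the generated rules.

```python
"""Three-VLAN split (servers / home / guest) behind one router: a policy model.

Added example; not from the thread or any DD-WRT/pfSense project. Segment
names, member names, the forwarded port list and the bridge/WAN interface
names are assumptions chosen to match the layout described in the answer.
"""

# Port and SSID assignment from the answer: VLAN 1 = port 1 (servers),
# VLAN 2 = ports 2-3 + home WiFi, VLAN 3 = port 4 + guest WiFi.
SEGMENTS = {
    "servers": {"vlan": 1, "members": {"eth1"}, "iface": "br0"},
    "home":    {"vlan": 2, "members": {"eth2", "eth3", "wifi-home"}, "iface": "br1"},
    "guest":   {"vlan": 3, "members": {"eth4", "wifi-guest"}, "iface": "br2"},
}
WAN_IFACE = "vlan2"   # assumed name of the upstream (bridged modem) interface
WAN = "wan"           # pseudo-member standing for the Internet side

# Only these TCP ports are published from the server VLAN (constructed sample).
FORWARDED_TCP_PORTS = {80, 443}


def segment_of(member):
    """Return the segment a port/SSID belongs to, or 'wan' for the Internet."""
    if member == WAN:
        return WAN
    for name, seg in SEGMENTS.items():
        if member in seg["members"]:
            return name
    raise ValueError(f"unknown member: {member}")


def is_allowed(src, dst, dport=None):
    """Decide whether the router should forward a new flow from src to dst.

    Every internal segment may reach the Internet; internal segments never
    reach each other; the Internet reaches the server segment only on the
    explicitly forwarded TCP ports; same-segment traffic is switched locally
    and never passes the router's FORWARD chain, so it is reported as allowed.
    """
    s, d = segment_of(src), segment_of(dst)
    if s == d:
        return True                      # same VLAN, handled by the switch
    if d == WAN:
        return True                      # outbound Internet access for all three
    if s == WAN:
        return d == "servers" and dport in FORWARDED_TCP_PORTS
    return False                         # any inter-VLAN flow is blocked


def iptables_rules():
    """Emit FORWARD-chain rules in the shape a DD-WRT firewall script would use.

    '-I' puts each rule at the head of the chain, ahead of the build's own
    defaults. The DROP rules and the ACCEPT rules match disjoint interface
    pairs, so their relative order does not matter.
    """
    rules = []
    internal = list(SEGMENTS.values())
    # Block every internal-to-internal pair in both directions.
    for a in internal:
        for b in internal:
            if a is not b:
                rules.append(f"iptables -I FORWARD -i {a['iface']} -o {b['iface']} -j DROP")
    # Let new connections from the WAN reach only the published server ports
    # (the matching DNAT in PREROUTING is what the router's port-forward page adds).
    srv = SEGMENTS["servers"]["iface"]
    for port in sorted(FORWARDED_TCP_PORTS):
        rules.append(f"iptables -I FORWARD -i {WAN_IFACE} -o {srv} -p tcp --dport {port} "
                     f"-m conntrack --ctstate NEW -j ACCEPT")
    return rules


if __name__ == "__main__":
    # Constructed flows covering each cell of the policy.
    checks = [("eth2", "wan", None), ("wifi-guest", "wan", None),
              ("wifi-guest", "wifi-home", None), ("eth4", "eth1", None),
              ("wan", "eth1", 443), ("wan", "eth1", 22), ("wan", "eth2", 443)]
    for src, dst, port in checks:
        verdict = "ALLOW" if is_allowed(src, dst, port) else "DROP"
        print(f"{src:>10} -> {dst:<9} port={port}: {verdict}")
    print("\n".join(iptables_rules()))
```

The model only covers the FORWARD chain, i.e. traffic passing between interfaces. Whether guest clients can reach the router's own admin page or DNS resolver is an INPUT-chain question and is not addressed by these rules; it is worth deciding separately, since the guest SSID is the segment you trust least.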

cah8429
Feb 27, 2013
Thank you for the information! Yeah I have experience doing this at the enterprise level with Cisco hardware/software and it's easy doing this stuff with inter-VLAN routing, but I've never tackled this with consumer-grade solutions. And staying on a budget makes it harder as well. I imagine the Linksys DD-WRT routers could do inter-VLAN routing and I've had great success with them in the past. And I want to stick with it primarily for good DD-WRT support. Are you saying that creating a VLAN going over wireless will eat an Ethernet port?
 

No it won't. I was just giving it as an example in case you wanted to allow a guest to connect via ethernet for, say, a faster download of a large file. Most routers come with guest WiFi networks, so some people might not be aware you can make ethernet ports part of the guest network as well.