Y configuration DMZ
Hi, I was looking to set up a Y configuration of routers, with a modem going to a master router, then from the master router's LAN ports to two other routers' WAN ports to give a guest and a private network. I understand that this will all work fine for normal web surfing but can be very long-winded when setting up port forwarding, which I would need on the private network, so I was wondering if I could get around this by setting up a DMZ on the master router for the private network router, allowing all the port forwarding to be taken care of by just the one router. Would this work, and would the two networks still be secure from one another? Thanks
That's a bit of a complicated setup with double NAT going on twice. Have you looked at getting a router that supports vlans? That would allow you to manage everything from one interface, and still allow the two different networks. Most of the custom firmware supports this, and those routers start around $50. It's not that complicated to set up, and would be the best way to do this imo.
What you described sounds like it should work, but I wouldn't recommend it.
Yes, but would those different networks be carried through to all access points? In my proposed setup the routers would be just wired (no wireless) and each connected to a switch with multiple access points connected to it and placed around the house. So using one of those vlan routers, when access points are connected to it, would they also broadcast both networks?
If you hooked up a dumb switch to a port that was specified on your main router as vlan 1, then anything hooked up to that switch would be considered in vlan 1. You would not want to hook up a switch to ports that were in multiple vlans.
What do you mean when you say access points? If you mean wireless access points with DHCP disabled etc., then it should still be recognized as being in whichever vlan you have connected to the switch.
If you are going to have this much equipment connected you might want to look at a managed switch to do this properly if that is an option budget wise.
OK thanks, so it should all work and does sound much simpler. Just to clarify, does this setup still prevent anything in network 2 accessing anything on network 1, so they are completely separate? If this is the case, could you please explain to me how I would set up vlan and what equipment is needed?
Yes, you're correct in things in different vlans not being able to access each other. How you configure them completely depends on the hardware you are using.
A very basic router running dd-wrt will serve this function. Here's a link with info on how to do this in dd-wrt, but again it really depends on the router/firmware as to how you set it up.
Do you recommend using dd-wrt? I've never heard of it before. Or are there routers that support this as standard?
Also, when using vlan, are the networks on different subnets, e.g. one network 192.168.1.x and the other 192.168.2.x, or do they both use the same subnet and it just prevents them from communicating?
Generally you would use different subnets, but I suppose you could have them in the same one and it wouldn't really matter other than being confusing to troubleshoot.
If you have a router that supports dd-wrt there is no harm in trying to set it up. Maybe someone else with a home network setup using vlans can respond; I've never used them with dd-wrt, I just know it supports them. The stuff I've worked with has been fairly expensive managed switches that wouldn't really relate to something you might use at home, so I'm not sure what to recommend.