I am setting up a small office network (about eight workstations) that needs to have two segments. Computers on both segments need Internet access, but should not be able to see computers on the other segment or access them in any way.
They have a wireless router and a wired network switch already in use. I can buy additional equipment if necessary, but they don't have a huge budget, so it needs to be affordable, consumer-grade stuff if possible.
I have a fair amount of basic networking experience but this is beyond anything I've done previously. What do I need to get and how do I need to set it up? And perhaps most importantly, how do I confirm that the computers on both segments are in fact completely separate and unable to communicate?
Use a Y configuration. Have each of them on separate routers, each w/ its own network. Then have those two routers share a third (primary) router.
[router B - 192.168.2.x](wan)<-- wire -->(lan)[router A - 192.168.1.x](lan)<-- wire -->(wan)[router C - 192.168.3.x]
Each network has access to the internet via the upstream router A, yet routers B and C are completely isolated from each other thanks to their respective firewalls. Pretty simple configuration and doesn’t require anything fancy, just basic consumer-grade routers.
NOTE: You could do the same thing w/ a single router/switch using VLANs, but that requires a more sophisticated device (or perhaps a dd-wrt compatible router). However, a newbie might quickly be in over their head having to deal w/ VLANs, providing the correct routing commands, bridging the individual VLANs to the router's VLAN, etc. In a business environment, that would probably be how it's done. But for the individual user or small businesses, using multiple routers makes it much simpler and doesn't require any special knowledge.
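One way to confirm the separation the question asks about, as an added example that is not part of the original posts: run this from a workstation behind router B or C and list addresses on the other networks as targets. The subnets come from the diagram above; the host addresses, the port list and the function names are assumptions made for the example.

```python
import ipaddress
import socket

# Subnets from the diagram in the answer. Host addresses passed to audit()
# and the port list below are constructed for this example.
SEGMENTS = {
    "A": ipaddress.ip_network("192.168.1.0/24"),  # shared upstream LAN
    "B": ipaddress.ip_network("192.168.2.0/24"),
    "C": ipaddress.ip_network("192.168.3.0/24"),
}
PORTS = (22, 80, 139, 445, 3389)  # services commonly open on office PCs

def segment_of(addr):
    """Return the letter of the segment that contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in SEGMENTS.items() if ip in net), None)

def tcp_open(addr, port, timeout=1.0):
    """True if a TCP connection to addr:port completes."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit(local_addr, targets, probe=tcp_open, ports=PORTS):
    """Probe targets from a host behind B or C.

    'leaks'   = open ports on the other downstream segment (B<->C); the
                design expects none.
    'exposed' = open ports on segment A. A is upstream of both B and C, so
                anything plugged into A (including the WAN side of the
                other router) is reachable from both segments.
    """
    here = segment_of(local_addr)
    if here not in ("B", "C"):
        raise ValueError("run this from a workstation behind router B or C")
    result = {"leaks": [], "exposed": []}
    for addr in targets:
        there = segment_of(addr)
        if there in (None, here):
            continue  # outside the isolation claim being tested
        for port in ports:
            if probe(addr, port):
                result["exposed" if there == "A" else "leaks"].append((addr, port))
    return result

if __name__ == "__main__":
    # Constructed targets: a PC behind C, and router C's WAN address on A.
    print(audit("192.168.2.10", ["192.168.3.10", "192.168.1.3"]))
```

An empty "leaks" list from a machine on each side is the result you want; entries under "exposed" point at port forwards, a DMZ setting or remote administration enabled on the other router's WAN side, or at devices connected directly to router A.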