Using Netgear switches to distribute internet to separate groups

smackenzie
Here's the setup: in a small office, I have a Netgear DG834 router, with one port hooked up to a GS105e switch, which has 2 PCs and a printer connected to it. A second router port is connected to a GS724P switch in a separate location; cabling from this point feeds 10 access points throughout the building (2 wired, 8 wireless using PoE).

Currently, any device connected to either switch can access the Internet; however, any device can also access the office computers. I need to create 4 separate user groups: 3 on the GS724TP, and 1 in the office. Each member of each group must have internet access, but none may have access to any other group on either of the two switches.

I am comfortable with simple networking concepts, and believe the hardware is capable of the task; I believe I understand the basics of the VLAN concept. However, I lack the experience that the documentation assumes, and would therefore welcome assistance and advice on the specific settings required on each of the 3 devices to achieve my goal.

- xlrtech
  • robo_dev

    The simplest way to do this is to swap your router/firewall for one with multiple LAN interfaces. This would allow you to assign one interface to your office network and the other interface to your WLAN. These would be two separate subnets. You would then plug your one switch into one interface, and the other switch into the second interface.

    VLANs allow you to split an Ethernet switch into what effectively looks like multiple physical switches. BUT, a VLAN-capable switch typically needs a router to route between VLANs, and for two separate VLANs to get to the internet, they need two different LAN default gateways (which your current router cannot provide). So the short answer is that you don't need a switch that can do VLANs, you need a router/firewall that can support multiple LANs.

    JPElectron

    A very similar example of what you want to create is shown here: http://dnsredirector.com/networks/09/

    The GS724TP does allow for VLANs, so that's good.
    The DG834 doesn't support VLANs nor does it have a dedicated DMZ port; you'd need a router that will support at least one of those to create a separate guest network.
    If you need to isolate more than 2 networks, then you need a firewall with more than 2 internal LAN interfaces, or support for VLANs. I'm not confident Netgear offers VLANs in any of their routers, but I know Cisco ASA 5505 (20 active VLANs with the Security Plus license) or ASA 5510 (100 active VLANs with the Security Plus license) could do it.

    smackenzie

    robo_dev and JPElectron, thank you for your replies. I now understand the issue better, and have studied the example provided. I already have a GS105e switch attached to the DG834; from your responses and what I've read, I understand I will need both this switch and an additional device to implement what I've outlined. The additional device could be one of the Cisco devices mentioned, or a Netgear device such as the FVS318G or FVS336G - it would be helpful if you could confirm this.

    JPElectron

    FVS318G or FVS336G both have a DMZ port, so you could use the LAN port as VLAN1 and DMZ port as VLAN2 (effectively creating two separate LANs).

    The GS105E switch is not a smart switch or managed switch, so it doesn't understand VLANs or trunking. Whatever you plug into a GS105E is all part of the same flat LAN.

    If you need more than two separate networks, you'll need a Cisco.

    The Netgear FVS318N latest firmware seems to support VLANs, where you might be able to create more than 2 networks, but I cannot confirm this.

    smackenzie

    Thanks JPElectron, that's really helpful. So if I have this right, I should ditch the GS105e and replace with an FVS318G (don't need wireless). Using the illustration you provided, I can then set up 2 LANs, one in the office and the other (using DMZ) in the remote location, using the GS724TP. I don't need a 3rd LAN; however, if possible I wish to set up subgroups on the second LAN using the VLAN capability of the 24-port switch.

    JPElectron

    Yes, but be aware that...
    FVS318G NAT throughput is 25 Mbps
    FVS336Gv2 NAT throughput is 60 Mbps
    FVS318N NAT throughput is 95 Mbps
    ...the router should be as fast or faster than your Internet connection.

    ...although I just tested FVS318N with the latest firmware, and there seem to be a few bugs, the most obvious of which was constant DNS lookup failures even when DNS Proxy was disabled - you can disable the wireless completely - but I'd stay away until a better firmware is out.

    Cisco ASA 5505 throughput is 150 Mbps
    Cisco ASA 5510 throughput is 300 Mbps

    Be aware that you can have multiple VLANs on the GS724TP, but if you only have two interfaces in a non-VLAN-aware router (the LAN port and the DMZ port) then that's the max number of VLANs you can create that will actually route traffic out to the Internet.

    If you wanted to have multiple VLANs on the switch, that all route out to the Internet, you'd need one of the following...
    - a firewall with more than 2 interfaces
    - a switch with routing capabilities, Netgear calls these "fully managed" switches like the GSM series
    - a router that supports VLANs and trunking (multiple VLANs in one port)
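
The third option in the post above (a router that supports VLANs and trunking), sketched as an added example that is not part of the original thread: it assumes a Linux router with nftables in place of the devices discussed, and the interface names, VLAN IDs and subnets are constructed. The script only prints the commands and ruleset for review.

```shell
#!/bin/sh
# Added example (constructed): interface names, VLAN IDs and subnets are assumptions.
# Prints the commands and ruleset for review; nothing is applied to the system.
TRUNK=trunk0   # router port cabled to the switch port that carries all VLANs tagged
WAN=wan0       # router port facing the Internet connection
PLAN="office:10 group1:20 group2:30 group3:40"   # the four groups from the question

# One 802.1Q sub-interface per group: each becomes that group's default gateway.
emit_interfaces() {
  echo "ip link set $TRUNK up"
  for entry in $PLAN; do
    vid=${entry#*:}
    echo "ip link add link $TRUNK name $TRUNK.$vid type vlan id $vid"
    echo "ip addr add 192.168.$vid.1/24 dev $TRUNK.$vid"
    echo "ip link set $TRUNK.$vid up"
  done
  echo "sysctl -w net.ipv4.ip_forward=1"
}

# Default-drop forwarding: a Linux router with forwarding enabled routes between
# all of its interfaces, so only VLAN -> WAN (and the replies) is accepted here.
emit_ruleset() {
  cat <<EOF
table inet segmentation {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "$TRUNK.*" oifname "$WAN" accept
  }
}
table ip nat {
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    oifname "$WAN" masquerade
  }
}
EOF
}

emit_interfaces
emit_ruleset
```

On the switch side, the port facing the router would carry all four VLANs tagged, and each access port would be an untagged member of exactly one group's VLAN.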
