Overthinking a small network

LifelineIT
I've got a small NPO client who teaches classes every day. They recently moved to a new office, and I went in and did wired runs for their Ethernet, although they HATE being wired. When Comcast came to install their new account, they put in one of those all-in-one modem/routers.

They do a lot of file sharing, etc. I have that locked down so that only they can access it regardless of who else gets on the LAN. However, they've decided that they want a completely separate VLAN for their students to use, which makes sense. I attempted to use their consumer-grade Netgear router in bridged mode on a new subnet to make a new (and isolated) wifi network, but the router said NO, always with the double-NAT issue.

They have 4 office computers and one office networked printer. They want the 4 office machines completely isolated. They want the printer usable by anyone. They want a second wifi network for the students that is also completely isolated. Now, add into this that these ladies have literally the WORST computer habits ever. Constant infections, even running MBAM plus an AV. Constantly installing junk. Insisting they have Admin privileges. It means money for me, but it's frustrating and of course they call in a tizzy whenever something breaks.

SO, my thought is that they need an appliance. Untangle/pfSense/IPFire/whatever, I need to filter that internet. I believe I can replace the Comcast all-in-one with a Motorola SB whatever, drop in an appliance box, and then split the wifis from there and bridge the printer. I think I can also do basically all of that with just a beefy DD-WRT/Tomato router, minus some of the filtering. I can definitely do VLANs and isolation that way.

So as you can see I've totally overthought this. It's entirely likely that the appliance might tick them off; they seem to enjoy being infected. Should I worry about the appliance or just do a nice router?

The office is ~2000 sq ft, single floor, basically a big open room with some drywall boxed offices.
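The three-segment policy described in the post (office machines isolated, students isolated, printer reachable by everyone), as an added example for a Linux-based router such as DD-WRT; this is not the poster's configuration. Interface names, subnets and the printer address are assumptions, and the script defaults to a dry run that only echoes the iptables commands.

```shell
#!/bin/sh
# Added example: FORWARD-chain policy for office / student / printer segments.
# Assumed layout (not from the thread):
OFFICE_IF=br0              # assumed: office LAN + office WLAN bridge
STUDENT_IF=br1             # assumed: student WLAN on its own VLAN/subnet
WAN_IF=vlan2               # assumed: uplink toward the Comcast gateway
PRINTER_IP=192.168.1.50    # assumed: printer sits on the office subnet
# Dry run by default: prints the commands. Run with IPT=iptables to apply.
IPT=${IPT:-"echo iptables"}

build_rules() {
    # Start from an empty FORWARD chain with default deny, so that any
    # traffic not explicitly allowed below (including student -> office
    # file shares) is dropped.
    $IPT -F FORWARD
    $IPT -P FORWARD DROP
    # Return traffic for flows that were allowed to start.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Both segments may reach the Internet.
    $IPT -A FORWARD -i "$OFFICE_IF" -o "$WAN_IF" -j ACCEPT
    $IPT -A FORWARD -i "$STUDENT_IF" -o "$WAN_IF" -j ACCEPT
    # Students may reach only the printer on the office segment, and only
    # on the printing ports (raw 9100, IPP 631). Nothing else crosses.
    $IPT -A FORWARD -i "$STUDENT_IF" -o "$OFFICE_IF" -d "$PRINTER_IP" \
        -p tcp -m multiport --dports 631,9100 -j ACCEPT
    # Office machines do not get to initiate into the student segment either.
    $IPT -A FORWARD -i "$OFFICE_IF" -o "$STUDENT_IF" -j DROP
}

# Self-check on the dry-run output: default deny is present, the printer
# exception is scoped to one host, and there is no blanket student->office
# accept. Returns 0 when the generated policy matches the intent.
check_policy() {
    rules=$(build_rules)
    echo "$rules" | grep -q -- "-P FORWARD DROP" || return 1
    echo "$rules" | grep -q -- "-i $STUDENT_IF -o $OFFICE_IF -d $PRINTER_IP" || return 1
    ! echo "$rules" | grep -q -- "-i $STUDENT_IF -o $OFFICE_IF -j ACCEPT" || return 1
    return 0
}
```

The student segment still needs its own subnet and DHCP scope, and the router's INPUT chain should separately block the router's admin interface from the student side.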
 
Don't need to swap the Comcast gateway, they're easy to put your own firewall(s) behind and allow proper public IP subnet passthrough (so your firewall(s) obtain the public IPs on their WAN interface).

Usually Comcast won't allow you to downgrade to a residential grade Surfboard modem on business accounts.

I also take advantage of the multiple subnets you gain by doing the above...production network behind your own firewall which is behind the Comcast gateway, and put a "guest" network directly connected to the Comcast gateway on that 10.1.1.x network. Nice 'n simple!
 
Can't say I've dealt with everything you are doing, but Stoney sounds on the right track. When I got AT&T DSL/Uverse, they provided a unit like that. In my case, I just told their modem it was only allowed to give out one IP and locked it to a specific range to where it literally had one address available. Disabled its wifi, and tried to have it pass all traffic through. I then hooked up my router, told it the one IP in the range from the provided router/gateway was to be its IP for its connection, set up the security, and all was happy. I seem to get better throughput doing it this way too, I guess maybe since the combo box from AT&T does not have to do everything.

So I agree with Stoney. If you want to be anal, set it to allow 2 IPs, have it pass all traffic to your devices, put your own firewall behind, and assign it one of the 2 IPs, then put the internal network behind it, then maybe put a separate router on the other IP, and put it on a weird subnet as he suggested and that can be your guest.
 
Thanks to both of you. If we go forward, I suspect they'll decline the appliance. I quoted them a little over $300 to move to a moderately high end router with DD-WRT plus setup of both WLANs and all their office machines. I suspect they'll balk at that price, and I feel like it's a WAY more than fair price, so I'm not gonna sweat it.
 