VLAN question - is this possible?

JustInspired

Me again :)

I am trying to find out whether I can have two VLANs on the same cable. (That's the best way I can explain it!)

I'm attaching a picture (greatly simplified) of my current setup.

Basically I have a single CAT6 cable running underground from the router at the front of my house to my workshop at the back.

Running more cables would be a major undertaking - perhaps something I might think about much later.

Basically the single cable stops halfway through the house; goes to a 5 port unmanaged Gigabit switch which feeds various things like my home server, CCTV DVR etc. The cable carries on from a port on that switch, to the back of the house, under the ground and up inside the workshop.

Another unmanaged switch splits it in the workshop.

I have one PC and a VOIP phone that I would like to keep on the 'main' network.

The rest of the machines in the workshop (i.e. customers' machines and my file server) I would like to isolate inside their own LAN/VLAN.

Is this even possible?

Other considerations might be two routers and a HomePlug mains/ethernet setup or some sort of fast WiFi bridge.

Please note that I am unable at present to have more than one WAN IP address with my cable TV and Internet package. (Virgin Media).

Any ideas would be greatly appreciated!

If someone has the time to help me set this up I will gladly donate via PayPal for beers or a charity of your choosing! :D
 

Attachments: network.jpg
Actually, you could just insert a router between the switch in the workshop and the machines you want isolated. Configure it with a different network range (I use 10.50.100.0/24 for my isolated network) than your primary router. Devices on the new router would technically still be able to "see" your other devices if you specify them by IP address, but they would at least be on a different network. If you desire more security, you could configure a VLAN on the new router to connect the isolated devices to (assuming your new router supports VLANs). You could always add another switch if you need more ports for the VLAN.
 
At my full-time job (movie theater manager/projectionist) we have a similar setup: all of our digital projectors and servers are on an 'isolated' network. Technically it is all the same network, but the group of servers/projectors is addressed 10.33.0.(1/250) and 10.33.2.(1/250).

it gets the job done!
 

I did insert a router in the workshop with the micro server and customers' machines on it (with a switch) already yesterday. Third octet different on that router's LAN.

Thought all was great until I opened 'Network' on a customer's Windows 7 machine this morning and discovered to my horror that all my home machines were visible!
I double clicked them and it said 'inaccessible' or similar but I'm still worried about it. :o

So will using a 10.xxx range help?
 

Sorry, no. Since the WAN address for your new router is a LAN address from your first router, the devices on the second router have a routable path to the devices on the first router. Not sure how much of a danger this poses to your personal equipment.

Given your restrictions, or without adding a bunch of hardware, this may require some more thought. I don't suppose that you buried the wire in conduit, and could perhaps pull another cable? Every possible solution I think of falls apart when I look into it further. Maybe if you had a router on the front end that supported VLANs, you could tie the wireless to a separate VLAN, and connect to it from the shop via another router in bridged client mode (dd-wrt supports this). Then plug your isolated stuff into that router. All your personal stuff stays on the current config... just thinking out loud here :)
 
Thanks for giving my challenge some thought. :)

I wish there was an easy way to run another cable but alas there isn't.

Actually, getting another cable through the conduit underground would probably be easier than running it the rest of the way through the house! For now I am going to say no, it's not an option. I wish I had run more than the 3 that are present now when I did install them, but if wishes were horses, beggars would ride. The other 2 cables are running phone, alarm, doorbell and intercom stuff. It's a bit of a nightmare.

So, perhaps I should look at getting some homeplug devices and see if they work in my situation? Then I could get a router that handles VLANs (hopefully one that also has WiFi as I have so many devices and 'wall warts' at the moment as it is!)
 
Why not insert a MANAGED switch instead of the unmanaged switch? Then you could make each port its own VLAN and route everything to the ISP's router's DMZ? I picked up a Cisco 2970 24-port switch (GigE) on eBay for under $80 and am doing almost the same thing you're trying to accomplish... I think :)
 

Hmm, if I understand you right, then that may be the answer! :eek:

Before, I was under the impression that enabling DMZ on the router connected to my cable modem would make everything open and insecure. Or is it like a kind of 'port forwarding on steroids' to just one IP address / device?

Wait...are you talking about the switch in the house or the one in the workshop? (see image attached to first post).
 
Managed switches are needed for VLANs

In order to have more than one VLAN, you need managed switches. Currently the default is that everything is on VLAN 1; this is the standard for every switch, even unmanaged. Assuming your router is a standard home router, it's actually a combination of a router (WAN port) and a switch (4 other ports). So your router would need the ability to have VLAN management. VLANs happen at the layer 2 level (switches), and in order for VLANs to talk with each other or on the internet, they need to be routed (layer 3 level). If you want to isolate them, you would probably need an ACL to block traffic from one VLAN to the other, or get a firewall, like a Dell SonicWall, and create a rule on the firewall to block traffic from the one VLAN but allow it to get to the internet.

You could also just set up a firewall at the end you want to isolate and only allow certain ports. I've done this before with OpenBSD and Packet Filter, but it would require some knowledge of the Linux/UNIX command line. You should be able to do that with other firewalls as well.
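An added example (not the poster's own ruleset) of the OpenBSD Packet Filter approach described above, which also addresses the earlier concern that a second router's WAN side still has a routable path back to the house LAN: workshop hosts reach the Internet through the main router but are cut off from every private range. Interface names, 192.168.1.0/24 and 192.168.1.1 are assumptions; 10.50.100.0/24 is the range suggested earlier in the thread.

```pf
# /etc/pf.conf on an OpenBSD box placed between the workshop switch and the
# house cable (needs net.inet.ip.forwarding=1 in /etc/sysctl.conf).
# Interface names, home_net and main_rtr are assumptions for this example.
ext_if   = "em0"              # faces the house LAN / main router
int_if   = "em1"              # faces the workshop switch
home_net = "192.168.1.0/24"   # assumed main-house LAN
shop_net = "10.50.100.0/24"   # isolated workshop range from the thread
main_rtr = "192.168.1.1"      # assumed main router (default gateway + DNS)
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0
# hide the workshop behind this box's house-side address
match out on $ext_if from $shop_net to any nat-to ($ext_if)

block log all
# workshop hosts may resolve names via the main router, and nothing else there
pass in quick on $int_if inet proto { tcp udp } from $shop_net to $main_rtr port 53
# every other packet towards a private range (the house LAN included) is dropped
block in quick log on $int_if from $shop_net to <rfc1918>
# short whitelist of outbound services towards the Internet
pass in on $int_if inet proto tcp  from $shop_net to any port { 80 443 }
pass in on $int_if inet proto udp  from $shop_net to any port 123
pass in on $int_if inet proto icmp from $shop_net to any icmp-type echoreq
# let the NATed traffic (and the firewall's own) leave towards the main router
pass out on $ext_if from ($ext_if) to any
```

Check it with `pfctl -nf /etc/pf.conf` before loading, and watch `tcpdump -n -e -ttt -i pflog0` from a customer's machine to confirm that anything aimed at the house LAN shows up as blocked.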
 
Thanks for your answers and thanks to rsarceno for the PMs.

I want to keep it simple and inexpensive.
I'm going to first get a pair of homeplugs (http://www.devolo.co.uk/consumer/82_dlan-500-avplus_starter-kit_product-presentation_1.html?l=en) to see if I can get 'a line' from the house to the workshop. Both are on the same electrical meter so hopefully I'll get a decent connection.

Then I was thinking of removing my existing router in the house and replacing it with one of the Billion 7800DX ones: http://www.billion.uk.com/product/w...G4G-LTE-ADSL2-Fibre-VPN-Broadband-Router.html

The Billion router is not that expensive and natively supports port based VLANs.

My thoughts are that I should be able to assign one port on that router from the others but still allow it Internet access.
Connect that port to the homeplug in the house and theoretically end up with an internet connection in the workshop that is separate from the 'main' network.
 