2 Separate Networks Using One Fibre Broadband Connection

Good evening folks,
I've tried searching the forums for a solution, but had no luck.
As the title suggests, I want to run 2 separate networks using 2 individual wireless routers but sharing a single fibre optic connection.

My ISP is TalkTalk and I currently have 2 Huawei HG533 routers (1 in use and 1 unused still in the box) and have also recently been sent the new Huawei HG635.

Now, although I'm not a total newbie to networking, I am a little out of my depth here.
What I am trying to achieve is 2 totally separate networks but I do have 1 pc that I would like to have access to on both networks (If that is possible)
The reason for the separate networks is that I want to keep mine and my partners devices on 1 dedicated network and the kids and any guest devices on another. I would also like to give internet priority to me and my partner, as the kids devices can sometimes slow our connection down.
The pc that I mentioned earlier that I would like access to both networks is essentially being used as a media storage and back up device which is accessed by all of us.

I understand that each router will have different SSIDs and IP addresses and be on different channels, but how do I go about achieving what I want? A while ago, somebody did mention that I could do this with 3 routers, 1 being used as a switch, and the other 2 connected via LAN ports to the 1st router, but I still wouldn't know where to start.
I hope I have been clear with my question and hope somebody can help, many thanks in advance.

You can get routers which support multiple VLANs, and/or guest networks.

Might be worth a look at that.

If you require physical separation things are going to get tricky, and expensive. As has already been pointed out however it is possible to get a single router that can manage two logically separate networks. Personally I would go with that option. I have a Draytek Router that has this feature, but I have not put it to use so cannot make reliable claims as to how well it works. But I have seen this done with netgear SoHo routers, and would imagine most routers of that broad category should manage to handle multiple logical networks.

One decent router with different wireless networks or vlans is the way to go. If doing on a shoestring one router to host connection then two hanging off it would work but a bit of a mess.

Thanks for the replies. I had already looked into the vlan option but the cost was somewhat prohibitive, especially considering that there isn't really a totally justifiable reason for me wanting to run dual networks. However if I find a low priced second hand router I may consider it.
If somebody could advise me on how I could set up using the routers that I have got, I would be very grateful,
cheers.

The existing routers you have may not be configurable enough to cope with a dynamic ip on the wan ethernet interface, suspect set up to expect an openreach modem rather than a simpler dhcp server

I'm no expert and I haven't done any of these things but here goes.

1. If you are willing to invest in a new router, you could purchase one with Guest Network Access such as one of the LinkSys Smart Wi-Fi routers or the TP-Link N600. You could then let your kids use the guest network and they should be totally isolated from the main network. This is probably the easiest solution. However, you should research the routers thoroughly to make sure there are no gotchas. For example, the N600 appears to only provide guest access on the 2.4GHz band (with the main network using the 5GHz band). This may not please your kids. You will also need to check that devices on the guest network are not isolated from each other.
2. If you are willing to flash alternative firmware onto your existing routers, you could look at DD-WRT. This allows you to cascade two wireless routers with network isolation. The big gotcha is that DD-WRT does not yet support the HG533 or HG635, although there appears to be an experimental version that supports the HG533. If you want to try this route, get the HG635 working before you mess with the 533s. If you fancy trying DD-WRT, you could get a couple of modem/routers that are supported. This may not be too expensive.
3. You could look at cascading your existing routers as they stand. This is possible but I don't know if this will provide the network isolation that you want. Probably not.

Hope this helps. You will need to trawl the Internet forums for further information since this is all that I can provide. However, other TBB users may have comments to make.

Edited by micksharpe (Thu 23-Oct-14 02:40:38)

This is completely doable. To meet the requirements that you have stated (allowing PC to reach both "networks"), you essentially need a VLAN capable switch, or VLAN capable switch + router combo. You do not need one that supports VLAN tagging (I was going to suggest this method as it is how I have done things, but requires a more advanced setup).

I also say "network" above because the VLAN solution would mean all devices sit on the same IP network (192.168.0.0/24 for example) but the VLAN configuration of the switch is then the method that blocks parts of that network from seeing other parts.

So assuming you already have the FTTC router (you have the modem by the sounds of it), simply purchase a small 4 or 5 port VLAN capable switch. Plug your router in on port 1. Configure the switch so port 1 can communicate with all other ports. Also configure it so that ports 2 and 3 CANNOT communicate with each other. Purchase 2 more dedicated wireless access points and configure them as two distinct networks running on different channels etc. Plug one into port 2 on the VLAN capable switch, the other into port 3 and that's it, you are done.

You now have 2 independent wireless networks that cannot see each other. But all devices can see the FTTC router and get online. Configure port 4 of your switch so it can see all other ports, and plug your PC into that one. You'll be able to see ALL devices on the network on this port. If you wish to stop your children's wireless network from seeing your PC, configure the VLAN switch so that port (2 or 3,in this example) can't communicte with port 4.

You get the idea. Hope this helps!

See my other post. Edimax do wireless access points (2.4Ghz) for £30 a pop. You would need two of them, plus a VLAN capable switch, which would be about £25 or something. So total cost around £85, which can work with your existing setup.

Here is an example VLAN-capable switch http://www.ebuyer.com/186682-netgear-prosafe-plus-gs...

If it wasn't for the ability to prioritise traffic then everything else you want would be relatively simple (assuming you want to protect your devices from the kids and not the other way around). But traffic prioritisation requires a different level of device.

Yup, that's the exact one I have. I don't currently use any of the VLAN features on it though as the setup I've gone with uses (VLAN tagging)* instead, but definitely a good option for the OP and will do exactly what is required.

* The VLAN tagging is a feature of the Edimax wireless access points I mentioned earlier - the exact models I have are these:

http://www.edimax.com/edimax/merchandise/merchandise...

I note that these are now an "End-of-Life Product" on the Edimax site, which is a shame, because I think they're very good units. There's probably a new version which has more features now (worth some investigation). In any case, each unit allows for up to 3 additional SSIDs to be configured with custom VLAN tag per SSID, meaning that it is possible to run 3 distinct wireless networks from just a single unit, with the traffic from each entering onto your Ethernet segment with a specific VLAN tag. In order to make use of this, you also have to have a broadband router that supports creating Ethernet interfaces with VLAN tags, but thankfully Linux does this out the box, so that's how I've done things. I have a guest network running on 192.168.10.0/24 with VLAN tag 10 and have configured my broadband router (Linux) with an eth0.10 interface which can then service traffic with VLAN tag 10, and acts as the default gateway allowing guest clients to reach the rest of the Internet, but locked down so they cannot route to any other local area (192.168.0.0/16) IP network. And because all their traffic is tagged, they can't see anything else on network segment, even though everything goes through the same switch. I was going to suggest this to the OP but it's quite advanced and probably way beyond what is required. Besides, this does not address the "PC seeing both networks" requirement, in which case a basic VLAN segmented network is the best option, as I've already described.

Overnight remembered that the Asus RT-N66U supports 3x2.4GHz and 3x5GHz guest networks that are isolated from Intranet and the Traffic Manager QoS system will do limiting for specific IP addresses and you can do IP address reservation via MAC.

Are you going to lock the routers and modems in a cupboard?

Otherwise they could just press the WPS button to join the other network? Or possibly plug a network cable in?!

Another option that hasn't been mentioned yet, a dedicated firewall router, such as Smoothwall.

You'll need an (oldish) PC that can take a minimum of 3 network cards to meet your current needs, you can add a 4th card later if required. A KB, mouse and monitor is only required for the initial setup, Intel Pentium or it's AMD equivalent with about 2GB of ram is more than enough.

You'll have 3 separate networks, one for you, one for the kids and the wan interface. The biggest advantage is customisation, it can do QoS out of the box, you can setup various controls for timed access for the kids and most important for me, filtering options for the kids PCs.

SW can do PPPOE so you only need the VDSL modem on the wan side, then wireless APs for the 2 networks. You can setup rules to control access from one network to the other.

Disadvantages: Steep learning curve and the dedicated PC will need to be on when internet access is required.

You can get RJ45 blockers and WPS button can usually be disabled in firmware

Hi folks, my apologies for not checking back in sooner, been pretty hectic here over the past month. Thanks to all of you for the great advice given, quite a lot to take in. The project remains on hold for the moment due to various commitments, but I think I might take the "old pc" option, mainly due to the fact that I have an old pc sitting doing nothing, and a box of old components including network cards. Does anybody have a preference over which software to use? I am leaning towards pfsense, which by all accounts should allow me to achieve what I am looking for, assuming that I can get my head around the various config settings.

Just a quick update on this.

I have finally got a system up and running.

I went for the "old pc" option with 3 network interfaces (1 for wan and 2 for separate lans, I installed pfsense and configured it so that the lan nics were independent of each other, and then configured the 2 wireless routers to run on different subnets and to transmit different SSIDs..........

........and it all works perfectly, I now have the 2 separate networks that I needed and as yet haven't had to apply traffic shaping, because at the moment there have been no problems, even the fibre speed seems to be more stable now, i'm getting higher speeds than I was prior to using this set up, and the speeds are more consistent throughout the day.

My advice to anybody wanting to achieve something like this, is, go for it! Admittedly, I was lucky, my set up has not cost me a penny due to having all of the required hardware to hand, and pfsense firewall/router is freeware, but I can't imagine that it would cost a huge amount even if you had to buy all the hardware. You only need a fairly basic old pc and second hand wireless routers are in abundance.