sharing internet connection but isolated lans

frost

Hi, I'm looking for advice on a budget way to share internet connection across 4 groups of PCs while isolating each group from the other.

This is for a local community centre where 3 groups use the same building. All the groups currently share a single internet connection and all PCs can see each other. I think this is asking for trouble, and they plan to add a computer room for students on the same connection as well, so isolating the 3 groups + computer room PCs is even more important.

My first thought was to daisy chain several routers, giving each a different DHCP range. Ie:
Internet connection -- Router A [LAN port] -- [WAN port] Router B [LAN port] -- [WAN port] Router C etc.

However googling on this seems to say that PCs hanging off Router B would be able to see PCs hanging off router A but not vice versa. Not ideal.

So for complete isolation, another suggestion I read was to use a budget device like a Zywall 2 plus.

I havent seen that model on Irish sites (Komplett Elara etc) and maybe it's a bit out of date (the thread's 4 years old) but if anyone can advise hardware available in Ireland and configuration approach I'd appreciate it. There's no budget or expertise for CISCO devices, just looking to improve what they have for minimum cost/effort.

Thanks
Mike

William Powell

Why "Daisy Chain"? Plug the Wan Port into the Lan ports of the first router, provided it has the fairly std 4 ports.

frost

William Powell wrote: »

Why "Daisy Chain"? Plug the Wan Port into the Lan ports of the first router, provided it has the fairly std 4 ports.

yes you're right, that term is confusing/inaccurate

Are you suggesting that setting up with WAN into LAN would give me full isolation? That was my original plan but I thought it wouldn't give us full isolation? Anyway here's what I was thinking:

Huawei B260a Wireless Gateway (3 network) - picks up Internet on broadcast wireless signal. Has a single ethernet port. I have to check but I think that port gets a local IP address rather than a true internet address. Assuming it does, then:

Connect Huawei Gateway to a network switch, which serves Community Group 1.

Connect one of the ports on the switch to Router A's WAN port.

Router A is configured to use DHCP range 192.168.2.x and serves Community Group 2

Connect one of router A's LAN ports to the Router B's WAN port

Router B is configured to use DHCP range 192.168.3.x and serves Community Group 3

Connect one of router B's LAN ports to Router C's WAN port

Router C is configured to use DHCP range 192.168.4.x and serves Community Group 4

So would this work and provide isolation? We already have 2 routers and the gateway so all it would require is a switch (I may even have one lying around).

William Powell

You just spoilt a good idea by mentioning mobile broadband

So you don't have a broadband connection to share out to start with.

frost

William Powell wrote: »

You just spoilt a good idea by mentioning mobile broadband

So you don't have a broadband connection to share out to start with.

yes i know, but they have no other option. They're in Wicklow Town, but for some reason DSL doesn't work in their location, so they've been stuck with wireless bb.

Incidentally, I brought their gateway back to my office (in Glenealy village) where I have DSL broadband from Eircom. Just for interest, I tried it out, and their gateway gives better performance than my Eircom DSL.

THREE gives 5 Meg download and 1.6 meg upload (did speedtest and downloaded a large file from an Irish server)

EIRCOM DSL gives 2.5 Meg download and 318 k upload (just did speedtest)

To be fair, I only pay Eircom for 3 Meg (I think) but AFAIK I can't get faster DSL in this area at the moment. So I was surprised at the results and would consider switching as my Eircom contract is up.

Anyway coming back to my original question, this community centre has been using a wireless broadband connection for a few years and they have no other option so my original question still stands! ;-)

William Powell

What you suggest above should work given enough bandwidth, but I can't really see why you are trying to isolate the users on indiviual lans, being on a netork with other users is just part of having using a shared network and one reason for even Windows having its own built in firewall thats on by default. Your average Community Center user isn't going to come in and start hacking but even if they do once they spot they are on a mobile broadband connected connection they'll soon be off.

If you have an old PC and a couple of spare network cards (plus a good bit of free time ) you could even try something like ClearOS