Network for a building with different businesses, VLANs?

Hi all, I need some network advice.
I work in a building with a lot of different businesses that all need an internet connection.
There is an internet connection coming in from the ISP; right now everyone is kinda on that wifi in one big network, but it’s very bad.
So I want to redo it somewhat better and separate it a bit.

Ideally running wired Ethernet to all rooms, and from there everyone can connect their own router or switch. So I am looking for a way to divide the incoming internet into different individual LANs that don’t interact with each other: each business gets its own network, I’ll just provide the internet.

I’ve looked into VLANs, but I can’t seem to get internet to all of those. The other option is subnets, but then they can access other people’s networks, right?
What would you recommend? I have access to a managed switch and some old routers, but there is no budget. Thanks!

What routers do you have there?

Doing this properly is somewhat complex. It is not just a matter of configuring vlans and then you’re done.

Without a firewall, this is the case for both traditional subnetting and vlans. Vlans allow you to accommodate multiple subnets on a single switch whereas traditionally, you would need to physically separate subnets on different switches.

Likely a NAT or gateway issue.

Just run a bunch of VLANs on a VLAN-capable gigabit switch with the parent interface mapped to the original LAN. If you have automatic/hybrid NAT rules you won’t need to worry about setting up NAT.

Then find a bunch of low-cost routers that are OpenWrt-compatible and turn them into wireless APs and repeaters accordingly.

With my suggestion you could get good wireless connection in all businesses with proper data prioritization.

Be sure to map each wifi interface to the specific vlan ID you want it to go to

For security you can go to the extent of creating firewall rules denying each vlan access to the other, sandboxing each business in their own network

There is the default ISP-provided router, and then I have an old Cisco 888 and a lightningedge 310 router lying around myself.
In other old gear I also have an HP 2620-24 switch and a SonicWall hardware firewall.

VLANs just divide a switch into multiple virtual switches, right? So how could you connect internet to all of those without also connecting them together?

Don’t worry about wifi, I’d like to get it wired to all the rooms, and then they can put their own switch/router/AP down if they like.

I do have a gigabit switch, so I’d like to make each port correspond to each room, so a VLAN for each port I guess. But then feed internet to all of those.
Would it be very hard to separate those in the firewall? I do have a SonicWall if that helps.
But I am just getting started with network stuff on this scale so I am still very much a noob.
A house I can handle but a building is new but I’d really like to try and learn from this

Yes

You either need a dedicated port for each VLAN or be able to configure VLANs on the router as well. Then you need to configure a subnet for each VLAN with its own default gateway address. Then you need to configure the firewall so that the subnets can’t communicate with each other, block incoming traffic and enforce states. Finally, you need to configure NAT to masquerade over the default gateway.

It’s very likely that some/all of that won’t be possible on the ISP router. I’m not familiar with the other routers, but I imagine the Cisco can do it. If it’s really old though, it might be a security risk (is it still receiving security updates?).


I guess you could use multiple vlans within a single subnet and then block things by interface on the router, but based on my experience, best practice is always 1:1 vlan to subnet (not including more complex scenarios with pvlans).

Apologies for length, this post grew and grew…

OK a few things you need to get straight in your head first (apologies if this is stuff you know, but we need to make sure):

  • VLAN: a virtual network segment on a switch. Only ports in the same VLAN can “see” each other without having to go through a router (exception: trunk ports, which are used to transport multiple VLANs from one switch to another switch, a router, or some other device which has multiple IP addresses on a single port)
  • Subnet: an IP range that is used to define a network. Ideally you want one (different) subnet per VLAN so that machines in different VLANs can use routing to get to another VLAN if required.
  • so, given that - VLANs (or physically and/or logically separated network segments) drive what, and how many subnets we have. Unless we do silly stuff (see below for why) like multiple subnets on one segment…

The two are similar but subtly different:

  • if you have machines in different VLANs they are separated from each other at layer 2 (below “IP” - so no matter what IP addresses people give their machines they won’t get outside of their own subnet - without going through a router where access controls may apply)
  • machines in different VLANs are not exposed to broadcast traffic from machines in other VLANs.

Without VLANs you are less secure:

  • if you have machines in different subnets on the same VLAN, there is nothing to prevent someone with the access or ability from changing their IP address to access machines on the other subnet, or seeing/sniffing/being slowed down by the ethernet broadcast traffic on the other VLAN. If both machines share the same router, then unless you block it, they will even just happily route to each other.
  • Also, unless turned off in your router, your router may even tell machines not to even bother using the router via an ICMP re-direct message (which essentially adds a host-route to the client machine directly to the other machine in its local routing table), which gives you non-deterministic traffic path (sometimes it will hit the router if it hasn’t already been told to re-direct, most of the time it won’t), and obviously isn’t secure. e.g., if a machine is permitted to do HTTP to a machine on the other subnet and gets an ICMP redirect, it won’t even bother to go to the router for a following ssh connection for example due to the local host route it now has from the initial ICMP redirect… so if you have a rule on the router blocking SSH to the machine that HTTP was permitted to, it doesn’t mean squat any more…

So what you need to do to properly split the different guys off to share an internet connection, is use both, which means you need to:

  • have network switches that can do VLANs
  • have a network router/firewall that is VLAN aware
  • select different VLAN numbers for each group you want to segregate
  • select different network subnets for each VLAN
  • set up a DHCP scope for each VLAN
  • Setup “helper addresses” on each VLAN on your switch to point to your DHCP server if necessary
  • place your router’s LAN interface on a TRUNK port on your switch so it can “see” all the VLANs
  • configure an IP address on a sub-interface on your router for each VLAN that needs to route
  • configure traffic rules for each sub-interface on your router’s LAN port to enable each VLAN to be NATed on its way out to the internet and to permit or deny access to various services or other VLANs as appropriate

This may seem like a lot of work, and it is, if you have an existing environment to keep running. I’d mock it up in a test environment first if you haven’t done it before! I’d also make sure you have a full backup of your current network configuration(s) and documentation for how things are before you start - so you can roll back if you can’t get it over the line.

What i always suggest is to draw a logical network diagram first, then add VLAN numbers and subnets to each logical segment to aid with planning.

Typically for subnets, I’d suggest using a 10.0.0.0/8 based network scheme; mine works for multiple sites. Addresses are in the form of:

IP: 10.sitenumber.vlanNumber.hostid
subnet mask: 255.255.255.0 (a /24)

so

  • VLAN 1, site 1 will be 10.1.1.0/24
  • VLAN 2 site 2 will be 10.2.2.0/24
  • VLAN 2 site 1 will be 10.1.2.0/24

etc.

What will get a bit tricky is that most consumer-ish routers won’t do automatic NAT rule setup for you beyond a simple 1 WAN, 1 LAN interface scenario, so you may need to do some reading on NAT, or copy and modify the auto-generated rules from the first LAN interface it/you set up.

Have fun :smiley:
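The checklist above (one 802.1Q sub-interface per VLAN on a trunk, one subnet and DHCP scope per VLAN, stateful default-deny between tenants, masquerade on the way out) as an added, runnable example. This is not code from the thread; it assumes a Linux box in the router/firewall role with iproute2, nftables and dnsmasq, a WAN port `eth0`, a trunk port `eth1` toward the switch, site number 1 and tenant VLANs 10, 20 and 30 (all of these are assumed names and can be overridden through the environment). Without `APPLY=1` it only prints what it would configure; the `/etc/dnsmasq.d/tenants.conf` path and the `systemctl restart dnsmasq` step are assumptions about the host.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the per-VLAN router config from
# the checklist above using the 10.<site>.<vlan>.0/24 scheme.
# Assumed: WAN=eth0, TRUNK=eth1 (tagged trunk to the switch), SITE=1,
# tenant VLANs "10 20 30". Prints the config unless APPLY=1 (run as root).
set -eu

WAN=${WAN:-eth0}
TRUNK=${TRUNK:-eth1}
SITE=${SITE:-1}
VLANS=${VLANS:-"10 20 30"}

# The scheme only fits VLAN IDs 1..255, since the VLAN number has to land in
# the third octet; that is why high IDs are kept for non-tenant purposes.
vlan_subnet() {
    [ "$2" -ge 1 ] && [ "$2" -le 255 ] || return 1
    printf '10.%d.%d.0/24\n' "$1" "$2"
}
vlan_gateway() {
    [ "$2" -ge 1 ] && [ "$2" -le 255 ] || return 1
    printf '10.%d.%d.1\n' "$1" "$2"
}

# Routing must be on; ICMP redirects off so clients never learn host routes
# that bypass the firewall rules on the router.
sysctl_cmds() {
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf 'sysctl -w net.ipv4.conf.all.send_redirects=0\n'
}

# One 802.1Q sub-interface on the trunk per VLAN, gateway address on each.
iface_cmds() {
    gw=$(vlan_gateway "$SITE" "$1") || return 1
    printf 'ip link add link %s name %s.%s type vlan id %s\n' "$TRUNK" "$TRUNK" "$1" "$1"
    printf 'ip addr add %s/24 dev %s.%s\n' "$gw" "$TRUNK" "$1"
    printf 'ip link set %s.%s up\n' "$TRUNK" "$1"
}

# One DHCP scope per VLAN (dnsmasq syntax), bound to its sub-interface so a
# host in one VLAN can never get a lease from another tenant's scope.
dnsmasq_conf() {
    printf 'bind-interfaces\n'
    for v in "$@"; do
        sub=$(vlan_subnet "$SITE" "$v") || return 1
        net=${sub%.0/24}
        printf 'interface=%s.%s\n' "$TRUNK" "$v"
        printf 'dhcp-range=interface:%s.%s,%s.100,%s.200,12h\n' "$TRUNK" "$v" "$net" "$net"
    done
}

# Stateful default-deny ruleset: tenants reach the WAN (masqueraded), never
# each other, and the router itself only answers DHCP, DNS and ping.
nft_ruleset() {
    elems=""
    for v in "$@"; do
        elems="${elems:+$elems, }\"$TRUNK.$v\""
    done
    cat <<EOF
flush ruleset
table inet tenants {
    set tenant_ifs { type ifname; elements = { $elems } }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        iifname @tenant_ifs udp dport { 53, 67 } accept
        iifname @tenant_ifs tcp dport 53 accept
        iifname @tenant_ifs icmp type echo-request accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname @tenant_ifs oifname @tenant_ifs counter drop
        iifname @tenant_ifs oifname "$WAN" accept
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr 10.$SITE.0.0/16 oifname "$WAN" masquerade
    }
}
EOF
}

main() {
    if [ "${APPLY:-0}" = 1 ]; then
        { sysctl_cmds; for v in $VLANS; do iface_cmds "$v"; done; } | sh -e
        dnsmasq_conf $VLANS > /etc/dnsmasq.d/tenants.conf && systemctl restart dnsmasq
        nft_ruleset $VLANS | nft -f -
    else
        sysctl_cmds; for v in $VLANS; do iface_cmds "$v"; done
        echo "# --- /etc/dnsmasq.d/tenants.conf ---"; dnsmasq_conf $VLANS
        echo "# --- nftables ruleset ---"; nft_ruleset $VLANS
    fi
}
main
```

On the switch side the port facing `eth1` must carry VLANs 10, 20 and 30 tagged, and each room's port is untagged in exactly one of them. The explicit tenant-to-tenant `drop` in the forward chain is redundant under the drop policy, but its counter makes cross-tenant attempts visible and the intent survives later rule edits. A tenant that plugs in its own router gets one address from its scope and NATs behind it, which is exactly what the original question asks for.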

There is one thing not being said that I do not know if you know or not. If you are using Cisco switches to test VLANs, all VLANs other than the default VLAN 1 are administratively down (unable to communicate).

Wonderful explanation.

This is easier with pfsense by the way. The steps are reduced by half, much of this is automated :wink:

PAT, using Port Address Translation to specific ports segmented into VLAN’s?

Yeah i use pfsense. you still need to be aware of what it’s doing somewhat with the NAT setup, but yeah it does help make it easier.

Thank you so much for the detailed explanation! Some stuff I already knew, but it’s best to include it all to be sure!
I might still have some follow-up questions, but that’s enough info for now to get started and to experiment!
I could also use a pfSense box if that turns out to be the best solution.

There isn’t really any existing working infrastructure, so there is not much to lose. I just find it interesting to see if I can make it work better, and if I can, I learn a lot and everyone in the building is happy :smiley:


In that case, take your time, and plan ahead - definitely adopt the subnet scheme I suggested above… even if you’re currently only one site - that may change.

:slight_smile:

I’m currently re-working this sort of stuff into a 25 year old, 40-50 site WAN and wish it had been planned with multiple sites and vlans in mind :smiley:

Also… I’d start a VLAN spreadsheet now and apply it to every site.

e.g. (just random vlan purposes vs. numbers for demo purpose)

  • VLAN 1 = untrusted (I suggest using VLAN 1 or the default VLAN as untrusted so that unconfigured switches aren’t automatically on some other important network)
  • VLAN 2 = server out of band management cards
  • VLAN 3 = company A servers
  • VLAN 4 = wired end users company A
  • VLAN 5 = wireless end users company A
  • VLAN 998 = ISP XXX router (high numbers above 255 for purposes other than internal networks on your own 10.x.y.z scheme)
  • VLAN 999 = span session monitoring

etc.

It’s OK if you don’t know all your uses today or don’t use all of your planned uses today, but record what you DO use and reserve those numbers for the same use on future sites. Resist the urge to re-use a number somewhere else for something different.

It will save your sanity, especially if you ever need to put a link between two of your sites in future :smiley:

It’s also worth mentioning, if you go with pfSense and repurpose an old Windows Vista PC, you can install at least up to 2 gigabit Ethernet NICs in the spare PCIe slots (sometimes there are 3 spare slots, or a mini-PCIe slot that can also be used for a gigabit NIC).

You can create an interface for each gigabit NIC in pfSense, and map a VLAN to each one with its parent interface set to the original LAN interface. This will set each VLAN to mirror the original network and its firewall rules, but keep it separate under its own network.

If you only need 2-3 VLANs, this would probably be the cheapest solution.

If you need more VLANs, it’s just as easy finding a $20 OpenWrt-capable consumer router on Amazon or eBay, flashing the latest OpenWrt build on it and using the Ethernet ports as a switch. The wifi adapter on the router can then also act as its own virtual switch next to the physical Ethernet ports, allowing you to create a wifi network for each VLAN with little effort.

From my experience you may still want at least one wifi repeater in each business (which OpenWrt makes extremely easy) unless you’re using a business-class wireless router. It reduces stress on the network and allows you to do even more fine-grained network prioritization, which fits with your VLAN setup quite well.

You can also turn multiple NICs into one Ethernet switch using pfSense (essentially making your own Ethernet switch) by mapping multiple NICs together in a bridge, going to pfSense advanced settings and disabling packet filtering on the member interfaces, then enabling packet filtering on the bridge interface. As long as the original LAN is part of this bridge, you won’t get locked out of pfSense, and you’ll have a pfSense box with a built-in switch.

Ideally this is true, although you could use one physical interface on the router per VLAN and then untag them to the corresponding VLANs on the switch. The router doesn’t necessarily need to know about the VLANs if you trick it into thinking it’s plugged into different switches.

Best practice, of course, is that VLANs are consistent across all devices, but if that turns out to be the one blocking issue on the ISP router, then it can be worked around.


Yeah, true.

But that doesn’t scale much beyond 10 networks :slight_smile:

If you’ve got multiple companies, I’d suggest a sane starting point is at least 3-4 VLANs per company on your LAN:

  • wired users
  • wireless users
  • servers / printers
  • OOB management

Reason for that? You can put different network policies into your firewall based on subnet for those different types of operation, to cover off large groups of similar machines. Wired/wireless is IMHO a different risk profile, so being able to cut off the wireless pretty easily and quickly if you have to is a good thing.

A couple of companies with those 4 networks and you’re out of ports pretty quick.


OP has one 24-port switch, so I figured not too many VLANs. In fact, if that Berger’s has a port isolation feature, that might be a simpler solution. Idk what that HP can do though.