AllMostTreadingWater • New Poster • 10 Messages

Wednesday, June 22nd, 2022 1:00 AM

Closed

Network Isolation - VLAN, Guest Network, Dual Routers

Presently utilizing a rented Arris TG1682G Router/Modem with Voice.  I need to be able to add Network Isolation (Segmentation) in my home network so that my WiFi enabled devices are separated from my main home network devices.  The best solution would be to set up a Virtual Local Area Network (VLAN) but that is not an option with my present Arris model.  Another approach that some Router/Modem combos offer is an option to turn on a Guest Network.  However, that isn’t an option on the rented unit either.  I understand another approach would be to use two routers, where you connect the WAN/Internet port of the inner router to a LAN port of the outer router.  Unfortunately, again the Arris modem doesn’t have a WAN/Internet port.  What options do I have?

  • Is there Comcast Business Router/Modem combo that offers the ability to setup VLANs that could be utilized on a Consumer Account?
  • Is there another Router/Modem combo that offers a Guest Network instead of the Wifi Hotspot?
  • If I purchased the Xfinity recommended SVG2482AC modem would that offer a Guest Network instead of the Wifi Hotspot?
  • If I went the two router approach, is there a router/modem combo that has the WAN/Internet port that you would recommend?
  • Any other suggestions would be most helpful

Contributor • 200 Messages • 2 years ago

I just did something like this over the last couple months.  Your typical home router won't do VLANs, but it's a normal feature on business class equipment -- including the small business/prosumer stuff.  There are a lot of small business/prosumer options that aren't too expensive at all, especially if you don't mind limiting speed to 1Gbps.

The guest network approach has one messy problem.  If it's done right it's Internet only and blocks all the devices on the guest network from talking to each other.  Now you can't use the setup app on a phone to configure your new gizmo.  Most consumer WiFi routers and combo cable modem WiFi routers support a guest network.

Using 2 consumer routers results in a double NAT situation which can be kind of annoying but generally does work.  It'll probably also break IPv6 behind the second one.  With this sort of setup one of your segments is going to be able to connect to anything on the other one.  If you're trying to protect your main network devices from the WiFi stuff they'll have to be behind the second router, so double NAT and IPv6 doesn't work.  IPv6 breaks because NAT isn't normally used with IPv6 and consumer routers normally don't know how to hint for more than a /64 prefix in a DHCPv6 request or assign prefixes to downstream routers.

If you think you have the technical chops for it I'd look into a cable modem + wired router + WiFi access point(s) and maybe some managed switches.  Depending on exactly what you want you can often just segment the network by assigning different LAN ports on the router to different subnets and using the firewall to control what passes between them, so you might not need to use VLANs at all.  If you do set up VLANs commercial access points will typically let you extend them onto the wireless network.  They usually allow multiple SSIDs and can map them to different VLANs.  I have 4 SSIDs running.  Computers & printers, phones & other gizmos, guest, and one just for my very naughty weather station that lets anyone on its subnet update its firmware with a phone app without a password.

As far as what to use goes... I'm not sure what to recommend.  You'll likely get better advice asking on a more tech-oriented forum.

I'm running a mix of MikroTik, TP-Link and Netgear equipment.  I have 1200/35 service feeding into a Netgear CM2050V modem.  The modem connects to a MikroTik RB5009UG+S+IN router over 2.5Gb ethernet.  The RB5009 connects to a MikroTik CRS326-24S+2Q+RM 10Gb switch over both 10Gb and 1Gb fiber, and everything else plugs into the CRS326 somehow.  I have a couple of 1Gb dumb switches, a 1Gb Netgear PoE switch feeding my TP-Link EAP610 access points, a few 10Gb hosts, laptop with a 2.5Gb USB ethernet adapter, etc.  The reason for the double connection between the switch and router is a pesky bug in the RB5009 router.  It totally clobbers internet speed down to about 250Mb for <=1Gb devices connected over the 10Gb SFP+ port if you have >1Gb Internet, so I had to use 2 cables and do some silly things with VLANs to let the 2.5Gb and faster devices get full speed.  The 1Gb stuff is still limited to ~850Mb.

If I were building a 1Gb network I'd likely just use all TP-Link Omada SDN stuff except for the modem and unmanaged switches.  $60 for a wired gigabit router, $100 for a controller, a couple access points (EAP610s for $100 each), and (optionally) some sort of PoE switch to power the APs over the ethernet cables.  The controller is optional but nice to have if you use more than one access point since you need it for fast roaming.  There's also a free software controller (but that means leaving a computer on all the time) and a cloud controller.  I only have the APs, but this stuff is easier to manage than RouterOS with everything being controlled by a slick web GUI.  I'm using the software controller since I have a Linux server I leave on all the time.

Netgear has a good reputation but they're not in the business/prosumer wired router space AFAIK.  The Netgear Orbi Pro mesh system supports VLANs over wired connections and multiple SSIDs over WiFi.  It's basically a prosumer setup.  It might be your best bet if you just want to segment your network without adding too much setup complexity.  The catch is it uses some sort of cloud thing for setup and management.  That also makes me want to run away.

Ubiquiti gear is pretty popular in the prosumer space.  It'll also do VLANs, etc.  I haven't used any of their stuff, but it's slick, not too expensive, and unfortunately tangled up with the cloud which again makes me want to run away.

The MikroTik stuff is feature rich for its price, but it's also complicated, quirky and sometimes buggy.  I'm a software engineer who writes network applications for a living, and this stuff kept me up late a few times getting it set up.  I really wouldn't recommend it unless you understand routing, firewall rules, DHCP, IPv6 (manual setup on this one), etc. and how to use WireShark.  The up side is you get a near enterprise level of control even on cheap devices.  Like they'll sell you a WiFi router with VLAN support, 2.4GHz WiFi 4/802.11b/g/n, four 10/100 ethernet ports and all the complexity of MikroTik RouterOS for $25.  I bought the RB5009 since at $220 it was easily the cheapest router I could find that had a 2.5Gb RJ45 and a 10Gb SFP+ port.  If you're brave enough to go this route or just happen to be a network engineer one quirk you should know about is that there's a firewall accept rule on the IPv6 input chain that only accepts DHCPv6 replies from a link local address.  Comcast sends them from a routable address in some service areas, so you may need to fix that rule and probably ought to fix it even if you don't need to since I've seen reports of Comcast switching from link local to routable.

That's just the stuff I've played with, plus Ubiquiti since so many people seem to like it.  There's lots of other stuff out there and I ignored a lot of good equipment when I was looking because it didn't have the right port setup or it cost a lot more than the MikroTik I bought.
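The DHCPv6 input-chain quirk described in the post above, modelled as an added example (this is not code from the thread and not RouterOS syntax). It contrasts the "link-local only" accept rule with a narrower adjustment: instead of accepting UDP/546 from any global address, accept it only on the WAN interface and only from the one routable server address actually seen in the DHCPv6 client log. The interface names ether1 and bridge, the server address 2001:db8:1::53 and all sample packets are constructed placeholders.

```python
# Added example, not code from the thread or from MikroTik: a model of the
# IPv6 input-chain accept rule for DHCPv6 replies, and a pinned alternative.
# Interface names, the server address and the sample packets are constructed.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Inbound:
    iface: str          # interface the packet arrived on
    src: str            # IPv6 source address
    dport: int          # destination port (546 = DHCPv6 client)
    proto: str = "udp"


def is_dhcpv6_reply(p: Inbound) -> bool:
    """Both rules below start from the same match: UDP to the client port."""
    return p.proto == "udp" and p.dport == 546


def accept_link_local_only(p: Inbound) -> bool:
    """The default rule as described: replies accepted only from fe80::/10."""
    return is_dhcpv6_reply(p) and ipaddress.ip_address(p.src).is_link_local


# Hypothetical WAN interface and the server address observed in the DHCPv6
# client log (placeholder from the 2001:db8::/32 documentation range).
WAN_IFACE = "ether1"
OBSERVED_SERVER = ipaddress.ip_address("2001:db8:1::53")


def accept_pinned_source(p: Inbound) -> bool:
    """Adjusted rule: same port, but only on the WAN interface, and the source
    must be link-local or the one routable server address that was observed,
    rather than any global address."""
    src = ipaddress.ip_address(p.src)
    return (is_dhcpv6_reply(p) and p.iface == WAN_IFACE
            and (src.is_link_local or src == OBSERVED_SERVER))


# Constructed samples covering the reply types and two things that must not match.
SAMPLES = {
    "link_local_reply": Inbound(WAN_IFACE, "fe80::1", 546),
    "routable_reply":   Inbound(WAN_IFACE, "2001:db8:1::53", 546),
    "other_routable":   Inbound(WAN_IFACE, "2001:db8:9::7", 546),
    "ssh_probe":        Inbound(WAN_IFACE, "2001:db8:1::53", 22, "tcp"),
    "lan_side":         Inbound("bridge", "2001:db8:1::53", 546),
}


def evaluate(rule) -> dict:
    """Apply one rule to every sample; True means the packet is accepted."""
    return {name: rule(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for rule in (accept_link_local_only, accept_pinned_source):
        print(rule.__name__, evaluate(rule))
```

Running it shows the default rule dropping the routable reply (which is the symptom described), while the pinned rule accepts both reply forms and still rejects a different routable source, a non-DHCPv6 probe, and a packet arriving on the LAN bridge.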

Problem Solver • 1.5K Messages • 2 years ago

Another possible way: if you've got a box with at least 3 network interfaces, you can do that by turning a dedicated box into a firewall.  The Telephony makes it a bit more goofy, so I don't think you can just set it to bridge mode and have voice still work.  If there's a DMZ option in the firmware, you could try setting that.  Xfinity stuff has really bad documentation so I don't know if that's an option on your device.

Internet <--> Voice TG1682G direct
                 |
                 <--> Data DMZ <---> Firewall WAN Interface <--> Subnet/VLAN 1
                                                            <--> Subnet/VLAN 2 (multiple configurations possible)
                                                            <--> .....Additional Interfaces for more Subnets.....

Firewall can be anything.  Ubuntu box.  pfSense/OPNsense makes it easy.  Firewall Appliance you buy.  Your internal subnets can be isolated, or you can create rules for routing traffic between them, but that kind of defeats the purpose.  Then you just need a cheap unmanaged switch for each of your Subnet/VLANs and you put whatever you want on them.  WiFi Access points or not.  Your call.  They're isolated.

Is it a 'double nat'?  Yeah, pretty much.  Traffic that doesn't match VoIP hits firewall interface.  Should work fine.

Contributor • 200 Messages • 2 years ago

I have voice service and I doubt it'll be any trouble.  I haven't tried it on a rented modem but I used an Arris SVG2482AC cable WiFi router in bridge mode for a while and voice worked fine.  I've since switched to a voice-enabled cable modem.  I don't know exactly how they do it, but I'm betting the VoIP part has a separate IP address.  For those of you who haven't used Comcast residential voice service or checked the specs, it's only VoIP to the modem or cable router.  The phone jacks on the router or modem are plain old RJ11 analog jacks.

DIY is always an option for a router, though I have a hard time suggesting using a dedicated PC for one unless you have a fast connection.  If you've got an always on Linux server machine you could pile another task on that's a different story.  But I have no idea what AllMostTreadingWater has so ????

Problem Solver • 1.5K Messages

@zandor60657 pfSense/OPNsense is a BSD distribution with a kernel optimized to be a firewall/router.  Graphical/Web internal interface, sort of kiosk mode but with ssh if you want to change anything manually.  Doesn't take much horsepower to run it.  Very small 40G SSD (mlc/slc, not flash) for a hard drive works, doesn't need much space.

The connection is Ethernet port from the modem/gateway, so your speed is just what you have for a speed tier.  Latency add is <1ms.  You could do it with two network interfaces, then assign up to 8 vlans to the internal interface and there is 'priority tagging', but it's cleaner with firewall rules if you just use multiple interfaces and independent subnets. 

As for bridge mode with telephony, I've never used one.  You can always set bridge mode, then instead of using a DMZ, firewall WAN gets the external IP address and it's not a 'double nat'.  See if the phone still works. I don't know how the connection works for it on Xfinity gateways.


New Poster • 10 Messages • 2 years ago

Thank you zandor60657 and flatlander3 for your prompt responses!  I have a couple pressing items to finish up during the week and will be back with some responses/questions shortly.

Contributor • 200 Messages • 2 years ago

Fair enough.  I'll be around, though not necessarily right when you're ready to talk.  Standard forum rules... we'll be here when we feel like it.  I hope you can get your problem sorted out with or without me and flatlander3.

New Poster • 10 Messages • 2 years ago

Presently have a very simple setup.  The Xfinity Arris TG1682G router/modem combo provides two RJ11 phone ports, four LAN ports and dual band (2.4 GHz/5.0 GHz) WiFi.  The Arris SVG2482 is identical.  It's just the commercial compatible device.

RJ11 Port → Phone service

LAN Port 1 → Ethernet cable to PC1 running Win10.  PC1 has a shared printer for the network

LAN Port 2 → Ethernet cable to PC2 running Win10

LAN Port 3 → Ethernet cable to TV for ChromeCast

Wireless supports: Laptops, Smart Phones, Tablets, etc.

For network printer to be accessible for other network devices File and Printer sharing needs to be activated which in turn allows all devices on the network to be visible to each other.  My desire is to isolate some WiFi Enabled devices such as: Generac Wifi Module, non-family guests, and other TBD future WiFi enabled devices from the main network. 

My experience in this arena is zero.  DMZ appears under the Advanced control setup on my TG1682; however, Xfinity has it locked down and instructs you to go to xfinity.com/myxfi, which doesn’t allow a change that I could see.  I checked the SVG2482 model instructions and while it appears you could set up a DMZ host, it cautioned: "The designated DMZ Host device is not protected by the SVG2482AC firewall.  It is exposed to the Internet and thus vulnerable to attacks or hacking from any computer on the Internet."

I went through the options, researched a lot of the terms and appreciate your responses, but to be honest I think it's beyond what I want to tackle.  I was hoping for a fairly easy solution but it appears that is not the case.

While a network printer is convenient, I can easily get along without it.  If I disable file and print sharing in Win 10 does that help to minimize security risks from WiFi enabled devices? 

Contributor • 200 Messages • 2 years ago

Are you trying to cut all WiFi devices off from your PCs or just some of them?  If you just want to block off a few of them the guest network feature typically available on WiFi routers, combo modem/router units, mesh kits, etc. would do.  If you want no WiFi at all on the network with the PCs you'll need something a little more advanced.  Typical consumer equipment doesn't support turning WiFi off for the main network unless you turn WiFi off entirely.

I think you might want to take a look at the Netgear Orbi Pro 6 line if you want to totally block off a network from WiFi and want something simple.  I had a look at the user manual and IMHO they've done a pretty nice job of simplifying VLANs down to just what you need for a home or small business setup.  They have 3 different speed tiers of the Pro 6 (more speed = more $), plus older WiFi 5 models.  Depending on what speed you want and how many satellites you want Orbi Pro 6 packages range in price from $99 (just an AX1800 WiFi router) to $1350 (AX6000 router with 3 mesh satellites).

Product list:  https://www.netgear.com/business/wifi/mesh/

AX1800 manual:  https://www.downloads.netgear.com/files/GDC/SXK30/SXK30_UM_EN.pdf

AX 5400 manual:  https://www.downloads.netgear.com/files/GDC/SXK50/SXK50_UM_EN.pdf

AX 6000 manual:  https://www.downloads.netgear.com/files/GDC/SXK80/Orbi_Pro_WiFi_6_UM_EN.pdf

One spot where I think they simplified a little too much is with VLAN isolation.  It looks like it's either on or off, and I would have liked an option to just block incoming connections from other VLANs.  Instead it just blocks all traffic between VLANs.

I wouldn't mess with the DMZ feature unless you're running an Internet server.  That basically puts anything in the DMZ on the Internet without filtering.  I'd much rather have my machines exposed to a password protected WiFi network than the Internet.

I wouldn't buy an SVG2482AC unless it's used and cheap.  I have one I bought in 2017 but I've since upgraded to a DOCSIS 3.1 model that supports the 1200/35 plan.  The problem with that model is it has a buggy Intel Puma chipset that causes poor performance in some situations.  I didn't have any trouble but that doesn't mean you won't.  On stuff like this bugs that get through QA testing tend to not show up all the time.  Usually there is some sort of condition that triggers them.  Intel has admitted the issue exists and it's widely reported.
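The multi-interface firewall layout flatlander3 sketched earlier in the thread, and the point above that VLAN isolation on the Orbi is either fully on or fully off, as one added example (not code from the thread or from any product mentioned in it). It models a stateful forward filter with two policies: Internet-only for every segment, and a one-way variant where the trusted PC segment may open connections into the untrusted segments (the "setup app" case) while those segments still cannot reach the PCs. It also renders the same policy as an nftables forward chain. The three segments, their subnets, the interface names lan/iot/guest/wan and the sample packets are all constructed assumptions.

```python
# Added example, not code from the thread: a model of the inter-segment policy
# a multi-interface firewall enforces, plus the equivalent nftables ruleset.
# Interface names, subnets and sample packets are constructed for illustration.
import ipaddress
from dataclasses import dataclass

# Hypothetical segments, one per firewall interface (constructed values).
SEGMENTS = {
    "lan":   ipaddress.ip_network("192.168.10.0/24"),  # PCs and the shared printer
    "iot":   ipaddress.ip_network("192.168.20.0/24"),  # generator module and similar
    "guest": ipaddress.ip_network("192.168.30.0/24"),  # visitors
}


def segment_of(ip: str) -> str:
    """Name the segment an address belongs to; anything else is the WAN side."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "wan"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True only for the first packet of a TCP connection


# Which segment may *initiate* a connection into which.
# Internet-only for every segment: the all-or-nothing isolation.
ISOLATE_ALL = {("lan", "wan"), ("iot", "wan"), ("guest", "wan")}
# One-way: trusted PCs may reach into iot/guest (setup apps, a device's web
# page), but those segments still cannot open anything towards the PCs.
ONE_WAY = ISOLATE_ALL | {("lan", "iot"), ("lan", "guest")}


class Firewall:
    """Minimal stateful forward filter: replies ride on connection state,
    new connections are checked against the allowed initiating pairs."""

    def __init__(self, initiations):
        self.initiations = set(initiations)
        self.conntrack = set()  # (src, sport, dst, dport) of accepted flows

    def handle(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.conntrack or rev in self.conntrack:
            return "accept"  # established flow, in either direction
        if not p.syn:
            return "drop"    # mid-stream packet with no state: invalid
        if (segment_of(p.src), segment_of(p.dst)) in self.initiations:
            self.conntrack.add(fwd)
            return "accept"
        return "drop"


def render_nftables(initiations) -> str:
    """Emit the equivalent nftables forward chain; interface names double
    as segment names and the chain's default policy is drop."""
    lines = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for src, dst in sorted(initiations):
        lines.append(f'    iifname "{src}" oifname "{dst}" accept')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    fw = Firewall(ONE_WAY)
    # iot device trying SMB towards a PC: dropped.  PC opening the device's
    # web page: accepted, and the device's reply then passes on state.
    print(fw.handle(Packet("192.168.20.5", 40000, "192.168.10.2", 445, syn=True)))
    print(fw.handle(Packet("192.168.10.2", 50000, "192.168.20.5", 80, syn=True)))
    print(fw.handle(Packet("192.168.20.5", 80, "192.168.10.2", 50000)))
    print(render_nftables(ONE_WAY))
```

The model deliberately has no state timeouts and tracks only TCP-style flows; on a real box the `ct state` rules carry that work. It also says nothing about devices on the same unmanaged switch or SSID seeing each other, which is the separate client-isolation control the guest-network discussion earlier in the thread covers.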

New Poster • 10 Messages • 2 years ago

Only some of the WiFi devices need to be cut off from the PCs.  Normally Win10 Laptops have file and print sharing disabled since they are used outside of home.  Sharing is temporarily enabled when home and there is a need to share files or utilize the printer.

My desire is to isolate some WiFi Enabled devices such as: Generac Wifi Module, non-family guests, and other TBD future WiFi enabled devices from the main network.  So at present I just need 2 separate networks.  Depending on TBD future WiFi enabled devices I may need additional isolation. 

The AX1800 Dual-Band Orbi Pro WiFi 6 Mini Mesh looks very interesting.  I called and talked to Netgear support and they felt I should be able to put the existing Arris 1862 in bridge mode, which shuts down the router, and then hook up the Orbi.  An Xfinity article “Using Bridge Mode on your Wireless Gateway” confirmed that this should work.  The Orbi provides up to 4 WiFi SSIDs so that should work for my needs.  See any issues if I log into my Arris combo unit, turn on bridge mode and then check to assure I still have phone service?  Provided voice support is just on the modem I think the Orbi may be a good fit.  I guess even any router that provides a guest network option would also work.  Xfinity replaced the normal guest network feature with their WiFi hotspot that is open to all paying Xfinity users.  Obviously I can't connect the Generac to that.  Any experience with Orbi reliability and Netgear support?  Are you aware of any other routers that offer multiple SSIDs?

Contributor • 200 Messages • 2 years ago

Generac... I read that as "generic" the first time lol.  Reading it again I see you're talking about a Generac generator.

I haven't played with an Orbi Pro.  I just ran across them and thought they might work well for your situation.  Either way it sounds like you really just want "home network" and "untrusted".  Orbi Pro ought to do nicely there, and personally I'd give the Generac its own SSID.

I'm no expert in what's available, but I'm pretty sure Ubiquiti has UniFi routers that support multiple SSIDs.  That's about all I can think of for routers off the top of my head.  Multiple SSIDs are a standard feature on commercial WiFi access points, but those are just access points and don't do routing.

Voice shouldn't be a problem.  I have Comcast voice and I've used it with an Arris SVG2482AC in both router and bridge mode and also with a Netgear CM2050V modem.  Worst case the Comcast gateway does something screwy with your Internet when you put it in bridge mode and you end up going out and buying a cable modem with voice support, but that seems to be more of a problem with XB7s.

New Poster • 10 Messages • 2 years ago

I only reviewed the Orbi Pro at this point and it looks very promising.  I will be looking over options for WiFi routers that support multiple SSIDs and once I get everything up and running I will update my post.  Thanks zandor60657 for your support and advice!
