Our network setup (the copy cat way)

Good things will come to those who wait.
In our case: A stable and secure network for our beloved testing devices, alongside but separate from our host company's network, with both sharing the same internet connection.

With some old routers, switches and a veteran Airport Extreme base, we thought we could make this happen somehow. And yes, we had several functional setups, but all were missing one crucial feature: We couldn't separate the two networks from each other. It seemed that every combination of the different hardware we had resulted sooner or later in one network being exposed to the other.
At one point we consulted the agency's network guru, and he kind of put us off the whole idea by promoting a "real firewall" solution, which would cost us "500 Euros only" if we found a used one somewhere. Well, since we're more or less funding the whole ODL out of our own pockets, the prospect of spending 500 Euros or more was a bit, let's say, discouraging.

Right about that time the guys from the ODL Nuremberg published a blog article describing their network, and as it turned out they had the same conditions and the same ideas of two private networks and one shared internet connection.

We discussed their approach and decided to follow their setup, down to the hardware used - even if it meant investing in two additional routers (did I mention we run on a tight budget? :-)).

The benefit of following ODL Nuremberg's example: Setting up the new network configuration was a piece of cake since everything seen from the agency's side of the network stayed exactly the same. Printers, servers, and of course access to the internet - no need to change anything on any machine.

Setup

Router 1 VDSL modem/router (the box that came with the internet connection)

  • IP: 192.168.0.100
  • subnet mask: 255.255.255.0
  • no DHCP
  • no wifi
  • WAN connected to VDSL
  • LAN ports connected to router 2 and router 3

Router 2 (company network)

  • IP: 192.168.100.100
  • DHCP
  • wifi WPA/WPA2
  • gateway: 192.168.0.100
  • WAN connected to router 1, static IP 192.168.0.1
  • LAN connected to company network switches
  • firewall blocks TCP/UDP traffic to 192.168.0.2

Router 3 (ODL network)

  • IP: 192.168.200.100
  • DHCP
  • wifi WPA/WPA2, 2.4 and 5 GHz
  • gateway: 192.168.0.100
  • WAN connected to router 1, static IP 192.168.0.2
  • LAN not connected
  • firewall blocks TCP/UDP traffic to 192.168.0.1 and 192.168.0.100

(the IPs are for illustration purposes only)
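
To see what these rules do and do not cover, here is a small model of the setup (an added example, not part of the original post or of ODL Nuremberg's article). It assumes /24 masks on both LANs and no static routes on router 1; the probe hosts are constructed sample addresses.

```python
import ipaddress as ip

# Addresses are the illustrative ones from the setup list above.
TRANSIT = ip.ip_network("192.168.0.0/24")   # router 1's LAN side
ROUTERS = {
    "company": {  # router 2
        "lan": ip.ip_network("192.168.100.0/24"),   # /24 mask is an assumption
        "blocked": {ip.ip_address("192.168.0.2")},
    },
    "odl": {      # router 3
        "lan": ip.ip_network("192.168.200.0/24"),   # /24 mask is an assumption
        "blocked": {ip.ip_address("192.168.0.1"), ip.ip_address("192.168.0.100")},
    },
}

def verdict(src, dst):
    """Decide whether a new TCP/UDP connection from LAN host src to dst gets through."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    side = next((n for n, r in ROUTERS.items() if src in r["lan"]), None)
    if side is None:
        raise ValueError(f"{src} is not on the company or ODL LAN")
    router = ROUTERS[side]
    if dst in router["lan"]:
        return True, "same LAN, never crosses the router"
    if dst in router["blocked"]:
        return False, f"dropped by the {side} router's firewall rule"
    if dst in TRANSIT:
        # Rules match single IPs, so other hosts on router 1's LAN ports are not covered.
        return True, "transit-network address not covered by a block rule"
    if any(dst in r["lan"] for n, r in ROUTERS.items() if n != side):
        # Assumption: router 1 has no static route to either private LAN.
        return False, "no route: router 1 does not know the other LAN's subnet"
    return True, "forwarded to the internet via gateway 192.168.0.100"

def audit(src, probes):
    """Return {dst: allowed} for a list of destinations probed from src."""
    return {dst: verdict(src, dst)[0] for dst in probes}

if __name__ == "__main__":
    probes = ["192.168.0.1", "192.168.0.2", "192.168.0.100",
              "192.168.0.50", "192.168.100.20", "192.168.200.20", "203.0.113.10"]
    for src in ("192.168.100.10", "192.168.200.10"):   # constructed sample hosts
        for dst in probes:
            ok, why = verdict(src, dst)
            print(f"{src} -> {dst:15} {'ALLOW' if ok else 'BLOCK'}  {why}")
```

In this model the ODL side can still reach the internet although 192.168.0.100 is blocked, because forwarded packets carry the internet host's address as destination, not the gateway's. The 192.168.0.50 probe shows the gap to keep in mind: the rules name single addresses, so another device plugged into router 1 would not be covered by them.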

Unlike Nuremberg, we decided to have our ODL's wifi WPA/WPA2 protected - currently we have only one device that's not working with WPA/WPA2 and needs a WEP wifi, so we opted for the safer encryption. Ideally the ODL wifi should only be on when needed anyway: the fewer microwaves buzzing around the office, the better.

Many thanks once again for the input and help from ODL Nuremberg, namely Joschi Kuphal, who never tired of answering our questions. If you're near Nuremberg, visit them at Tollwerk. These are good guys!
Network illustration by wondertom