Network A/B switch

[rdl]

I need to switch an internet connection between two different local networks. The best way would seem to be an RJ-45 switch after the cable modem. I've found some that are hand operated mechanical types, but I'd really prefer to have remote control. Does such a device exist or is there a better way?

[jeroen79]

What is the intended purpose?
Hobby or work?

How about a higher end switch/router that an be managed remotely?
Or roll you own with a rasberry pi or similar small linux board.

[rdl]

This would be for home use. The purpose is to have two local networks that are 100% isolated from each other. Only one network at a time would have an internet connection. This device will do that:

https://www.newegg.com/Product/Product.aspx?Item=9SIA7253X11005

However, I would prefer remote control (IR type, as used with TVs, etc.). I suppose I could rig up my own remote control button-pusher, but I doubt I would since it would be easy enough to just go push the button manually and it's something that would only be done occasionally.

Switches for the cable side are more commonly available (though I haven't looked for one with remote control), but that would require a second cable modem.

[Cliff Matthews]

Is this anything so important that using separate sub-nets wouldn't suffice?

To address the issue (pardon the pun) of having two DHCP servers on the same physical network, disable one and use static addressing for devices on the less complex of the two networks. Also, quick utility programs exist to help: https://sourceforge.net/projects/simpleipconfig/

[bingo600]

Use a cheap "web" managed switch ,where you can turn on/off the rj-45 ports

/Bingo

[JXL]

Use a (cheap) second router behind the router connected to the cable modem.

[rdl]

I don't see how adding a second router could provide any isolation. The "web managed" switch is a possibility, but I don't see how to perform A/B switching, where both networks are always isolated, without adding a third just to control the switching. I currently know little about managed switches though. If one port could be set for an upstream connection only (to the cable modem) and 100% blocked from access to any other part of the local network when necessary, then that might work just as well. On the other hand, this is not something that would need to be done frequently, and the cheap A/B switch linked in #3 does exactly what is needed. If no better solution is available, then I may have to settle for that.

[Cliff Matthews]

Since this is an electronics forum, I would hedge that many don't know many networks can co-exist over the same physical cable(s) and possibly the difference between layer-2 and 3 switching. Suffice it to say, you haven't stated if you have total control over both routers in order to shut-off DHCP on the lesser used router. You can have a network with multiple gateways (in your case, routers).. and professional networks often do not have the DHCP servers in the gateways for security reasons.

If you have a bunch of devices and want them to talk to whatever router that's got a connection (without touching cables) turn off DHCP on one, and only use manual addressing when talking to it. To toggle between several local IP configurations on each PC with a click of a mouse, you can use IPswitcher or the other Sourceforge one I previously posted (yes, other simple FOSS programs exist, or you can roll your own with a bit of script). One routers sub-net could be defined as 192.168.1.x and the other as 192.168.2.x

Where there's a will, there's a way. Cheers!

[JXL]

I don't see how adding a second router could provide any isolation.

This is how I setup 2 networks behind 1 cable modem:
Cable Modem (WAN IP address)
    +==> Router0 (network0 = 192.168.0.xxx through NAT)
             +==> 0.port 1 ==> device1 (192.168.0.1)
             +==> 0.port 2 ==> device2 (192.168.0.2)
             +==> 0.port 3 ==> device3 (192.168.0.3)
             +==> 0.port 4 ==> router1 (network1= 192.168.1.xxx through NAT)
                                 +==> 1.port 1 ==> device4 (192.168.1.1)
                                 +==> 1.port 2 ==> device5 (192.168.1.2)
                                 +==> 1.port 3 ==> device6 (192.168.1.3)
                                 +==> 1.port 4 ==> router7 (192.168.1.4)

The network0 devices can't "see" the network1 devices and vice-versa.  But both network0 and network1 can access the internet.  If you want to feel more secure, you can put another router on one of the router0 ports and put the 2nd network on that router like so:

Cable Modem (WAN IP address)
    +==> Router0 (network0 = 192.168.0.xxx through NAT)
             +==> 0.port 1 ==> router1 (network1= 192.168.1.xxx through NAT)
                                 +==> 1.port 1 ==> device1 (192.168.1.1)
                                 +==> 1.port 2 ==> device2 (192.168.1.2)
                                 +==> 1.port 3 ==> device3 (192.168.1.3)
                                 +==> 1.port 4 ==> router4 (192.168.1.4)
             +==> 0.port 2 ==> router2 (network2= 192.168.2.xxx through NAT)
                                 +==> 2.port 1 ==> device5 (192.168.2.1)
                                 +==> 2.port 2 ==> device6 (192.168.2.2)
                                 +==> 2.port 3 ==> device7 (192.168.2.3)
                                 +==> 2.port 4 ==> router8 (192.168.2.4)
             +==> 0.port 2 ==> leave unconnected
             +==> 0.port 3 ==> leave unconnected

The router solutions cost more than the A/B switch, but both networks have internet access simultaneously.

[stevelup]

You don't even need multiple routers to do this with 100% security. Any decent hi-end router will offer multiple VLANs.

[Cliff Matthews]

Configurations abound and many get cumbersome. What about possible presence of other devices like printers and servers or even if the users should remain oblivious to A/B switch changes?

It's worth noting that a cheap Wind-blows server with a few network ports can share an internet connection and manage everything automatically (and securely allow file and print sharing across both networks). Another free option is a Smoothwall Express 3.1* on a low end PC and 3 network cards, again sharing and throttling the internet connection to both networks (with caching and DNS filtering too).

*Edit: You won't have to get into Linux much either https://sourceforge.net/projects/smoothwall/
I've customizied Smoothwall's for >14 years (always lots of possibilities) https://community.smoothwall.org/forum/viewforum.php?f=109

[macboy]

I don't see how adding a second router could provide any isolation.

This is how I setup 2 networks behind 1 cable modem:
Cable Modem (WAN IP address)
    +==> Router0 (network0 = 192.168.0.xxx through NAT)
             +==> 0.port 1 ==> device1 (192.168.0.1)
             +==> 0.port 2 ==> device2 (192.168.0.2)
             +==> 0.port 3 ==> device3 (192.168.0.3)
             +==> 0.port 4 ==> router1 (network1= 192.168.1.xxx through NAT)
                                 +==> 1.port 1 ==> device4 (192.168.1.1)
                                 +==> 1.port 2 ==> device5 (192.168.1.2)
                                 +==> 1.port 3 ==> device6 (192.168.1.3)
                                 +==> 1.port 4 ==> router7 (192.168.1.4)

The network0 devices can't "see" the network1 devices and vice-versa.  But both network0 and network1 can access the internet.  If you want to feel more secure, you can put another router on one of the router0 ports and put the 2nd network on that router like so:

Cable Modem (WAN IP address)
    +==> Router0 (network0 = 192.168.0.xxx through NAT)
             +==> 0.port 1 ==> router1 (network1= 192.168.1.xxx through NAT)
                                 +==> 1.port 1 ==> device1 (192.168.1.1)
                                 +==> 1.port 2 ==> device2 (192.168.1.2)
                                 +==> 1.port 3 ==> device3 (192.168.1.3)
                                 +==> 1.port 4 ==> router4 (192.168.1.4)
             +==> 0.port 2 ==> router2 (network2= 192.168.2.xxx through NAT)
                                 +==> 2.port 1 ==> device5 (192.168.2.1)
                                 +==> 2.port 2 ==> device6 (192.168.2.2)
                                 +==> 2.port 3 ==> device7 (192.168.2.3)
                                 +==> 2.port 4 ==> router8 (192.168.2.4)
             +==> 0.port 2 ==> leave unconnected
             +==> 0.port 3 ==> leave unconnected

The router solutions cost more than the A/B switch, but both networks have internet access simultaneously.

In the first config, network 1 does have access to network 0 through NAT. When it accesses a network 1 address, a port is opened (by NAT) in its firewall to allow the connection through. This is identical to how private, firwalled network 0 accesses the internet.

The second config works. Each private network firewalls itself from the outside world. Each router can access only the WAN side interface of the other router, so each is isolated.

As someone else mentioned, this could be done also with VLANs on hardware that supports that. I've played around with that a little with OpenWRT  firmware, and it works. The biggest security hole here is that both VLANs have, in theory, access to the browser-based configuration of the router, so someone could get in a mess around with the VLANs, connecting between networks. In the 2-extra-router setup, if you simply deny config access from the WAN side, then it is "impossible" to make changes to one router from another.

Make sure to turn off UPnP and auto-discovery features, since they can quietly open holes in firewalls.

[madires]

I'd get a cheap TP-Link router supported by OpenWrt, install OpenWrt, create two (W)LANs, and configure the firewall. That's a typicial setup for an isolated WLAN for guests.

[rdl]

One of the "networks" is actually just a single PC that has interchangeable drives and can be booted into multiple operating systems without needing to use VMs. This PC is the one I want to be able to completely isolate, but only in one particular configuration. Normally it will be connected to the rest of the local network.

The cable modem connects to a simple switch and everything else is downstream from there. I just realized that by simply rearranging connections a bit I can do what I want by unplugging just one cable, so that is the current plan. However, thanks to the replies here, I have realized how little I actually know about networking, so I think I will order this inexpensive managed/smart switch to experiment with.

https://www.newegg.com/Product/Product.aspx?Item=N82E16833122381