Separating networks with limited access between
I am trying to understand networks better and to help me learn I am working on a home project where I want to setup two networks, let's call them Client and Server, on the same geographic location. (Both networks get Internet from one single WAN, since I was not able to acquire multiple IPs from my ISP.) The two networks should be separated from each other, meaning I want to prevent malware or other threats from spreading across networks.
That being said, I am still trying to allow for a specific client to be able to periodically manage the servers from the client network.
I could of course switch the client between the networks physically, but it seems messy. My thought was to create a VPN tunnel instead, but I was curious if there are other/better options.
With three routers and some switches at my disposal, my questions are
- Is subnetting or VLANs the better option to separate the networks? I've read a lot on both lately but can't decide on what would be best for this scenario.
- Is VPN the most secure way for a client to access the server network, or would allowing it to access both networks all the time be just as secure?
- Does the routers need to have a separate IP from it's parent router or is the gateway IP enough?
- Do I really need three routers, or would it be enough with just one?
I have linked an image below to clarify my intended setup. Please let me know if this question is too in-depth for this forum. I am more than happy to learn on my own but need some pointers on where to start looking.
Intended Network Design
Is subnetting or VLANs the better option to separate the networks? I've read a lot on both lately but can't decide on what would be best for this scenario.
Subnets is logical division of networks. It works on layer 3; different IP networks cannot communicate directly with eachother, but must go through a router.
You can have multiple subnets in use on the same physical segment if you want.
VLAN's is physical separation. It splits the network at the Layer 2 level, so no packets can flow from VLAN 1 to VLAN 2, without some device that sits in both VLANs.
Very often a combination is appropriate, where a subnet matches a vlan, so that you have a 1:1-mapping between subnets and physical broadcast domains, but this is not a technical requirement.
Is VPN the most secure way for a client to access the server network, or would allowing it to access both networks all the time be just as secure?
VPN is a technique to transport packets securely over a unsecure network. Nothing more, nothing less. Depending on your threat model, using TLS and the Internet may be secure enough and far easier to deploy.
Does the routers need to have a separate IP from it's parent router or is the gateway IP enough?
???
Do I really need three routers, or would it be enough with just one?
Get a old computer with at least two NIC's. Install pfsense. Get a VLAN capable switch. Start playing. For added learning, add a second computer with pfsense, and set up a third subnet. Add routes between the networks. Deploy a dynamic routing protocol, such as OSPF.