
I've been tasked with designing a network for the floor of a small CNC shop. This network needs to be isolated from the main LAN IP space so that it can be added to the current network with minimal configuration. Each CNC cell needs its own identical subnetwork that can be easily duplicated as cells are added. This network handles control communication between devices within the cell and isolates each cell from any others within the shop to prevent the possibility of one cell's devices conflicting with another's. These devices do not need internet connectivity; however, the ability to enable it temporarily if necessary (machine updates?) would be nice. The only external connectivity that is needed from inside the cell is to a local server. This server will need internet access as well as access to a computer within each cell to access the cell's current status. Here's a diagram of the basic design.

 

I've placed a https://www.antaira.com/products/Wireless-Routers/ARS-7235-AC in each cell as a NAT device. Another will be placed on the network layer above all the cells to directly connect to the main shop network.

 

My main questions are:

Does it make sense to setup a network this way?

How to grant internet connectivity to devices within these subnets?

 

 

 


https://linustechtips.com/topic/1446778-deploying-a-network-within-another-network/

It's quite common to do it this way for machine setups that need to communicate with each other, but not with the outside world. While in a perfect world you wouldn't want random routers dotted around the place, it's better to do it this way than to rely on the above infrastructure to reliably provide a private subnet for each setup.

 

As for how to provide internet: easy. Each of the routers' WAN sides has an IP address in the company LAN, and each has the main router as its default gateway.

Then each of the setup components has the local router as its default gateway.

Then, for how to not have internet access: unplug the cable going to the main network.


I would say this is a very bad way of configuring things. It will be overly complex, have a lot of limitations, requires a lot of hardware and be inflexible. If you ever need to make a change to this network, it will be a pain in the ass. Let's say you suddenly want to be able to make an API call to the robots on two of the networks but not the third. You would be pretty screwed in that scenario.

 

My advice would be to use separate IP ranges and then not do a bunch of NAT.

A fairly low-end Fortigate and some managed switches will give you a far simpler and more flexible network.

 

 


 

 

I hope this illustrates what I mean.

This gives you a lot of flexibility, easy to follow traffic flows, a lot of room for easy expansion that doesn't require buying a bunch of new hardware, and very granular control of exactly which machine is allowed to do what, from a single management point.
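To make the two designs in this thread concrete, here is an added model (not from the thread or any poster) of the second approach: one routable subnet per cell, no NAT, and a single first-match policy that allows only the server to poll each cell's status host, keeps cells off each other and off the shop LAN, and lets internet access be switched on per cell for updates without reopening cell-to-cell traffic. All addresses, VLAN numbers and the status port are constructed assumptions.

```python
import ipaddress

# Constructed assumptions: the existing shop LAN, a block reserved for the
# cells, the local status server, and the port its polling uses.
MAIN_LAN = ipaddress.ip_network("192.168.0.0/24")
CELL_BLOCK = ipaddress.ip_network("10.50.0.0/16")
SERVER = ipaddress.ip_address("192.168.0.10")
STATUS_PORT = 8080
ANY = ipaddress.ip_network("0.0.0.0/0")


def plan_cells(count):
    """Carve one routable /24 per cell out of CELL_BLOCK (no NAT, no duplicated ranges).
    Each cell has the same layout: .1 is the gateway (the firewall's VLAN
    interface) and .10 is the PC the server polls for cell status."""
    subnets = list(CELL_BLOCK.subnets(new_prefix=24))
    cells = [{"vlan": 100 + n, "net": subnets[n + 1],
              "gw": subnets[n + 1][1], "status_host": subnets[n + 1][10]}
             for n in range(count)]
    if any(c["net"].overlaps(MAIN_LAN) for c in cells):
        raise ValueError("cell block collides with the main LAN")
    return cells


def build_policy(cells, internet_enabled=()):
    """First-match rule list for new connections: (src, dst, proto, port, action).
    Return traffic is assumed to be handled by the firewall's state table, so the
    single server -> status host rule is enough for polling to work."""
    rules = []
    for c in cells:
        host = ipaddress.ip_network(f"{c['status_host']}/32")
        rules.append((ipaddress.ip_network(f"{SERVER}/32"), host, "tcp", STATUS_PORT, "allow"))
        rules.append((c["net"], c["net"], "any", None, "allow"))   # devices inside the cell
        rules.append((c["net"], CELL_BLOCK, "any", None, "deny"))  # never another cell
        rules.append((c["net"], MAIN_LAN, "any", None, "deny"))    # never the shop LAN
        if c["vlan"] in internet_enabled:  # temporary opt-in, e.g. for machine updates;
            rules.append((c["net"], ANY, "any", None, "allow"))    # the denies above still win
    rules.append((ANY, ANY, "any", None, "deny"))
    return rules


def evaluate(rules, src, dst, proto="tcp", port=None):
    """Action of the first rule matching a new flow; deny if nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r_src, r_dst, r_proto, r_port, action in rules:
        if s in r_src and d in r_dst and r_proto in ("any", proto) and r_port in (None, port):
            return action
    return "deny"
```

Adding a cell is one more /24 and four generated rules; granting one cell an API exception is one rule at the firewall rather than a port-forward on a separate router.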
