[Networking] Small Business Networking with macOS


I'm preparing to start a consulting startup in China, and this question is about its internal networking.

Here is a list of features that I need:

1. WiFi access to both internal and guest networks, internal using certificates, and guest using passwords.

2. Isolated zones (guest, internal, test gear, process control), with internal having access to all but guest, and guest having access to nothing but the Internet.

3. The internal network can access an external VPN server to circumvent the Great Firewall, and the internal network has its own VPN server to allow working from home.

4. The test gear network and the process control network can receive incoming connections from internal, but not initiate connections to internal, except for certain DMZ rules.

5. All services and employee computers are on internal network.


I made an illustration for this, and my question is: is this achievable with macOS (with the Server app, but without a Linux VM)?

Red is danger, green is safe, other colors are different zones that shouldn't access the green zone, but should also not be accessed from the red zone.
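As an added example (not part of the question or any reply), here is how the zone matrix above would read in pf, the packet filter macOS ships, assuming one VLAN interface per zone; the interface names, subnets, DMZ host and VPN ports are assumptions. The same allow/deny logic is what you would put into inter-VLAN ACLs on a router if you follow the replies' advice instead.

```pf
# Added example, not from the thread. Interface names, subnets, the DMZ host
# and the VPN ports are assumptions; adjust them to the real VLANs.
wan_if   = "en0"     # uplink
int_if   = "vlan10"  # internal: services, employee machines, VPN server
guest_if = "vlan20"  # guest WiFi
test_if  = "vlan30"  # test gear
pc_if    = "vlan40"  # process control
vpn_if   = "utun0"   # tunnel to the external VPN server

int_net   = "10.10.0.0/24"
guest_net = "10.20.0.0/24"
test_net  = "10.30.0.0/24"
pc_net    = "10.40.0.0/24"
table <private> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Assumed DMZ exception: one test-gear host may push results to one
# internal collector on one port.
dmz_src  = "10.30.0.50"
dmz_dst  = "10.10.0.20"
dmz_port = "5044"

set skip on lo0
set block-policy drop

# Translate internal and guest traffic leaving on the uplink
nat on $wan_if from { $int_net, $guest_net } to any -> ($wan_if)

# Default deny. pf is last-match: a later rule overrides an earlier one,
# so the broad passes come first and the specific blocks after them.
block all

# Internal may initiate to everything, then carve out guest.
pass in on $int_if from $int_net to any keep state
block in on $int_if from $int_net to $guest_net

# Guest may initiate only to non-private destinations (the Internet).
# If this box also serves DHCP/DNS to guests, add passes for those here.
pass in on $guest_if from $guest_net to any keep state
block in on $guest_if from $guest_net to <private>

# Test gear and process control have no "pass in" rule of their own, so
# they cannot initiate anything; replies to internal's connections ride
# the state created above. The single DMZ exception is explicit.
pass in on $test_if proto tcp from $dmz_src to $dmz_dst port $dmz_port keep state

# Let established flows leave on the uplink and the external VPN tunnel
pass out on { $wan_if, $vpn_if } keep state

# Home workers reach the internal VPN server (IPsec IKE and NAT-T, assumed)
pass in on $wan_if proto udp from any to ($wan_if) port { 500, 4500 } keep state
```

The certificate-based WiFi requirement is not a firewall matter; it needs 802.1X with a RADIUS server behind the access points, which pf cannot provide.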

I would treat this as a networking issue, define VLANs for each use, and use a router to enforce separation of networks as desired.

I run Ubiquiti gear at home, and it’s well capable of doing what you are describing. It’s also fairly easy and low-fuss once configured. Other brands of pro-sumer level gear could do it as well (Aero, Meraki, Ruckus, Cisco, etc.).

Then the Mac becomes just a client on the network you assign it to.

Google VLAN and watch a few videos, then get a VLAN-capable switch, router, and WiFi access points. This is not really a macOS question, at least as I understand the question.

Running routing, firewall, and NAT on macOS?  :palm: |O

"The problem is, a managed smart ROUTER (not just an L2 switch) running at 10Gbps is gonna be expensive."
Why do you need a 10Gbps router? Your router only needs to match your uplink speed. You can get a cheap second-hand L3 switch for a couple hundred CNY in China (Juniper EX4200-48T / EX2200-48T [no IPv6 routing] / Cisco C3750X). If you need 2 or 4 10G uplink ports, you can get a higher-end one for less than 2000 CNY (Juniper EX3300-48T / Cisco C3750X with 10G module / Juniper EX4200-48T with 10G module). If you need PoE on the switch, most Juniper and Cisco switches come in PoE models which cost a couple hundred CNY more (Juniper EX3300-48P / Juniper EX4200-48P / etc.). It can do everything you need except NAT, which you can do with a cheap router (Mikrotik hEX Gr3).


