This guide explains how to set up a shared-use office network where multiple companies use the same internet connection, router, switches, and wireless access points, while keeping each company’s network traffic separated.
The example uses Grandstream routers, Grandstream managed switches, and Grandstream wireless access points.
1. Example Network Design
For this example, we will create separate VLANs for each company.
| Use | VLAN ID | IP Range |
| Management | 10 | 192.168.10.0/24 |
| Company A | 20 | 192.168.20.0/24 |
| Company B | 30 | 192.168.30.0/24 |
| Company C | 40 | 192.168.40.0/24 |
| Shared Guest Wi-Fi | 50 | 192.168.50.0/24 |
The Management VLAN is used for managing network equipment such as switches and wireless access points.
Each company gets its own VLAN and IP range.
2. Equipment Required
You will need:
Grandstream router or firewall
Grandstream managed switch
Grandstream wireless access point
Internet connection
Ethernet cabling
Admin access to all devices
Typical Grandstream equipment may include:
Grandstream GWN router
Grandstream GWN managed switch
Grandstream GWN wireless access point
3. Physical Network Layout
Connect the network as follows:
Internet connection into the Grandstream router WAN port.
Grandstream router LAN port into the Grandstream managed switch.
Grandstream wireless access points connected to the managed switch.
Client devices connect either by cable to switch ports or by Wi-Fi to the correct company SSID.
Basic layout:
Internet
→ Grandstream Router
→ Grandstream Managed Switch
→ Grandstream Access Points
→ Company devices
4. Create the VLAN Plan First
Before configuring any equipment, decide:
How many companies will use the space
Whether each company needs wired ports
Whether each company needs its own Wi-Fi
Whether there will be a shared guest Wi-Fi
Whether printers, NAS devices, or shared services are needed
Who will manage the network equipment
Example VLAN plan:
Company A: VLAN 20
Company B: VLAN 30
Company C: VLAN 40
Guest Wi-Fi: VLAN 50
Network management: VLAN 10
Keep a record of this plan. It will be used across the router, switch, and wireless access points.
5. Configure the Grandstream Router
Log in to the Grandstream router management interface.
Go to the network or VLAN section.
Create the required VLANs.
Example:
VLAN 10
Name: Management
IP Address: 192.168.10.1
Subnet: 255.255.255.0
VLAN 20
Name: Company A
IP Address: 192.168.20.1
Subnet: 255.255.255.0
VLAN 30
Name: Company B
IP Address: 192.168.30.1
Subnet: 255.255.255.0
VLAN 40
Name: Company C
IP Address: 192.168.40.1
Subnet: 255.255.255.0
VLAN 50
Name: Guest Wi-Fi
IP Address: 192.168.50.1
Subnet: 255.255.255.0
Enable DHCP for each VLAN.
Example DHCP scopes:
VLAN 20: 192.168.20.100 to 192.168.20.200
VLAN 30: 192.168.30.100 to 192.168.30.200
VLAN 40: 192.168.40.100 to 192.168.40.200
VLAN 50: 192.168.50.100 to 192.168.50.250
The router should be the default gateway for each VLAN.
6. Configure Internet Access Rules
Each company VLAN should be allowed to access the internet.
Create firewall rules similar to the following:
Allow VLAN 20 to WAN
Allow VLAN 30 to WAN
Allow VLAN 40 to WAN
Allow VLAN 50 to WAN
This allows each company to use the internet.
7. Block Access Between Companies
The most important part of this setup is network isolation.
Create firewall rules to block traffic between company VLANs.
Example rules:
Block VLAN 20 to VLAN 30
Block VLAN 20 to VLAN 40
Block VLAN 30 to VLAN 20
Block VLAN 30 to VLAN 40
Block VLAN 40 to VLAN 20
Block VLAN 40 to VLAN 30
Also block guest Wi-Fi from accessing company VLANs:
Block VLAN 50 to VLAN 20
Block VLAN 50 to VLAN 30
Block VLAN 50 to VLAN 40
Block VLAN 50 to VLAN 10
The guest network should normally only have internet access.
8. Protect the Management VLAN
The Management VLAN should only be accessible by authorised administrators.
Create rules such as:
Allow admin device or admin VLAN to access VLAN 10
Block Company A from VLAN 10
Block Company B from VLAN 10
Block Company C from VLAN 10
Block Guest Wi-Fi from VLAN 10
Do not allow normal company users to access the switch, router, or wireless access point management interfaces.
9. Configure the Managed Switch
Log in to the Grandstream managed switch.
Create the same VLAN IDs on the switch:
VLAN 10
VLAN 20
VLAN 30
VLAN 40
VLAN 50
The switch must use the same VLAN IDs as the router.
10. Configure the Router Uplink Port
The switch port connected to the router should be configured as a trunk port.
This port must carry all VLANs.
Example:
Port 1: Uplink to router
Mode: Trunk
Tagged VLANs: 10, 20, 30, 40, 50
This allows the router and switch to pass traffic for all VLANs.
11. Configure Access Point Ports
The switch ports connected to wireless access points should also be trunk ports.
Example:
Port 2: Access Point 1
Mode: Trunk
Tagged VLANs: 10, 20, 30, 40, 50
Native/Untagged VLAN: 10
This allows the access point to broadcast multiple SSIDs, with each SSID connected to a different VLAN.
The access point itself should normally be managed on the Management VLAN.
12. Configure Wired Company Ports
For wired devices, assign each switch port to the correct company VLAN.
Example:
Ports 3 to 6: Company A
Mode: Access
Untagged VLAN: 20
Ports 7 to 10: Company B
Mode: Access
Untagged VLAN: 30
Ports 11 to 14: Company C
Mode: Access
Untagged VLAN: 40
Ports 15 to 16: Guest or shared use
Mode: Access
Untagged VLAN: 50
A device plugged into an access port does not need to understand VLAN tagging. The switch handles it.
13. Configure Wireless Access Points
Log in to the Grandstream wireless controller or access point interface.
Create one SSID per company.
Example:
SSID: Company A Wi-Fi
VLAN: 20
Security: WPA2/WPA3
Password: Unique strong password
SSID: Company B Wi-Fi
VLAN: 30
Security: WPA2/WPA3
Password: Unique strong password
SSID: Company C Wi-Fi
VLAN: 40
Security: WPA2/WPA3
Password: Unique strong password
SSID: Guest Wi-Fi
VLAN: 50
Security: WPA2/WPA3 or captive portal
Client isolation: Enabled
Do not use the same Wi-Fi password for every company.
14. Enable Wireless Client Isolation for Guest Wi-Fi
For the guest Wi-Fi network, enable client isolation.
This helps stop guest devices from seeing or communicating with each other.
Recommended guest settings:
Guest VLAN: 50
Client isolation: Enabled
Access to local network: Blocked
Internet access: Allowed
Bandwidth limit: Optional
15. Optional: Add Bandwidth Limits
In a shared office, one company or guest user may consume too much bandwidth.
You can apply bandwidth limits per VLAN or per SSID.
Example:
Company A: 100 Mbps
Company B: 100 Mbps
Company C: 100 Mbps
Guest Wi-Fi: 20 Mbps
This is optional, but useful in shared environments.
16. Optional: Add Content Filtering or DNS Filtering
For guest and business networks, consider adding DNS filtering.
This can help block:
Malware sites
Phishing sites
Adult content
Known malicious domains
This can be configured on the router, through a DNS filtering provider, or through another security service.
17. Test Each VLAN
After configuration, test each network.
Connect to Company A Wi-Fi.
Check that the device receives an IP address like:
192.168.20.x
Confirm it can access the internet.
Then test that it cannot access:
192.168.30.x
192.168.40.x
192.168.10.x
Repeat the same test for each company VLAN.
18. Test Wired Ports
Plug a laptop into each wired port.
Confirm the laptop receives the correct IP range.
Example:
Company A port should receive 192.168.20.x
Company B port should receive 192.168.30.x
Company C port should receive 192.168.40.x
If the wrong IP range is received, check the switch port VLAN assignment.
19. Test Wi-Fi VLAN Assignment
Connect to each SSID and check the IP address.
Company A Wi-Fi should receive 192.168.20.x
Company B Wi-Fi should receive 192.168.30.x
Company C Wi-Fi should receive 192.168.40.x
Guest Wi-Fi should receive 192.168.50.x
If the device receives the wrong IP address, check the SSID VLAN setting and the access point switch port trunk settings.
20. Common Issues
Device gets no IP address
Check that DHCP is enabled on the router for that VLAN.
Check that the switch uplink to the router is a trunk port.
Check that the VLAN is tagged on the correct ports.
Check that the SSID is assigned to the correct VLAN.
Wi-Fi connects but no internet
Check the firewall rule from that VLAN to the WAN.
Check DNS settings.
Check that the VLAN gateway exists on the router.
Company devices can see each other across VLANs
Check firewall rules.
Block traffic between company VLANs.
Do not rely only on VLANs. The router or firewall must enforce the separation.
Access point does not appear online
Check that the access point management VLAN is correct.
Check that the switch port connected to the access point allows the management VLAN.
Check whether the access point expects an untagged management VLAN.
Wrong IP address on Wi-Fi
Check the SSID VLAN ID.
Check the switch port connected to the access point.
The access point port should usually be a trunk port.
21. Recommended Security Settings
Use strong admin passwords.
Disable unused switch ports.
Keep router, switch, and access point firmware updated.
Use WPA2 or WPA3 for wireless networks.
Use different Wi-Fi passwords for each company.
Do not allow guest Wi-Fi to access internal networks.
Restrict management access to trusted admin devices only.
Back up the router, switch, and access point configuration.
Label switch ports clearly.
Document all VLANs, IP ranges, passwords, and firewall rules.
22. Example Final Configuration Summary
| Item | Setting |
| Router to switch port | Trunk |
| Switch to access point ports | Trunk |
| Company wired ports | Access ports |
| Company Wi-Fi | One SSID per VLAN |
| Guest Wi-Fi | Separate VLAN |
| DHCP | Provided by router |
| Inter-company access | Blocked |
| Guest to internal access | Blocked |
| Internet access | Allowed for all VLANs |
| Management access | Restricted |
23. Final Notes
A multi-company shared network should always be designed around separation.
Each company should have its own VLAN, its own IP range, and its own Wi-Fi network.
The router should control DHCP, internet access, and firewall rules.
The switch should carry the correct VLANs to the correct ports.
The wireless access points should map each SSID to the correct VLAN.
Once complete, each company can share the same physical network and internet connection while remaining logically separated from the others.