Allowing Remote Desktop Connection between VLAN's

j3tz

Occasional Visitor
Greetings,

Am new to routers, but trying to isolate two computers connected to router via ethernet. Router gives me option to create VLAN's so I was thinking to create two VLANs for home and work computer. Both would be plugged into router in specific ethernet ports. Separate VLANs would be created for home computer port and work computer port.

I would need to be able to remote desktop (RDC) from home computer to work computer but not sure how to do this since the computers cannot see each other being on different VLAN's. Is it possible to do what I am trying to do?
 
Welcome to the forums @j3tz.

If you segregate them just to link them, just put them on the same network.
 
I was hoping they could only be linked through Remote Desktop Connection and not sitting on the same network. In fact, I would like to restrict the communication between the devices solely to Remote Desktop Connection.
 
What are the expected benefits of your wish?

Is Quick Assist a possibility?
 
Just trying to keep work computer and home computer segregated for security and privacy reasons and read that VLANs can be good for isolating devices you'd like to keep separate. I only RDC to work computer from home computer to avoid needing a KVM switch - both devices are connected to home router.
 
I'd keep the work computer at the office/workplace and always on in that case.
 
Unfortunately, I'm a remote employee and there is no office aside from my home office. So just trying to do the best I can with the situation. It would be nice not to have the smart TV connected to the home computer connected to phones connected to neighbor's treadmill connected to random bull*hit connected to employer and vice versa.

I know it's possible.

Do you have any helpful advice?
 
With the right router, this is possible. I know that Peplink routers support this. You would define each VLAN as allowing communication between VLANs and then you would set two internal firewall rules. The first allows the RDP port in one direction, the second blocks everything else in that direction. And, you would need a firewall rule for the other direction that blocked everything.

This typically comes up when people want to isolate printers into their own VLAN and then just allow the traffic necessary for printing.
 
My helpful advice @j3tz, is don't make anything more complicated than it has to be. Including your network setup.

Without telling us what equipment you have, our answers are necessarily more limited.

The same goes for giving partial information too.

On an Asus router, I would make a 2.4GHz band Guest Network 1 connection just for the work computer. And simply/physically work on that computer, rather than RDC'ing into it to do work.
 
You need a router that supports VLANs and it is easy to do.
I do not think that every router that supports VLANs also supports firewall rules to control the allowed and dis-allowed traffic flow between VLANs. If you know of a router that offers this feature, it would be helpful to note the model.
 
I really appreciate the feedback

@Michael3421 I've heard of Peplink routers before, but not before I already purchased a new router in a hurry. I acquired the Asus GT-AX11000 Pro.

@L&LD It's good advice, I tend to overengineer things.

I believe the router I got can do all kinds of stuff, and who knows what is possible that the GUI doesn't cover.

I believe it can create VLANs. I believe the router can do a lot more than the GUI indicates.

So the situation I am trying to wrap my head around is the following:

The router connects about 8 devices and is going to be shared across family members. There are phones, tablets, laptops all connected wirelessly. Work laptop is wired. Home desktop is wired.

As I learn more about networking, my initial thought was to possibly do something really complicated.

I was going to try to subnet the LAN into several subnets with their own DHCP server. Then create VLANs for each subnet. Then make the home computer on its own VLAN be able to remote desktop into the work computer (on its own VLAN) using port forwarding or some other magic.

The router's GUI firewall options are not very good. I think I can only set rules in one direction.
 
@Michael3421 I will say this router (Asus GT-AX11000 Pro) looks like it just runs linux firmware and I believe there is a way to place bash scripts in the /jffs/ partition and the router will run them at boot.

I am not a whiz at networking, but recently dusted off an early 90's copy of Red Hat System Administration and Networking I found in the closet and believe the router uses iptables and other linux modules for configuration.

I would think the created vlans would show up as network interfaces with their own SSID's (as output by ifconfig command)

Then perhaps iptables could be used to define the firewall rules for these vlan interfaces?
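
The rule set Michael3421 describes, written as the iptables rules j3tz asks about; this is an added example, not code from the thread or from any router vendor. The interface names br1 (home VLAN) and br2 (work VLAN) and the address 192.168.20.10 are assumed placeholders, and the script only prints the rules. It adds connection-tracking rules so that replies to an accepted RDP session are not caught by the drop in the return direction.

```shell
#!/bin/sh
# Added example: prints (does not apply) an RDP-only inter-VLAN rule set.
# Assumed placeholders: br1 = home VLAN, br2 = work VLAN, 192.168.20.10 = work PC.
RDP_PORT=3389   # default RDP listener (TCP)

valid_if() {    # interface names: letters, digits, '.', '_', '-' only
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

valid_ip4() {   # four dot-separated decimal octets, each 0..255
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Rule order matters: packets of already-accepted sessions pass first, then
# only NEW connections from home to the work PC's RDP port are accepted, then
# everything else between the two VLANs is dropped in both directions.
rdp_only_rules() {  # usage: rdp_only_rules HOME_IF WORK_IF WORK_IPV4
    home_if=$1; work_if=$2; work_ip=$3
    valid_if "$home_if" && valid_if "$work_if" && valid_ip4 "$work_ip" || {
        echo "usage: rdp_only_rules HOME_IF WORK_IF WORK_IPV4" >&2
        return 2
    }
    [ "$home_if" != "$work_if" ] || { echo "interfaces must differ" >&2; return 2; }
    c=VLAN_RDP      # dedicated chain, so the rules are easy to list and remove
    cat <<EOF
iptables -N $c
iptables -A $c -i $work_if -o $home_if -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A $c -i $home_if -o $work_if -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A $c -i $home_if -o $work_if -d $work_ip -p tcp --dport $RDP_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A $c -i $home_if -o $work_if -j DROP
iptables -A $c -i $work_if -o $home_if -j DROP
iptables -I FORWARD 1 -j $c
EOF
}

# Stand-alone use: sh rdp_rules.sh br1 br2 192.168.20.10
if [ $# -eq 3 ]; then rdp_only_rules "$@"; fi
```

Review the printed rules against the router's real interface names before applying them; traffic between any other pair of interfaces falls through the chain to the existing FORWARD rules unchanged.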
 
You could probably do all you suggested, but the way you'd have to do it making it "stick" is via Merlin firmware, which doesn't yet have the software-defined networking stuff, to make it easier.
 
... recently dusted off an early 90's copy of Red Hat System Administration and Networking I found in the closet and believe the router uses iptables and other linux modules for configuration.
The firmware doesn't use anything near current kernels (likely current-enough when Broadcom developed their "development boards" to hawk to their customers, who then make [minor] changes for the user interface/control), and it's definitely not Redhat-based (kind of "thank God"). But your book will have nuggets of useful information anyway...

[edit: add what was in the back of my mind but didn't state: have been using GNU/Linux exclusively since about the time W95 was fixin' to be released.]
 
I don't believe you will be able to achieve anything worth pursuing if the work computer is connected via an Ethernet port.

I could be wrong, but we still don't know which router you're attempting this on.
 
I do not think that every router that supports VLANs also supports firewall rules to control the allowed and dis-allowed traffic flow between VLANs. If you know of a router that offers this feature, it would be helpful to note the model.
All the routers I have used support firewalling between VLANs. I would not have it any other way.

Which VLAN routers don't support firewall rules?
 
A VLAN sounds exactly what you are looking for. Each VLAN is its own subnet with its own DHCP server and the router has a different LAN IP in each VLAN.

I have used Asus devices enough to know to stay away from them, so I can only speak about Peplink routers. Peplink lets you assign a VLAN to either an SSID or a LAN port. Or multiple SSIDs or multiple LAN ports. In your case, your two wired computers would use a VLAN that consists of just the one LAN port they are connected to.

With Peplink this is simple to do in the GUI. See
https://routersecurity.org/vlan.php
Linux scripts and iptables are beyond me.
 
Usually, it is not multiple DHCP servers but 1 DHCP server with multiple DHCP scopes. A scope for each network.
The only time you would use multiple DHCP servers is if you use multiple consumer routers which is not the best way to set up a network. VLAN routers DHCP server supports multiple scopes and networks. This is the way of business networks.
And yes, you need wireless APs that support multiple VLANs also so you can assign a VLAN to an SSID. This allows multiple VLANs being assigned to an SSID each.
 
@L&LD Sorry, the router is an Asus GT-AX11000 Pro. I bricked my Linksys WRT3200ACM router and bought this Asus contraption in a panic. I do not know how I feel about my purchase yet. I'm still trying to figure out how it works. I don't understand why these linux based routers have busybox on them? My last router did too. It's like they took all the useful networking commands that linux comes with and removed them from the kernel and then stuck that in the router. All I have to work with is netstat and ifconfig. The interfaces keep morphing and changing each time I run ifconfig.

@glens I wish I could say that I was using linux since the purchase of that old Red Hat Networking book. I'm just now getting into linux, dragged into linux by necessity.

The more I learn about networking the more disturbed it makes me feel. How many different ways of getting something's IP address is there? ARP, NAT, DHCP, DNS, DDNS, /etc/hosts, /etc/resolv.conf, it makes me want to scream. Then I learned the TCP/IP protocol has the source IP address and destination in the IP header. Why can't these devices just read the information in the header, say OK this device is wanting to connect to me and it is at Ip address whatever, send response to that IP address? Instead it needs to ping a bunch of servers to figure out where to connect.

Right now my LAN private IP devices are pinging 8.8.8.8 Google's DNS to get "instructions" for how to find what exactly? I thought the WAN interface was the one who needed to ping some external internet DNS server that told it which IP address corresponded to some text domain name?

Why does a Private LAN network even need a domain name to translate? Why do my private IP LAN devices generate hundreds of UDP messages to the internet using tons of random ports? Why is everything listening on foreign address 0.0.0.0:*

The internet was obviously created by lunatics.

UPDATE: After reading more about the services that are running on these Asus consumer routers, I am not happy with my purchase but I'm stuck with it. What's the difference between a consumer router and a business router?
 
