Home network, how to « isolate » subnets on a budget.

Peter75

New Around Here
Hello everyone.

I’m working on my home network and thinking about what I can do to prevent or minimize traffic across subnets.

I’ve got a great collection of old but still serviceable routers. :)

Most of our devices are ETH cabled and only 1 wireless access point is activated, on router B, mainly for handheld devices.

My setup is as follows:
DOCSIS modem —> router A
router A —> router B
router A —> router C
router A —> router D

Router A acquires dyn IP from DOCSIS/provider.

Routers B, C and D connect to router A through their WAN ports and each acquires a dynamic IP.

All routers are DHCP servers on their own separate unique subnets.

All of the routers are broadcast routers.

I noticed that there is cross-talk between subnets B, C and D.

Is there a way to minimize or isolate the traffic between B, C and D, using static routes or other means?

Thank you.

- Peter
 
Why so complicated? What is the purpose? Only that the 3 subnets are isolated from each other?
 
I noticed that there is cross-talk between subnets B, C and D.

What crosstalk?

If routers B, C and D are in double NAT behind router A and with their firewalls enabled there is no crosstalk. They can access router A attached devices, but not devices attached to other routers behind firewall. Something is wrong with your configuration if this is not the case.
 
More information needed.


I don't know what you mean by this.


There shouldn't be. How are you monitoring this and what are you seeing? I'm assuming that routers B, C and D still have their firewalls and NAT enabled.

Sorry, broadcast as in multicast/broadcast type of packet traffic. Forgive my lack of precise terms and I welcome any correction.

I thought as much that subnets B/C/D shouldn’t be visible to each other.

When I shut down a 3B Pi connected to router A, my NAS on router B comes out of sleep. This is systematic, and I also omitted to mention the Pi connected to subnet A.

I removed the Pi from router A's subnet and monitored one of my subnets using Wireshark. I’m not seeing B/C/D cross-talk.

I will further cleanup, test, try, scan …
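The Wireshark check described above can be scripted. The following is an added example (not code from the original thread or any poster): a small classifier over constructed Ethernet frames that reports two things Peter is looking for, traffic whose source and destination fall in two different subnets that are supposed to be isolated, and Wake-on-LAN magic packets (the frame that would pull a sleeping NAS out of standby). The subnet addresses for routers B, C and D, the NAS MAC and the sample frames are all assumed values made up for the example; it also accepts 802.1Q-tagged frames so it keeps working if the subnets are later moved onto VLANs.

```python
"""Added example: flag cross-subnet flows and Wake-on-LAN magic packets
in raw Ethernet frames. All addresses and sample frames are constructed."""
import ipaddress
import struct
from typing import Dict, List, Optional

# Assumed addressing for the thread's routers B, C and D (hypothetical).
ISOLATED_SUBNETS = {
    "B": ipaddress.ip_network("192.168.2.0/24"),
    "C": ipaddress.ip_network("192.168.3.0/24"),
    "D": ipaddress.ip_network("192.168.4.0/24"),
}
ETHERTYPE_VLAN = 0x8100   # 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into MACs, optional VLAN id, ethertype, payload."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:           # tagged frame: 4 extra bytes
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset:]}


def magic_packet_target(payload: bytes) -> Optional[bytes]:
    """Return the target MAC if payload holds a WoL magic packet
    (six 0xFF bytes followed by the MAC repeated 16 times), else None."""
    idx = payload.find(b"\xff" * 6)
    if idx < 0 or len(payload) < idx + 6 + 16 * 6:
        return None
    body = payload[idx + 6: idx + 6 + 96]
    mac = body[:6]
    return mac if body == mac * 16 else None


def subnet_of(addr) -> Optional[str]:
    """Name of the isolated subnet containing addr, or None (e.g. subnet A)."""
    for name, net in ISOLATED_SUBNETS.items():
        if addr in net:
            return name
    return None


def classify(frame: bytes) -> List[str]:
    """Findings for one frame: 'vlan:N', 'cross-subnet:X->Y', 'wol:<mac>'."""
    f = parse_frame(frame)
    findings, payload = [], f["payload"]
    if f["vlan"] is not None:
        findings.append("vlan:%d" % f["vlan"])
    if f["ethertype"] == ETHERTYPE_IPV4 and len(payload) >= 20:
        ihl = (payload[0] & 0x0F) * 4              # IPv4 header length
        proto = payload[9]
        src = ipaddress.ip_address(payload[12:16])
        dst = ipaddress.ip_address(payload[16:20])
        s, d = subnet_of(src), subnet_of(dst)
        if s and d and s != d:                     # should not happen with NAT+firewall
            findings.append("cross-subnet:%s->%s" % (s, d))
        if proto == PROTO_UDP:
            payload = payload[ihl + 8:]            # strip IP and UDP headers
    mac = magic_packet_target(payload)             # WoL over UDP or raw ethertype
    if mac is not None:
        findings.append("wol:" + mac.hex(":"))
    return findings


def udp_frame(src_ip: str, dst_ip: str, data: bytes, vlan: Optional[int] = None) -> bytes:
    """Build a minimal broadcast Ethernet/IPv4/UDP frame (constructed input,
    checksums left zero, UDP port 9 as commonly used for WoL)."""
    udp = struct.pack("!HHHH", 40000, 9, 8 + len(data), 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, PROTO_UDP, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    eth = b"\xff" * 6 + bytes.fromhex("020000000001")
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan) if vlan is not None else b""
    return eth + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp


NAS_MAC = bytes.fromhex("02aabbccddee")             # constructed NAS MAC
SAMPLE_FRAMES = {                                   # constructed captures
    "pi_on_A_wakes_NAS_on_B": udp_frame("192.168.1.50", "192.168.2.255",
                                        b"\xff" * 6 + NAS_MAC * 16),
    "B_to_C_direct": udp_frame("192.168.2.10", "192.168.3.10", b"hello"),
    "C_to_C_tagged": udp_frame("192.168.3.10", "192.168.3.20", b"ok", vlan=30),
}


def report() -> Dict[str, List[str]]:
    """Classify every sample frame; the script prints this when run directly."""
    return {name: classify(frame) for name, frame in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for name, findings in report().items():
        print(name, findings or ["clean"])
```

Feed it real frames (for example, raw bytes read from a pcap) and an empty `cross-subnet` list across B, C and D confirms the double-NAT isolation is holding, while a `wol` hit from a subnet-A address explains a NAS that keeps waking up without any B/C/D leakage.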
 
Why so complicated? What is the purpose? Only that the 3 subnets are isolated from each other?
B is for the home network, with devices I maintain.
C is for my wife's work network, with a corporate laptop which has no reason to mingle with other devices.
D is for my work laptop, for same reasons as C.
I’ll add E ( using yet another recycled router) for a Pi, which I also have no interest to be on same subnet as any other devices.

I’m mostly doing this to minimize risks of unwanted lateral movement.

What are your thoughts about this? I know it sounds paranoid, yet the digital world is so complicated that I don’t want to rely solely on digital hygiene to secure my network; I want to see what more I can do, learn and improve.
 
What crosstalk?

If routers B, C and D are in double NAT behind router A and with their firewalls enabled there is no crosstalk. They can access router A attached devices, but not devices attached to other routers behind firewall. Something is wrong with your configuration if this is not the case.
yes, I think you nailed it: I suspect a Pi I had connected to A was waking my NAS on B.

I will cleanup.
 
A is for home network, with devices I maintain.

If you have no extra firewall settings devices connected to routers B, C and D can access devices connected to router A.
 
If you have no extra firewall settings devices connected to routers B, C and D can access devices connected to router A.
I’ve cleaned up subnet A, nothing else than 3 routers are now connected to it. I will further clean up and test next break I get.
 
For $22.99 at Amazon you can buy a smart switch which allows you to set up VLANs.

https://www.amazon.com/dp/B00N0OHEMA/?tag=snbforums-20
 
Quite inexpensive for a managed switch. I considered layer 3 ACLs for IP management, but most switches offering it usually range in the hundreds. I’ll look into your suggestion, tx!
It offers both port-based VLANs as well as 802.1Q VLANs, which makes it possible to run multiple VLANs across a single cable if you have a pair of switches. Very reliable.
 
TP-Link has good cheap switches - see series Easy Smart and Smart (for 8 port: TL-SG108E and TL-SG2008).
It offers both port-based VLANs as well as 802.1Q VLANs, which makes it possible to run multiple VLANs across a single cable if you have a pair of switches. Very reliable.
I like multiple VLANs between switches over 1 cable. I worked with it on some projects at work and much appreciated the convenience and flexibility it offers. Little use for my home though, until I come up with something to warrant it :)
 
Little use for my home though, until I come up with something to warrant it :)
Buying TL-SG108E or TL-SG105E can be cheaper than the cost of electricity needed to power an additional 3 routers for a year.
 
Buying TL-SG108E or TL-SG105E can be cheaper than the cost of electricity needed to power an additional 3 routers for a year.

Where is Wi-Fi on the switches above?
 