
Isolating clients on LAN subnet


tlp95129

New Around Here
I want to set up a small network on a single subnet using a simple SOHO router, maybe with DD_WRT. How do I ensure that none of the DHCP clients can see each other on the subnet? For example, say this is a small motel. I can't guarantee that the clients have file sharing turned off, so how can I protect them from snooping by other clients?
 
Well, dd-wrt should have something like AP isolation that prevents wireless clients from talking to each other. You need this to work over wired connections, too? It gets more complicated this way, but can be done.
 
I want to set up a small network on a single subnet using a simple SOHO router, maybe with DD_WRT. How do I ensure that none of the DHCP clients can see each other on the subnet? For example, say this is a small motel. I can't guarantee that the clients have file sharing turned off, so how can I protect them from snooping by other clients?

A good SOHO quality WiFi router will have an option to prevent WiFi clients from exchanging traffic among one another via the WiFi access device. If you have access points, I'd think the same would be set into that. On my ASUS RT-N12 ($35), in router and AP mode, it has a setting "Set AP Isolated" which does such.

The same SOHO router would have VLAN capabilities.

I strongly urge you to have two ISP services: one for guests and one for business systems, as if not, something will go wrong, someday!
 
If you're talking about a small hotel network...or any business, you want to use business grade products and not mess with pizza tech home grade stuff flashed with 3rd party firmware like DD. You want to stick with business grade products at a minimum...and with those products, you'll get solid features.

Wireless access points like Ubiquiti Unifi....where you can flip on "client isolation mode", each wireless client is in their own isolated VLAN and cannot access ANYthing else on the network except the gateway thus the internet. Plus the business grade APs like the Ubiquiti Unifis are centrally managed through a console, naturally for a hotel you'd have a bunch of them spread out across the hotel for good coverage, and you want to keep it easy to manage them.

And you'll want to run managed switches like HP ProCurves...if you want to wire up the guest rooms with the ethernet jacks on the night stand...and enable the Private VLAN feature on each port.

And of course you'll want a beefy router at the edge which can handle a large load, and do good QoS and traffic shaping so that some greedy guest doesn't bog down the network for everyone else.

You can get fancier and do tagged VLANs...so that the Ubiquiti APs have a wireless network for the office, and a wireless network for the guests...and they'll be separated on a second layer (although client isolation mode on the guest network would be enough).
 
I suggest not even using VLAN switches to isolate business systems from guest room traffic. Best practice would be two separate ISPs and physically independent networks.
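
The forwarding rule behind the "AP isolation" and Private VLAN features mentioned in the replies above, as an added example that is not part of any post in this thread: a toy Python model in which guest ports are isolated and only the gateway uplink is promiscuous. Port names, roles and MAC addresses are constructed for illustration and do not come from any vendor's configuration.

```python
# Added example: toy model of isolated-port (private VLAN) forwarding.
# Port names, roles and MACs are constructed, not taken from any vendor config.
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Switch:
    roles: dict                      # port -> "promiscuous" | "isolated"
    isolation: bool = True           # False models a plain flat subnet
    mac_table: dict = field(default_factory=dict)  # learned MAC -> port

    def allowed(self, in_port, out_port):
        """Isolated ports may exchange frames only with promiscuous ports."""
        if in_port == out_port:
            return False
        if not self.isolation:
            return True
        return "promiscuous" in (self.roles[in_port], self.roles[out_port])

    def forward(self, in_port, src_mac, dst_mac):
        """Return the sorted list of ports the frame leaves on."""
        self.mac_table[src_mac] = in_port           # source learning
        if dst_mac != BROADCAST and dst_mac in self.mac_table:
            candidates = [self.mac_table[dst_mac]]  # known unicast
        else:
            candidates = list(self.roles)           # broadcast/unknown: flood
        return sorted(p for p in candidates if self.allowed(in_port, p))

def guest_exposure(switch, guests):
    """Pairs (a, b) where a broadcast from guest port a reaches guest port b."""
    pairs = set()
    for port, mac in guests.items():
        for out in switch.forward(port, mac, BROADCAST):
            if out in guests:
                pairs.add((port, out))
    return sorted(pairs)

ROLES = {"uplink": "promiscuous", "room1": "isolated", "room2": "isolated"}
GUESTS = {"room1": "02:00:00:00:00:01", "room2": "02:00:00:00:00:02"}

if __name__ == "__main__":
    flat = Switch(ROLES, isolation=False)
    pvlan = Switch(ROLES, isolation=True)
    print("flat subnet :", guest_exposure(flat, GUESTS))
    print("isolated    :", guest_exposure(pvlan, GUESTS))
    # Known unicast between rooms is dropped too, not just broadcasts.
    print("room1->room2:", pvlan.forward("room1", GUESTS["room1"], GUESTS["room2"]))
```

On the flat subnet every guest broadcast (ARP, file-sharing name announcements) reaches the other rooms; with isolation on, the only port a guest frame can leave on is the uplink.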
 
