Network for safe work environment without compromising personal usage

Josh90
Hi,

Thanks in advance to anyone who is willing to help (my first post).
I am moving to a house that has a smart network infrastructure that will allow many spots in different rooms to access the network over LAN for best performance (such as the TV, for example). I would like to connect everything to the same router (I will probably get a switch later because there are around 12 ports in total), and I was wondering if I can accomplish the following. I will list the devices for each case first, and then explain.

1. Work environment only: there are 2 PCs that are supposed to be for work purpose only.

2. Work environment and personal usage: 1 NAS (Synology DS716+II), that contains a special folder for work that has access to the administrator only, and a folder for media, that is for a user with less privileges. (This NAS is basically what makes my setup a little bit complex, because I want isolation from work for security but also want to use it in the TVs for the media).

3. Personal environment: All the other devices that will be connected and isolated from my work environment; however, I would still like some of them to gain read-only access to the NAS (again, the main thing that complicates this setup and caused me to write this post for the networking professionals), for the media folder only.

* I know there is a feature such as "Guest Network" but I am not sure if it fits my needs, because all the other devices such as phones etc. are not actually guests, and I want them to have access to everything in the house, as long as it's not my work computers and the NAS work folder. For example, I would like that, in the network that is isolated from the work network, iPhone A has the ability to AirPlay a video to an Apple TV that is connected to TV A (with HDMI). TV A would have access to the NAS media folder but iPhone A/Apple TV will not.

For a summary: Can I accomplish something like that with some kind of "Advanced Guest Network" or some similar concept that will allow me to have isolation from work network, and all the isolated devices can still connect to each other and only between each other (no access to work network), but with the exception that some of the home devices (let's say TVs A,B,C) will have read-only access only to the NAS media folder while the other devices are totally blocked from the NAS (and of course the work network in general)?

I was thinking to buy the ASUS AC88U, which looks great to me and also has 8 ports which is very nice for a start. But seems to me that reviews mostly show the speeds/coverage/other features but I could not find anything about security details that cover what I just asked for above.

Thanks in advance! And my apologies if my English was not totally clear.
 
In order to get this separation (at layer 2) you should use vlans. Work PCs go to vlan 10 (for example), everything else goes to vlan 1 (default). The switch/router ports that connect your work PCs need to be in access mode on vlan 10. The rest of the ports stay in vlan 1.
Devices in vlan 10 have a different network subnet than devices in vlan 1 (e.g. 192.168.10.0/24 vs 192.168.1.0/24).
For the NAS you need your router to support a lan port in trunk mode carrying both vlans 1 (native) and 10 (tagged). Also, your NAS has to support this as well.
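The router side of the VLAN split described in this reply, as an added example (not code from the thread, from Asuswrt-Merlin or from any router firmware). It assumes a Linux-based router with interface names wan0 (upstream), lan0 (the LAN trunk port, untagged = home VLAN 1) and lan0.10 (tagged work VLAN 10); the subnets are the ones the reply uses. It creates the tagged sub-interface, gives each VLAN its own gateway address, and installs a default-deny FORWARD chain that lets both LANs reach the WAN, logs and drops anything crossing between them, and finishes with a check that no rule accepts LAN-to-LAN traffic. Wi-Fi bridging and the switch-side trunk port for the NAS are left out. By default it only prints the commands; it applies them only when run as root with APPLY=1.

```shell
#!/bin/sh
# Added example, not from the thread or any vendor firmware.
# Assumed interface names (adjust for your device):
#   wan0    = upstream link
#   lan0    = LAN trunk port, untagged traffic = home VLAN 1
#   lan0.10 = tagged work VLAN 10 on the same port
WAN_IF="${WAN_IF:-wan0}"
HOME_IF="${HOME_IF:-lan0}"
WORK_VID="${WORK_VID:-10}"
WORK_IF="$HOME_IF.$WORK_VID"
HOME_GW="192.168.1.1/24"     # router address in the home subnet
WORK_GW="192.168.10.1/24"    # router address in the work subnet

# Commands that create the tagged sub-interface and give the router
# one gateway address per VLAN.
vlan_cmds() {
cat <<EOF
ip link add link $HOME_IF name $WORK_IF type vlan id $WORK_VID
ip addr add $WORK_GW dev $WORK_IF
ip link set $WORK_IF up
ip addr add $HOME_GW dev $HOME_IF
EOF
}

# Firewall: default-deny forwarding, allow replies, allow each LAN out
# to the WAN only, log then drop anything crossing between the LANs,
# and NAT everything leaving on the WAN.
isolation_rules() {
cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WORK_IF -o $WAN_IF -j ACCEPT
iptables -A FORWARD -i $HOME_IF -o $WAN_IF -j ACCEPT
iptables -A FORWARD -i $WORK_IF -o $HOME_IF -j LOG --log-prefix "xvlan-drop: "
iptables -A FORWARD -i $HOME_IF -o $WORK_IF -j LOG --log-prefix "xvlan-drop: "
iptables -A FORWARD -i $WORK_IF -o $HOME_IF -j DROP
iptables -A FORWARD -i $HOME_IF -o $WORK_IF -j DROP
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}

# Number of rules that would ACCEPT traffic between the two LAN
# interfaces in either direction; must be 0 for the isolation to hold.
cross_lan_accepts() {
    isolation_rules \
      | grep -c -E -- "-i ($WORK_IF|$HOME_IF) -o ($WORK_IF|$HOME_IF) -j ACCEPT" \
      || true
}

# Print the plan by default; execute it only with APPLY=1 (needs root).
main() {
    if [ "${APPLY:-0}" = 1 ]; then
        vlan_cmds | sh -e
        isolation_rules | sh -e
    else
        vlan_cmds
        isolation_rules
    fi
    echo "# rules accepting LAN-to-LAN traffic: $(cross_lan_accepts)"
}
main
```

The two LOG rules are there for detection: any frame that makes it to the router with a source on one VLAN and a destination on the other shows up in the kernel log with the "xvlan-drop:" prefix, which is the signal that something on the home side is probing the work side (or that a port was put in the wrong VLAN).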
 
Thanks for the good information.
I'm not such an expert in this and the term VLAN is new to me, and I did read about it today. Can the ASUS AC88U support such a thing (I couldn't see it in its manual when I searched for VLAN)? If not, which router does? And what if the NAS has link aggregation and I still would like to use it with that trunk feature? Which router is recommended to buy that has good Wi-Fi too? Thank you!
 
Hi,
Actually, after considering the options I have, I think it will be simpler for me to just buy another cheap NAS for the media and keep my current one for work purposes only. However, I would still like to have one internet connection/router and just create two separate networks with it: one for work and one for personal usage. Can I accomplish it with the ASUS AC88U, or can you offer me a different one that is better for it? I am not even sure it has this; all I could see was "guest network", but I don't want the personal devices to be like guests, just isolated, because I still want them to communicate with each other as long as it's not the devices of the work network. Perhaps a router that has 4 ports of link aggregation and not only two like the ASUS one? But that's not important, it's just a bonus. The most important thing for me is to be able to create two networks, so in case there is any virus/malware or anything suspicious going on with some of the home devices it will not transmit into the workstations.
Many thanks
 
Link aggregation is not what you need. That only helps when large numbers of devices are trying to reach the same server. It does not increase the bandwidth for a single device's access. Maybe useful if you had 4-5 devices trying to stream 4K video all at once.

Find a router and APs that support tagged VLANs. Assign devices to specific VLANs by their mac address. All others will go to a "guest" vlan.
 
Yes, link aggregation can only increase the bandwidth to a server/nas - for instance, use 2 ports on the router + 2 ports on the NAS and increase bandwidth from 1Gbps to 2Gbps (with some limitations based on the hashing algorithm used).
I see that the RT-AC88U is supported by @RMerlin and you could install his firmware, but it doesn't support tagged VLANs explicitly. Not sure if it's just a hardware limitation, or if he never found use for them. I also couldn't find it under the OpenWRT support page (https://wiki.openwrt.org/toh/start?dataflt[Model*~]=). OpenWRT supported VLANs last time I checked.

There is one (less secure) way of doing it - instead of VLANs, which offer layer 2 separation, you can simply use different subnets. Your work PCs use 192.168.10.0/24 while your home devices use 192.168.1.0/24. Your router will have to have two addresses on the LAN interface (br0, br0:0), and your NAS will have the same thing. You should also add firewall rules on the router and NAS to separate traffic between networks, but there's nothing preventing malware from listening for or initiating broadcasts on your LAN that would reach all devices. It could scan and map your network and could even assign an IP from the other class and communicate with the devices directly. So, it's some separation, but not very secure (it would require malware based on broadcast, or something specially crafted).
 
Edit: apparently you can use vlans on RMerlin firmware, but you need to configure them from a shell: http://www.snbforums.com/threads/vlans-on-merlin-mini-howto.20529/
Hi,

I'm not such an expert and those things are fairly new to me. I prefer having a router that already has it built in, and has a wifi etc.
1. Do you know such router that is similar to that Asus but has the tagged VLANs support?
2. If I configure VLANs, and let's say VLAN 1 is for the work PC and work laptop, and VLAN 2 will be used for all other devices, and one of those devices downloads torrents or gets some virus from surfing shady websites etc., will it absolutely guarantee none of this malware can somehow find its way to the work PC and laptop that are on the work VLAN?

Thanks again
 
You should be able to use VLANs configurable from the web interface with any router that supports OpenWrt - but check specifically their site first: https://wiki.openwrt.org/toh/start

Regarding separation - vlans offer layer 2 separation, which acts like different wires on a shared wire. So viruses and malware can't jump vlans (without special QinQ methods which I haven't seen in regular exploits), but malware can still attack your router and if it has vulnerabilities, it can be infected and from there attack the other network. Also, depending on how you want to communicate between these LANs, you may be protected if there is no communication between them, or vulnerable if there are firewall rules which allow specific traffic like Samba - which is usually used by malware to propagate. So - no guarantees, but better protection.
 
Hi,

What if I want to guarantee it? There will be absolutely no communications between the devices.
Perhaps if I buy 2 routers it will fix my problems?
I currently have an internet modem, which I should plug to my current wireless router's WAN port, and then I can have access to internet using its LAN ports and wifi.
Can I achieve isolation if I buy a router for work, to which only 2 machines will be connected, and a router for the home stuff? They both will have Wi-Fi and both should share the WAN because I don't want to pay another internet company. Please let me know if it's doable. Thank you!
 
There are a couple of ways to attempt to accomplish the isolation you are asking for.

1.) Buy two routers and use a double NAT to isolate
-- Modem --> Router1 --> LAN1 --> Router2 --> LAN2
-- this doesn't 100% isolate both networks from each other
-- this prevents the first network accessing the second network (but not the other way around)
-- this introduces other potential headaches due to the double NAT

2.) Purchase/build a VLAN capable Router, Switch, and Access Point
-- permits Layer2 and Layer3 isolation
-- firewall provides ability to restrict any and all traffic flows between subnets
-- If you want WiFi on both VLANs, it may require additional WiFi AP hardware depending on the solution

If I were building what you are asking for, I would be using a pfSense or OPNsense firewall, a managed switch, and one or two Ubiquiti APs. This would give the ability to have WiFi for both parts of the network via the Ubiquiti APs and managed switch. Then the pfSense/OPNsense firewall can have the rules set to not allow any traffic flows between the two networks.

Can this be done with other equipment? I'm sure it can... I just don't have any idea how flexible various consumer router devices really are, and prefer to use role-specific devices when possible to get more flexibility.
 
While anything seems to be possible today, two routers double NATed is probably very safe unless you have state players trying to get in and in that case it probably would be faster and easier for them just to break into your home and physically compromise your network.

Just be sure that your business network is on the second router and access from the WAN is disabled on this router as well as enabling all other good network security practices.
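A way to check the "access from the WAN is disabled" condition on the inner (work) router in the double-NAT layout, as an added example that is not from the thread or from any router firmware. It assumes the inner router runs Linux with iptables and that its uplink to router 1 is named wan0; the two `iptables-save` dumps are constructed for the example, one locked down correctly and one with the three mistakes that most often undo the isolation: a FORWARD chain left at ACCEPT, a port forward into the work LAN, and the admin UI reachable on the WAN side. On a real router the function is fed `"$(iptables-save)"` instead.

```shell
#!/bin/sh
# Added example, not from the thread or any router firmware.
# Assumed: the inner router's link to router 1 is the interface wan0.
WAN_IF="${WAN_IF:-wan0}"

# Constructed dump of a correctly locked-down inner router: both policies
# DROP, only replies and the inner LAN accepted, outbound NAT only.
GOOD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wan0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lan0 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i lan0 -o wan0 -j ACCEPT
COMMIT'

# Constructed dump with three common mistakes: FORWARD left at ACCEPT,
# a port forward into the work LAN, and the web UI open on the WAN side.
BAD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i wan0 -p tcp --dport 5000 -j DNAT --to-destination 192.168.10.20:5000
-A POSTROUTING -o wan0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i wan0 -p tcp --dport 80 -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# Prints one finding per line; exit status 0 only when nothing was found.
audit_inner_router() {
    dump="$1"
    findings=0
    # Default policies: anything no rule matches must be dropped.
    for chain in INPUT FORWARD; do
        if ! printf '%s\n' "$dump" | grep -q "^:$chain DROP"; then
            echo "$chain policy is not DROP"
            findings=$((findings + 1))
        fi
    done
    # Port forwards (DNAT/REDIRECT) arriving on the WAN expose inner hosts
    # to the outer LAN.
    fwd=$(printf '%s\n' "$dump" | grep -E -- "-i $WAN_IF .*-j (DNAT|REDIRECT)" || true)
    if [ -n "$fwd" ]; then
        printf '%s\n' "$fwd" | sed 's/^/port forward from WAN: /'
        findings=$((findings + $(printf '%s\n' "$fwd" | wc -l)))
    fi
    # ACCEPT rules for traffic entering on the WAN that are not limited to
    # conntrack states admit new connections from the outer LAN.
    new=$(printf '%s\n' "$dump" | grep -E -- "^-A (INPUT|FORWARD) -i $WAN_IF " \
          | grep -v -- '--ctstate' | grep -- '-j ACCEPT' || true)
    if [ -n "$new" ]; then
        printf '%s\n' "$new" | sed 's/^/new connections accepted from WAN: /'
        findings=$((findings + $(printf '%s\n' "$new" | wc -l)))
    fi
    [ "$findings" -eq 0 ]
}

# Stand-alone run over both constructed dumps.
for name in GOOD_DUMP BAD_DUMP; do
    eval "dump=\$$name"
    echo "== $name =="
    if audit_inner_router "$dump"; then
        echo "clean"
    else
        echo "NOT locked down"
    fi
done
```

The three checks correspond to the three ways the inner router usually ends up reachable from the home side: a permissive default policy, a port forward (for example for a NAS service) that punches through router 2, and management listening on the WAN interface. Rules qualified with `--ctstate ESTABLISHED,RELATED` are skipped on purpose, since those only admit replies to connections the work side opened.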
 
As I said, there are no guarantees: https://en.wikipedia.org/wiki/VLAN_hopping. There are ways to build specially crafted packets that could fool a switch/router and the packet could leak into the other network. It's very difficult to get bidirectional communication, but for some exploits it may not be necessary. (Maybe I'm too paranoid).
Here are some examples:
 
VLAN hopping hasn't been a huge risk for years. Most switches can mitigate it via proper configuration or input validation. There are much simpler ways for most attackers to get the data they want than chasing this.

If you are being that paranoid about home networking, your best bet is to just disconnect from the Internet. Rarely will a home user be targeted by anyone that skilled or motivated. Most of that fun is reserved for the higher profile and higher reward of corporate fun.