Single ISP and two completely independent networks

parlos

Hello Community, was wondering if I can get some help. In the near future I will sublet an office inside my property. The property has a single internet line and will need to share this with the renter.

Currently I have an ISP-provided modem/router where I have three PCs and wireless devices connected.
I need to share the internet access to this office by means of an Ethernet jack; this will allow him to place any type of wired/wireless network he needs by providing his own hardware.


My question revolves around security and how I can create these two 1000% separate networks.

My thoughts are:

Connect two routers from the WAN port to the LAN ports on the ISP-provided modem/router.

Each router will have a fixed IP, but changing the third digit, i.e. 192.168.x.y, where x will be different in both.

The renter will not have any admin passwords to the routers or physical access to any hardware other than an Ethernet jack in the office.

Is this all I need to guarantee completely independent networks and security that no access exists between computers on either network?
 
No. There is no guarantee from a single ISP connection. Anything the renter does, online, you're responsible for.

Get your ISP to provide another line to your building and have the renter be fully responsible for signing up with the ISP (on their own).
 
I guess I should rephrase that. My main security concern is them having access to the PCs on my network in some way or manner. If so, what steps can I take to maximize this security other than what I just mentioned?

Let's say that whatever he does online, I'm willing to take a risk with that. I just don't want anyone connected after that Ethernet jack to have access to anything in my LAN.
 
No, I understood. Nothing changes on my suggestions.

You may think you're willing to take a risk, but the fact that you want to protect 'your' LAN shows you're not.

This is like giving a copy of your car/house keys to mere acquaintances. The insurance nightmare isn't worth it. And the potential risks are identical (to me).

Do you have an ironclad contract with the renter of what online activities are allowed on your connection? If not, don't.

A wired connection to the main router of a shared ISP? No guarantees. Unless you're willing to put up a secure/hardened pfSense type box between you and the renter (and you know how to manage it, of course), this is not a course of action I would pursue (and even with this hardened pfSense box, sharing an ISP with strangers (you have no idea who the renter will allow on their 'side' of the network) is just a bad idea to the end).
 
Connect two routers from the WAN port to the LAN ports on the ISP-provided modem/router.

Option 1 - two routers with separate subnets in double NAT and firewalls enabled. You may place your router IP address in the ISP router DMZ to save extra port forwarding work. The other router's user has to ask you to forward ports for him, if needed. The second router can't have its own DDNS; you both share the same external IP. May run services on different ports though. If he adds another router after yours, that makes things more complicated.

Option 2 - when the ISP provides more than one external IP address. If available, your ISP equipment should be in modem mode and both routers get their own external IPs, creating two completely independent networks. Both can communicate through the Internet only. Own DDNS, port forwarding, control over the router - the best case scenario. No change in speed, bandwidth and responsibility - as per the service agreement of whoever signed the contract.
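The double-NAT layout from Option 1, modelled as an added example (not part of the thread or any poster's own code): it checks the address plan for overlapping subnets and works out which segment can open connections to which. The subnets, segment names and the "default NAT router" behaviour are assumptions, since the thread only gives "192.168.x.y".

```python
import ipaddress

# Constructed address plan (assumption): the thread only says "192.168.x.y".
# Each segment maps to (subnet, upstream segment); None means the Internet side.
PROPOSED = {
    "isp_lan": ("192.168.0.0/24", None),        # LAN of the ISP modem/router
    "owner":   ("192.168.10.0/24", "isp_lan"),  # behind the owner's router
    "renter":  ("192.168.20.0/24", "isp_lan"),  # behind the renter's router
}
# Today's layout with a renter router added: owner PCs still sit on isp_lan.
CURRENT = {k: v for k, v in PROPOSED.items() if k != "owner"}

def overlapping(plan):
    """Pairs of segments whose subnets overlap, which breaks routing in double NAT."""
    nets = {n: ipaddress.ip_network(cidr) for n, (cidr, _) in plan.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

def upstream(plan, seg):
    """Segments a host on `seg` is NATed through on the way out, nearest first."""
    chain, parent = [], plan[seg][1]
    while parent is not None:
        chain.append(parent)
        parent = plan[parent][1]
    return chain

def can_initiate(plan, src, dst):
    """Can a host on `src` open a connection to a host on `dst`?

    Assumption: every router is a default NAT router (outbound allowed,
    unsolicited inbound dropped, no port forwards, no DMZ entry).
    """
    return src == dst or dst in upstream(plan, src)

def reachable_from(plan, src):
    """All segments a host on `src` can initiate connections to."""
    return sorted(d for d in plan if can_initiate(plan, src, d))

if __name__ == "__main__":
    for label, plan in (("current", CURRENT), ("proposed", PROPOSED)):
        print(label, "overlaps:", overlapping(plan))
        for seg in plan:
            print(f"  {seg} -> {reachable_from(plan, seg)}")
```

In the current layout the renter's side can reach `isp_lan`, which is where the owner's PCs sit today; in the proposed layout neither side can initiate to the other, but both can still reach anything left on the ISP router's LAN.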
 
Let me address both concerns. I've also attached a diagram of what I'm thinking of; the renter will not have direct access to my ISP router, I would put a router/firewall in between.
What the renter could be doing online is of no concern to me, he could be running an illegal business online for all I care, I just don't want him to be able to access my personal PC and take the pictures from my last trip to Epcot Center.

This is the hardware setup I'm thinking of. Is there any extra hardware and/or software safeguard I can place, or am I just having a pipe dream here?
 

Attachment: twoRouterOneISP.gif

It will work, but see my post above.
 
What the renter could be doing online is of no concern to me, he could be running an illegal business online for all I care

o_O

Which you'd be responsible for, legally.
 
o_O

Which you'd be responsible for, legally.
This really depends on where you live and the local regulations. Just saying, this is nothing new, nor special. This is only different from say Starbucks since they have a commercial account. But the timeshares you rent aren't using commercial ISP services. Prove your segmentation is solid, confirm your ISP contract verbiage about guests and/or tenant usage, and carry on if you wish.

If I were doing this, it would be similar to what you have proposed. I would most likely collapse the first router and the house router into a pfSense box and then hang the apartment router off of a dedicated interface of the pfSense firewall. This adds an additional layer of DNS/DHCP segmentation away from the pfSense box while putting additional firewall features into action.

Your biggest challenges here will be IPv6 (unlikely to ever work in a setup like this) and preventing them from being asshats on your connection.
 
Thanks all for your responses... we all got a bit sidetracked on the legal, insurance... thanks for all the tech tips.
 
