
morisato

join:2008-03-16
Oshawa, ON
kudos:1
Reviews:
·TekSavvy Cable
·TekSavvy DSL


Is there a way to create an isolated wired network?

Okay, so I have renters moving in and I want to isolate them so they cannot be seen or see my wired network. That's easy to do on wireless; is there some firmware out there that can do it on wired? Or by MAC, etc.? I have a Netgear WNDR3700 so I can flash as needed.

I do not want to double NAT or use 2 routers, etc. Ideally it would be nice if I could, just based on MAC address, isolate certain devices, i.e. renters are unable to see any local network, like it would be via a wireless guest network. I want a way to create a wired guest network p:)
--
Every time Someone leaves Sympatico an Angel gets its wings.

Dcite

join:2006-05-12
Mississauga, ON

If you have access to a 2nd router with DD-WRT, you can hook the 2nd router to your main one with its WAN port. After that, lock down the router and configure iptables rules to block traffic to your local network.

For example, the following iptables rule..
iptables -I FORWARD -p all --destination 192.168.0.0/24 -j DROP
will block all attempted connections from "192.168.0.0 to 192.168.0.255"

Also since the 2nd router is hooked up via the wan port, all their broadcasts are contained, all your broadcasts are contained in your network as well.

In order to ensure your own security though, I would suggest making the 2nd router also physically not accessible to the renter and just leave them a network cable to hook up to for Internet. If you allow VPN pass-thru it should not affect their usage too much, but make them aware that they have no internet accessible ports from the outside world (HTTP/SSH servers for example won't work even if they are running one).

JaY_III

join:2005-08-06
Belleville, ON
reply to morisato
Google VLAN
The hardware has to support it, however.
However, your router can have the features added if it supports something like TomatoUSB / DD-WRT / OpenWrt.

Also, if you have a managed switch it could be done at that level.

It really depends on how you have everything hooked up and how you plan to share the connection.

morisato

join:2008-03-16
Oshawa, ON
kudos:1
Reviews:
·TekSavvy Cable
·TekSavvy DSL
Well, my house has Cat5 drops in all the rooms. I just want to isolate 2 drops to their own virtual networks, thus preventing renter A from seeing renter B and both renter A and B from seeing me, the landlord P:) Also, by doing this it would make it easy to monitor excessive usage or other problems (I think).
--
Every time Someone leaves Sympatico an Angel gets its wings.


vlanman

@sunwave.com.br
reply to morisato
DD-WRT and some versions of Tomato, like shibby's, support VLANs. Define a second VLAN in a second netblock and assign the desired ports on the router to that VLAN. Other than seeing the router, they'll have no ability to access the main network.

Here's an example from the dd-wrt wiki: »www.dd-wrt.com/wiki/index.php/VL ··· nternet)

It's likely possible with OpenWrt as well.
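
The per-port isolation vlanman describes, extended to keep renter A and renter B apart as morisato asks, sketched as router firewall rules. This is an added example, not part of the original posts or the DD-WRT wiki; the interface names br0, vlan3 and vlan4 are assumptions, and it assumes the firmware already routes each guest VLAN to the WAN.

```shell
#!/bin/sh
# Added example, not from the thread: print (do not apply) iptables rules that
# isolate wired guest VLANs. Interface names are assumptions for illustration.
MAIN_IF="br0"            # landlord LAN bridge (assumed name)
GUEST_IFS="vlan3 vlan4"  # one VLAN interface per renter drop (assumed names)

isolation_rules() {
    main_if=$1
    shift
    # Guests may use the router only for DHCP and DNS, not its admin services.
    echo "iptables -N GUEST_IN"
    echo "iptables -A GUEST_IN -p udp --dport 67 -j ACCEPT"
    echo "iptables -A GUEST_IN -p udp --dport 53 -j ACCEPT"
    echo "iptables -A GUEST_IN -p tcp --dport 53 -j ACCEPT"
    echo "iptables -A GUEST_IN -j DROP"
    for g in "$@"; do
        echo "iptables -I INPUT -i $g -j GUEST_IN"
        # Routed traffic is filtered in FORWARD (not OUTPUT); -I places the
        # drops ahead of any ACCEPT rules the firmware already installed.
        echo "iptables -I FORWARD -i $g -o $main_if -j DROP"
        echo "iptables -I FORWARD -i $main_if -o $g -j DROP"
        # Keep the renters apart from each other as well.
        for other in "$@"; do
            [ "$other" = "$g" ] || echo "iptables -I FORWARD -i $g -o $other -j DROP"
        done
    done
}

# Print the rule set so it can be reviewed before being run on the router.
isolation_rules "$MAIN_IF" $GUEST_IFS
```

Once the printed rules look right, they can be pasted into the firmware's firewall startup script so they survive a reboot.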

morisato

join:2008-03-16
Oshawa, ON
kudos:1
Reviews:
·TekSavvy Cable
·TekSavvy DSL

reply to morisato
I wonder if I can traffic-shape VLANs using my router to limit VLANs, or implement QoS so renter traffic is lower priority than my own P:)

After reading the DD-WRT wiki it appears I am in luck with this particular router: Netgear commissioned some special features like per subnet/MAC/user QoS, etc. So I can become an evil traffic shaper and limit renter QoS to be less than mine. MUWAHHAHA I feel the POOOWER!! My ARPU is rising!

On other notes, I will do the flashing tomorrow so if something goes awry it's not 1 am P:) and report back on my solution to this.
--

Every time Someone leaves Sympatico an Angel gets its wings.

JaY_III

join:2005-08-06
Belleville, ON
Check out TomatoUSB. If you have support from shibby, I would go that route over DD-WRT.

It has VLANs and QoS.
Very easy to set up and get working.

You can also set up a traffic limiter for the VLAN
Say you have a 25/5 connection, you could limit the VLAN to never exceed 10/1 while still using QOS and traffic priority for example.

List of supported Routers
»tomato.groov.pl/?page_id=69


OSUGoose

join:2007-12-27
Columbus, OH
reply to morisato
VLANs are created for this exact purpose.


TwiztedZero
Nine Zero Burp Nine Six
Premium
join:2011-03-31
Toronto, ON
kudos:5
reply to morisato
said by morisato:

I do not want to double NAT or use 2 routers, etc.

You really don't have a choice in the matter; if you really want to isolate, you do need a managed switch and a secondary access point (router), pretty much. Sorry. You might get away with an unmanaged dumb switch initially though.

Have a look around at various network topologies and strategies for achieving what might work ideally for your particular situation.
--

!- From the mind located in the shadows of infinity -!
Nine.Zero.Burp.Nine.Six
Twitter = @TwiztedZero
Chat = irc.teksavvy.ca


cable4me

@teksavvy.com
reply to JaY_III
Pretty much all of the Tomato/DD-WRT-supported consumer-grade routers use a switch with built-in VLAN support. They implement their WAN & LAN ports as separate VLANs, as their CPU/SoC only has a single Ethernet PHY. See: »en.wikipedia.org/wiki/One-armed_ ··· d_router

Once they are loaded with the right versions of Tomato/DD-WRT, they are pretty much the cheapest VLAN capable switch you can get.

InvalidError

join:2008-02-03
kudos:5
reply to TwiztedZero

Re: Is there a way to create an isolated wired network?

said by TwiztedZero:

You really don't have a choice in the matter; if you really want to isolate, you do need a managed switch and a secondary access point (router), pretty much.

Most routers' switch ICs have at least basic VLAN support (VLAN tagging) even though almost none of them actually expose any of that functionality in their stock firmware.

IIRC, even the old WRT54 can do VLANs, and that should make it theoretically possible to modify a firmware to isolate individual LAN ports on it using VLANs. Not sure there is any GUI firmware that supports that though, so you'd likely have to use one of the more command-line-intensive ones.


BTC Kevin

join:2011-10-01
Nepean, ON
kudos:1
reply to morisato
Canada Computers has a bunch of Cisco small business edition routers and switches with VLAN-enabled ports. You can isolate each port to a separate network. And it's not very expensive.

My setup is a

4-port gig-E router with 3 VLANs

VLAN ID 1 VoIP ATAs (ports 1,2)
VLAN ID 2 switch 1 (port3)
VLAN ID 3 switch 2 (port4)

Switch 1 8 ports on VLAN ID 2
Switch 2 8 ports on VLAN ID 3

This gives me 3 networks.

PHONE network
Network 1,
Network 2,

I use the Phone network with QoS set to connect all VoIP phones.
Then Network 1 I use to host all NAS and server machines.
Lastly, Network 2 I use for my desktops.

I set it so traffic cannot get from one VLAN to the other. And this isolates the networks.