2

For simplicity, let's say my network looks like this:

                 [Internet/Modem]
                        |
           [Standard home wi-fi Router]
                        |
[Windows/Mac PCs]  [NAS Drive]  [XBOX]  [Printer]

As it is set up now, everyone can talk to each other and the internet, but I'd like to restrict it as follows:

  • The PCs should not be able to talk to the XBOX
  • The XBOX should not be able to talk to the Printer or the PCs
  • The NAS drive and the Printer should not have internet access and should not be able to initiate a connection to any device on the network.

Trying to figure out how to do this, I've been looking at routers, managed switches, smart switches, VPN firewalls, unmanaged plus switches, etc. and I'm suffering from information overload without enough of the right keywords to search for what I need.

What is a typical way to configure these kinds of communication flow policies for a small home/office network?

3
  • 2
    You don’t do this in SOHO. Simple as that. For this to work, devices need to be on physically separate networks. A router with a firewall will do the rest.
    – Daniel B
    Commented Nov 10, 2014 at 21:20
  • Sorry, I'm a noob and it doesn't seem as simple as that. Is this not a more secure configuration? Regarding "physically separate networks" - will a router with the ability to create VLANs suffice? Which devices go in each VLAN if so? Regarding "a router with a firewall" doing the rest, my router has a firewall installed, but I don't see any options for controlling communication flow between different vlans. What kind of router and firewall are you referring to? I've seen so many different types of router and firewall devices out there...looking here for help to get started.
    – user388043
    Commented Nov 11, 2014 at 1:48
  • 1
    Secure, huh. I’d say it’s borderline paranoid. Yes, port-based VLANs would certainly do the job, though your router won’t do this unless loaded with some aftermarket firmware like OpenWrt.
    – Daniel B
    Commented Nov 11, 2014 at 6:22

2 Answers

1

For item 3, you can simply configure your printer and NAS with static IPs and no default gateways. You can also go a step further: if your router has a firewall, you can create a rule that blocks inbound and outbound traffic to/from their IP addresses.

For your other two items, there is no easy way to do that. The easiest thing to do would be to order a block of IPs from your ISP and physically separate it into two networks as per Daniel's comment. Most ISPs require a business account to order a block of static IPs, however. If not, you could upgrade to a business class router that allows multiple networks over the LAN. I'm familiar with Zyxel USG products. The USG 50, for example, lets you assign different zones to different LAN ports. For example, port 1 could be 192.168.1.x and port 2 would be 10.0.0.x. You'd set your routing table and firewall to make sure that the network on port 1 cannot communicate with port 2 and vice versa.

2
  • I don't see how I can configure my NAS drive or my Printer to not have a default gateway. They do not have configuration settings - I just plug their Ethernet cables into my router. I also don't see how to set my firewall up on my basic wifi router to block incoming/outgoing traffic per device. I get even more confused when you start talking about getting more external IPs to address internal LAN configurations. How would the USG50 be better than getting a wifi router with Tomato or DD-WRT?
    – user388043
    Commented Nov 11, 2014 at 1:56
  • Well, almost every NAS and network printer can be configured with a static IP address. It involves finding out what IP address was leased to them by your DHCP server and getting into the web config to make the changes. The problem is that there is no easy way to give step-by-step instructions on how to achieve your goals. There are too many different NAS, printers, routers etc to do anything other than point in the right direction.
    – pooter03
    Commented Nov 11, 2014 at 2:29
1

In the end, I figured out a simple way to do this, so posting my answer here.

Buy a basic switch that supports VLANs, like the Netgear GS108e.

Plug the devices into the switch as follows:

  • Port 1: Wi-Fi Router
  • Port 2: NAS Drive
  • Port 3: XBOX
  • Port 4: Printer
  • Ports 5-8: Mac/PC Desktops, Laptops, and/or a wireless access point for wireless clients.

Enable Advanced Port-based VLAN support on the switch and set up the port-based VLANs as follows:

  • VLAN 1: Ports 1,5,6,7,8 (Internet access for desktops/laptops)
  • VLAN 2: Ports 4,5,6,7,8 (Printer access for desktops/laptops)
  • VLAN 3: Ports 2,5,6,7,8 (NAS access for desktops/laptops)
  • VLAN 4: Ports 1,3 (Internet access for the XBOX)
  • VLAN 5: Ports 2,3 (NAS access for the XBOX)

This setup does everything I was looking for except preventing the Printer and the NAS drive from initiating outbound connections. To address that issue, I set up the Printer and NAS drive with static IP addresses, flashed my router with DD-WRT, and used iptables to restrict outbound traffic from those two static IPs.
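As an added worked example (not part of this answer, and not Netgear's or DD-WRT's own tooling), the script below checks the port-based VLAN plan above against the three requirements in the question, then generates the DD-WRT iptables rules for the one requirement that port-based VLANs cannot express. The port roles and VLAN memberships are exactly the ones listed in the answer; the NAS and printer addresses (192.168.1.50 and 192.168.1.51) are constructed placeholders for whatever static IPs you assign, and the `-m state` match is assumed to be present in the router's iptables build.

```shell
#!/bin/sh
# Added example, not code from the original answer.
# Part 1 checks the switch plan: with port-based VLANs, two ports can exchange
# frames iff they share at least one VLAN. Part 2 emits the iptables rules for
# the directional requirement ("must not initiate") that VLANs cannot express.
# Port roles from the answer: 1 router, 2 NAS, 3 XBOX, 4 printer, 5-8 PCs.

# VLAN id -> member ports, as configured on the switch in the answer
vlan_ports() {
  case "$1" in
    1) echo "1 5 6 7 8" ;;   # router + PCs
    2) echo "4 5 6 7 8" ;;   # printer + PCs
    3) echo "2 5 6 7 8" ;;   # NAS + PCs
    4) echo "1 3" ;;         # router + XBOX
    5) echo "2 3" ;;         # NAS + XBOX
    *) echo "" ;;
  esac
}

# in_list NEEDLE WORD... : succeeds if NEEDLE equals one of the WORDs
in_list() {
  needle=$1; shift
  for w in "$@"; do [ "$w" = "$needle" ] && return 0; done
  return 1
}

# can_talk A B : succeeds if ports A and B share at least one VLAN.
# The relation is symmetric: port-based VLANs can isolate two devices, but
# cannot say "A may open connections to B while B may not open them to A".
can_talk() {
  for v in 1 2 3 4 5; do
    members=$(vlan_ports "$v")
    if in_list "$1" $members && in_list "$2" $members; then
      return 0
    fi
  done
  return 1
}

# check_plan : one line per requirement; returns non-zero on any violation
check_plan() {
  rc=0
  for pc in 5 6 7 8; do
    can_talk "$pc" 3 && { echo "FAIL: PC port $pc reaches XBOX"; rc=1; }
  done
  can_talk 3 4 && { echo "FAIL: XBOX reaches printer"; rc=1; }
  for dev in 2 4; do
    can_talk "$dev" 1 && { echo "FAIL: port $dev reaches router/internet"; rc=1; }
  done
  [ "$rc" -eq 0 ] && echo "OK: PCs/XBOX isolated; NAS and printer cut off from the router"
  echo "NOTE: NAS/printer -> PC initiation is not blocked by VLANs (reachability is symmetric)"
  return "$rc"
}

# Constructed placeholder addresses; replace with the static IPs you assigned.
NAS_IP=${NAS_IP:-192.168.1.50}
PRINTER_IP=${PRINTER_IP:-192.168.1.51}

# firewall_rules [CMD] : DD-WRT firewall script body. Connections the NAS or
# printer tries to start (state NEW) are dropped, both when routed through
# the router (FORWARD) and when aimed at the router itself (INPUT); replies
# to connections the PCs opened are untouched because they are not NEW.
# Only traffic that actually reaches the router is affected: frames switched
# between ports inside one VLAN never pass through it.
# Pass "echo" as CMD for a dry run that prints the rules instead of installing them.
firewall_rules() {
  ipt=${1:-iptables}
  for ip in "$NAS_IP" "$PRINTER_IP"; do
    "$ipt" -I FORWARD -s "$ip" -m state --state NEW -j DROP
    "$ipt" -I INPUT   -s "$ip" -m state --state NEW -j DROP
  done
}

# Dry run when executed directly: verdict on the plan, then the rules.
check_plan
firewall_rules echo
```

Run as-is it is a dry run: `check_plan` prints the verdict on the VLAN plan and `firewall_rules echo` prints the four rules instead of installing them; on the router, the body of `firewall_rules` with `iptables` in place of `echo` is what goes into the Save Firewall script. Two things the check makes explicit: "may not initiate a connection" needs connection tracking on a device the traffic traverses, which is why the VLAN plan alone could not cover it, and the router's rules only apply to traffic that reaches the router, so same-VLAN traffic switched directly between ports is outside their reach.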
