2 separate networks with one provider?

chnapo

Jan 4, 2018
Hi guys,
in our office we have some Apple devices, Windows PCs, Android phones and a NAS. We have one internet provider only. We work on Macs that are connected to the NAS, where the data is stored. But we sometimes need to connect the PCs and Android phones to the internet, too. Due to security concerns, we don't want the PCs and Androids to be able to reach the NAS in any way. Is there a way to create a separate network for "safe" devices (Macs and iPhones) that would be able to access the NAS and a separate network for "unsafe" devices (Windows PCs and Android phones), so that the NAS is accessible from "safe" devices and isolated from the "unsafe" ones? Or do we have to use another internet provider to connect the "unsafe" devices?

One thing that can partially solve it is a guest network, but it sucks (you have to log in and enter a password in the browser every time you connect, and it is Wi-Fi only).

Thanks, I hope there is a solution for us.
 
The guest network is an answer. The more generalized answer is VLANs, or virtual local area networks. VLANs require hardware (switches and router) that supports it. To have Wi-Fi with VLANs you also have to have dedicated Wi-Fi access points rather than a Wi-Fi router. Everything you want is doable with a few hundred dollars of hardware. For a business, you should probably have an expert design/install this if you are not network savvy.
 
A guest network could be an answer, but it is not. It is rather annoying to log in every time we want to access the internet. I was thinking about something like connecting a second router and somehow disabling any network sharing except the internet connection with the first one, but I don't think it is possible. We are a business, but we don't have an expert; we are a very small business 😀 we do it ourselves.
 
Why would you need to log in? You can set a password and save it like a normal Wi-Fi network.

An EdgeRouter and UniFi AP will do the VLANs, trunking, guest, and guest isolation for <$200.
The firewall rules still need to be set up right so that packets don't go from the guest gateway to the business gateway or vice versa.

If your ISP is giving you two IPs you can use a second router. Plug the WAN into a switch and both routers into the switch.
The business-side router should only have route rules to pass packets to the WAN-side gateway.
 


A college grad student could probably set up what you want. The Ubiquiti recommendation above is a good one. It is a few hundred $$$ to purchase. But incorrectly setting it up negates the benefits of the purchase. "Do it yourself" isn't smart for unskilled computer security, electrical wiring or elective surgery. It is a business expense; treat it like one and deduct it from the business's taxes. It is no different than rent or electricity.
 
I have to agree in principle w/ the comments herein about consulting experts, esp. for a business situation. However, at some point you end up beating a dead horse, and some people are just resolute in solving the problem on their own. And in such cases, once warned, I like to provide a solution, even if imperfect.

Technically, you don't *need* VLANs. VLANs are certainly convenient, and would be my own preference if I was doing this for my own purposes. But you can also just daisy-chain a second router for those devices that should NOT have access to anything but the internet. The key is using firewall rules to prevent access to devices on the private network of the upstream (primary) router.

The net effect is the same as using a single device and individual networks. Both routers maintain their own networks, and you firewall the second network from the primary network. If you want those on the secondary network to have *some* access to resources on the primary network (e.g., a shared printer), you can make exceptions in the firewall. But at the end of the day, using separate networks on the same router, or separate networks on separate routers, it comes down to the same thing: firewalling!

So if you want a cheap solution, that'll work. Just requires a router that gives you some control over the firewall configuration, preferably using iptables. Probably third party firmware would be required (dd-wrt, tomato, openwrt, etc.). Heck, you may already own such a device.

Again, I would still recommend an expert, but I know this is going to fall on deaf ears. So I thought I might as well offer a solution, and one that's relatively simple to implement.
 
Workgroup/password protection. Easiest thing you can do.

Your NAS should have a user group pool as well. Go in and make it viewable by the accounts you want, and disable guest logins.

Even within my own home/office network (which is a little simpler w/o the Mac) I just create a different workgroup name, and set each computer I want to have access as a profile on the other machines I want it to see. Even with an Android device, it will prompt for a username/password before giving access to anything I am not "free broadcasting", like media/Plex/etc.
 


Not having to nest would certainly be my preference. But as I said, it seems to me the OP is resolute about keeping things cheap. And regardless, it's still two separate, unbridged Ethernet networks separated by a firewall. In either case, the security depends on the strength of that firewall. Most of us every day are behind our ISP's router(s) using the same configuration! And they don't seem to have problems keeping their customers out of their own networks.

Again, we're in agreement in principle, but I've seen this before. The customer insists on the cheapest, simplest solution. Daisy-chaining will do the job. It's certainly an improvement over the current situation.
 


I don't agree. When you are on the same layer 2 with an untrusted source it opens a lot more security holes.
It's not the same as how it works with the ISP. I really wouldn't trust the ISP either; it's routine for them to use DPI to hijack your DNS. Information is revenue; anyone will take it and sell it. Encrypt everything.
 


Yes, but the only Ethernet network we're worried about is downstream. We're not worried about whether the upstream ("safe") network can play games w/ the downstream ("unsafe") network in this situation (at least I'm not). You're treating both sides of the WAN on the second router as if they are peers. They're not. All we care about is not allowing the downstream ("unsafe") network to have access to the upstream ("safe") network. That's why I didn't recommend having them reversed (as I've seen some people do), where the "safe" network has to traverse the "unsafe" network. In that case, yeah, all kinds of games are possible.

Again, all this is relative. Compared to the current situation, it's a significant improvement. But if I had the money and authorization to go the full monty, yeah, I'd be all over a single router w/ VLANs solution. But for now, consider it a stop-gap measure until the OP can afford something better (or comes to his senses :) ).
 
I love eibgrad's solution. Guys, I did not think I needed to explain why I need a DIY solution, so I didn't, but now I see I should. We did not like that guests and a Windows PC that we have had to log in via the browser. Our current router does not support a WPA2 password for the guest network, only browser login. So he picked the simplest solution: use an LTE router and unlimited data for 12 EUR/month to create a completely separate network for PCs and Androids. This way they will not affect the workflow on the Macs in any way (not even internet speed, logically). He told me to either use this solution or come up with something else using our current network with a maximum of some 100-200 EUR investment. As I didn't think that having 4G/LTE radiation 8 h per day, 5 days per week right behind my head is the healthiest thing (and the speed of LTE in our city is poor, max 5-10 Mbps, while wired is 200 Mbps), I decided to try and look for other solutions. So my boss will not pay an IT expert to solve something that is already solved. He does not have a problem investing in good stuff, but this is my suggestion to him instead of his solution. And please, let's not start a debate about whether 4G affects health; 5 Mbps is too little speed anyway. I would be the one most often using the PC and that slow network.

Another thing: actually there is no guest access to the NAS, only for registered users. But even if that makes it safe from viruses, we also had some other problems with PCs on the network where the Macs are. They simply must be separated.
 
If it helps, here's the firewall script I use for my own dd-wrt guest router.

https://pastebin.com/1df1XsuK

The reason *I* use this approach for my home network is I don't like keeping the guest network up unless we really have guests. But I don't want the spouse or kids messing around w/ the primary router to enable/disable the guest network, which may be necessary when I'm on the road (and that happens a lot). Because I know what's going to happen: they'll mess it up to the point it doesn't work at all, and now I don't even have remote access.

So my solution was to grab an old dd-wrt compatible router (of which I have plenty) and configure it as a guest router, using the aforementioned firewall rules. And now enabling/disabling the guest network is as simple as plugging/unplugging its AC adapter. So simple even a caveman could do it.

You can just as well use this technique in other scenarios, like yours. As I said, better than no solution at all. And it's dirt cheap.

 


Just to be sure, you say that you set up the firewall on the guest router, not on the primary router? (Because that would be good; I don't want to mess with the setup of the primary router, although it does not seem right in my head how it would work.)
 


Yes, *everything* is configured on the secondary router. The primary router is totally oblivious to all this. It doesn't even know that the device holding the IP it assigned to the secondary router's WAN, part of its own network, is a router. It's just another LAN device on its network as far as it's concerned. In fact, you could take the same router and plug it into a neighbor's network and it would work (assuming you didn't have an IP conflict between the two networks). Or take it on the road and plug it into the LAN port at the hotel. It's all self-contained, and that's why you can plug it in or unplug it at will to take advantage of it.
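To make the daisy-chain approach from the earlier posts concrete (the second router whose WAN port hangs off a LAN port of the primary, with all filtering done on the second router), here is an added example of the kind of iptables firewall script such a secondary router would run. It is not the script from the pastebin link and not chnapo's or eibgrad's configuration; the interface names (`vlan2`, `br0`), the upstream subnet, the printer address and the gateway address are hypothetical placeholders for whatever your box actually uses.

```shell
#!/bin/sh
# Added example (not the pastebin script): iptables policy for a secondary
# "unsafe" router whose WAN port is plugged into a LAN port of the primary
# router. Everything lives on the secondary router; the primary is untouched.
# Interface names and addresses below are hypothetical; set them for your box.

WAN_IF="${WAN_IF:-vlan2}"                     # secondary router's WAN (dd-wrt often names it vlan2)
LAN_IF="${LAN_IF:-br0}"                       # secondary router's wired+wireless bridge
PRINTER_IP="${PRINTER_IP:-192.168.1.50}"      # hypothetical shared printer on the primary LAN
UPSTREAM_GW="${UPSTREAM_GW:-192.168.1.1}"     # hypothetical primary router address
ALLOW_UPSTREAM_DNS="${ALLOW_UPSTREAM_DNS:-0}" # 1 only if guests are handed the primary's DNS
DRY_RUN="${DRY_RUN:-1}"                       # 1 = print commands for review, 0 = apply (root)

# Run or print one iptables command depending on DRY_RUN.
ipt() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "iptables $*"
  else
    iptables "$@"
  fi
}

# Build the guest policy in its own chain so the script can be re-run safely.
emit_rules() {
  ipt -N GUEST_FW 2>/dev/null || true   # chain may already exist on a re-run
  ipt -F GUEST_FW

  # Exceptions first. RETURN hands the packet back to FORWARD, where the
  # firmware's own LAN->WAN accept rule lets it through.
  ipt -A GUEST_FW -d "$PRINTER_IP" -p tcp --dport 9100 -j RETURN
  if [ "$ALLOW_UPSTREAM_DNS" = "1" ]; then
    ipt -A GUEST_FW -d "$UPSTREAM_GW" -p udp --dport 53 -j RETURN
    ipt -A GUEST_FW -d "$UPSTREAM_GW" -p tcp --dport 53 -j RETURN
  fi

  # Then drop everything aimed at any private or link-local range, not just
  # the one upstream subnet, so extra VLANs or renumbering upstream stay covered.
  for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16; do
    ipt -A GUEST_FW -d "$net" -j DROP
  done

  # Hook the chain in front of FORWARD for guest-LAN -> WAN traffic only.
  # Delete any old jump first so repeated runs do not stack duplicates.
  ipt -D FORWARD -i "$LAN_IF" -o "$WAN_IF" -j GUEST_FW 2>/dev/null || true
  ipt -I FORWARD 1 -i "$LAN_IF" -o "$WAN_IF" -j GUEST_FW
}

emit_rules
```

Run it once with the default `DRY_RUN=1` to review the generated commands, then with `DRY_RUN=0` as root on the secondary router (on dd-wrt, a script saved as the firewall script under Administration > Commands re-applies on every boot). Two caveats a practitioner should keep in mind: the rules above are IPv4-only, so if the primary router hands out global IPv6 addresses you need matching ip6tables rules or IPv6 disabled on the secondary router, otherwise the NAS stays reachable over IPv6; and the NAS's own account restrictions (no guest login, as noted upthread) remain the second layer, not a substitute for this one.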