How to share only internet but not computers securely?

luv2liv

Diamond Member
Dec 27, 2001
3,493
92
91
I work together with other smaller companies in a building, more like a house. We share the same internet connection from this Verizon Fios router. I have 2 computers plugged in directly via cat5 and can see everyone else's computers, and most likely they can see my 2 computers.
How do I create my own secure network so that only I can see my 2 computers and no one else can? I have no admin access to that Verizon box. Also if that Verizon network is compromised, how can I protect my 2 computers?
 

VirtualLarry

No Lifer
Aug 25, 2001
56,349
10,049
126
It's pretty simple, just get another router, plug its WAN port into a LAN port on the Verizon FIOS router, and set it up as a different IPv4 subnet (there may be more to do when IPv6 gets implemented by VZ). Such as, if the Fios router is 192.168.0.1, set your router to have a LAN IP of 192.168.16.1 or something that none of your neighbors are using.

Then, your PCs will be on their own LAN, protected via NAT and SPI, from incoming connections over your "WAN" address, thus other PCs attached to the Fios router's LAN ports won't be able to "peek into" your LAN.

I actually recommend this setup for any/all Fios customers, as VZ has some visibility into their routers, and any PCs on it.

Edit: That works for consumer connections, and mostly-outgoing / web-browsing / streaming-video connections, but because of the double-NAT, it's not ideal for businesses hosting internet-facing services.

I recommend getting multiple static IPv4 addresses from VZ (or a block), and then use the "Static NAT" in the G1100 Fios router's Advanced or Firewall section, and then set your secondary router's WAN port to a static IP, and then put the external VZ IP reserved for your LAN, and the WAN port IP, into the Fios router's "Static NAT" section. This will allow a 1:1 static NAT between the public static external IP, and the static WAN port IP address on your secondary router, thus should not be as problematic as double-NAT will.
 

luv2liv

So following your advice, I will use the spare Netgear router I have in my house and set it up to something like this?


[attached picture]


Thanks!
 

VirtualLarry

Nope, that's the WAN IP section. I was talking about setting the LAN IP to 192.168.16.1, for an example, and then have the WAN IP be set to "get dynamically from ISP" (DHCP).

If you had a public static IP address, that you were going to 1:1 'Static NAT' in the G1100 Fios Router, then you would set the WAN IP to "Use Static IP address" as you have there in your picture, but a Static IP that was within the LAN IP subnet of the Fios router's LAN IP.
 

VirtualLarry

Basically, it may seem like what I'm saying is complicated gobbledygook, but think of it in LAYERS.

Outermost layer: Public IPv4 address provided by ISP - AAA.BBB.CCC.DDD
First router layer: WAN IPv4 as assigned by ISP, using DHCP most likely, could be static. AAA.BBB.CCC.DDD, LAN IP address designated in settings, usually but not always, 192.168.1.1 or .0.1.
Second router layer: WAN IPv4 address assigned by first router's LAN DHCP, so something in the 192.168.1.x range, could be set dynamic (DHCP), or static, LAN IP address needs to be on a different subnet than first router, so LAN IP would be 192.168.16.1, with a DHCP pool set to 192.168.16.50-100, say.

Then the PCs that you connect to your secondary router, will get IP addresses assigned (using DHCP) from the secondary router's LAN IPv4 range (DHCP pool), such as 192.168.16.54.

Note that if there are other PCs connected to the first router layer (primary Fios router), then they can still be accessed via IP address, from PCs behind your secondary router, but those PCs on the primary router, will not be allowed to connect inward to PCs connected to your secondary router.

If you want to have two isolated LANs (more or less), hanging off of the FIOS router, then you would want two secondary routers hanging off of it, LAN A and LAN B. Give them different local LAN IP subnet ranges.

With that configuration, if you wanted a shared NAS or ethernet-based printer, you could connect it directly to the Fios / primary router, and still have access to those network devices, from PCs behind both secondary routers. So you could set up a shared printer, for example, if two offices wanted to split the cost on a big shared networked office printer, for example.
 

luv2liv

I see the Verizon box subnet is 255.255.255.0 and giving us 192.168.1.1 as the gateway, and machines connected to it are 192.168.1.xxx.

On the second router attached, what is the subnet number I should set it to, to achieve 192.168.16.xxx?
 

VirtualLarry

255.255.255.0 is not the subnet, it's the subnet mask.

For subnets of more-or-less the same order, use the same mask.

So for the secondary router, you would set:
LAN IPv4: 192.168.16.1
Subnet mask: 255.255.255.0
DHCP pool: 192.168.16.50-250
Gateway: 192.168.1.1
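
An added example, not written by anyone in this thread: a Python check of the layered addressing plan discussed above, confirming that the secondary router's LAN does not overlap the shared LAN, that the DHCP pool fits inside it, and that the gateway is reachable on the upstream side. The function name `check_plan` is hypothetical, and the gateway value is assumed to be the secondary router's WAN-side default gateway.

```python
import ipaddress

def check_plan(up_ip, up_mask, lan_ip, lan_mask, pool_start, pool_end, wan_gw):
    """Return a list of problems with a secondary-router plan; empty means OK."""
    problems = []
    # Address + mask -> subnet. The mask alone is not the subnet; it only says
    # how many leading bits of the address identify the network.
    upstream = ipaddress.ip_interface(f"{up_ip}/{up_mask}").network
    inner_if = ipaddress.ip_interface(f"{lan_ip}/{lan_mask}")
    inner = inner_if.network

    # The inner LAN must not overlap the shared LAN, or the second router
    # cannot tell which side an address lives on.
    if inner.overlaps(upstream):
        problems.append(f"LAN {inner} overlaps upstream LAN {upstream}")

    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    if start > end:
        problems.append("DHCP pool start is above pool end")
    for addr in (start, end):
        if addr not in inner:
            problems.append(f"DHCP pool address {addr} is outside {inner}")
    if start <= inner_if.ip <= end:
        problems.append(f"router LAN IP {inner_if.ip} is inside the DHCP pool")

    # Assumption: the gateway value is the WAN-side default gateway, i.e. the
    # shared router's LAN address, so it must sit in the upstream subnet.
    if ipaddress.ip_address(wan_gw) not in upstream:
        problems.append(f"WAN gateway {wan_gw} is not in {upstream}")
    return problems

# Values from the thread: shared router 192.168.1.1/255.255.255.0,
# secondary router LAN 192.168.16.1 with pool .50-.250.
THREAD_PLAN = ("192.168.1.1", "255.255.255.0", "192.168.16.1", "255.255.255.0",
               "192.168.16.50", "192.168.16.250", "192.168.1.1")

if __name__ == "__main__":
    for issue in check_plan(*THREAD_PLAN) or ["plan is consistent"]:
        print(issue)
```

If the shared router used a wider mask such as 255.255.0.0, the same 192.168.16.x plan would be reported as overlapping, which is why the mask has to be read together with the address.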