Isolating a PC from home network

AssafMalki

Junior Member
May 30, 2017
I have a laptop, 2 desktops and a few mobile devices on my home network.

I would like to set up remote desktop (using port forwarding) on one of the PCs so I will be able to connect to it over the internet.

Obviously I will choose an insane password and a weird port.

However, I would like to totally isolate this computer from my home network so if an attacker does get through, he won't be able to see any other computer or device.

I'm going to work on this PC using remote desktop. All that is going to be connected to it is power and Ethernet.

Any ideas about how to isolate it (so the attacker won't be able to change it once connected)?

Thanks,
Assaf
 

Zeee530

Member
Jul 16, 2016
Having it on a different subnet is a start, and maybe ACLs to block certain connections. I'm sure there is a better way to do this, though.
 

Red Squirrel

No Lifer
May 24, 2003
This is a great use case for vlans and is what I do. I have several vlans based on various purposes and risks and split stuff up accordingly. In the firewall I can then decide on the accesses between each vlan. So from a certain vlan I may still want to be able to access a certain thing on another vlan, so I can set this. In your case you'd want to have a vlan that cannot access the rest of the network, and put that machine on that vlan. You can choose whether or not that PC is accessible from the other vlan, your choice.

pfSense will easily let you do this, and you will need a managed switch, but there are a lot on eBay and they are fairly cheap.

I personally would not port forward RDP directly, though. Consider setting up a separate machine/VM on that same vlan to just be a basic Linux box with SSH, port forward SSH, enable fail2ban, and then use an SSH tunnel for RDP.
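
The SSH jump box suggested in the last reply could be configured as follows. This is an added example, not something posted in the thread: it stages an sshd drop-in that only permits a forward to the RDP port, plus a fail2ban jail, and prints the matching client tunnel command. The user `rdpjump`, the address `10.0.50.10`, the name `home.example.net`, local port 13389 and a distribution whose `sshd_config` includes `/etc/ssh/sshd_config.d/*.conf` are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: jump-box user "rdpjump",
# RDP PC at 10.0.50.10 on the isolated vlan, public name home.example.net.

# stage_jump_config ROOT USER RDP_HOST
# Writes both config files under ROOT for review; copy to / once checked.
stage_jump_config() {
    root=$1; user=$2; rdp_host=$3
    mkdir -p "$root/etc/ssh/sshd_config.d" "$root/etc/fail2ban/jail.d" || return 1

    cat > "$root/etc/ssh/sshd_config.d/rdp-jump.conf" <<EOF
# Key-only logins, one named account, no root.
PasswordAuthentication no
PermitRootLogin no
AllowUsers $user

Match User $user
    # Only client-side (-L) forwards, and only to the RDP service.
    AllowTcpForwarding local
    PermitOpen $rdp_host:3389
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
EOF

    cat > "$root/etc/fail2ban/jail.d/sshd.local" <<EOF
[sshd]
enabled = true
# Ban an address for 1 hour after 5 failures within 10 minutes.
maxretry = 5
findtime = 600
bantime = 3600
EOF
}

# tunnel_command USER RDP_HOST JUMP_ADDR
# Prints the client-side command; the RDP client then connects to
# 127.0.0.1:13389 and RDP itself is never exposed to the internet.
tunnel_command() {
    printf 'ssh -N -L 127.0.0.1:13389:%s:3389 %s@%s\n' "$2" "$1" "$3"
}
```

After copying the staged files into place, run `sshd -t` to validate the configuration before restarting sshd, and keep an existing session open until a new key-based login has been confirmed.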