
Practical Home Network Isolation

I currently use my Netgear R7000 guest network capabilities to section off my network. For example, I have a NAS connected to the LAN port, my "secure" family computer is on the primary WLAN, and any device I want to control my Chromecast/Harmony/printer with is on the primary WLAN.

My guest network is used for my work computer and, most importantly, my gaming desktop. I am paranoid about security, so my desktop is only used for gaming. This means mods and third-party tools I do not necessarily trust. I ran a network mapper last night just to check, and found out that my desktop can at least see SOME details about all other devices on the network.

Other than buying a second internet connection, what is the best way to isolate my insecure wireless devices? Netgear specifically mentioned they removed wireless isolation. I was hoping the guest network was an isolating tool (and it is to some degree, but I want my desktop and work laptop to believe they are in a vacuum and the only thing that exists is the internet).
 
Thanks for the replies. Source, as paranoid as I am, I think you have exceeded it haha!

Jack, that link seems to confirm what I had in my mind (see below). I guess the main difference is that I still want wifi enabled on the second router. So basically I will purchase a cheap wireless-N router. I will then connect my R7000 into one of the ports. So my insecure network will be on the front router with its own SSID.

I will still have my secure network behind it. Theoretically I guess malware could attack the second router and propagate to the "secure" devices, but that seems pretty sophisticated. I don't necessarily trust devices such as my Harmony Hub and printer and had to force myself to allow them on my main network, but I find the convenience for someone as unimportant as myself too useful to give up.

-------------------------

Text from website:

"Assuming that you have a Wireless Cable/DSL Router that is connected to your Broadband Modem and provides Internet sharing to a few wired and a few wireless computers:

Buy a second Cable/DSL Router. You can find a Wired Router or an old 802.11b Wireless Router for less than $20. If the second Router is a Wireless Router, disable the wireless part of it (if the wireless cannot be disabled through the menus, take off the antennae).

Disconnect the computers that you would like to be protected from the Front Wireless Router and plug them into the second (Shield) Router. Connect the WAN port of the second Router (using a crossover cable) to one of the regular ports of the Wireless Router.

Log in from a wired computer to the second Router and configure the IP range of the second Router to use a different IP range than the first Router.

E.g. if the Wireless Router is 192.168.1.x, configure the second Router's LAN side to 192.168.2.x.

Configure the WAN port of the second Router to a static IP that is in the IP range of the first Router, i.e. 192.168.1.x.

The whole thing should look like this: Network Segregation

Such a configuration shields your Wired system behind the second Router, thus even if your Wireless Network is invaded the invader would not be able to pass the second Router's Firewall and "Share" your Segregated Network."
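Added example, not from the thread or the quoted site: a small Python model of the two-router ("shield") plan above. It checks the addressing rules the quoted text gives (different LAN ranges, shield WAN address inside the front LAN, and, as an extra caveat, outside the front router's DHCP pool), and models the shield router's stateful firewall so the "invader cannot pass the second Router" claim can be exercised. Ports are ignored and the addresses are constructed sample values.

```python
import ipaddress


def check_shield_plan(front_lan, shield_wan_ip, shield_lan, front_dhcp_pool=None):
    """Return a list of problems with a two-router addressing plan.

    front_lan       -- the front (wireless) router's LAN, e.g. '192.168.1.0/24'
    shield_wan_ip   -- static address given to the shield router's WAN port
    shield_lan      -- the shield router's LAN, e.g. '192.168.2.0/24'
    front_dhcp_pool -- optional (first, last) of the front router's DHCP pool
    """
    front = ipaddress.ip_network(front_lan, strict=False)
    inner = ipaddress.ip_network(shield_lan, strict=False)
    wan = ipaddress.ip_address(shield_wan_ip)
    problems = []
    if front.overlaps(inner):
        # Both routers shipped with 192.168.1.x is the classic double-NAT mistake.
        problems.append("shield LAN overlaps the front LAN; routing between them breaks")
    if wan not in front or wan in (front.network_address, front.broadcast_address):
        problems.append("shield WAN address is not a usable host address on the front LAN")
    if front_dhcp_pool:
        first, last = (ipaddress.ip_address(a) for a in front_dhcp_pool)
        if first <= wan <= last:
            problems.append("shield WAN address lies inside the front DHCP pool; "
                            "a guest device could be leased the same address")
    return problems


class ShieldRouter:
    """Minimal model of the shield router's stateful firewall.

    Hosts on the protected LAN may open connections anywhere; traffic arriving
    on the WAN side is forwarded only if it answers a flow the protected side
    opened. Ports are ignored to keep the model short.
    """

    def __init__(self, shield_lan):
        self.inner = ipaddress.ip_network(shield_lan, strict=False)
        self.flows = set()  # (remote, protected) pairs opened from inside

    def forward(self, src, dst):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in self.inner:          # outbound from the protected side: allowed
            self.flows.add((d, s))
            return True
        if d in self.inner:          # inbound: only replies to inner-opened flows
            return (s, d) in self.flows
        return False                 # neither side is ours; not forwarded
```

A host on the front (guest/gaming) LAN cannot open a connection to the shielded side, but the shielded side can reach both the front LAN and the internet, which is exactly the asymmetry the quoted setup relies on.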
 
If you are not a valued institution (banks, government, etc.), sophisticated hackers do not waste their time trolling around private people's computers unless they specifically know that one has very desirable assets on their private network.

Most of the troubles of regular users come from their own doing.

Usually downloading and installing apps from "Free" sources or opening malware-loaded emails. Both have nothing to do with wireless routers, since they are brought in by the user's "request".

In any case, if you end up with two wireless sources, use the front one for guests and family members. Secure the second one well with WPA2-AES, give it a different SSID and do not disclose the wireless password to anyone.

😎
 
Malware is easy to avoid. Know what websites you're going to, and know what SW you're installing. Don't use the simple install method if given the choice.

Hell, even enterprise networks don't segregate as much as some home users do.
If someone gets into your network, it's too late, regardless of how you segregate your network, as they've already gotten through your router and whatever FW you have set up.

It's unwarranted. Not once have I ever set up anything other than a single network, and not once have any external attacks gone through. I've never used Windows FW, only AV from time to time. Let the external HW do its job.
 
Honestly, you're spending far more time worrying about this than is warranted. The other poster, who has the EdgeRouter Lite, seems to segregate for lab and testing purposes. I do the same thing so that my tinkering and breaking my lab doesn't bring down the rest of the house's internet and cause my wife to throw something at me.

As far as segregation, the only real way to truly isolate it is with VLANs or a truly separate physical network. My SonicWall lets me use VLANs and I also run UniFi wifi that also uses different VLANs. I have a separate guest wifi, but it's not used much.

I'm actually curious what you're ACTUALLY worried about happening. Give us an example of what you think is worst case scenario? More than likely it's a situation that can happen in 1% of cases.
 
How so? I have a router with a zone-based firewall. They haven't gotten around shit. That's the point of the segregation. Their guest network cannot communicate with the 'home' network.

I'm talking about internal segregation, not guest networks, which are essentially external.
 
Any attacks I am paranoid about are probably only theoretical. For example, the malware would need to get through router isolation and then be able to infect devices with many different operating systems. I have Windows, OS X, iOS, Android, NAS (Linux), and embedded devices (printers, Fire Stick, Chromecast, Harmony Hub, etc.).

So I am just being paranoid.

Regardless, I did purchase another router. I now have my "secure" inner circle of just my main computer and NAS.
 