Question Trying to secure home network/VLAN

Toggle sidebar Toggle sidebar
Kristi2k

Kristi2k

Golden Member
Oct 25, 2003
1,364
4
81
I'm not a networking newbie but am not an expert either.

Here's what I have for equipment:
  • Zoom Cable modem
  • Synology SRM RT2600ac
  • Netgear JGS524E switch, it's a managed switch that can do basic VLAN
  • All devices plug into that switch with the exception of a ObiTalk device
  • I have an IP camera and NVR on that switch; they do not have a gateway and are also blocked on the router to not be allowed to access the internet
I want to know how I can isolate certain devices. For example:
  • Roku - internet only
  • IP Camera - NO internet but one a specified internal computer can access it
  • NVR - NO internet but one a specified internal computer can access it
I don't want those devices interacting with internal computers that are either wired or wireless.... What are my options? If I set up a VLAN on the switch, how can my desktop access the IP camera?
 
VirtualLarry

VirtualLarry

No Lifer
Aug 25, 2001
56,572
10,208
126
I wanted the same feature in SOHO routers, and someone posted a guide to doing so with Tomato firmware in my thread:

Question - Why are SOHO routers adding advanced features like Wifi Guest Networks, Wired VLAN, and even Dual-WAN, but no "Wired Guest Network"?

Like dual-WAN, it would use VLAN support of the wired switch chip, to create one or more ports of an "Isolated VLAN", that couldn't access your LAN resources (like a NAS), but could only access the WAN. Possibly, it would have it's own WIRED GUEST DHCP/IP subnet too. Basically, the wired...
forums.anandtech.com

It really seems to me that router mfg's need to add this idea of a "Restricted/Guest Wired VLAN" to most router firmwares, on devices that support VLANs on their switch ports.
 
Kristi2k

Kristi2k

Golden Member
Oct 25, 2003
1,364
4
81
I've used DD-WRT and Tomato- both are great but the Synology router is great for ease of set up. I'm not sure that Tomato is still being updated for newer routers which is why I moved on. :|
 
ch33zw1z

ch33zw1z

Lifer
Nov 4, 2004
39,574
20,196
146
I didn't know Synology was making routers, interesting.

you already got the basic stuff done. the rest is likely vlan for the IP cam and NVR, blocking wan and lan traffic, then allow the one IP access to the vlan
  • Roku - internet only
  • IP Camera - NO internet but one a specified internal computer can access it
  • NVR - NO internet but one a specified internal computer can access it

1. Roku - add it to a guest wifi, or vlans with firewall rules
2. IP Camera - Configure IP, subnet, but no Default Gateway. Without the DG, it can't get out of the LAN. Or...firewall rules for the whole config
3. NVR - same as IP camera

either way, the IP Camera and NVR will likely need static IP's or at least static DHCP reservations.
 
  • Like
Reactions: mxnerd
Kristi2k

Kristi2k

Golden Member
Oct 25, 2003
1,364
4
81
Unfortunatley, despite the router being an excellent router, it's no where near as being as customizable as Tomatoe is. There are firewall rules set up, but I just don't know how to segregate the roku (wired) from the rest. I'll look into that.

I get reading out devices phoning home or scanning network traffic, etc. and want to learn how to really lock devices.
 
S

SamirD

Golden Member
Jun 12, 2019
1,489
276
126
www.huntsvillecarscene.com
So a lot of these customiztions can be done by using static routes in your routing table. The problem that I've found with vlans is that it's an 'all or nothing' design in terms of intervlan traffic on a lot of devices so you can't specify a single device. ymmv.

But you've got the basics nailed down, and frankly, most people wouldn't have done even as much as you have.
 
mxnerd

mxnerd

Diamond Member
Jul 6, 2007
6,799
1,103
126
Kristi2k said:
I've used DD-WRT and Tomato- both are great but the Synology router is great for ease of set up. I'm not sure that Tomato is still being updated for newer routers which is why I moved on. :|
Click to expand...

FreshTomato firmware probably is the only one still in development.

FreshTomato – Alternative open source firmware for Broadcom-based routers

exotic.se

[Fork] FreshTomato-ARM - development discussion only - for support always open your own thread

[FreshTomato-ARM] Forked off from Tomato-ARM by Shibby. Project page: https://freshtomato.org Latest version: 2021.2 - 2021-03-28 Source code: https://bitbucket.org/pedro311/freshtomato-arm Changelog: FreshTomato-ARM Downloads: https://freshtomato.org/downloads Issue tracker/Create issue...
www.linksysinfo.org
 
mxnerd

mxnerd

Diamond Member
Jul 6, 2007
6,799
1,103
126
You can do what ch33 recommended as well.

But to achieve what you want to limit only one PC to have access to other devices, you probably need to have managed switch with ACL capability or powerful routers like pfsense or business class firewall routers.
 
Last edited:
S

SamirD

Golden Member
Jun 12, 2019
1,489
276
126
www.huntsvillecarscene.com
mxnerd said:
But to achieve what you want to limit only one PC to have access to other devices, you probably need to have managed switch with ACL capability or powerful routers like pfsense or business class firewall routers.
Click to expand...
Not true. Even my old original Linksys routers allowed static routes and modifying the routing table.
 
mxnerd

mxnerd

Diamond Member
Jul 6, 2007
6,799
1,103
126
Adding static route <> Networking ACL. (Access Control List)


 
Last edited:
You must log in or register to reply here.

TRENDING THREADS

COMPANY
RESOURCES
FOLLOW
Top Bottom