Question Trying to secure home network/VLAN

Kristi2k

I'm not a networking newbie but am not an expert either.

Here's what I have for equipment:
  • Zoom Cable modem
  • Synology SRM RT2600ac
  • Netgear JGS524E switch, it's a managed switch that can do basic VLAN
  • All devices plug into that switch with the exception of an ObiTalk device
  • I have an IP camera and NVR on that switch; they do not have a gateway and are also blocked on the router to not be allowed to access the internet
I want to know how I can isolate certain devices. For example:
  • Roku - internet only
  • IP Camera - NO internet but only a specified internal computer can access it
  • NVR - NO internet but only a specified internal computer can access it
I don't want those devices interacting with internal computers that are either wired or wireless.... What are my options? If I set up a VLAN on the switch, how can my desktop access the IP camera?
 
 

VirtualLarry

I wanted the same feature in SOHO routers, and someone posted a guide to doing so with Tomato firmware in my thread:


It really seems to me that router mfg's need to add this idea of a "Restricted/Guest Wired VLAN" to most router firmwares, on devices that support VLANs on their switch ports.
 

Kristi2k

I've used DD-WRT and Tomato- both are great but the Synology router is great for ease of set up. I'm not sure that Tomato is still being updated for newer routers which is why I moved on. :|
 

ch33zw1z

I didn't know Synology was making routers, interesting.

You already got the basic stuff done. The rest is likely a VLAN for the IP cam and NVR, blocking WAN and LAN traffic, then allow the one IP access to the VLAN.
  • Roku - internet only
  • IP Camera - NO internet but only a specified internal computer can access it
  • NVR - NO internet but only a specified internal computer can access it

1. Roku - add it to a guest wifi, or vlans with firewall rules
2. IP Camera - Configure IP, subnet, but no Default Gateway. Without the DG, it can't get out of the LAN. Or...firewall rules for the whole config
3. NVR - same as IP camera

Either way, the IP Camera and NVR will likely need static IPs or at least static DHCP reservations.
 

Kristi2k

Unfortunately, despite the router being an excellent router, it's nowhere near as customizable as Tomato is. There are firewall rules set up, but I just don't know how to segregate the Roku (wired) from the rest. I'll look into that.

I keep reading about devices phoning home or scanning network traffic, etc. and want to learn how to really lock devices.
 

SamirD

So a lot of these customizations can be done by using static routes in your routing table. The problem that I've found with VLANs is that it's an 'all or nothing' design in terms of inter-VLAN traffic on a lot of devices, so you can't specify a single device. ymmv.

But you've got the basics nailed down, and frankly, most people wouldn't have done even as much as you have.
 

mxnerd

I've used DD-WRT and Tomato- both are great but the Synology router is great for ease of set up. I'm not sure that Tomato is still being updated for newer routers which is why I moved on. :|

FreshTomato firmware probably is the only one still in development.


 

mxnerd

You can do what ch33 recommended as well.

But to achieve what you want, limiting access to the other devices to only one PC, you probably need to have a managed switch with ACL capability or powerful routers like pfSense or business-class firewall routers.
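The policy asked for in this thread (Roku internet only; camera and NVR with no internet, reachable from one desktop), written as an ordered inter-VLAN ACL with a first-match evaluator and a check for rules that an earlier rule makes unreachable. This is an added example, not code from any poster and not Synology, Netgear or pfSense configuration; the subnets, host addresses and rule format are assumptions constructed for illustration.

```python
import ipaddress as ip

# Constructed addressing plan (assumption, not from the thread).
LAN     = ip.ip_network("192.168.10.0/24")   # trusted PCs
CAMERAS = ip.ip_network("192.168.20.0/24")   # IP camera + NVR
MEDIA   = ip.ip_network("192.168.30.0/24")   # Roku
DESKTOP = ip.ip_network("192.168.10.50/32")  # the one PC allowed to view cameras
ANY     = ip.ip_network("0.0.0.0/0")

# Ordered rules for NEW connections routed between VLANs or to the WAN:
# (action, source, destination). First match wins. Replies to allowed
# connections are assumed to be passed by a stateful firewall, so the
# camera never needs its own rule to answer the desktop.
RULES = [
    ("allow", DESKTOP, CAMERAS),  # single-host exception, must come first
    ("deny",  ANY,     CAMERAS),  # nothing else reaches camera/NVR
    ("deny",  CAMERAS, ANY),      # camera/NVR start nothing: no WAN, no LAN
    ("deny",  ANY,     MEDIA),    # nobody opens connections to the Roku
    ("deny",  MEDIA,   LAN),      # Roku cannot reach the PCs
    ("allow", MEDIA,   ANY),      # Roku: internet only
    ("allow", LAN,     ANY),      # PCs: internet
]

def decide(src, dst, rules=RULES):
    """Return 'allow' or 'deny' for a new connection from src to dst."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action
    return "deny"  # default deny, e.g. unsolicited WAN -> LAN

def shadowed(rules):
    """Indexes of rules fully covered by an earlier rule, so they never match."""
    return [j for j, (_, s, d) in enumerate(rules)
            if any(s.subnet_of(ps) and d.subnet_of(pd) for _, ps, pd in rules[:j])]

# Failure mode: the per-host allow placed after the blanket deny is dead.
MISORDERED = [RULES[1], RULES[0]] + RULES[2:]

if __name__ == "__main__":
    wan = "203.0.113.5"  # documentation address standing in for the internet
    for src, dst in [("192.168.30.10", wan), ("192.168.30.10", "192.168.10.51"),
                     ("192.168.20.10", wan), ("192.168.10.50", "192.168.20.10"),
                     ("192.168.10.51", "192.168.20.10")]:
        print(f"{src:>15} -> {dst:<15} {decide(src, dst)}")
    print("shadowed in misordered set:", shadowed(MISORDERED))
```

A device that only offers all-or-nothing inter-VLAN routing cannot express the first rule, which is the limitation raised in the replies above.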