Question Trying to secure home network/VLAN

Kristi2k

Golden Member
I'm not a networking newbie but am not an expert either.

Here's what I have for equipment:
  • Zoom Cable modem
  • Synology SRM RT2600ac
  • Netgear JGS524E switch, it's a managed switch that can do basic VLAN
  • All devices plug into that switch with the exception of an ObiTalk device
  • I have an IP camera and NVR on that switch; they do not have a gateway and are also blocked on the router to not be allowed to access the internet
I want to know how I can isolate certain devices. For example:
  • Roku - internet only
  • IP Camera - NO internet but only a specified internal computer can access it
  • NVR - NO internet but only a specified internal computer can access it
I don't want those devices interacting with internal computers that are either wired or wireless.... What are my options? If I set up a VLAN on the switch, how can my desktop access the IP camera?
 
I wanted the same feature in SOHO routers, and someone posted a guide to doing so with Tomato firmware in my thread:


It really seems to me that router mfg's need to add this idea of a "Restricted/Guest Wired VLAN" to most router firmwares, on devices that support VLANs on their switch ports.
 
I've used DD-WRT and Tomato- both are great but the Synology router is great for ease of set up. I'm not sure that Tomato is still being updated for newer routers which is why I moved on. :|
 
I didn't know Synology was making routers, interesting.

you already got the basic stuff done. the rest is likely vlan for the IP cam and NVR, blocking wan and lan traffic, then allow the one IP access to the vlan
  • Roku - internet only
  • IP Camera - NO internet but only a specified internal computer can access it
  • NVR - NO internet but only a specified internal computer can access it

1. Roku - add it to a guest wifi, or vlans with firewall rules
2. IP Camera - Configure IP, subnet, but no Default Gateway. Without the DG, it can't get out of the LAN. Or...firewall rules for the whole config
3. NVR - same as IP camera

either way, the IP Camera and NVR will likely need static IPs or at least static DHCP reservations.
 
Unfortunately, despite the router being an excellent router, it's nowhere near as customizable as Tomato is. There are firewall rules set up, but I just don't know how to segregate the Roku (wired) from the rest. I'll look into that.

I keep reading about devices phoning home or scanning network traffic, etc. and want to learn how to really lock devices.
 
So a lot of these customizations can be done by using static routes in your routing table. The problem that I've found with VLANs is that it's an 'all or nothing' design in terms of inter-VLAN traffic on a lot of devices so you can't specify a single device. ymmv.

But you've got the basics nailed down, and frankly, most people wouldn't have done even as much as you have.
 
I've used DD-WRT and Tomato- both are great but the Synology router is great for ease of set up. I'm not sure that Tomato is still being updated for newer routers which is why I moved on. :|

FreshTomato firmware probably is the only one still in development.


 
You can do what ch33 recommended as well.

But to achieve what you want to limit only one PC to have access to other devices, you probably need to have a managed switch with ACL capability or powerful routers like pfsense or business class firewall routers.
 
But to achieve what you want to limit only one PC to have access to other devices, you probably need to have a managed switch with ACL capability or powerful routers like pfsense or business class firewall routers.
Not true. Even my old original Linksys routers allowed static routes and modifying the routing table.
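
The policy asked for in this thread (Roku internet only; camera and NVR no internet, reachable from one desktop), written as an nftables ruleset for a Linux-based router. This is an added example, not posted by any participant in the thread; the interface names, subnets and host addresses are assumptions.

```nftables
# Added example: interface names, subnets and addresses are assumptions.
define WAN       = "wan0"        # uplink to the cable modem
define LAN       = "lan0"        # trusted wired/wireless computers, 192.168.1.0/24
define IOT       = "vlan20"      # Roku: internet only
define CAM       = "vlan30"      # IP camera + NVR: no internet, 192.168.30.0/24
define ADMIN_PC  = 192.168.1.10  # the one desktop allowed to reach the cameras
define CAM_HOSTS = { 192.168.30.10, 192.168.30.11 }

table inet homeseg {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that a rule below already allowed.
        ct state established,related accept
        ct state invalid drop

        # Trusted LAN and the Roku VLAN may open connections to the internet.
        iifname { $LAN, $IOT } oifname $WAN accept

        # Only the admin desktop may open connections to the camera and NVR.
        iifname $LAN oifname $CAM ip saddr $ADMIN_PC ip daddr $CAM_HOSTS accept

        # Roku -> LAN, camera -> anywhere, other LAN hosts -> camera: policy drop.
    }

    chain input_isolated {
        type filter hook input priority 0; policy accept;
        # Runs alongside the router's existing input rules; a drop here is final.
        # Isolated VLANs get DNS/DHCP from the router and nothing else (no admin UI).
        iifname $IOT udp dport { 53, 67 } accept
        iifname $IOT tcp dport 53 accept
        iifname { $IOT, $CAM } ct state new drop
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN masquerade
        # A camera with no default gateway can only answer on-link addresses,
        # so the desktop's source is rewritten to the router's vlan30 address.
        # Without this rule the camera receives the request but cannot reply.
        oifname $CAM ip saddr $ADMIN_PC masquerade
    }
}
```

`nft -c -f <file>` parses the ruleset without applying it. The desktop then reaches the camera and NVR at their vlan30 addresses, while the devices themselves cannot start a connection in any direction.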
 