Using Separate Physical Devices Instead of VLANs

Discussion in 'privacy technology' started by Cirallo, Nov 30, 2016.

  1. Cirallo (Registered Member; joined Nov 30, 2016; 2 posts; USA)

    I’m trying to decide the best way to isolate different computers on my network. From what I have read on this forum, it is better to use separate LANs instead of VLANs. Does this mean it is better to have a dedicated router for each computer instead of setting up network rules to separate everything on a single router (VLAN)?

    I have been having privacy problems at the local level, I suspect packet-sniffers are the source of the trouble. So I intend to use a VPN, possibly with a virtual machine, to evade my adversary. My plan is to purchase a simple 5-port switch and connect it to a cable modem. From the switch I could connect up to five routers. My thinking is that each router can be dedicated to a single computer to achieve total isolation, or at least as much isolation as possible. Perhaps one of the routers will be dedicated for laptops and devices that won’t be using a VPN and don’t require encryption.

    Is this a good plan? Can I do this with a simple 5-port switch, or do I need to buy a managed switch? How about routers? Is it okay to use consumer-grade routers or will I need to purchase commercial routers? I will probably want to run pfSense or DD-WRT/OpenWrt for a firewall.

    What should I look for in a new router? Are there specific features that I need or should avoid? The number of router makes and models to choose from is daunting. It is difficult to decide what the best equipment for my situation is. I could also purchase a different cable modem if that enables some advantage. I am currently using an Arris TM1602.

    I think what I’m trying to achieve is pretty simple and straightforward. Several computers on the same network separated from each other, but not from the internet, and no need to communicate with each other. Am I on the right track, or do I need to do something completely different?

    I don’t currently have access to a secure internet connection on a regular basis so I may not be able to reply to this thread in a timely way. I will try to get back as often as possible to check for any replies.

    TIA
     
  2. deBoetie (Registered Member; joined Aug 7, 2013; 1,832 posts; UK)

    I think local segregation is an increasing requirement for a lot of reasons.

    We had a discussion relating here:

    https://www.wilderssecurity.com/thr...a-vpn-to-the-whole-house.384700/#post-2575117

    Broadly, there are two main approaches,

    a) get a DD-WRT-based set of cheap routers and hang them off a dumb switch, or double NAT if you want.
    b) get something like a 4-port router able to run pfSense.

    I use option b), which gives me 3 physically segregated internal networks, plus I've further segregated the WLAN using a VLAN switch and a WLAN AP which supports 4 SSIDs which hook into that. pfSense supports VLANs directly on its ports.

    Of course, you are then reliant on a single box and its integrity, versus the issues you have with supporting multiple boxes. I think VLAN integrity is pretty good on modern switches if correctly configured.
     
  3. quietman (Registered Member; joined Dec 27, 2014; 511 posts; Earth .... occasionally)

    @deBoetie

    I have had a similar idea on my ever-growing list of hardware projects for some time now.
    I keep promising myself that I won't take on anything new .... but then the Intel ME thing came up :)

    I didn't realize that DD-WRT-based routers were available off-the-shelf; I had assumed that I would have to flash a suitable router to use DD-WRT (which indicates my general ignorance on the subject, I guess).

    Any recommends for a make/model?
     
  4. deBoetie (Registered Member; joined Aug 7, 2013; 1,832 posts; UK)

    @quietman - haven't used them myself as I went down the pfSense route. I might add one if I were needing to isolate the WLAN more, or have it outside my pfSense boundary.

    AFAIK Buffalo are ones who shipped with DD-WRT pre-installed, but most of the main players list that as compatible on some models. I don't think the flashing is going to be that bad. I think the website lists & discusses models in detail.

    There were a couple of compelling motivations for changing off my old router, partly wanting to offer a guest/smartspyphone WLAN which was segregated from my real LANs, and ditto for IoT/VoIP/webcams.

    Also, disgust with my ex-router vendor not updating proprietary firmware often.... Either DD-WRT or pfSense is greatly preferable.
     
  5. JConLine (Registered Member; joined Apr 16, 2009; 108 posts)

    You can check with www.dd-wrt.com for a list of compatible routers. I have flashed many routers; it's easy, just follow the instructions for your particular router. Also, Tomato is a good alternative to DD-WRT and, IMHO, may be a little faster.
     
  6. Cirallo (Registered Member; joined Nov 30, 2016; 2 posts; USA)

    Thank you for the reply and link.

    From what you write I guess you are satisfied with using a VLAN setup and don’t feel that separate LANs are worth bothering over. That is, if I understand the terminology correctly.

    By dumb switch do you mean an unmanaged switch? I’m just looking into this now and it seems that a simple or unmanaged switch will not isolate the devices that connect by LAN. I suppose in this situation the isolation of the computers would occur at the level of the firmware installed in the separate routers? Is it redundant to configure a managed switch to segregate traffic from routers that are already isolating their traffic with pfSense or DD-WRT?

    I see some routers online that come shipped with pfSense installed. They are a lot pricier than a basic wi-fi router but they look solid and have good cpu and memory specs.
     
  7. Palancar (Registered Member; joined Oct 26, 2011; 2,402 posts)

    Depending upon your threat model you may be able to accomplish what you want in a very simple manner. As a disclaimer, I have been known to go "Fort Knox" as opposed to simple, so this is an offering that could be implemented immediately without purchasing any new hardware.

    Let's leave your router alone, assuming you have decent "homeowner" security protocol down and it's running fine. I would simply suggest adding DD-WRT to it if you want, but it's not needed. You mentioned you have several devices which don't need anything but basic security and are not running encryption protocols at this time. Fine, leave them alone too.

    Now let's say you have three machines which you want to run isolated from each other, in the sense that they cannot talk among or even see each other on the LAN. Easy stuff. You can simply configure the 3 machines independently to unique VPNs and, after doing so, you can write strict (yet easy to do) IP firewall rules where ONLY that one VPN server can be seen by each machine. Nothing can come into or out of the machine except through the authorized server IP. No snooping from within the encrypted tunnel which is formed. Now all 3 are set up the same way with their own server. None of the 3 can see anything but their one server. It's so locked down they can't even see other devices on the LAN.

    The positive of this is that those seemingly "innocent" non-encrypted devices cannot mess with any of the 3 critical machines. You never really know if a device is fully innocent. This level of device isolation is basic stuff to form and it's impenetrable if set up well. Further, if your router has a mfg backdoor or the ISP is dishonest, it doesn't matter. Neither of those two can snoop the 3 unique tunnels either. Once the tunnels are UP it is ONLY the one machine that can use it in any way. Really is simple!
     
  8. mirimir (Registered Member; joined Oct 1, 2011; 9,252 posts)

    I basically do what @deBoetie describes with pfSense and VLANs, plus what @Palancar describes with VPNs. I also use my main VirtualBox host as a router. It has a dual-port Gigabit server NIC. So I can route a nested VPN chain to eth1, and then to other boxes through a switch. That's how I created the IPv6 LAN for testing VPN services.
     
  9. deBoetie (Registered Member; joined Aug 7, 2013; 1,832 posts; UK)

    "satisfied with vlan setup" - I am satisfied, because it gives me multiple WLAN isolation without having multiple WLAN APs. But I also have physical segregation, with a Red (untrusted) LAN with devices on it only able to route to the internet, nowhere else on the local networks. So it's a combination of physical and VLAN segregation. Of course, it's dependent on the pfSense router, but then that has to be strong enough to resist attacks from the internet in the first place, and at least it can be managed, updated and implement consistent policies from a central management perspective.

    I'd also caution against presuming our requirements or threat models are the same, we may have different priorities, skills or needs, so the solutions have to reflect that.

    The switch connected to the internet can be dumb/unmanaged. Virtually all the managed switches are VLAN switches these days. Logically, if any one of the physically separate routers (DD-WRT ones) is compromised, then that still leaves the networks off the other routers intact (subject to more exotic attacks like side-channel; unfortunately, these seem to be getting less exotic, for example, stories of ultrasonic codes being transmitted via speakers and picked up acoustically by another device's microphone, which could well be on another local network). Also, I'd caution that if one of the routers is compromised, then the chance of another one being so is not independent.

    Similarly, it only takes one device on a LAN to be compromised, and all of them are then subject to local attack (but then this is more reason for extending or using VLAN approaches, because it becomes unfeasible from a cost and wiring point of view to have that many pfSense ports or DD-WRT routers). I think that relates to your question above, and there's nothing to stop you adding VLANs to pfSense or DD-WRT (subject to compatible hardware support; you need to verify this if this is the way you want to go).

    The hardware/pfSense router bundles have the merit of being supported and having known good hardware compatibility - and rightly, that costs money. Unless you're willing to use a lot of time in selecting suitable hardware, there's a risk there.

    Whether pfSense hardware or DD-WRT/Tomato, you should have a sense of what you want to use the firewall for, particularly whether it's going to terminate a VPN, and the extent to which you want to run other services such as proxies and IDS (for example Snort). This affects CPU load and memory; advice is available on the relevant sites.

    PS - I was reflecting how weird the world is, that non-corporate users are now having to even consider and implement solutions that used to be the preserve of quite large corporates and IT departments with big budgets. A sign of our times.
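As an added example (not code posted by anyone in the thread), the following Python model shows the two rule sets being discussed: the per-host "only my VPN server" firewall that Palancar describes in post 7, and the Red LAN that deBoetie describes in post 9, which may route to the internet but nowhere else on the local networks. It evaluates packets against each policy with first-match, default-deny semantics, renders the host policy as iptables commands, and shows why rule order matters for the Red LAN. The VPN endpoint 203.0.113.10, the interface names eth0/tun0/vlan30, the gateway 192.168.30.1 and the OpenVPN port 1194 are all assumptions chosen for the example.

```python
"""Added example: models of the two isolation policies discussed above.
Host side, a machine may talk on its physical interface only to its VPN
server's endpoint (all else, other LAN hosts included, is dropped) and
sends everything else through the tunnel. Router side, a Red (untrusted)
LAN reaches the internet but no local network. All addresses, interface
names and ports are assumptions for the example."""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
RFC1918 = tuple(ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet leaves on (host) or arrives on (router)
    dst: str        # destination IPv4 address
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0  # 0 for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str             # "accept" or "drop"
    iface: str = "*"        # "*" matches any interface
    dsts: tuple = (ANY,)    # destination networks; any one matching suffices
    proto: str = "*"
    dport: int = 0          # 0 matches any port
    note: str = ""

    def matches(self, p):
        addr = ipaddress.ip_address(p.dst)
        return (self.iface in ("*", p.iface)
                and any(addr in net for net in self.dsts)
                and self.proto in ("*", p.proto)
                and self.dport in (0, p.dport))


def evaluate(rules, packet, default="drop"):
    """First match wins, default deny: an iptables chain with policy DROP."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default


# 1. Host policy. The VPN endpoint is configured by IP, so no DNS lookup is
# needed outside the tunnel; the host uses a static LAN address (with DHCP,
# one more accept for udp/67 to the router would be required).
VPN_SERVER = ipaddress.ip_network("203.0.113.10/32")   # assumed (TEST-NET-3)
LAN_IF, TUN_IF = "eth0", "tun0"

HOST_RULES = (
    Rule("accept", iface=TUN_IF, note="anything inside the tunnel"),
    Rule("accept", iface=LAN_IF, dsts=(VPN_SERVER,), proto="udp", dport=1194,
         note="the only cleartext flow: tunnel setup to the VPN server"),
    Rule("drop", iface=LAN_IF, note="everything else: neighbours, router, ISP DNS"),
)


def host_allows(dst, proto, dport=0, iface=LAN_IF):
    return evaluate(HOST_RULES, Packet(iface, dst, proto, dport)) == "accept"


def host_rules_as_iptables():
    """The same host policy as iptables commands (IPv4 only: IPv6 must be
    disabled or given an equivalent ip6tables policy, or it bypasses this)."""
    return [
        "iptables -P INPUT DROP",
        "iptables -P OUTPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A OUTPUT -o lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A OUTPUT -o {TUN_IF} -j ACCEPT",
        f"iptables -A OUTPUT -o {LAN_IF} -p udp -d {VPN_SERVER.network_address} "
        "--dport 1194 -j ACCEPT",
    ]


# 2. Router policy for the Red LAN (pfSense-style per-interface rules).
RED_IF = "vlan30"                                   # assumed VLAN interface
RED_GW = ipaddress.ip_network("192.168.30.1/32")    # assumed gateway address

RED_LAN_RULES = (
    Rule("accept", iface=RED_IF, dsts=(RED_GW,), proto="udp", dport=53,
         note="the gateway's resolver only"),
    Rule("drop", iface=RED_IF, dsts=RFC1918,
         note="no other local destination, the gateway's web UI included"),
    Rule("accept", iface=RED_IF, note="everything else, i.e. the internet"),
)

# The classic misconfiguration: 'block private networks' placed below the
# 'allow all' rule, where it can never match.
RED_LAN_RULES_WRONG_ORDER = (RED_LAN_RULES[0], RED_LAN_RULES[2], RED_LAN_RULES[1])


def red_lan_allows(dst, proto, dport=0, rules=RED_LAN_RULES):
    return evaluate(rules, Packet(RED_IF, dst, proto, dport)) == "accept"
```

The host rules deliberately do not permit DNS on the physical interface: name resolution of anything but the (IP-addressed) VPN endpoint has to happen through the tunnel, otherwise the LAN resolver sees every lookup. The Red LAN ordering check is worth running in your head against any pfSense interface tab: a "block RFC1918" rule below a "pass any" rule is dead.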
     
  10. deBoetie (Registered Member; joined Aug 7, 2013; 1,832 posts; UK)

    This is an important point - routers can be Linux hosts, particularly in a virtual machine context, and optionally mapped to physical interfaces within that box. It's possible to create quite elaborate virtual networks serving various different virtual machines, and indeed, pfSense itself can be one of those virtual machines, acting as a gateway, and VPNs set up within those networks. It simply wouldn't be feasible to create these logical structures in hardware without major commitment. That's quite a useful way of learning about pfSense and experimenting with configs if that's the way you decide to go.
     
  11. mirimir (Registered Member; joined Oct 1, 2011; 9,252 posts)

    Right. One can learn how to build typical enterprise networks in one VirtualBox host. Except for switches, which are not explicitly present. VMware is more realistic, but virtual network setup is harder.
     
  12. quietman (Registered Member; joined Dec 27, 2014; 511 posts; Earth .... occasionally)

    Thinking over this router topic, it looks like an excellent project for a Raspberry Pi, but maybe there is an obstacle that I can't see;
    it wouldn't be the first time :)
    It is certainly a simple matter to use a Raspberry Pi as a highly configurable router (details here).
    OK, so there won't be a switch, but that is a minor detail.

    If I buy a router that allegedly supports DD-WRT and then flash the firmware, and brick it, I risk ending up with an expensive (and ugly) paper-weight.
    That couldn't happen with a Raspberry Pi.

    I don't want to spend a whole heap of time on this only to find that someone has already been down that road, and found it to be a dead-end.
    Has anybody else tried it?
    I have done some searching for "DD-WRT on Raspberry Pi" but haven't found much.

    I looked at several routers that are advertised as having DD-WRT pre-installed, and I read their data sheets, but it appears that they can be very region-specific.

    Recent happenings on both sides of the water mean that for me this is no longer a project for a rainy day, and has now become an imperative.
    But I don't want to simply throw money at the problem; that would just add insult to injury.
    A low-cost home-built solution would be very satisfying indeed.
     
  13. mirimir (Registered Member; joined Oct 1, 2011; 9,252 posts)

    I don't know about *wrt, but I believe that I've seen that pfSense runs on Pi. Better than Raspberry Pi are Banana Pi and other Pi that have real gigabit NICs, rather than USB NICs. The USB NICs are slower, and load the Pi CPU. If you'll be doing VPNs, you might want more capable CPU. Or even a board with hardware crypto.

    Edit: I was wrong about pfSense, it seems. But it does run on other Intel/AMD (and some ARM) microcomputers.
     
    Last edited: Dec 4, 2016
  14. deBoetie (Registered Member; joined Aug 7, 2013; 1,832 posts; UK)

    We have an evil choice as to the extent to which we do or do not trust Intel. On the other hand, I wouldn't put much more trust in AMD or ARM frankly; the only real recourse there is to go down the open CPU route.

    If we're talking pfSense (as an example), that's best supported with Intel NICs, and preferably hardware crypto (e.g. AES-NI). There are some fully integrated silent NUCs available with 2 or 4 ports which specifically advertise as being pfSense-ready, and these could act in many different roles if this one didn't suit (e.g. file server or HTPC). My choice at the time was:

    https://www.wilderssecurity.com/threads/vpn-in-a-dual-tomato-router-setup.367886/#post-2580938

    I have thought about the RPi as a solution, and think it will work OK but only as a regular Unix box with iptables (not that that's a bad thing!). It's rather limited from the IO perspective to act as a router serving other devices; you'd at least need a USB Ethernet dongle.
     
  15. quietman (Registered Member; joined Dec 27, 2014; 511 posts; Earth .... occasionally)

    @mirimir

    Thanks for that; after a bit of reading I can see that Banana Pi may well be the better choice of hardware.

    This model in particular seems to be ready to go, right out of the box - Banana Pi BPI-R1

    It already has some useful router hardware onboard and a space and a socket for an HDD.
    It claims to have native support for OpenWrt, but this, and anything else OS-related, would need some careful checking.
    (I now take these claims with a pinch of salt)

    On the minus side, there is much less support / community involvement compared to Raspberry Pi,
    .... so it could be a case of flying solo.

    Maybe it's worth starting a new router / hardware related thread here on this topic?
     
  16. deBoetie (Registered Member; joined Aug 7, 2013; 1,832 posts; UK)

    Neat - I wasn't aware of that unit, looks useful. Suppressed a wry smile at their claims that Android was better than Linux....

    I'm sure you'll be learning a lot if you go down this route - please keep us informed of what goes down.
     