G+_Henning Andersen, posted September 29, 2013:

Hello fellow SN listeners! I have a small security scenario I would like some help with! I've tried Google for a while now, but can't seem to find a solution myself..

I share a network with my parents (neighbours), and in this house, someone else is renting the apartment upstairs. They are now also connected to the same network as us, via cable. I wonder if there is some way to keep their two computers from accessing the rest of the network? They can access the internet, but not "see" or access any of my computers or NASes..

I just ordered a NAS and would like to keep it "open" and probably unencrypted so that I can easily connect devices such as PCs, PS3s and mobile phones to it. Another reason I would like to "keep them off" is to prevent them from placing i.e. spyware, trojans or any other bad thing into one of my shared and open folders!

Thanks in advance! I'm sure there is a simple solution that I've missed... Workgroups? (If there are passwords, will a PS3 be able to access photos or video? I don't think it can "log in" to a protected computer.)

G+_Mike Robertson, posted September 29, 2013:

I say set up a router for those people to connect. That way they can be connected to their own network and not yours.

G+_John Mink, posted September 29, 2013:

I'd say VLAN... or just put a router in front of your stuff to separate it from their stuff. You can create a separate IP range like 192.168.2.x for your stuff too.

G+_Tim Harder, posted September 29, 2013:

To build on what Mike Robertson said and expand into what Steve Gibson has suggested, do the three router solution or a variation of that. Use one to connect to your internet connection, then on the LAN side of that router, plug two more routers in. Use one of the secondary routers for your network and the other to create a completely separate network for the parents. In this way, no traffic can possibly move from one secondary network to the other.

G+_Bradley Brown, posted September 30, 2013:

Multiple layered routers are going to introduce double NATing. I would get a small managed switch and a router capable of handling VLANs. With this setup, you can also set the guest VLANs at a lower QoS, giving your traffic priority over theirs. That will prove useful if the guests use BitTorrent or streaming, and would otherwise saturate your upload bandwidth so that you can't even get out a DNS request.

G+_Tim Harder, posted September 30, 2013:

Double NATing is not a problem. I've done it exactly as I've mentioned as per Steve Gibson's suggestion. Of course, it's not the only way to do it. The nice thing about the three router solution is there is absolutely no way for traffic to move from one secondary network to the other besides going out to the internet first.

As far as each secondary LAN is concerned, the intermediate LAN between the three routers is effectively the internet. Each of the secondary routers will absolutely behave as a firewall, preventing unsolicited traffic from moving between the two secondary networks. There is no way for traffic to move between the two secondary networks through the intermediate LAN. Any traffic between them MUST go out to the internet and back, just as if they were on different continents.

G+_Bradley Brown, posted September 30, 2013:

It won't be a problem if the primary is in bridge mode and the ISP provides multiple WAN IPs. Otherwise, double NAT will break online gaming and file sharing.

G+_Tim Harder, posted September 30, 2013:

Bradley Brown, are you sure? I can't say I've tried those particular applications on double NAT. On the other hand, ISPs are beginning to do NAT at the ISP level and only hand out private IP addresses to customers. If end customers were installing routers and doing NAT themselves, then they'd also be doing double NAT.

G+_Bradley Brown, posted September 30, 2013:

I'm positive. I've had Xbox and Steam games fail to connect to online servers until the modem is put into bridge mode. I also work for a VoIP provider, and the phones cannot make a direct RTP connection to the remote party until the modem is put into bridge mode. Double NATs are well known to cause issues. Basic browsing will likely work fine. It's when you need to make that direct connection to a remote device or server when it breaks.

Many ISPs are providing routers instead of straight up modems, unless asked for, which is fine unless a customer wants to use their own router. Typically, only business class customers are provided more than one WAN address.

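An added example, not written by anyone in this thread: a simplified Python model of the three-router layout and of the double-NAT behaviour the posts above discuss. All addresses, names and ports are constructed, and flows are tracked by remote address and port only, which is coarser than a real router's connection tracking.

```python
from dataclasses import dataclass, field

@dataclass
class NatRouter:
    """Consumer router: NAT plus a stateful firewall (constructed model)."""
    wan_ip: str
    uplink: "NatRouter | None" = None             # None: WAN port faces the internet
    state: dict = field(default_factory=dict)     # (remote_ip, port) -> inside source
    forwards: dict = field(default_factory=dict)  # port -> inside host (e.g. via UPnP)

    def send_out(self, src_ip, dst_ip, port):
        """Track an outbound flow; return the source IP the destination sees."""
        self.state[(dst_ip, port)] = src_ip
        if self.uplink is None:
            return self.wan_ip
        return self.uplink.send_out(self.wan_ip, dst_ip, port)

    def accept_in(self, remote_ip, port):
        """WAN-side packet: inside IP it is forwarded to, or None if dropped."""
        return self.state.get((remote_ip, port)) or self.forwards.get(port)

def inbound(chain, remote_ip, port):
    """Walk a packet from the outermost router inward; host reached or None."""
    target = None
    for router in chain:
        target = router.accept_in(remote_ip, port)
        if target is None:
            return None
    return target

def probe_neighbour(src_router, dst_router, port):
    """A host behind src_router probes dst_router's WAN address across the
    intermediate LAN; its source is rewritten to src_router.wan_ip."""
    return dst_router.accept_in(src_router.wan_ip, port)

# Constructed addresses (RFC 5737 / RFC 1918), not taken from the thread.
edge = NatRouter("203.0.113.10")
home = NatRouter("192.168.1.2", uplink=edge)
tenant = NatRouter("192.168.1.3", uplink=edge)
PC, SERVER, PEER = "192.168.2.10", "198.51.100.7", "198.51.100.99"

def demo():
    seen_as = home.send_out(PC, SERVER, 3074)          # outbound: NATed twice
    reply = inbound([edge, home], SERVER, 3074)        # reply follows tracked state
    tenant_probe = probe_neighbour(tenant, home, 445)  # unsolicited SMB: dropped
    home.forwards[3074] = PC                           # inner router maps a port
    double_nat = inbound([edge, home], PEER, 3074)     # outer router still drops
    bridged = inbound([home], PEER, 3074)              # edge in bridge mode
    return seen_as, reply, tenant_probe, double_nat, bridged

if __name__ == "__main__":
    print(demo())
```
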