Best solution for securing two subnets

Requirements: 2 groups of clients

TEAM will have clients that allow remote access through various technologies (zoom, ssh, sftp)
TEAM will have NAS
PRIVATE will have clients for personal work and allow no remote access
PRIVATE has to be safe from potential malware/disease infecting TEAM
PRIVATE has to be able to access NAS in TEAM group
PRIVATE has to be invisible to TEAM and inaccessible from TEAM

Choice 1: VLAN capable router. make 2 vlans. PRIVATE, TEAM.
assign static ips to all clients and separate them into appropriate VLAN
In this case how do I get a private client to access NAS on team VLAN?
(I am just a novice so please use little words)

Choice 2: 2 commodity routers with fewer features
OUTER router has 10.0.0.0 and a DMZ host set to 10.0.0.100… Assign NAS ip 10.0.0.1
Assign static ip of wan port of inner router, 10.0.0.100 and lan address range of 192.168.1.0
In this case, could i get to the NAS by typing ‘smb://10.0.0.1’ on a private client?

One quick comment. That NAS being accessible by both is a malware vector. The NAS itself will probably be safe, but it would be easy to upload a malware file.

This is where the anti-virus scanners that run on Linux come into play. But of course AV is not infallible.

And while I’m thinking about it you might want to put the NAS on a 3rd VLAN.

And you mentioned a router. With a few subnets, a router and firewall rules you may not need any VLAN at all.

I like to make big whiteboard network diagrams and right now I’m just pulling this out of my imagination so don’t take me too seriously.

Thank you for your off the cuff but honest reply. I really do not see the difference between two consumer grade routers and the other option of a router and a firewall. The firewall actually requires more brain cells on my part because now I have to think about ports and rules.

I know I have proposed a weird construct-putting a second router in the DMZ. Most people configure the DMZ to be the location of servers behind a firewall or other things that have to dip their noses into the dirty internet. The reason for using the DMZ is to prevent ‘double firewalling’ . There is still address translation but since the dmz is open, the internal router will not be hampered by rules on the outer router intended to govern the TEAM group.

pfsense appliance or properly isolated virtual machine would be ideal

consumer router won’t route very fast most likely, probably not at wire speed.

And yes, multi-homing a NAS is a bit of a silly idea. most of your internal malware will likely spread via SMB file drops or simply encrypting the whole share, so you really don’t want a NAS living with one leg in both networks.

If you can, virtualise two NAS instances on the single NAS, put dedicated NICs in for each virtual machine and split the networks with a firewall appliance.

that way you’ll avoid having to route your file serving traffic through your firewall all the time (less CPU use/better performance). if your clients in PRIVATE need access to the TEAM NAS, let them at it via connecting to the other VM via the firewall and state save on the connections (and do not allow the NAS itself to initiate connections back into your private network)

2c.

As soon as you multi-home something like a NAS across two networks, you may as well throw the firewall out imho.

As @thro said and I will restate here.

For requirements 4 & 5, you can only choose one, not both.
As for how to do it, I would recommend a pfSense router with both groups VLAN’d. You can set up firewall rules to isolate each other or have it so PRIVATE can access TEAM resources without TEAM being able to see PRIVATE (which sacrifices requirement 4)

thank you thro and novasty.

I do not understand this:
If you can, virtualise two NAS instances on the single NAS, put dedicated NICs in for each virtual machine and split the networks with a firewall appliance.

Sounds too complicated.

I realize that there is no way to be perfectly safe from malware but let me stratify risk into two types:
a) the risk of getting malware when I am not doing anything-for example, some finds a vuln and drops a bad file onto the NAS, someone finds a loophole in a complicated design, or the design is misconfigured
b) the risk of getting malware while I am doing something-I surf to a bad site, download a bad file, connect to a bad machine.

Type b risk control requires virus scanners, playpens, etc.
Type a risk control requires intelligence in not making setup mistakes-leaving ports open, making complicated designs with unintended points of failure. Making VLANS requires rules on the router. A single typo, bit flip, attack, etc renders both groups vulnerable to type b problems.
Having a separate router for PRIVATE keeps that group insulated from failures,compromises,etc on the outer router or clients that it serves.

I suppose NAS could be in a third VLAN but since TEAM will be frequently accessing it and PRIVATE only occasionally accessing it, I put it in the TEAM group. The idea of putting PRIVATE behind a firewall box instead of a router box occurred to me-then everyone would be in the same private address space and going from PRIVATE to any TEAM would be easier.

The design I initially proposed, (with TEAM in the 10.0.0.0 net and PRIVATE in the 192.168.1.0 net) is something I have never done. In fact I am so noob, that I wouldnt know where to start. A simpleton solution would be to make TEAM 192.168.1.0 with subnet mask 255.255.255.0 and to make PRIVATE 192.168.2.0 with subnet mask 255.255.0.0. But maybe that has flaws I cannot see.

FYI, my current ISP is gigabit and I get 800mbps transfer speeds through the standard verizon box. Model Name:Fios-G1100

It looks like this:

vz1306×922 117 KB

transfer speeds look like this:

network876×1450 218 KB

What I mean is host your nas via software on a pc with multiple network adapters and NAS software.

Or if your nas appliance supports it have two virtual instances bound to different network adapters.

This topic was automatically closed 273 days after the last reply. New replies are no longer allowed.