Internet ► Modem/Router ► Cat5e ► Wireless Router ► Cat5e ► ? ► Computers: How Can I Achieve Wired Internet Connectivity AND Client Isolation?

Hey all,

Internet ► Modem/Router ► Cat5e ► Wireless Router ► Cat5e ► ??? ► Computers and Console

How would I go about sharing internet via wired connections, and preventing the computers and console from communicating / pinging /etc. each other?

What hardware would be required where the "???" is on the map above, if any?

I have a rudimentary understanding of networking, but I am willing to learn how to approach the above scenario if it seems beyond my understanding, currently.

Thanks all!

I'm sure there's a way to do this in the router, by having every client on their own subnet. But I'm not sure how to set it up.

Otherwise the only thing I can think of is having a firewall on all your devices.

You might also be able to do this with a layer 3 switch, but I'm not sure about that and they can be pretty expensive.

The easy route. Turn on your windows firewall.

The hard route. Isolate your console from your network: You could get another router, and put them on their own network.
Then just route the traffic. You shouldn't need to NAT your consoles behind the second firewall... just add a firewall rule that blocks traffic from/to the new network.

INTERNET > Modem > CAT5E > Wireless Router > CAT5E > SECONDARY ROUTER > Consoles
Computers stay connected as they are.

UNLESS your wireless router can do VLANs, in which case you can do it all on there (unless your consoles are wireless).

2 Likes

VLANs. Or just put them on different subnets.

The ??? could be an L2 switch, but I'd advise you to put this before the wireless router so you can put the wireless clients in their own VLAN.

How are your consoles connected? Wired or wireless?
And the wifi/router is also a router, or is it just an access point?
According to the OP, it looks to me that you basically have 2 routers.
A modem with router functionality, and a separate router with wifi.
This basically means that you should be able to separate your machines from the consoles,
since you basically have 2 separate subnets.

If your router has vlan support, you can do it all on that.

Thank you. I've been watching videos about subnetting, still trying to digest it. I thought VLANs would do the trick for a while, but then I found out that since most cheaper (affordable, currently) switches are layer-2, computerA could ping computerB through the router behind the switch. I've been researching this stuff pretty heavily in the last few days, kind of muddled, so I could be mistaken :). Thank you for your suggestion!

I had considered just using Windows Firewall / Public Network (location) to disable Network Discovery. How effective / secure is this? I've been trying to find more detailed documentation on this approach, but haven't found much yet. Your approach with the second router seems more manageable, given my current rudimentary and eclectic understanding of networking...

Thank you for your suggestion and advice, though :).

This is something I hadn't considered, and something to look into :). Thank you!

The console is DESIGNED to be used wirelessly, but I am fetching an Ethernet adapter for it. The router is a wireless router. Consumer-grade. The router does not have support for VLANs, but it does have wireless AP isolation.

It looks like the common thread with a lot of the responses here is subnetting, which I currently am lacking a practical understanding of, so I guess that might be my next step in my sporadic adventure into networking. I appreciate your response :). Thank you!

Sorry about the individual responses, haven't quite figured out how to respond to multiple posts in one response post, yet...

I'm going to be quite frank. Everyone who subnets their network without isolating their traffic, either by using VLANs or by getting a separate switch and routing their traffic, is doing what we in the biz call "stupid".

Not only does it get you into bad practices, it also complicates your routing. As 192.168.2.123/24 cannot communicate with 192.168.1.1. It also congests traffic across the switch... but that's a discussion for another time.

Just because it works, doesn't mean you should do it.
Same goes for making up some random color order to use in your patch cables.

</rant>

1 Like

Please, rant away! I by no means am qualified to disagree with what you've been saying, thus far :). This is all an opportunity to learn for me, so I'm not complaining!

The biggest limiting factor with the approach posited seems to be the monetary cost of the hardware involved, coupled with my own lack of understanding. Initially, I thought just getting a NetGear switch with port/tag-based VLANs and connecting it to the router would do the trick, but then someone mentioned that it would only isolate layer-2 traffic, and that a layer-3 managed switch would need to be involved. That jump in functionality seems disproportionate to the money required to purchase such hardware, though :(.

Regardless, I appreciate any information that can set me on the track to not being such an ignoramus! I'm fascinated by this stuff; it's a lot to digest, though!

Layer 3 switches exist in this magic space between routers and switches. It alone would do the trick, but it's not needed.

The OSI model is a stacked model, meaning if you make two isolated layer 2 networks (i.e. two switches with nothing connecting the two), your layer 3-7 traffic will never meet.

SWITCH <--> ANET--ROUTER--BNET <--> SWITCH <---- you need a router to join the two networks together.

So in your case, if you are wiring your console, you need to isolate the Layer 2 traffic (either by VLANs or a separate switch) and then segment your layer 3 network into two separate networks.

I make a point in saying you need to separate your layer 2 traffic for good reason.

One, it's a security concern. While that concern may not be the most needed inside one's own home, I believe in keeping up with best practice.

The only reason I suggested different subnets is because this isn't an enterprise network, the performance impact would be minimal, and I'm sure that it would meet the needs of OP. However, my first suggestion was for him to use VLANs, and I agree with you, but once again this is only a home network.

A Layer 3 switch is a router and will act as one, meaning it will route traffic between the Layer 2 segments (VLANs).
Anything that does "routing" will route traffic regardless. The restrictive functionality is a Layer 4 feature and can be done by most routers (and Layer 3 switches) by means of Access Rules, in other words Firewall functionality.

There are only two ways to achieve what OP needs.

  1. Private VLANs a.k.a. port isolation. Hosts are in one VLAN, but they are unable to communicate with each other. Requires expensive switch.

  2. Configure the Firewall on the Wireless router.

But, as I see it, the easiest way is to wire the Console up to the Modem and use one of its ports and wire the computers to the Wireless router. That way:

Internet > Modem/Router > Cat 5e > WAN port of Wireless router > Cat 5e > Computers
Internet > Modem/Router > Cat 5e > Consoles

These are essentially two separate paths and the Console will not be able to contact the Computers and vice versa, as the Wireless router will perform NAT for the computers.

The Modem/Router should have a few LAN ports, so that's how I'd do it without the need of configuring Access Rules.
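Added here as an illustration, not from any poster in this thread: a small Python reachability model of the layouts proposed above (the second router with a blocking rule, two VLANs on one router, the console on the modem's LAN with the computers behind the wireless router's NAT, and one subnet split across two unconnected switches). The addresses, segment names and the helpers `can_reach`, `forwards` and `scenarios` are assumptions made for this example, not anything the posters configured. Under those assumptions it shows that the deny rule on the second router blocks both directions, that two subnets on one router (in VLANs or not) are routed freely until a rule is added, that the double-NAT layout stops the console reaching the computers but not the computers reaching the console (NAT only drops unsolicited inbound traffic), and that hosts sharing a subnet but not a switch cannot reach each other at all.

```python
"""Reachability model for the network layouts discussed in this thread.
Constructed example: addresses, segment names and topology are assumptions. Only
policy is modelled (L2 segments, router firewall rules, NAT); a router is assumed
to have a route to every subnet one of its interfaces sits on.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface, IPv4Network, ip_interface, ip_network

@dataclass(frozen=True)
class Iface:
    segment: str          # L2 broadcast domain: a switch, a VLAN or an SSID
    addr: IPv4Interface   # router address on that segment, e.g. 192.168.1.1/24
    wan: bool = False     # upstream side of a NAT router

@dataclass
class Router:
    ifaces: list[Iface]
    nat: bool = False     # masquerade LAN->WAN, drop unsolicited WAN->LAN
    deny: list[tuple[IPv4Network, IPv4Network]] = field(default_factory=list)

@dataclass(frozen=True)
class Host:
    segment: str
    addr: IPv4Interface

def forwards(r: Router, ingress: Iface, egress: Iface,
             src: IPv4Address, dst: IPv4Address) -> bool:
    """Router policy for one packet entering on `ingress` and leaving on `egress`."""
    if r.nat and ingress.wan and not egress.wan:
        return False  # no port forward configured: unsolicited inbound is dropped
    return not any(src in s and dst in d for s, d in r.deny)

def can_reach(src: Host, dst: Host, routers: list[Router]) -> bool:
    """May a packet from src reach dst, given the segments, routers and policy?"""
    if src.addr.network == dst.addr.network:
        # Same subnet: hosts ARP for each other and never involve a router, so
        # only the L2 segment (a separate switch or VLAN) can keep them apart.
        return src.segment == dst.segment
    seen, frontier = {src.segment}, [src.segment]
    while frontier:  # walk segment to segment through every router attached to it
        seg = frontier.pop()
        for r in routers:
            for ingress in (x for x in r.ifaces if x.segment == seg):
                for egress in (x for x in r.ifaces if x is not ingress):
                    if not forwards(r, ingress, egress, src.addr.ip, dst.addr.ip):
                        continue
                    if egress.segment == dst.segment and dst.addr.ip in egress.addr.network:
                        return True
                    if egress.segment not in seen:
                        seen.add(egress.segment)
                        frontier.append(egress.segment)
    return False

def scenarios() -> dict[str, bool]:
    """Layouts proposed in the thread, with assumed addresses; True = reachable."""
    n, i = ip_network, ip_interface
    pc = Host("main", i("192.168.1.10/24"))
    out = {}

    # A. "Hard route": second router (no NAT) for the console, then the same
    #    router with a rule dropping traffic between the two LANs.
    console = Host("console-lan", i("192.168.2.50/24"))
    second = Router([Iface("main", i("192.168.1.2/24")),
                     Iface("console-lan", i("192.168.2.1/24"))])
    out["A_second_router_no_rule"] = can_reach(pc, console, [second])
    second.deny = [(n("192.168.1.0/24"), n("192.168.2.0/24")),
                   (n("192.168.2.0/24"), n("192.168.1.0/24"))]
    out["A_second_router_deny_rule"] = (can_reach(pc, console, [second])
                                        or can_reach(console, pc, [second]))

    # B. Console on the modem's LAN, computers behind the wireless router's NAT.
    console_b = Host("modem-lan", i("192.168.0.50/24"))
    modem = Router([Iface("modem-lan", i("192.168.0.1/24"))])
    wireless = Router([Iface("modem-lan", i("192.168.0.2/24"), wan=True),
                       Iface("main", i("192.168.1.1/24"))], nat=True)
    out["B_double_nat_console_to_pc"] = can_reach(console_b, pc, [modem, wireless])
    out["B_double_nat_pc_to_console"] = can_reach(pc, console_b, [modem, wireless])

    # C. Two VLANs with two subnets on one router and no firewall rule.
    vlans = Router([Iface("vlan10", i("192.168.1.1/24")), Iface("vlan20", i("192.168.2.1/24"))])
    out["C_two_vlans_no_rule"] = can_reach(Host("vlan10", i("192.168.1.10/24")),
                                           Host("vlan20", i("192.168.2.50/24")), [vlans])

    # D. Two subnets on ONE segment via a secondary router address: still routed.
    two_ip = Router([Iface("main", i("192.168.1.1/24")), Iface("main", i("192.168.2.1/24"))])
    out["D_two_subnets_one_segment"] = can_reach(pc, Host("main", i("192.168.2.50/24")), [two_ip])

    # E. One subnet: two switches with nothing joining them, versus one switch.
    out["E_same_subnet_separate_switches"] = can_reach(pc, Host("switch-b", i("192.168.1.50/24")), [])
    out["E_same_subnet_same_switch"] = can_reach(pc, Host("main", i("192.168.1.50/24")), [])
    return out

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:34} {'reachable' if ok else 'blocked'}")
```

Run it directly to print each scenario as reachable or blocked. Routing is deliberately optimistic: the model grants a router a route to every subnet its interfaces sit on, so "reachable" means policy permits the flow, while "blocked" is a genuine segment, firewall or NAT block rather than a missing route.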

Different subnets in different VLANs will not prevent the computers in one from seeing the computers in the other IF they are connected to a single Router without the use of Firewall functionality on the Router.

I'm not talking about different subnets in different VLANs, that would be completely redundant.

Ehm, different subnets in one VLAN require the ability to add a "secondary" IP address on the Router interface in order for things to work, and I doubt his Wireless Router has that capability; even if it did, communication between the two subnets will be allowed and existing, because the router will route between them.

Why have different subnets at all if you're separating the network with VLANs, as I said, it's redundant.
I also suggested he gets a L2 or a L3 switch. His router probably doesn't support VLANs at all.

Because if you use VLANs you need different subnets? :)

Also, the L3 switch will route between subnets anyway. So, that doesn't do him any good.
The L2 switch, connected to the router will not work either, because the Wireless Router does not understand 802.1q trunking. So, again, a dead end :)