Isolating devices from network in a shared property

Future Situation

Due to circumstances I’m having to move into a shared property in the coming months. I feel that most if not all places will likely be using the ISP router given to them when they started their contract.

THE ISSUE

I have multiple PCs, consoles and a Jellyfin/NAS server that I would like to keep to myself and not have everyone else be able to see these devices on the network.

Is there any way of isolating my devices from the network whilst maintaining internet connection without changing routers and setting up a VLAN?

1 Like

If you don’t mind double NAT (like if your NAS or jellyfin is only for local access and not internet accessible) you could simply install your own router on the incoming ethernet line you have from their router. Set up a rule that says drop all traffic from every private IP on their side of the network except their router’s IP.

3 Likes

Would any router work for this? If not any recommendations for ones to look out for?

1 Like

This

Without VLAN yes, without having to buy a new router, depends on how capable your current one is.

1 Like

This will be the first time remarkably I’ve actually had to think about buying a router so I’m gonna go with not at all capable (i.e. a POS ISP router).

For me, I use a VM on my NAS as my router, which connects to my house network.
I run a VPN, and all my traffic is routed through my NAS.
So didn’t actually need a separate router. (you might not too)

I incidentally already had a router, from a previous place, which I use as a wifi access point but also played with using a RPi as access point, router, firewall etc.

The NAS is more featureful, but uses more electricity.

I also at one point played with using a USB Wi-Fi dongle to make another VM into an access point, but the router does it better.
(and easier to configure)

So, I mean to say, you might already have most of the tools you need.
You have a jellyfin server, maybe get a PCIe NIC / USB gigabit dongle to use as an external / RED / WAN / untrusted side device, and run something like pfSense, or some such in a VM on the machine?
Then maybe get a cheap-ish / free VPS as a VPN, and tunnel traffic?

Back when Pis were not crazy prices, I managed to pick up a couple and followed an old guide, but there are a bunch of other ways to do it.

Personally I switched to Proxmox, with VMs

1 Like

^^++

Much more capable than many BOM=$20, MSRP=($50, $150) branded routers, … pfSense, OPNsense, OpenWRT all run great like this… or you could just set up iptables/nftables firewall and do routing on your jellyfin box.


… but if you want a separate wifi (and I think you’ll probably want to) you’ll have to buy an access point, … and you’ll likely need some kind of switch.

Really good wifi6/wifi6e access points are going for about 100-ish, let’s say 150 and up (Ubiquiti U6-… TP-Link Omada EAP6xxHD, EnGenius EN377 … )

VPNs could let you use others’ networks (apt wifi, or even Starbucks), to access your network (jellyfin and what not), as if you were plugged into it directly, … and they’re much more convenient to use these days than they were a decade ago, … but for “within apartment” they’re still a hassle.

Your mini LAN, all machines connected with a switch, then connected to the central firewall, then your FW connected to the home network for internet access. In addition, if you want, you can send all your network traffic to the Internet through some commercial VPN.

Just treat everything in front of the Firewall as a foreign hostile environment, same as the entire internet.

As router/firewall software… OpenWrt, pfSense, OPNsense, IPFire

Hardware… both x86 and ARM, depending on what you have or can afford to buy.

If 1Gb/s is enough for you, the costs will be marginal. Cheap router and switch if you need more eth ports. And then OpenWrt, or some mini x86 and then pfSense, OPNsense, IPFire.

Even something like this after installing OpenWrt for 1Gb/s is enough. Optionally some cheap unmanaged 1Gb switch (TP-Link…) if you need more ports than the router has. And that’s how you create your own little LAN that you can isolate from the outside world as needed.

No need to play with VLANs or buy expensive routers/firewalls.
You will have your own wifi and ethernet secured from the WAN side with a firewall + nat.

At least quickly and cheaply, I would do it if you do not have higher requirements and only want segment separation.
Unfortunately, you won’t be able to do without buying at least one device… if we want to keep KISS. :wink:

2 Likes

Dude, that’s amazing. I actually had someone offer me an Asus router they no longer need that should be perfect for this.

1 Like

You can check if this model is supported by OpenWrt. If not, you will be left with the manufacturer’s software, and these often have few options in relation to owrt, and there is a risk that it may be a model that is no longer supported, which means that the software does not receive a security update.

But if it is hidden behind NAT on the router from the ISP, it should somehow be able to survive. :wink:

I think you might be able to do it with a basic Asus router. In the network services section of the firewall try setting an allow list, and set the source as their router IP and destination as your router IP, with ports as the entire port range, and traffic type is TCP All. Make another rule for UDP with the same settings.

OpenWRT software on it would be better though.

Get an old system and use pfSense, it will give you more control and features than a standard router. Getting older routers, etc., you need to look at the security aspect as well.

6220 can run OpenWRT, … it’s still only mt7621 ; but at least you can get a modern kernel and wpa3 going.

Update

Got to wait to move in right now

I actually had someone offer me an Asus router they no longer need that should be perfect for this.

Received the router. Turns out it’s an RT-AC86U :grinning:. Installed Merlin onto the router.

Correct me if I’m wrong but IPset should allow me to block the internal IP range.
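
The rule suggested early in the thread (drop traffic from every private IP on the shared side except the ISP router's IP), combined with the ipset idea in the last post, as an added example that is not any poster's own configuration. It covers all three RFC 1918 ranges because the shared LAN's subnet is not given; the set name `rfc1918`, the chain name `SHARED_LAN`, and the sample values `eth0` and `192.168.1.1` are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread). Prints the commands for the inner
# router; review the output, then pipe it to sh as root to apply it.
# Hypothetical names: ipset "rfc1918", iptables chain "SHARED_LAN".
SET=rfc1918
CHAIN=SHARED_LAN

# Succeeds only for a plain dotted-quad IPv4 address with octets 0-255.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|*..*|.*|*.|*[0-9][0-9][0-9][0-9]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# isolation_rules WAN_IF UPSTREAM_ROUTER_IP
isolation_rules() {
    wan_if=$1 gw=$2
    # Both values end up inside shell commands, so reject anything unexpected.
    case $wan_if in
        ''|-*|*[!A-Za-z0-9._-]*) echo "bad interface: $wan_if" >&2; return 1 ;;
    esac
    valid_ipv4 "$gw" || { echo "bad router address: $gw" >&2; return 1; }
    cat <<EOF
ipset -exist create $SET hash:net
ipset -exist add $SET 10.0.0.0/8
ipset -exist add $SET 172.16.0.0/12
ipset -exist add $SET 192.168.0.0/16
iptables -N $CHAIN
iptables -A $CHAIN -s $gw -j RETURN
iptables -A $CHAIN -m set --match-set $SET src -j DROP
iptables -I INPUT -i $wan_if -j $CHAIN
iptables -I FORWARD -i $wan_if -j $CHAIN
EOF
}

# Example: sh isolate.sh eth0 192.168.1.1
if [ $# -eq 2 ]; then isolation_rules "$1" "$2"; fi
```

`RETURN` hands packets from the ISP router back to the router's normal WAN firewall instead of accepting them outright, so the exception does not open the inner router's own services to the upstream side. Traffic from the internet carries public source addresses and never matches the set.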