
Need to segregate an internet connection

Currently have gigabit FiOS to the home. With remote work taking over the home, I need to segregate work from home. Home = 5 wired clients (1 NAS, 2 PCs and 2 consoles) and 2 access points (a bunch of iPhones, tablets and IoT devices).
Work will be 3 PCs, which will need to provide an open port for remote SSH access.

Work PCs should not be able to access home PCs. However, a home PC should be able to access a work PC.

My initial idea is to get an EdgeRouter 4 to connect to the outside line.

The LAN side of the EdgeRouter would connect to a switch which would serve the ‘business’. One of the switch ports would go to the internet port of the Verizon router. Then I would map a DMZ port from the EdgeRouter to the Verizon router IP. The edge LAN would be 10.0.0.0 with its DHCP server disabled. All business clients would have static IP addresses. The Verizon router LAN would be 192.168.1.0 with DHCP enabled. The Verizon router IP would be 10.0.0.10.

The Verizon router also has a cable connection in addition to Ethernet. Apparently, TV programming comes in over the cable. This is why the Verizon router has to be the internal network. Somehow the cable programming is mapped to the Verizon router IP and all the devices on the Verizon LAN can get to it.

Is this architecture double NATted? The ‘inner’ network is mapped to a DMZ port from the outer network, so the Verizon router should think it’s connected directly to the outside world.

Is this enough information for someone to give a good response? I do not know what advantage I would get from running pfSense on something like this:

instead of the EdgeRouter. And then of course other recommendations like a Cisco 340 might be an option.

Most of the bandwidth will be consumed by the home PCs.

So you want to firewall SMB ports 135-139 and 445, and Remote Desktop port 3389?

I want all ports to the inner net firewalled. But do you have any suggestion regarding my plan?

I believe with iptables you can have both of those networks with a single DHCP range but isolate them by interface on your router, and have the home side of it accept only “Established” and “Related” packets. Basically, allow both sides to talk to each other, but only if the home side initiates it.

If it wasn’t for that Verizon cable you could just do double NAT, with the home network as the second NAT so it can see all devices from the work NAT.

Hi @skypickle, I may have a solution to your goals, but I need to ask a few questions to know for sure. The first question is: are the work computers physically located at your home or are they at your company site? Why do you need a home computer to be able to access a work computer?

Don’t get an EdgeRouter; get a pfSense device instead. EdgeRouters aren’t very much better than a home router. A pfSense device or a Netgate appliance has a whole lot more enterprise options built into it. EdgeRouters used to be very popular, the reason being easy setup of site-to-site OpenVPNs. Ubiquiti has decided to remove this feature from its EdgeRouters, so no more easily set up site-to-site OpenVPNs. At least, that is what I have heard.

Thank you, shadow bane, for taking the time to reply with thoughtful queries.

The work PCs will have SSH access open for the other people in the workgroup. I don’t want them also cruising around the home net. The work PCs include 2 Linux boxen and 1 Windows box. Since we keep everything off of big tech (no Google, no MS, no Dropbox, etc.) we just share PCs for compute, storage and emulation. The ‘outer router’ needs to handle lots of bandwidth. I have a gigabit connection to the house, so 1 Gig throughput on the router would be the minimum. We have talked about OpenVPN clients/servers but for our needs, SSH seems adequate; it is also encrypted and allows connection to individual machines. We might go to VPN though, so an OpenVPN-capable router would be good. That’s why I thought of the Ubiquiti appliance.

Others have suggested VLANs. I don’t know how secure VLANs are. If I get a VLAN-capable router then each VLAN would have its own subnet, e.g. 192.168.1.0 and 192.168.2.0. If a work person connects to a work PC on VLAN 1, what would prevent him from doing ‘arp -a’ or some other command to sniff out what else is on the network? I get nervous about the ‘outer router’ getting compromised by someone who gets into the work network. After all, once someone is connected to a work PC, he/she is on the LAN side of things. I don’t have a security appliance monitoring this LAN (imagine if one of the work machines got malware and started spamming; the whole network would clog. Without something like Untangle running on the LAN, I would have no ‘inside security’.)

Certainly there is trust between team members, but I’d rather not have to worry about misconfiguration issues or other points of failure if problems happen. With a second router to the home net, it does not matter what happens to the outer router. Since the outer router is ‘DMZ mapped to the IP of the inner router’ I don’t think I will have double NATting problems, but I don’t really know; never used DMZ before. Don’t even know why anyone would invent DMZ. Never double NATted before either, so I don’t really know what the impact of that will be.

The reason for being able to access the work PCs from the home net is for occasional file access. I might want to work on something in my den or kitchen and not have to go down to the basement where the work PCs are.

I guess the next step up from a Ubiquiti device would be this

https://www.amazon.com/gp/cart/view.html?ref_=nav_cart

running OPNsense.

I also looked at the Cisco 260rv but the max throughput is 800 Mbps. People also criticize it for being an old design but I don’t know what that really means. I don’t want wireless on the outer router. I have a couple of access points in the house, and the internet feed and work PCs are in the basement. People are raving about the ASUS AX88U and running Merlin on it, but I don’t need to pay for fancy Wi-Fi that I don’t need. Also putting the Verizon router as the inner router allows me to get all the programming we pay for.
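Putting the iptables suggestion earlier in the thread and the VLAN question together, here is an added example (not posted by anyone in the thread) of what the router policy looks like as a script: home may open connections to work, work may only answer, and each work PC gets one inbound SSH port. The interface names, the 10.0.0.x work addresses and the 220x ports are assumptions; the work and home interfaces can equally be VLAN sub-interfaces such as eth1.10 and eth1.20, in which case `arp -a` on a work host only shows its own segment and this FORWARD chain is what decides whether anything crosses into the other one. The script prints the rules for review by default and only applies them with APPLY=1 as root.

```shell
# Added example, not from the thread: generate (and optionally apply) a
# Linux-router rule set for "home -> work allowed, work -> home blocked,
# SSH into each work PC from outside". All names and numbers are assumptions.
WAN_IF="${WAN_IF:-eth0}"    # assumed: uplink toward the FiOS ONT
WORK_IF="${WORK_IF:-eth1}"  # assumed: interface (or VLAN sub-interface) facing the work switch
HOME_IF="${HOME_IF:-eth2}"  # assumed: interface facing the home (Verizon) router's WAN port
# Constructed sample "wan_port:work_host" pairs for inbound SSH, one per work PC.
SSH_MAPS="${SSH_MAPS:-2201:10.0.0.21 2202:10.0.0.22 2203:10.0.0.23}"

# Print the iptables commands instead of running them, so the rule set can be
# reviewed or diffed before it touches a live router.
gen_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WORK_IF -o $HOME_IF -j DROP
iptables -A FORWARD -i $HOME_IF -o $WORK_IF -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $HOME_IF -o $WAN_IF -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $WORK_IF -o $WAN_IF -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
    # One DNAT plus one matching FORWARD accept per exposed work PC; nothing
    # here ever points a forwarded port at the home side.
    for m in $SSH_MAPS; do
        port=${m%%:*}
        host=${m#*:}
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $port -j DNAT --to-destination $host:22"
        echo "iptables -A FORWARD -i $WAN_IF -o $WORK_IF -p tcp -d $host --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# Number of work PCs exposed over SSH in the generated rule set.
ssh_forward_count() {
    gen_rules | grep -c -- '-j DNAT'
}

# Offline policy self-check (returns 0 on pass): default policy is DROP, the
# reply-traffic rule is the first rule appended, no rule lets NEW flows go
# from the work side into the home side, and no port forward targets home.
check_policy() {
    rules=$(gen_rules)
    echo "$rules" | sed -n 1p | grep -q '^iptables -P FORWARD DROP$' || return 1
    echo "$rules" | grep -n -- '--ctstate ESTABLISHED,RELATED' | grep -q '^5:' || return 1
    echo "$rules" | grep -- "-i $WORK_IF -o $HOME_IF" | grep -q ACCEPT && return 1
    echo "$rules" | grep -- "-o $HOME_IF" | grep -q -- '--dport 22' && return 1
    return 0
}

# Apply only when explicitly asked for and running as root; otherwise just show.
if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    gen_rules | sh -e
else
    gen_rules
fi
```

Because the home side sits behind its own router, the rules match on interface rather than on source subnet, so they hold whether or not the Verizon box NATs behind the home interface. Running `check_policy` before `APPLY=1` is a cheap guard against the misconfiguration worry raised above.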

Hi @skypickle, sorry for the late reply; I have been swamped the last 2 days. Unfortunately the suggestion I was going to make on how to accomplish your goal won’t work. The problem lies with your programming from Verizon. The changes to your network I was going to suggest wouldn’t allow Verizon programming to reach its devices. I even made discreet inquiries to Verizon. They basically said any changes to the default settings of their equipment would basically disable their programming. Sorry I wasn’t any help. I have reached the end of my skillset, so I am out of ideas. I wish you the best of luck.

Thank you anyway. I appreciate the time you took.