SIGforum.com    Main Page  Hop To Forum Categories  The Lounge    Network subnet device segregation - please advise
Member
konata88
posted
I have some new devices that I consider weak links for hacking / malware. It is what it is. IOT type of device.

I'd like to segregate it from my other devices, especially computers. I have two questions for which I could use some help.





"Wrong does not cease to be wrong because the majority share in it." L.Tolstoy
"A government is just a body of people, usually, notably, ungoverned." Shepherd Book
 
Posts: 13219 | Location: In the gilded cage | Registered: December 09, 2007
W07VH5
mark123
posted
If you have the ability to use VLANs, that would be my suggestion.

You probably want to look into a firewall instead of multiple routers. Pfsense is excellent and easy to set up. Netgate is their hardware line if you'd rather have a nearly turnkey setup.
 
Posts: 45677 | Location: Pennsyltucky | Registered: December 05, 2001
Member
konata88
posted
quote:
Originally posted by mark123:
If you have the ability to use VLANs, that would be my suggestion.

Pfsense is excellent and easy to set up. Netgate is their hardware line if you'd rather have a nearly turnkey setup.


Thanks. I don't know what VLANs are. A quick lookup suggests they are conceptually logical subnets coming off the same physical router. Can I do this using any / my current router? Or do I need to buy router models that specifically support VLAN topologies (specific VLAN router capability, perhaps with additional cost over other common routers)?




 
Posts: 13219 | Location: In the gilded cage | Registered: December 09, 2007
quarter MOA visionary
smschulz
posted
So the purpose is just to isolate some IoT devices ?
If so isolation from _____________?
What about access from one network to the next?
Do you have a block of public IP's on the Cable Modem or is it also a router as well?


quote:
Question: Can Devices 3-8/Printer and Devices 9 see each other?


1> Why router 3?
2> Define "seeing"?
3> Yes it is possible to communicate between but what is it you desire?
 
Posts: 23415 | Location: Houston, TX | Registered: June 11, 2006
Optimistic Cynic
architect
posted
quote:
How do you get devices on subnet A to see/talk to devices on subnet B?
You do this with the routing tables in the routers.

Specifically, you install static routes on each router that point the desired subnets to the nearest IP of the connecting router. These have to be installed in "both directions" so that responses to connection requests go to the right place. Some things that depend on LAN broadcasts won't work across subnets without a "helper" app on the router. These are mostly discovery protocols for services advertised by various devices. Most likely you might see this with printers.

Alternatively, if your routers are capable, it is possible to activate route discovery software on them and they will figure out the routes for themselves. These protocols have names like RIP (Router Information Protocol), OSPF (Open Shortest Path First), and several others that are either proprietary to a particular vendor, or less widely used. This is how the Internet works, ISP to ISP, in the "default-free zone" (that assemblage of routers that have no default route configured). Once an internet gets above a certain size it becomes too onerous to manually configure every router; this is what routing protocols were developed to achieve.
 
Posts: 6941 | Location: NoVA | Registered: July 22, 2009
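To make architect's point about installing static routes "in both directions" concrete, here is an added Python model written for this thread (not the poster's, and not any router's firmware): two routers joined by a constructed 10.0.0.0/30 transit link, each doing longest-prefix lookup. The round trip from subnet A to subnet B only completes when router B also has a route back to subnet A; otherwise the reply follows B's default route toward the ISP and is lost. All addresses are constructed.

```python
import ipaddress

ISP = "ISP"  # default gateway; private addresses sent there never come back


class Router:
    """Minimal longest-prefix-match forwarding table."""

    def __init__(self, name, routes):
        self.name = name
        # routes: (prefix, next_hop); "connected" means a local interface
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def next_hop(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [(net, nh) for net, nh in self.routes if addr in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def deliver(router, dst, by_ip, max_hops=8):
    """Follow next hops; True once dst is on a connected subnet, False if it leaves the house."""
    for _ in range(max_hops):
        nh = router.next_hop(dst)
        if nh == "connected":
            return True
        if nh not in by_ip:        # no route, or default route toward the ISP
            return False
        router = by_ip[nh]
    return False                   # routing loop


def build(route_on_b_back_to_a):
    """Subnet A (192.168.1.0/24) behind router A, subnet B (192.168.2.0/24)
    behind router B, joined by transit link 10.0.0.0/30 (constructed addressing)."""
    ra = Router("A", [("192.168.1.0/24", "connected"), ("10.0.0.0/30", "connected"),
                      ("192.168.2.0/24", "10.0.0.2"), ("0.0.0.0/0", ISP)])
    rb_routes = [("192.168.2.0/24", "connected"), ("10.0.0.0/30", "connected"),
                 ("0.0.0.0/0", ISP)]
    if route_on_b_back_to_a:
        rb_routes.append(("192.168.1.0/24", "10.0.0.1"))   # the "other direction"
    return ra, Router("B", rb_routes)


def round_trip(ra, rb, host_a, host_b):
    """(request reaches B, reply reaches A) for host_a talking to host_b."""
    by_ip = {"10.0.0.1": ra, "10.0.0.2": rb}
    return deliver(ra, host_b, by_ip), deliver(rb, host_a, by_ip)


if __name__ == "__main__":
    for both_ways in (False, True):
        ra, rb = build(both_ways)
        print("return route on B:", both_ways, "->",
              round_trip(ra, rb, "192.168.1.20", "192.168.2.50"))
```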
Member
konata88
posted
Thanks Architect - so it is possible to have Device 1,2,9 access the Printer on a different router/subnet. I think I get the gist of what you said. I'll try to study the details more. Right now, it's not critical but the possibility opens up additional flexibility of where I connect devices.

I have various devices, mostly IoT type that I want to isolate from my computers. I don't consider these devices secure and a weak link into what I would want to be secure subnets inside the house.

I don't want these segregated IoT type devices (including some old computers running old OS that serve particular functions but likely don't have the latest in HW/SW/OS security protections).

I also want to segregate some of the IoT devices from each other (like Device 1,2 from Device 9) for various reasons. I don't want them communicating with each other, possibly allowing a hacked device to get information from the other devices.




 
Posts: 13219 | Location: In the gilded cage | Registered: December 09, 2007
Member
quil57
posted
what is the purpose of having three routers?

If you need to isolate some devices, is it from only your other devices or does that include the internet as well?
 
Posts: 45 | Location: Rock Hill | Registered: October 13, 2022
Member
konata88
posted
Isolate some devices (that I don't trust inherently nor as minimally secure from malicious SW) from others. Not that I really care much about those devices but don't want them as weak links to attack devices I do care about (my computers (data on them and traffic in/out of them)).

ETA: seems like my current router supports VLAN to some extent. Will try to learn more about it. Never knew what VLAN was or that it may be a feature on my current router.




 
Posts: 13219 | Location: In the gilded cage | Registered: December 09, 2007
quarter MOA visionary
smschulz
posted
What routers do you own?
Do you have any switches?
How is your cable modem configured specifically for network addressing?
Is it a requirement to only use the equipment you have?

Like mentioned above VLAN configuration is best suited for this task.
However, you will need a switch (smart switch, layer II or III, etc) then a router that understands and can route between networks if desired, then create access rules between the networks.
However, a physical LAN as originally described can be deployed too without VLANS.
The one big question is again the configuration of the cable modem.
 
Posts: 23415 | Location: Houston, TX | Registered: June 11, 2006
Ammoholic
posted
Sounds like a firewall question to me. Many routers have some firewall functionality, so you may not need any new hardware, just to use some features of the existing hardware that you hadn’t learned about yet.

The very first thing to do in situations like this is to carefully consider what you want each device to have access to. This might be everything, nothing, or anything in between.

Many firewalls have the notion of established connections. You can use this to allow one way access. If you only allow packets related to an established connection *in from* the internet, but allow all packets *out to* the internet, then your PC (in a simple example) can connect to whatever website you like, but hackers cannot make a connection to your PC.

You could use the same concept to allow devices 3-8 to access device 9, but not allow device 9 to access devices 3-8. If you wanted device 9 to be able to access the printer, you could allow new connection traffic to only the printer.

I’d have cable modem <-> router/firewall <-> all other devices, split up into whatever physical or logical subnets best accomplished what I wanted.

Firewalls have gotten incredibly powerful and some of them have gotten incredibly complex. There is a whole lot of capability there…
 
Posts: 7219 | Location: Lost, but making time. | Registered: February 23, 2011
Ammoholic
posted
quote:
Originally posted by smschulz:
What routers do you own?
Do you have any switches?
How is your cable modem configured specifically for network addressing?
Is it a requirement to only use the equipment you have?

Like mentioned above VLAN configuration is best suited for this task.
However, you will need a switch (smart switch, layer II or III, etc) then a router that understands and can route between networks if desired, then create access rules between the networks.
However, a physical LAN as originally described can be deployed too without VLANS.
The one big question is again the configuration of the cable modem.



Why does one need a switch?
Why does the cable modem configuration matter?

One could use a router or firewall between the cable modem and everything else. Many routers and most all firewalls support Network Address Translation (NAT). As far as the cable modem (and the rest of the Internet) is concerned, there is only one device behind the cable modem.

One can then build whatever they want using private (non-routable, think 10.x.x.x, 172.16.x.x, 192.168.x.x) addresses behind the router or firewall. Properly configured, your stuff can get out, but nobody can get in.

Where it gets more complicated is if you need to have a publicly visible IP address and allow some connections *into* your network.
 
Posts: 7219 | Location: Lost, but making time. | Registered: February 23, 2011
Nullus Anxietas
ensigmatic
posted
quote:
Originally posted by slosig:
Why does one need a switch?
Because dedicated network switches are usually faster. Most "switches" built into "NAIO" (Network All-In-One) devices (I just made that up) are software-driven. Most dedicated network switches use dedicated ASICs (Application-Specific Integrated Circuits) to perform their task.

quote:
Originally posted by slosig:
One could use a router or firewall between the cable modem and everything else. Many routers and most all firewalls support Network Address Translation (NAT). [remainder snipped]
You're telling a networking professional how networking stuff works

Btw: If I were trying to do what konata88 is trying to do, I'd have a single router (probably an Ubiquiti EdgeRouter 4) and network switches, as-needed, on each port.

For switches: Probably an EnGenius EWS2910P for Devices 3-8... and a NetGear GS105Ev2 for Devices 1 & 2. (Don't really prefer NetGear these days, but they're the best "capable" maker of small network switches, IMO.)



"America is at that awkward stage. It's too late to work within the system,,,, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
 
Posts: 26032 | Location: S.E. Michigan | Registered: January 06, 2008
quarter MOA visionary
smschulz
posted
quote:
Originally posted by slosig:
quote:
Originally posted by smschulz:
What routers do you own?
Do you have any switches?
How is your cable modem configured specifically for network addressing?
Is it a requirement to only use the equipment you have?

Why does one need a switch?
Why does the cable modem configuration matter?

Thank you slosig for the networking primer. Eek

One thing I have learned in my business is to acquire as much information as possible before making decisions.

The vast majority of the time most people not in the IT business refer interchangeably to: router - wi-fi - firewalls - cable modems - even switches.
They have distinct functions independently of each other but may affect each other.
They may or may not reside in a particular device but in many cases they will.

So I was trying to get clarification of the existing devices.

I don't recall seeing any true cable modems (only) with more than one ethernet interface.
Not that there aren't any - if there is more than one then it would appear to me that it is doing a routing function with NAT.
The OP diagram has two internal ethernet ports on the cable modem which would mean that it was also doing NAT.
There are other configurations and possibilities but trying to keep it simple.

So when I said they need a switch - it was for optimal VLAN configuration scenario.

Yes there are multiple ways to configure what the OP desires and I am not judging his reasons or validity of what he wants - only exploring the options to achieve.

Once all the data is in - only then would I feel fully confident on any recommendations.

One more thing, if the diagram was filled in with actual IP addressing then that would be useful as well.
It could assist in the OP objectives.


.02
 
Posts: 23415 | Location: Houston, TX | Registered: June 11, 2006
Member
konata88
posted
Thanks guys. You're all smarter than I am. I need some time to catch up - I need to look up a lot of things / terms you guys are mentioning with which I'm unfamiliar. It's all going over my head at the moment.

But I do believe I can differentiate between router, switch, hub, wifi, cable modem. But just at the basic level - these smart routers and switches with vlan capabilities and such are all new to me. And of course the ideal topology of these various devices to serve my objectives.

The basic objective is to separate (physically and/or logically on the home network; I guess the convergence point will at least be the cable modem) devices (IoT type) that are security / privacy weak links that may expose risk to my computers used for 'valuable' purposes (banking, private data, etc).




 
Posts: 13219 | Location: In the gilded cage | Registered: December 09, 2007
Ammoholic
posted
quote:
Originally posted by konata88:
Thanks guys. You're all smarter than I am. I need some time to catch up - I need to look up a lot of things / terms you guys are mentioning with which I'm unfamiliar. It's all going over my head at the moment.


Maybe the other guys are, but not me. Just a little more experienced with some of this stuff, though it was a while ago, so my knowledge is definitely dated.

quote:
But I do believe I can differentiate between router, switch, hub, wifi, cable modem. But just at the basic level - these smart routers and switches with vlan capabilities and such are all new to me. And of course the ideal topology of these various devices to serve my objectives.

The basic objective is to separate (physically and/or logically on the home network; I guess the convergence point will at least be the cable modem) devices (IoT type) that are security / privacy weak links that may expose risk to my computers used for 'valuable' purposes (banking, private data, etc).


Depending on what “networking stuff” you have (or are willing to buy), there are all kinds of options to achieve the separation, be it logical, physical, or both.

I don’t know anything about your cable modem or its capabilities. In general, I tend to just treat the access point from the ISP as a simple pipe, put a firewall between the ISP access point and my network, and do control / filtering there.

It is entirely possible that your cable modem has the capacity to do what you want to do and you just need to learn how to set it up. Of course, if you change your ISP and the new ISP uses a different cable modem (or other access device), you need to figure out how to do your desired config with the new ISP’s gear. If you have all your filtering in your own firewall (or router, or switch), then the configuration change when switching your ISP is much simpler.
 
Posts: 7219 | Location: Lost, but making time. | Registered: February 23, 2011
Ammoholic
posted
quote:
Originally posted by ensigmatic:
quote:
Originally posted by slosig:
Why does one need a switch?
Because dedicated network switches are usually faster. Most "switches" built into "NAIO" (Network All-In-One) devices (I just made that up) are software-driven. Most dedicated network switches use dedicated ASICs (Application-Specific Integrated Circuits) to perform their task.

Got it. I thought it was a need thing rather than an optimal speed thing and didn’t understand why.

quote:

You're telling a networking professional how networking stuff works

Whoops, my apologies.

quote:
Btw: If I were trying to do what konata88 is trying to do, I'd have a single router (probably an Ubiquiti EdgeRouter 4) and network switches, as-needed, on each port.

For switches: Probably an EnGenius EWS2910P for Devices 3-8... and a NetGear GS105Ev2 for Devices 1 & 2. (Don't really prefer NetGear these days, but they're the best "capable" maker of small network switches, IMO.)


Okay, for my continuing education, a couple questions:

By sticking a switch in front of each port on the router you avoid the delay of CDMA and exponential back off, right? So basically, the switch only hands the router one packet at a time and cuts down delays?

Why the different switches for different devices? Is one cheaper and the other more capable, or is there some other reason?

I don’t know that I’d ever have claimed to be a networking professional, but I did write router software for one of the largest router (now router, switch, just about everything else) companies for five and a half years back in the early nineties after spending 13 months doing phone and e-mail customer support for them. (I dunno what I did in a prior life to end up in that support slot, but it must have been really bad. Smile That said, I learned a heck of a lot about how the customers used the products that was really valuable. It often wasn’t anything at all like the folks writing the code expected.)
 
Posts: 7219 | Location: Lost, but making time. | Registered: February 23, 2011
Ammoholic
posted
quote:
Originally posted by smschulz:
Thank you slosig for the networking primer. Eek

One thing I have learned in my business is to acquire as much information as possible before making decisions.

Sorry, I was not trying to step on any toes, just trying to understand. Your information gathering approach is clearly the right path.
 
Posts: 7219 | Location: Lost, but making time. | Registered: February 23, 2011
W07VH5
mark123
posted
I'm an amateur at this stuff but I think something like this Netgate 1100 and a couple cheap dumb switches would separate IoT from the computers with banking info on them and still allow printing from anywhere required.

I built a low powered server to run pfsense. Lan1 is my business computer and the wife's bill paying computer. Lan2 is my NAS accessible only from the Lan1. Lan3 is IoT (TVs, garage door opener, cameras, etc). Lan4 is the guest network.

Lan3 and Lan4 can't access any of the other Lans. As a bonus, I get network wide ad blocking.

 
Posts: 45677 | Location: Pennsyltucky | Registered: December 05, 2001
Member
konata88
posted
Netgate was raised above; I'm looking at them but still have to learn about some things before I understand what their products are.

Question: what does your topology look like, roughly? Modem to Netgate to Switches? Are you referring to LAN1,2,3 as ports of the switch? If so, that doesn't seem like separate LANs to me - seems like they would all be on the same subnet. Unless this pfsense thing is doing something with the Netgate device to logically (physically?) create the different LANs.

Sounds like your set up is what I'm basically trying to do. Just not sure how Netgate and pfsense fit into this / enables this. Still lots of reading / learning to do.

Network wide ad blocking sounds nice.




 
Posts: 13219 | Location: In the gilded cage | Registered: December 09, 2007
W07VH5
mark123
posted
quote:
Originally posted by konata88:
Netgate was raised above; I'm looking at them but still have to learn about some things before I understand what their products are.

Question: what does your topology look like, roughly? Modem to Netgate to Switches? Are you referring to LAN1,2,3 as ports of the switch? If so, that doesn't seem like separate LANs to me - seems like they would all be on the same subnet. Unless this pfsense thing is doing something with the Netgate device to logically (physically?) create the different LANs.

Sounds like your set up is what I'm basically trying to do. Just not sure how Netgate and pfsense fit into this / enables this. Still lots of reading / learning to do.

Network wide ad blocking sounds nice.


Modem-> netgate -> switch -> WAP

Each LAN is its own network.

In my case
LAN1 is 192.168.13.x
LAN2 is 192.168.66.x
LAN3 is 192.168.77.x
LAN4 is 192.168.88.x

The firewall rules dictate which has access into it out of any of them.

Tom at Lawrence Systems on YouTube has step by step setup guides for pfsense.
 
Posts: 45677 | Location: Pennsyltucky | Registered: December 05, 2001
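As an added illustration of slosig's (Ammoholic) "established connection" idea applied to mark123's four LANs (example code written for this thread, not pfSense's own rule engine): a toy stateful firewall whose per-zone rules only govern new connections, while replies to a connection that was already passed are let back through by the state table, so IoT and guest devices can answer the PCs but never open a connection toward them. The 192.168.x.x networks are from mark123's post; the WAN prefix 203.0.113.0/24 and all host addresses are constructed.

```python
import ipaddress
from typing import NamedTuple

# Addressing from mark123's post; the WAN prefix is a constructed stand-in
# (RFC 5737 documentation range) for "the internet".
ZONES = {
    "LAN1": ipaddress.ip_network("192.168.13.0/24"),  # business / bill-paying PCs
    "LAN2": ipaddress.ip_network("192.168.66.0/24"),  # NAS
    "LAN3": ipaddress.ip_network("192.168.77.0/24"),  # IoT (TVs, cameras, ...)
    "LAN4": ipaddress.ip_network("192.168.88.0/24"),  # guest Wi-Fi
    "WAN": ipaddress.ip_network("203.0.113.0/24"),    # internet side
}
# Per-ingress-zone rules, first match wins, implicit block at the end.
# Only NEW connections consult these; replies to a connection that was
# already passed are matched by the state table and let through.
RULES = {
    "LAN1": [("pass", "any")],  # trusted PCs may open connections anywhere
    "LAN2": [("pass", "WAN")],  # NAS may reach the internet, not other LANs
    "LAN3": [("pass", "WAN")],  # IoT: internet only, no lateral movement
    "LAN4": [("pass", "WAN")],  # guests: internet only
    "WAN": [],                  # no unsolicited inbound connections at all
}

class Flow(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.src, self.dport, self.sport)

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    raise ValueError(f"{ip} belongs to no known zone")

class StatefulFirewall:
    def __init__(self) -> None:
        self.state: set = set()  # flows that were passed as NEW

    def handle(self, pkt: Flow) -> str:
        # Either direction of an already-passed connection is ESTABLISHED.
        if pkt in self.state or pkt.reverse() in self.state:
            return "pass (established)"
        ingress, egress = zone_of(pkt.src), zone_of(pkt.dst)
        for action, target in RULES[ingress]:
            if target in ("any", egress):
                if action == "pass":
                    self.state.add(pkt)
                return f"{action} (rule)"
        return "block (default)"

def simulate(flows) -> list:
    """Run flows through one firewall instance in order; returns the verdicts."""
    fw = StatefulFirewall()
    return [fw.handle(f) for f in flows]
```

Call simulate() on a list of Flow objects in packet order: a PC opening 192.168.77.5:443 passes by rule, the camera's reply passes as established, and the camera's own attempt to reach the PC on port 22 is blocked by the default rule.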
© SIGforum 2024