Recently the company my wife works for closed their local office and converted everyone to work from home. They sent her a VPN router and a phone. When her boss was setup, the corporate IT guy in another State mentioned he could see her entire home network. He has not said that about our home network, but I haven't asked and I want to err on the side of caution.

We currently have a DSL modem/router from our ISP which feeds our wired home network. The VPN router connects to our DSL modem/router through a wired connection and uses our home internet service.

At the moment, the VPN router is not working correctly. They will fix it when they get around to it, in the meantime she's using a software VPN.

What is the best way to secure everything within my home so the company cannot see or access our devices, and more specifically, my new to me Synology NAS?

Previous to this I did not have someone else's hardware in my home connecting out of State.

Any advice as to what you would do to secure things in this situation would be greatly appreciated.

I trust the members here, and I sincerely appreciate your help.

Easy way, but kind of kludgy & requires extra hardware - Have the DSL Modem/Router as your entry point. Connect the WAN of VPN router to LAN of DSLrouter. Connect another 'home' router to it as well (DSLrouter LAN to home WAN). Connect any device that you don't want the VPNrouter to see to the home router (wired or wireless). That will make a psudo-DMZ where your home network is behind the firewall of the 'home' router. Port forwarding will probably be a pain in the ass, if you are using that for anything. I'd disable wifi on the DLSrouter, or make it 'guest' and an easy password. It will keep any guests off your home network.

A more elegant solution, with less hardware will probably require a managed switch & virtual networks (VLANs) within. Probably more $$ than you want to spend & more time than you want to devote.

Software VPN on corporate devices is probably a better solution, but if there's downsizing going on, the IT guys are probably looking for ways to keep their jobs - dicking around with router within a router on home networks is probably a good way to keep busy.

quote:

Originally posted by snidera:
Easy way, but kind of kludgy & requires extra hardware - Have the DSL Modem/Router as your entry point. Connect the WAN of VPN router to LAN of DSLrouter. Connect another 'home' router to it as well (DSLrouter LAN to home WAN). Connect any device that you don't want the VPNrouter to see to the home router (wired or wireless). That will make a psudo-DMZ where your home network is behind the firewall of the 'home' router.

Our DSL Modem/router feeds into an unmanaged switch which connects to patch panels which feed the wall outlets in the house. One of those outlets has the VPN router attached to it and a switch with all of the company's equipment. Our devices are attached to other wall outlets out of the same unmanaged switch that feeds the VPN router.

Are you saying to put another router after the DSL modem/router that would feed a dedicated switch which feeds all of the wall outlets except for the one the company is using?

If a managed switch would fix this, I'm open to it. Whatever would work best.

Can you provide the model of it, it would help us determine what you have to work with.

Depending on many ethernet ports does the DSL Modem/Router, it could make things easier to work with.

quote:

Originally posted by cyanide357:
Can you provide the model of it, it would help us determine what you have to work with.

Depending on many ethernet ports does the DSL Modem/Router, it could make things easier to work with.

The device sent which I am told is used for the VPN router is a Mikrotik RB2011L-IN. The DSL modem/router has 4 ports and a LAN/WAN port. The main reason for the VPN router is to allow for a phone extension. The phone and VPN router were setup and shipped here, but they are not yet working together.

Unless you want to have some crazy wild double-NAT stuff happening.... the best bet would be to request her company setup the microtik for 2 individual networks.
You'll need to get your modem changed over to "bridge" mode so that it merely acts as a simple mechanism to convert IP traffic into the analog stuff that DSL can handle.
Once that is done, the microtik can be "the" router for your home.
The RB has 5 ethernet ports on it.
Presumably your wife only needs 1 or 2 ports for her work stuff - and honestly if more is required.. a simple dumb switch can handle that.

If you ask nicely... her IT folks should be able to totally segregate her work network off from your home network.
The microtik software is 100% capable of doing all of that (I have past experience with them) - they may need to setup some VLANs but any network guy worth a damn should be able to knock that out fairly easily.
The downside of this... The IT folks for her company would have full control over your network - so you'd need to be able to trust them to do it right... and to keep hands off and stay out of your business once it's done.

quote:

Originally posted by deepocean:
Are you saying to put another router after the DSL modem/router that would feed a dedicated switch which feeds all of the wall outlets except for the one the company is using?

Yes. get 'your' network behind another firewall (router) so that the VPNrouter can't see it.
sounds like moving 2 LAN cables + another router in your setup. DSL LAN to VPN WAN, DSL LAN to HOME WAN, then HOME LAN to switch, then feed anything else. Re-connect your wifi devices to HOME, then either disable DSLrouter wifi or make it a 'guest' SSID. If you have home-wifi devices still connected to the DSL router, they won't be able to see any other devices connected to HOME (wired or wifi) because they will be outside the firewall.

Creslin mentioned double-NAT, which is the professional way of saying 'pain in the ass port forwarding'. If you don't know what either means, you probably don't have to worry about it.

Also mentioned, that mikrotic could do everything you need, but RouterOS has a fairly steep learning curve. If you didn't have the modem/router, I'd say to use the VPN router as the 'main' router, then attach your home router to 1 of the LAN ports & make the IT guy set up a VLAN separate from the VPN. I was using a similar model until it got zapped in a storm, but I was just beginning to use it's capabilities. I got to the bottom of some pretty deep rabbit holes trying to set up QOS & VLANs. It croaked while I was in china, so I had the wife plug in the old router that 'just worked' and never really went back to the mikrotic (POE port got blown and I'm using more wifi than LAN so it checks fewer 'needs' than it did when I bought it).

I don't think I'd want an IT guy that sent you crap that doesn't work to be in charge of my access to sigforum.

Could I use an ASUS 1900 as the additional firewall? We get splotchy coverage using the DSL modem/router because of the HVAC plenum above it.

My main purpose here is security. I cannot discuss it online, but there are many reasons for me to be worried about our security if the VPN router can see/access our HOME devices.

quote:

When her boss was setup, the corporate IT guy in another State mentioned he could see her entire home network.

Not necessarily, keep your other personal computers off the subnet and independent of the VPN.
You might want a separate computer to connect to the office.

quote:

in the meantime she's using a software VPN

It's not exactly a software VPN but using VPN connection software on the client machine is quite adequate.
I don't know why it is necessary to have both complete networks linked unless you are in an office or something similar?

quote:

What is the best way to secure everything within my home so the company cannot see or access our devices, and more specifically, my new to me Synology NAS?

Keep the networks independent.
Traditionally even when you connect with VPN "software" it locks out the local network in many cases and can be configured as such.

You could also make the company just provide a different connection such as ATT vs Comcast - keep separate.
or a block of public IP's > one for your network - one for the work.

This is a very common remote access activity and there are a lot of ways to do it.

Good Luck

quote:

Originally posted by smschulz:

It's not exactly a software VPN but using VPN connection software on the client machine is quite adequate.
I don't know why it is necessary to have both complete networks linked unless you are in an office or something similar?

Keep the networks independent.
Traditionally even when you connect with VPN "software" it locks out the local network in many cases and can be configured as such.

You could also make the company just provide a different connection such as ATT vs Comcast - keep separate.
or a block of public IP's > one for your network - one for the work.

This is a very common remote access activity and there are a lot of ways to do it.

Good Luck

I want to keep the networks independent. Her notebook and all of the devices she uses for work are only used for work. She has worked from home for years, the only reason for the VPN router was for her to have a VOIP extension (which currently doesn't work as they configured it).

It has taken three months and lots of their things are not working correctly. I want everything we have absolutely separated from anything related to their hardware and their network.

They aren't going to provide a separate internet connection, and I will need to buy whatever hardware is needed to separate/secure my home network from their network.

quote:

Originally posted by deepocean:
I want to keep the networks independent. Her notebook and all of the devices she uses for work are only used for work. She has worked from home for years, the only reason for the VPN router was for her to have a VOIP extension (which currently doesn't work as they configured it).

They aren't going to provide a separate internet connection, and I will need to buy whatever hardware is needed to separate/secure my home network from their network.

You really don't need separate connections.

My wife's company has the same thing (VPN device w/ the office VOIP).

It is just connected to my primary router then they use their own subnet.

My local networks are on a different subnet and mine and hers don't see each other, neither would her company.

So basically the VPN network is double NAT with the outside IP being on the local network but the inside of the VPN is a whole new subnet.

Then the personal local network is on a different subnet (also physically isolated) with complete independence.

Should not be a problem for you.

quote:

Originally posted by smschulz:

You really don't need separate connections.

My wife's company has the same thing (VPN device w/ the office VOIP).

It is just connected to my primary router then they use their own subnet.

My local networks are on a different subnet and mine and hers don't see each other, neither would her company.

So basically the VPN network is double NAT with the outside IP being on the local network but the inside of the VPN is a whole new subnet.

Then the personal local network is on a different subnet (also physically isolated) with complete independence.

Should not be a problem for you.

Sorry if this is obvious, but I'm not sure how to check to see if this is how things are setup already, or what I might need to make sure this is done if our personal local network is not on a different subnet.

I would ask their IT person, but they seem unable to get anything of their own to work.

I could diagram it out for you but that might take me a little time but basically:

Connect VPN to your existing router with a different subnet (to be configured on the VPN router) then connect the office machine directly to the LAN ports of this device.

Use your other devices the same as your are.

Different subnet examples:

192.168.1.1~254 subnet mask 255.255.255.0

10.0.0.1~254 subnet mask 255.255.255.0

quote:

Originally posted by smschulz:
I could diagram it out for you but that might take me a little time but basically:

Connect VPN to your existing router with a different subnet (to be configured on the VPN router) then connect the office machine directly to the LAN ports of this device.

Use your other devices the same as your are.

Different subnet examples:

192.168.1.1~254 subnet mask 255.255.255.0

10.0.0.1~254 subnet mask 255.255.255.0

I think this is how he did it. All company devices are connected through their switch which is connected to a specific port on their VPN router. I will have my wife ask him about the subnets.

It may be all is OK. Not being in IT, I would rather say I do not know and make sure something does not happen which might have been prevented if I had asked the right questions.

I am sure the VPN (internal) and your LAN would be on different subnets, it would have all kinds of problems if they were the same.
Additionally, you might have to configure some port forwarding of VPN ports from the main router to the VPN unit.
Otherwise should work just fine.

quote:

Originally posted by smschulz:
I am sure the VPN (internal) and your LAN would be on different subnets, it would have all kinds of problems if they were the same.
Additionally, you might have to configure some port forwarding of VPN ports from the main router to the VPN unit.
Otherwise should work just fine.

He said this should be true. There is an unanswered question of how, if their network cannot see our network, she printed by accident to our network printer (which is not connected to their VPN) using their VPN router.

Think of these as out-loud musings, only written down and I never said any of this out loud.

Bridge mode on the DSL modem, connected to WAN port on a router (Main) which creates two VLANs, one for Home network (192.168.1.0), another for VPN network (172.16.1.0). (Unless this is all possible on one DSL modem/router).

Router 'Home' connects to a LAN port on 'Main'. 'VPN' does the same. The interfaces are set to different VLANs and there is an ACL statement denying all traffic originating from VPN subnet that is destined for the Home subnet. Home router has a default route pointing it to Main router.

VPN for the entire home and work subnets that is automatically launched on WAN connection and disconnects all traffic if the tunnel drops may be possible also. The Tomato firmware I'm running on my Asus RT-N66U certainly suggests it, but I'm not yet familiar with all of it and there's another build I want to look at.

Anyways, I'd say define your end goals first. If you already have and I've missed it, I apologize: I should have been asleep 3 hours and a considerable amount of bourbon ago.

Fewest devices? Ultimate firewall between your home network and the work network? Etc. I'd start there. Figure out what you have to work with (including what the IT department can work with you on regarding hardware and configuration), then define your objectives. Feasibility can be worked from there. Best guess, there's a solution that's not a gigantic pain.

Gonna go pass out now. Looking forward to being schooled by people more knowledegable -- and sober -- than me. Will check in later.

Oh yeah, a list of what devices are required for work and whether they can be plugged into the PC and used over a software-based VPN solution would be cool too.

quote:

Originally posted by Jumper:
Oh yeah, a list of what devices are required for work and whether they can be plugged into the PC and used over a software-based VPN solution would be cool too.

Scanner/printer, voip phone, backup printer, and company notebook are all she needs. The hardware vpn router was needed just for the voip extension. Currently the phone is not working correctly.

Crap, sorry for forgetting to reply.

I'm wondering if I'm overthinking this. Someone else chime in and let me know what you think.


1) DSL modem/router -- if it has the functionality -- creates two subnets: one for home network, one for the VPN router. Create a pretty simple access control list inbound on the home network interface that denies all traffic from the VPN network to your home network, and another on the VPN interface that denies all traffic sourced from the home network.

Not sure if home DSL routers have that level of control, though. Like smschulz said, different subnets and port forwarding should get things functioning, but what you said about them printing to *your* printer makes me want the ability to create ACLs even though I'm also puzzled.


2) DSL modem/router is put into bridged mode, meaning it simply passes the traffic, and you connect a new router configured to do the same subnetting and ACLs as I mentioned above. I like this from the functionality aspect, plus the router would be entirely yours to do with what you like.


There's always the option of getting your own router and attaching it to the DSL modem/router, but you don't want this getting too complicated.

WRT the VoIP phone. Many VoIP handsets have the ability to connect to a VPN included in their capabilities. Configure the VPN on the phone (as a client) rather than on the router (as site-to-site). This is a very common setup in the business.

Whether the handset provided by your wife's employer has the right kind of VPN capabilities is a question. Of course, any VoIP handset should work, some are fairly inexpensive. It is also possible to have the handset connect directly to their VoIP provider (or another VoIP provider), this would give it a "line/phone number," but not an "extension." The details are everything here, who is their VoIP provider? What VPN technology are they using? What is the make and model of the VoIP handset? Do they have their own VoIP PBX or are they using their provider's virtual PBX (if the latter, an extension is probably possible even without a VPN).

Sounds like your wife's employer might want to engage a network professional who understands VoIP and VPNs. Or on the other hand...I have seen employers, who prefer their staff not work from home, fake technical problems to discourage the practice. If this is the case, the "network support" folks will never get this working.