Isolate internet facing machine on basic home network
Hi, Apologies in advance if what I'm about to ask is very basic (I've a feeling it is).
I've a basic home network. I have one machine that will be outward facing to the internet on ports 80 and 443. Obviously I'm aware that this could potentially compromise my home network without additional measures.
So, after much reading, I purchased a 1200GS switch. It is setup as above. Note that:
Port 1 = management laptop
Port 3 = outward facing machine
Port 5 - ISP's router
I've left all other settings pretty much as per default.
Right enough, when one machine is connected to the vlan 1 and another to vlan 2 they are unable to ping each other even though they are both in the same network 'segment' (192.168.0.x).
Interestingly when I disconnect the laptop from Port 1 and switch back to my WAN I can ping the machine on Port 3, but it cannot ping the laptop back (it does not have a wifi card).
Any comments or insights from those in the community who have far more experience than myself would be very much appreciated.
Accepted Solution
-
Peter, Fair enough. I did look at the one you mentioned but it's beyond the depth of my pocket I'm afraid.
Many thanks for your help. It's been invaluable in pointing me in the right direction and I can see a way forward, albeit with a learning curve that is pretty (very) steep.
Although that's where the fun is.
Best Regards
David
0
All Replies
-
Hello @Dave_T
Welcome to Zyxel Community.
Based on your scenario, it seems you want to use the GS1200 switch to isolate an internet-exposed machine (on port 3) while still maintaining internet access for all devices. For this, confirm that your ISP router supports VLAN interface and is set up for VLAN 2.
On your switch, set the PVID on port 5 to PVID 1, make VLAN 1 on port 5 untagged, and tag VLAN 2 on port 5.
Next, establish a Security Policy on your router to deny communication between VLAN 1 and VLAN 2.
If you don't need devices behind the switch to communicate with each other, you can use Port Isolation instead of VLAN. When configuring Port Isolation, only the uplink port (port 5) can communicate with other ports, while the other ports can't reach each other.
Regarding your concerns:
- When a machine is connected to VLAN 1 and another to VLAN 2, they can't ping each other even if they're on the same network segment (192.168.0.x). This is expected behavior because devices on different VLANs can't communicate directly at Layer 2.
- If you disconnect the laptop from Port 1 and switch back to your WAN, and it can ping the machine on port 3, but not vice versa, check if your laptop's Windows Firewall is blocking ICMP packets.
Please kindly note the VLAN concept as following:
- PVID is linked to the Ingress rule, which adds the specified PVID to incoming untagged packets.
- The tag/untagged setting is related to the Egress rule, which determines if outgoing frames should carry VLAN tags.
Let us know if you have further questions.
Engage in the Community, become an MVP, and win exclusive prizes!
Nami
0 -
Hi Nami, Thanks you so much for responding to my query. Your summary of my objective is spot on.
The router supplied by my ISP is not vlan aware. Given this specific configuration I'm thinking that my objective is not achievable?
0 -
No plan survives first contact with the enemy....So no you can't do what you was hoping for.
Their are some ways to do what you want to do like get a port based VLAN switch but this means WiFi on simple router is not protected unless you ACL traffic to block LAN subnet on ingress from a server getting to a LAN IP.
GS1920-24
Or get a VLAN router
FLEX 200
0 -
Peter, Many thanks for responding.
So basically the most elegant and efficient solution would be to put my ISP's router (Virgin Media Hub 3) into modem mode and attach a vlan aware router that uses tags?
Correctly configured this would completely isolate the internet facing machine from my home network? Note that all other machines would be connecting exclusively via Wi-Fi.
If I'm correct in this understanding, one final question. Whilst I understand now that a vlan aware router is necessary to achieve my objective, is it sufficient i.e. a vlan switch would not be required?
Thanks again
Dave
0 -
A VLAN router does require a VLAN switch if you use VLAN's but a high end router does more then that because you have subnets per given ports like LAN 1 192.168.1.0/24 DMZ 192.168.4.0/24 and PC's on each can be setup to not allow go between the subnets without a VLAN switch.
0 -
Peter, Thanks again.
Just to confirm the physical layout. I would need to connect the vlan aware router (DrayTek Vigor 2762AC) to the vlan switch and then connect the outward facing machine to the the switch.
Dave
0 -
Can't help you with the DrayTek
0 -
Peter, Fair enough. I did look at the one you mentioned but it's beyond the depth of my pocket I'm afraid.
Many thanks for your help. It's been invaluable in pointing me in the right direction and I can see a way forward, albeit with a learning curve that is pretty (very) steep.
Although that's where the fun is.
Best Regards
David
0
Zyxel Employee
Guru Member
Categories
- All Categories
- 415 Beta Program
- 2.3K Nebula
- 141 Nebula Ideas
- 94 Nebula Status and Incidents
- 5.5K Security
- 216 USG FLEX H Series
- 262 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1K Wireless
- 39 Wireless Ideas
- 6.3K Consumer Product
- 243 Service & License
- 382 News and Release
- 81 Security Advisories
- 27 Education Center
- 8 [Campaign] Zyxel Network Detective
- 3K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 71 Security Highlight
