#1
I am moving into an office next week with a shared internet connection.
Please help me with a sanity check on the following (networking is not my forte). For the sake of customers' privacy, and to protect other computers on the network, I am thinking a sub-network would be the best approach.

Q1: Do you see these concerns as relevant? (Would you do this yourself if you were doing computer repairs as a member on a larger network?)
Q2: Is this the best approach in these circumstances?
Q3: What would be the easiest way to go about setting something like this up (or alternative?)?
__________________
Please EMAIL member support queries. "Do something you love, and you'll never work a day in your life"
Last edited by 16k_zx81; 05-16-2012 at 04:41 AM.

#2
Q1: Yes, you definitely want your "nontrusted" devices on an isolated network, shielded from your own (and co-renters') devices. For this you will need VLANs (virtual LANs).
Q2: Do you have access to the building's main router/switches etc.? What kind of network infrastructure is already in place, and is someone managing it? If you're lucky there's already a Layer 3 design in place, with VLANs and the like. Whoever set it up should be able to help you then. Alternatively, you can just isolate your subnets further down the line and split up your network as you like. You will have to create access control lists to restrict traffic to other networks though.
Q3: Depends of course on what you need to buy. I'm a Cisco dude myself but you'll find alternatives (with a GUI etc. :P) that support 802.1Q too. But if you want it set up right, I'd hire a Network Engineer. A job like this should only be a couple of hours' work.

#3
Assuming they give you one ethernet port. What I would do is buy a layer 3 switch and set up a private VLAN. I'm also a Cisco guy and don't know much about other switches, but the same logic should apply. Here's the info for Cisco: http://www.cisco.com/en/US/products/...8013565f.shtml
It's difficult to come up with the best solution without knowing the network layout. There might be a simple solution, but a private VLAN will work regardless of the network infrastructure. After reading datagnostic's reply, I just realized we were talking about the same thing.
__________________
Roel Computer Repair Elk Grove | Laptop Repair Sacramento | Data Recovery Elk Grove | Online Computer Repair | Virus Removal Sacramento
Last edited by rsarceno; 05-16-2012 at 08:31 AM.

#4
Hopefully you're not stuck behind their own router that does NAT....without any control. Hopefully they're doing it right and have a biz grade account with the ISP where they can hand you your own public IP address to stick on the WAN interface of your own firewall?

If not..I'd get my own connection run in.....even if you just need 1x public IP. I couldn't do that...we use many different public IPs...we have 5x pub IPs from our cable ISP and we have 5x pub IPs from our DSL ISP..and we use most of them...we have our Untangle firewall using them.

If you're stuck having to share a private IP from behind their own NAT router...you could get internet access by sticking your own router's WAN port in that uplink to their router...and you'll double NAT yourself. Stinks, double NAT creates a loss of performance for you, some web based apps hate it, you won't be able to port forward to get to services you host. It isolates your network from theirs, and you won't easily find their network...but technically something (like malware) can spread outside of your network to theirs so it's not technically secure.

If their router does port based VLANs (more biz grade routers do this...Linksys/Cisco RV series for example).....those make it easy to set up secure segments and avoid double NAT'ing. You can even do that on cheap routers that support being flashed with DD-WRT firmware.
__________________
Resident "Geek on a Harley" doing IT in Southeast Connecticut http://www.dynamic-alliance.com/ https://www.facebook.com/YeOldeStonecat

#5
Ok, far from a network expert, but if you're willing to look up / learn, I'd say you can skip spending big sums on Cisco stuff and just get a decent router with DD-WRT.
Googling definitely comes with tons of hits (for instance https://www.google.co.uk/search?clie...hannel=suggest) but you may have to play with the exact search terms. With a domestic router with a decent amount of flash and RAM you can get either dd-wrt, openwrt or tomato to use extras too (optware they call it) so it would be fairly versatile. Of course with you moving, you probably don't have the time to investigate this stuff atm.

#6
I concur. The people in the building should be put on their own VLAN, you should have your own VLAN, and the customer computers area should be set up to where each port is on its own VLAN.
ALL customer computers would be isolated from everything and each other, you would have your own LAN, and the other company would have its own LAN... everyone could happily share the Internet.

#7
If you're not on your own VLAN, and you have an available machine, take a look at putting together a pfSense box. A cheap, easy-to-use firewall/router will protect you.
__________________
When you have eliminated the impossible, whatever remains, however improbable, must be the truth. - Sherlock Holmes

#8
At a minimum I would put everything behind a router on a different subnet and block all ports except 80 and 443.
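Posts #6 and #8 describe the same design from two angles: the customer machines on their own segment, your own LAN on another, and the customer segment allowed nothing but web traffic out. The script below is an added example, not from this thread and not a configuration from DD-WRT, pfSense, Untangle or Cisco; it assumes a small Linux box acting as the router between the shared uplink and two internal interfaces, with placeholder interface names (eth0/eth1/eth2) and placeholder subnets (10.10.10.0/24, 10.10.20.0/24), and uses nftables. It goes a little beyond post #8's "only 80 and 443": it also permits DNS from the customer segment (browsing does not work without it), and it explicitly drops customer traffic bound for any private address range on the uplink side, which covers the "malware spreading into their network" point from post #4 when you are double-NATed behind the building's router.

```shell
#!/bin/sh
# Added example: generate an nftables ruleset for a repair-shop router that sits
# between a shared building uplink and two internal segments. Interface names
# and subnets are assumed placeholders; override them through the environment.
WAN_IF="${WAN_IF:-eth0}"      # uplink to the building's router (we are NATed again behind it)
SHOP_IF="${SHOP_IF:-eth1}"    # your own office/workbench LAN
CUST_IF="${CUST_IF:-eth2}"    # customer machines under repair
SHOP_NET="${SHOP_NET:-10.10.10.0/24}"
CUST_NET="${CUST_NET:-10.10.20.0/24}"

# Print the ruleset to stdout. Anything not explicitly accepted is dropped by
# the chain policy, so the customer segment is "web and DNS only" by default.
gen_ruleset() {
    cat <<EOF
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # the router itself is administered only from your own LAN ...
        iifname "$SHOP_IF" accept
        # ... the customer segment gets just DNS and DHCP from it
        iifname "$CUST_IF" udp dport { 53, 67 } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Customer segment: never into your LAN, never into the building's
        # private ranges behind the uplink, Internet only for DNS and web.
        iifname "$CUST_IF" oifname "$SHOP_IF" drop
        iifname "$CUST_IF" ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } drop
        iifname "$CUST_IF" oifname "$WAN_IF" udp dport 53 accept
        iifname "$CUST_IF" oifname "$WAN_IF" tcp dport { 80, 443 } accept

        # Your own LAN: unrestricted outbound, and it may reach the bench
        # (e.g. to push tools onto a machine); replies return via conntrack.
        iifname "$SHOP_IF" oifname "$WAN_IF" accept
        iifname "$SHOP_IF" oifname "$CUST_IF" ip saddr $SHOP_NET ip daddr $CUST_NET accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # both internal segments hide behind this box's uplink address
        oifname "$WAN_IF" masquerade
    }
}
EOF
}

# Self-check helper: how many rules let the customer segment out to the uplink?
# With the policy above that must be exactly two (DNS and web).
count_customer_accepts() {
    gen_ruleset | grep -c "iifname \"$CUST_IF\" oifname \"$WAN_IF\".*accept"
}

# Write the ruleset to a file; load it with `nft -f <file>` as root once reviewed.
OUT_FILE="${OUT_FILE:-${TMPDIR:-/tmp}/repairshop.nft}"
gen_ruleset > "$OUT_FILE" || echo "could not write $OUT_FILE" >&2
# Syntax-check without applying, when nft is installed and we are root.
if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    nft -c -f "$OUT_FILE"
fi
```

Two things the ruleset cannot do for you: the box only routes between segments, so it must have `net.ipv4.ip_forward=1` set, and it never sees traffic between two customer machines plugged into the same segment. Isolating customer ports from each other, as posts #3 and #6 describe, is a switch feature (private VLAN or port isolation), not something a router rule can enforce.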
#9
Quote:
#10
Ok. Got broadband. I'm pretty annoyed as all the owner has done is get a wireless router set up. The building is wired with RJ45s but he hasn't had them connected, so no wired network, just wireless.
What options do I have from here for a 'VLAN'? Can I set up a repeater in my office and then run my own local network off the router's RJ45s?
__________________
Please EMAIL member support queries. "Do something you love, and you'll never work a day in your life"