[ale] networking confusion

Sun Jan 15 22:23:48 EST 2023

On 1/15/23 15:31, Narahari 'n' Savitha via Ale wrote:
> Thank you for that explanation.  Appreciate it.

If you seek mandatory rules for network security, you will be disappointed.  Only you know what is enough.  Only you know what's actually possible for your situation and knowledge.  Hopefully, those two sets overlap, but they don't have to, which would leave your LAN(s) exposed beyond your skill to secure them.

> 
> Subnetting is good enough for houses right.  Is VLAN an overkill
> (unless I can learn and practice with Mikrotik) ?

That's a matter of opinion.  Just remember that vlans are tagging and don't necessarily provide **any** security.

> I am assuming VLAN's are supported by Mikrotik.

Probably, but I don't know.

> I converted my old router to an AccessPoint and that router
> broadcasts 3 SSID's. I want to have one called "GUESTS_ONLY" and
> anyone visiting can join there.

Hopefully, you firewall all access for that subnet so they can only get to the internet.  The only way to be sure is to validate that is how it works.  Don't ask us.

> So I make a subnet for that SSID and it is available to guests on the
> 192.168.4.x network. How do I say any computers on 192.168.4.x should
> not be able to see 192.168.0.x computers ?

Don't assume anything. Check that it actually works that way.  I suspect it doesn't.

> Is that a sep step on the router or it is the default  at router
> level ?

I don't know any of your network equipment's defaults.  Assume the worst and check it yourself.

If your wifi isn't upstream from your main router, closer to the internet, I'd be highly suspicious it can access everywhere on your subnets until proven otherwise.  Learn to use nmap and scan all the networks.

> 
> -Narahari
> 
> On Sun, Jan 15, 2023 at 8:21 AM DJPfulio--- via Ale <ale at ale.org
> <mailto:ale at ale.org>> wrote:
> 
> I subnet based on security needs, not location.  Both methods are
> valid.  In a house, there's usually no need to subnet based on
> location.  The distances are small enough that a CAT5e cable easily
> connects everywhere and usually, devices on 1 floor are distrusted at
> the same level as other devices nearby, unless there is a family VPN
> server or other internet-facing servers running at home.
> 
> Times like this, I really miss the RateMyNetworkDiagram website.
> There, people would upload diagrams of their different networks for
> others to rate. It was a good place to see what professionals were
> doing and the learn.
> 
> Everything from tiny 1 computer + 1 modem "networks" to 20-site
> Enterprise WAN connectivity would be posted.  Sadly, the webmaster
> decided to hide all the networks behind a php DB lookup so the
> WaybackMachine couldn't cache any thing.
> 
> I think Narahari is running a Mikrotik router, so it can probably do
> most of the big boy subnetting with vlans.
> 
> On 1/14/23 23:36, Boris Borisov via Ale wrote:
>> If router allow that ... yes. I have simple routers that doesn't
>> have needed flexibility. Also have couple with dd-wrt firmware (
>> just for testing stuff ) which should be able to take the task.
>> 
>> On Sat, Jan 14, 2023 at 11:01 PM Narahari 'n' Savitha via Ale 
>> <ale at ale.org <mailto:ale at ale.org> <mailto:ale at ale.org
>> <mailto:ale at ale.org>>> wrote:
>> 
>> Friends:
>> 
>> I am learning about subnetting so I can set up one subnet for the 
>> basement, one for the main floor and one for upstairs.
>> 
>> So should I set the static ip and subnet mask for my laptop ?(and 
>> thereby devices on each floor for their respective subnets ?)
>> 
>> or
>> 
>> Is this something I can set up on the router  to say access point
>> in basement gets a specific subnet mask ?
>> 
>> If my questions are not making sense, please ignore.
>> 