[ale] networking confusion

Jason Jessico jjessico at gmail.com
Mon Jan 16 19:57:30 EST 2023


A good place to start is defining your requirements, time budget, and
dollar budget.
Start with broad requirements, and then refine them with more details as
you go.
1) Provide a guest wifi network
1a) Require a password.  Rotate password automatically every X days
1b) etc
2) Prevent IoT devices from communicating with other devices on the LAN
3) Restrict outbound access to external services
3a) External services must be defined by URL
3b) etc
4) Limit the bandwidth available to a group of devices on the LAN
5) Learn more about networking and network security
6) etc

Then sketch out a time budget:
1) I need features 1-3 live in two weeks.  Features 4-N can go live as
needed, later.
2) I have 10 hrs a week until it is live to research, test, and deploy
3) It cannot require more than 1 hr of maintenance monthly to maintain
99.99% availability

And lastly a dollar budget:
1) The equipment I have on hand is a RTR Model X, Switch Model Q, AP Model
D Qty 2
2) I have an additional $x dollars to spend on this project

The requirements will help you build a diagram of the solution, which in
turn will allow you to build a list of actual gear & configuration to
implement.  Passing that through your time and dollar budget will refine
what your options actually are for achieving your objectives.

As James mentioned, things like guest wifi are near enough 'checkbox
implementations' on some home/soho/smb platforms.  DJ's comments about
testing after implementation are indeed important for validating that your
implementation achieves the results.  In the requirements, consider
defining how you would test that each one has been met.


On Mon, Jan 16, 2023 at 11:30 AM James Taylor via Ale <ale at ale.org> wrote:

>  FWIW..
> I use Ubiquiti access points and I can set up a guest network isolated
> from my internal network pretty easily.
> The management service provides a simple set up. It uses a web page
> intercept that requires a predefined password.
> If all you need is a wifi guest network, it's a good solution.
> -jt
>
>
> James Taylor
> 678-697-9420
> james.taylor at eastcobbgroup.com
>
>
>
> >>> Boris Borisov via Ale <ale at ale.org> 1/15/2023 10:27 PM >>>
> The only way to really separate the subnets is to be on insulated ethernet
> ports. Mikrotik may have it but check specs.
>
> On Sun, Jan 15, 2023, 22:24 DJPfulio--- via Ale <ale at ale.org> wrote:
>
> >
> > On 1/15/23 15:31, Narahari 'n' Savitha via Ale wrote:
> > > Thank you for that explanation.  Appreciate it.
> >
> > If you seek mandatory rules for network security, you will be
> > disappointed.  Only you know what is enough.  Only you know what's
> > actually possible for your situation and knowledge.  Hopefully, those two
> > sets overlap, but they don't have to, which would leave your LAN(s) exposed
> > beyond your skill to secure them.
> >
> > >
> > > Subnetting is good enough for houses right.  Is VLAN an overkill
> > > (unless I can learn and practice with Mikrotik) ?
> >
> > That's a matter of opinion.  Just remember that vlans are tagging and
> > don't necessarily provide **any** security.
> >
> > > I am assuming VLAN's are supported by Mikrotik.
> >
> > Probably, but I don't know.
> >
> > > I converted my old router to an AccessPoint and that router
> > > broadcasts 3 SSID's. I want to have one called "GUESTS_ONLY" and
> > > anyone visiting can join there.
> >
> > Hopefully, you firewall all access for that subnet so they can only get
> > to the internet.  The only way to be sure is to validate that is how it
> > works.  Don't ask us.
> >
> > > So I make a subnet for that SSID and it is available to guests on the
> > > 192.168.4.x network. How do I say any computers on 192.168.4.x should
> > > not be able to see 192.168.0.x computers ?
> >
> > Don't assume anything. Check that it actually works that way.  I suspect
> > it doesn't.
> >
> > > Is that a separate step on the router or is it the default at router
> > > level ?
> >
> > I don't know any of your network equipment's defaults.  Assume the worst
> > and check it yourself.
> >
> > If your wifi isn't upstream from your main router, closer to the
> > internet, I'd be highly suspicious it can access everywhere on your subnets
> > until proven otherwise.  Learn to use nmap and scan all the networks.
> >
> > >
> > > -Narahari
> > >
> > > On Sun, Jan 15, 2023 at 8:21 AM DJPfulio--- via Ale <ale at ale.org> wrote:
> > >
> > > I subnet based on security needs, not location.  Both methods are
> > > valid.  In a house, there's usually no need to subnet based on
> > > location.  The distances are small enough that a CAT5e cable easily
> > > connects everywhere and usually, devices on 1 floor are distrusted at
> > > the same level as other devices nearby, unless there is a family VPN
> > > server or other internet-facing servers running at home.
> > >
> > > Times like this, I really miss the RateMyNetworkDiagram website.
> > > There, people would upload diagrams of their different networks for
> > > others to rate. It was a good place to see what professionals were
> > > doing and learn.
> > >
> > > Everything from tiny 1 computer + 1 modem "networks" to 20-site
> > > Enterprise WAN connectivity would be posted.  Sadly, the webmaster
> > > decided to hide all the networks behind a php DB lookup so the
> > > WaybackMachine couldn't cache anything.
> > >
> > > I think Narahari is running a Mikrotik router, so it can probably do
> > > most of the big boy subnetting with vlans.
> > >
> > > On 1/14/23 23:36, Boris Borisov via Ale wrote:
> > >> If the router allows that ... yes. I have simple routers that don't
> > >> have the needed flexibility. I also have a couple with dd-wrt firmware (
> > >> just for testing stuff ) which should be able to take the task.
> > >>
> > >> On Sat, Jan 14, 2023 at 11:01 PM Narahari 'n' Savitha via Ale
> > >> <ale at ale.org> wrote:
> > >>
> > >> Friends:
> > >>
> > >> I am learning about subnetting so I can set up one subnet for the
> > >> basement, one for the main floor and one for upstairs.
> > >>
> > >> So should I set the static ip and subnet mask for my laptop? (and
> > >> thereby devices on each floor for their respective subnets?)
> > >>
> > >> or
> > >>
> > >> Is this something I can set up on the router to say the access point
> > >> in the basement gets a specific subnet mask?
> > >>
> > >> If my questions are not making sense, please ignore.
> > >>
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > https://mail.ale.org/mailman/listinfo/ale
> > See JOBS, ANNOUNCE and SCHOOLS lists at
> > http://mail.ale.org/mailman/listinfo
> >
>
>
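Jason's advice is to write down, for each requirement, how you would test that it has been met, and DJ's advice in the quoted thread is to validate the guest network's isolation with nmap rather than assume the router does it. The following is an added example, not code from any poster in this thread: a small Python checker that turns the isolation requirement from the thread (guest 192.168.4.0/24 must not reach 192.168.0.0/24) into a pass/fail test over the grepable output (`nmap -oG`) of a scan run from a laptop on the guest network. The scan output embedded below is constructed for the example; the `allowed` parameter is a hypothetical exception list for addresses you have decided may legitimately answer.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample of nmap grepable (-oG) output, as if produced by a scan
# launched from a laptop on the guest network. Hosts and names are made up.
SAMPLE_SCAN = """\
# Nmap 7.93 scan initiated Mon Jan 16 20:00:00 2023 as: nmap -oG - 192.168.0.0/24 192.168.4.0/24
Host: 192.168.4.1 ()\tStatus: Up
Host: 192.168.4.23 ()\tStatus: Up
Host: 192.168.0.1 ()\tStatus: Up
Host: 192.168.0.50 (nas.lan)\tStatus: Up
Host: 192.168.0.77 ()\tStatus: Up
Host: 192.168.0.77 ()\tPorts: 22/open/tcp//ssh///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)
# Nmap done at Mon Jan 16 20:00:03 2023 -- 512 IP addresses (5 hosts up) scanned in 3.01 seconds
"""


@dataclass
class HostResult:
    ip: str
    up: bool = False
    open_ports: list = field(default_factory=list)


HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s*(.*)$")
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)")


def parse_grepable(text):
    """Merge the per-host lines of nmap -oG output into one HostResult per IP.

    -oG emits a 'Status:' line and, for port scans, a separate 'Ports:' line
    for the same address; both are folded into the same record here."""
    hosts = {}
    for line in text.splitlines():
        if line.startswith("#") or not line.strip():
            continue
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, _name, rest = m.groups()
        h = hosts.setdefault(ip, HostResult(ip))
        # Remaining fields are tab-separated "Name: value" pairs.
        for fieldname, value in (f.split(": ", 1) for f in rest.split("\t") if ": " in f):
            if fieldname == "Status":
                h.up = h.up or value.strip() == "Up"
            elif fieldname == "Ports":
                h.open_ports.extend(int(p) for p, _proto in PORT_RE.findall(value))
                h.up = True  # an open port means the host answered
    return hosts


def check_isolation(hosts, guest_net, protected_nets, allowed=()):
    """Return the hosts in the protected networks that answered the guest-side scan.

    `allowed` (hypothetical exception list) names addresses that may legitimately
    respond, e.g. the router if its LAN-side address is deliberately left reachable."""
    guest = ipaddress.ip_network(guest_net)
    protected = [ipaddress.ip_network(n) for n in protected_nets]
    violations = []
    for h in hosts.values():
        addr = ipaddress.ip_address(h.ip)
        if addr in guest or not h.up or str(addr) in allowed:
            continue
        if any(addr in net for net in protected):
            violations.append(h)
    return sorted(violations, key=lambda x: ipaddress.ip_address(x.ip))


def report(scan_text, guest_net="192.168.4.0/24", protected_nets=("192.168.0.0/24",), allowed=()):
    """Evaluate the isolation requirement and return (verdict, report lines)."""
    hosts = parse_grepable(scan_text)
    bad = check_isolation(hosts, guest_net, protected_nets, allowed)
    verdict = "PASS" if not bad else "FAIL"
    lines = [f"Requirement: guest {guest_net} must not reach {', '.join(protected_nets)} -> {verdict}"]
    for h in bad:
        ports = ", ".join(map(str, h.open_ports)) or "none seen"
        lines.append(f"  reachable: {h.ip}  open ports: {ports}")
    return verdict, lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SCAN)[1]))
```

Run the real scan from a device joined to the guest SSID, save it with `-oG guest.txt`, and feed that file to `report()`; a PASS only means nothing on the protected network answered that particular scan, so repeat it after any router or access point change, as the thread recommends.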