Home LAN isolate machine
Discussion
Hi folks.
I'm a bit of an IT tinkerer, I am making a small machine to be a media server. I will expose it to the Internet.
I'd like to have it so that the machine is isolated on my home network, but still has Internet access. I don't want it to be able to access anything else on the LAN or vice versa but I do want it wired ideally. What is the easiest way to do this please?
I have a TP-Link Archer AX50. The easiest solution I can see is to put it on the guest WiFi along with the IoT stuff I have and set so that devices cannot access each other.
The thing is I'd want this to be wired and the router doesn't offer that. I guess in an ideal world I could create a vlan (my networking basic knowledge is there but that's about it) but the router and seemingly most home routers don't offer that. There are switches out there affordable that offer vlan support but I think... the router has to do it? There seem to be pro and prosumer routers or options like pfsense if I wanted to make my own router but I don't fancy the fuss or expense at the moment.
Am I best off with the guest network or is there something I am missing?
Many thanks!
Is your router capable of creating a DMZ?
ETA or you can use port forwarding:
https://www.tp-link.com/us/user-guides/archer-ax50...
Yes VLANs are what you want, and some firewall rules. You'll need a better router. I have a similar set-up at home, I run a server that is exposed to the internet, I use a Ubiquiti Edgerouter. Or look at Draytek. Will be a step up on the learning curve but there are plenty of tutorials on Youtube.
Edited by megaphone on Thursday 2nd November 08:00
White-Noise said:
Thanks a lot guys, so to be able to create vlans, what is the way to go about it? Home routers don't seem to very often offer this to my surprise from what I can see? Any examples of products that can offer it at a reasonable price?
I use a Ubiquiti Edgerouter. Or look at Draytek. Will be a step up on the learning curve but there are plenty of tutorials on Youtube. Or you could go down the Ubiquiti Unifi route which has a more user friendly interface. A Dream Router will work, but you'd need to check if it can do the isolated VLANS, pretty sure it can.
White-Noise said:
Thanks a lot guys, so to be able to create vlans, what is the way to go about it? Home routers don't seem to very often offer this to my surprise from what I can see? Any examples of products that can offer it at a reasonable price?
Ubiquiti Edgerouter X is probably the cheapest and is what I've been using for a number of years. That said, the Edgerouter line is more or less not being developed by Ubiquiti any more, so it's somewhat of a dead-end, if that concerns you.
outnumbered said:
Ubiquiti Edgerouter X is probably the cheapest and is what I've been using for a number of years. That said, the Edgerouter line is more or less not being developed by Ubiquiti any more, so it's somewhat of a dead-end, if that concerns you.
By coincidence v3.0.0rc has just been released.
EmailAddress said:
Wax1234 said:
Why exactly do you want to expose it?
If it’s for watching content from it when outside of the house, wouldn’t something like Plex be a much easier way to achieve this.
Plex will be on the same network no?
Presume the OP is looking for less exposure.
Thanks for the feedback folks so far. Some good feedback and the ubiquiti suggestion is interesting.
I’ve just acquired an old Sophos SG105 firewall on eBay and put pfsense on it. For less than £50 it is a very powerful device.
Something similar would do the trick here. Then just turn the existing router into a wireless access point and switch for the default LAN and connect the server to an option port on the pfsense, configured as a separate LAN. Then a simple firewall rule can be done to block the server LAN making connections to other private ranges, while still allowing you to reach it from the main LAN. Port forward as needed and job done. Still some fuss but little expense and it leaves the door open for more advanced stuff should you wish to tinker more in future.
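The rule layout described in the post above, modelled as an added example (not the poster's configuration or pfSense code) so the rule order can be checked before it is clicked into the GUI. The interface names, subnets, addresses and port 8096 are constructed assumptions.

```python
# Added example: first-match model of the rule layout described in the post.
# Interface names, subnets, addresses and the forwarded port are assumptions.
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ip_network("0.0.0.0/0")]
LAN = [ip_network("192.168.1.0/24")]        # main LAN (assumed)
SRV = [ip_network("192.168.20.0/24")]       # isolated server LAN (assumed)
SRV_GW = [ip_network("192.168.20.1/32")]    # firewall's address on the server LAN
SERVER = [ip_network("192.168.20.10/32")]   # media server (assumed)

# Rules are checked on the interface where a NEW connection arrives, top to
# bottom, first match wins. Replies ride the state the first packet created,
# so LAN -> server sessions work even though server -> LAN is blocked.
# Tuple: (action, source nets, destination nets, destination port or None=any)
RULES = {
    "SRV": [
        ("pass",  SRV, SRV_GW,  53),    # DNS on the firewall; must sit above the block
        ("block", ANY, RFC1918, None),  # no new connections into private ranges
        ("pass",  SRV, ANY,     None),  # whatever is left is the Internet
    ],
    "LAN": [("pass", LAN, ANY, None)],     # main LAN may reach the server
    "WAN": [("pass", ANY, SERVER, 8096)],  # rule paired with the port forward
}

def within(addr, nets):
    return any(ip_address(addr) in net for net in nets)

def decide(iface, src, dst, port):
    """Return 'pass' or 'block' for a new connection arriving on iface."""
    for action, srcs, dsts, rule_port in RULES[iface]:
        if within(src, srcs) and within(dst, dsts) and rule_port in (None, port):
            return action
    return "block"  # nothing matched: default deny

def without_dns_rule(src, dst, port):
    """Evaluate the SRV rules with the DNS pass removed, to show its purpose."""
    saved = RULES["SRV"]
    RULES["SRV"] = saved[1:]
    try:
        return decide("SRV", src, dst, port)
    finally:
        RULES["SRV"] = saved
```

The private-range block also covers the firewall's own address on the server LAN, which keeps the server away from the admin GUI but cuts off DNS unless the DNS pass rule sits above it.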
colin79666 said:
I’ve just acquired an old Sophos SG105 firewall on eBay and put pfsense on it. For less than £50 it is a very powerful device.
Something similar would do the trick here. Then just turn the existing router into a wireless access point and switch for the default LAN and connect the server to an option port on the pfsense, configured as a separate LAN. Then a simple firewall rule can be done to block the server LAN making connections to other private ranges, while still allowing you to reach it from the main LAN. Port forward as needed and job done. Still some fuss but little expense and it leaves the door open for more advanced stuff should you wish to tinker more in future.
Thanks Colin I really like the idea of this. Got the alert set up. I presume it's pretty straightforward to put pfsense on to it, did you know how to do this or was there a guide you referred to?
White-Noise said:
Thanks Colin I really like the idea of this. Got the alert set up. I presume it's pretty straightforward to put pfsense on to it, did you know how to do this or was there a guide you referred to?
Pretty simple. Download the vga amd64 image of pfsense community edition. Decompress and write the .img file to a usb stick using balena etcher (or another imaging utility). In the bios of the device turn off 64/60 option and set the usb to higher than ssd in the boot order. Boot the usb stick and it is self explanatory there on in. Tom Lawrence is a good channel on YouTube to follow. Has a playlist with guides on how to do stuff with pfsense. There is also good documentation: https://docs.netgate.com/pfsense/en/latest/
Opnsense is another option and there are plenty of debates online about which is better, which I won’t go into here.
Note I went with a Sophos SG105 rev 2. The rev 1 is too old and doesn’t have Intel NICs, which aren’t so great with BSD (pfsense is based on FreeBSD). There are loads of options but do your research. An SG105 is fine for my needs but if you have a fast connection and want to do more than routing and a few firewall rules you will need a more powerful device.
outnumbered said:
megaphone said:
By coincidence v3.0.0rc has just been released.
Blimey, did anyone see that coming? Having said that, I can't see any reference to it on the Ubiquiti site, do you have a pointer?
Edited by outnumbered on Sunday 5th November 14:30
https://community.ui.com/releases/EdgeRouter-3-0-0...