<div dir="ltr"><div>A good place to start is defining your requirements, time budget, and dollar budget. <br></div><div>Start with broad requirements, and then refine them with more details as you go. <br></div><div>1) Provide a guest wifi network</div><div>1a) Require a password. Rotate password automatically every X days</div><div>1b) etc<br></div><div>2) Prevent IoT devices from communicating with other devices on the LAN</div><div>3) Restrict outbound access to external services</div><div>3a) External services must be defined by URL</div><div>3b) etc<br></div><div>4) Limit the bandwidth available to a group of devices on the LAN</div><div>5) Learn more about networking and network security</div><div>6) etc<br></div><div><br></div><div>Then sketch out a time budget:</div><div>1) I need features 1-3 live in two weeks. Features 4-N can go live as needed, later.<br></div><div>3) I have 10hrs a week until it is live to research, test, and deploy<br></div><div>3) It cannot require more than 1hr of maintenance monthly to maintain 99.99% availability</div><div><br></div><div>And lastly a dollar budget:</div><div>1) The equipment I have on hand is a RTR Model X, Switch Model Q, AP Model D Qty 2</div><div>2) I have an additional $x dollars to spend on this project <br></div><div><br></div><div>The requirements will help you build a diagram of the solution, which in turn will allow you to build a list of actual gear & configuration to implement. Passing that through your time and dollar budget will refine what your options actually are for achieving your objectives. <br></div><div><br></div><div>As James mentioned, things like guest wifi are near enough 'checkbox implementations' on some home/soho/smb platforms. DJ's comments about testing after implementation is indeed important for validating that your implementation achieves the results. In the requirements, consider defining how you would test each one has been met. <br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Jan 16, 2023 at 11:30 AM James Taylor via Ale <<a href="mailto:ale@ale.org">ale@ale.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> FWIW..<br>
I use Ubiquiti access points and I can set up a guest network isolated from my internal network pretty easily. <br>
The management service provides a simple set up. It uses a web page intercept that requires a predefined password.<br>
If all you need is a wifi guest network, it's a good solution.<br>
-jt<br>
<br>
<br>
James Taylor<br>
678-697-9420<br>
<a href="mailto:james.taylor@eastcobbgroup.com" target="_blank">james.taylor@eastcobbgroup.com</a><br>
<br>
<br>
<br>
>>> Boris Borisov via Ale <<a href="mailto:ale@ale.org" target="_blank">ale@ale.org</a>> 1/15/2023 10:27 PM >>> <br>
Only way to really separate the subnets is to be on insulated ethernet<br>
ports. Microtik may have it but check specs.<br>
<br>
On Sun, Jan 15, 2023, 22:24 DJPfulio--- via Ale <<a href="mailto:ale@ale.org" target="_blank">ale@ale.org</a>> wrote:<br>
<br>
><br>
> On 1/15/23 15:31, Narahari 'n' Savitha via Ale wrote:<br>
> > Thank you for that explanation. Appreciate it.<br>
><br>
> If you seek mandatory rules for network security, you will be<br>
> disappointed. Only you know what is enough. Only you know what's actually<br>
> possible for your situation and knowledge. Hopefully, those two sets<br>
> overlap, but they don't have to, which would leave your LAN(s) exposed<br>
> beyond your skill to secure them.<br>
><br>
> ><br>
> > Subnetting is good enough for houses right. Is VLAN an overkill<br>
> > (unless I can learn and practice with Mikrotik) ?<br>
><br>
> That's a matter of opinion. Just remember that vlans are tagging and<br>
> don't necessarily provide **any** security.<br>
><br>
> > I am assuming VLAN's are supported by Mikrotik.<br>
><br>
> Probably, but I don't know.<br>
><br>
> > I converted my old router to an AccessPoint and that router<br>
> > broadcasts 3 SSID's. I want to have one called "GUESTS_ONLY" and<br>
> > anyone visiting can join there.<br>
><br>
> Hopefully, you firewall all access for that subnet so they can only get to<br>
> the internet. The only way to be sure is to validate that is how it<br>
> works. Don't ask us.<br>
><br>
> > So I make a subnet for that SSID and it is available to guests on the<br>
> > 192.168.4.x network. How do I say any computers on 192.168.4.x should<br>
> > not be able to see 192.168.0.x computers ?<br>
><br>
> Don't assume anything. Check that it actually works that way. I suspect<br>
> it doesn't.<br>
><br>
> > Is that a sep step on the router or it is the default at router<br>
> > level ?<br>
><br>
> I don't know any of your network equipment's defaults. Assume the worst<br>
> and check it yourself.<br>
><br>
> If your wifi isn't upstream from your main router, closer to the internet,<br>
> I'd be highly suspicious it can access everywhere on your subnets until<br>
> proven otherwise. Learn to use nmap and scan all the networks.<br>
><br>
> ><br>
> > -Narahari<br>
> ><br>
> > On Sun, Jan 15, 2023 at 8:21 AM DJPfulio--- via Ale <<a href="mailto:ale@ale.org" target="_blank">ale@ale.org</a><br>
> > <mailto:<a href="mailto:ale@ale.org" target="_blank">ale@ale.org</a>>> wrote:<br>
> ><br>
> > I subnet based on security needs, not location. Both methods are<br>
> > valid. In a house, there's usually no need to subnet based on<br>
> > location. The distances are small enough that a CAT5e cable easily<br>
> > connects everywhere and usually, devices on 1 floor are distrusted at<br>
> > the same level as other devices nearby, unless there is a family VPN<br>
> > server or other internet-facing servers running at home.<br>
> ><br>
> > Times like this, I really miss the RateMyNetworkDiagram website.<br>
> > There, people would upload diagrams of their different networks for<br>
> > others to rate. It was a good place to see what professionals were<br>
> > doing and the learn.<br>
> ><br>
> > Everything from tiny 1 computer + 1 modem "networks" to 20-site<br>
> > Enterprise WAN connectivity would be posted. Sadly, the webmaster<br>
> > decided to hide all the networks behind a php DB lookup so the<br>
> > WaybackMachine couldn't cache any thing.<br>
> ><br>
> > I think Narahari is running a Mikrotik router, so it can probably do<br>
> > most of the big boy subnetting with vlans.<br>
> ><br>
> > On 1/14/23 23:36, Boris Borisov via Ale wrote:<br>
> >> If router allow that ... yes. I have simple routers that doesn't<br>
> >> have needed flexibility. Also have couple with dd-wrt firmware (<br>
> >> just for testing stuff ) which should be able to take the task.<br>
> >><br>
> >> On Sat, Jan 14, 2023 at 11:01 PM Narahari 'n' Savitha via Ale<br>
> >> <<a href="mailto:ale@ale.org" target="_blank">ale@ale.org</a> <mailto:<a href="mailto:ale@ale.org" target="_blank">ale@ale.org</a>> <mailto:<a href="mailto:ale@ale.org" target="_blank">ale@ale.org</a><br>
> >> <mailto:<a href="mailto:ale@ale.org" target="_blank">ale@ale.org</a>>>> wrote:<br>
> >><br>
> >> Friends:<br>
> >><br>
> >> I am learning about subnetting so I can set up one subnet for the<br>
> >> basement, one for the main floor and one for upstairs.<br>
> >><br>
> >> So should I set the static ip and subnet mask for my laptop ?(and<br>
> >> thereby devices on each floor for their respective subnets ?)<br>
> >><br>
> >> or<br>
> >><br>
> >> Is this something I can set up on the router to say access point<br>
> >> in basement gets a specific subnet mask ?<br>
> >><br>
> >> If my questions are not making sense, please ignore.<br>
> >><br>
> _______________________________________________<br>
> Ale mailing list<br>
> <a href="mailto:Ale@ale.org" target="_blank">Ale@ale.org</a><br>
> <a href="https://mail.ale.org/mailman/listinfo/ale" rel="noreferrer" target="_blank">https://mail.ale.org/mailman/listinfo/ale</a><br>
> See JOBS, ANNOUNCE and SCHOOLS lists at<br>
> <a href="http://mail.ale.org/mailman/listinfo" rel="noreferrer" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
><br>
<br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org" target="_blank">Ale@ale.org</a><br>
<a href="https://mail.ale.org/mailman/listinfo/ale" rel="noreferrer" target="_blank">https://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" rel="noreferrer" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
</blockquote></div>