How to create an isolated home lab network?

Hi all,
I want to create a second isolated network at home to serve as a LAB network that I will use to test things and repair some friends' computers, which many times arrive with viruses and all kinds of malware.

So, I need a second network that is 100% isolated, so that no virus can spread to my own personal network.

After reading the following page I got really confused:
https://security.stackexchange.com/questions/76547/is-double-nat-a-secure-way-to-create-a-public-wifi-network

Are any of the following scenarios correct? If yes, which? If not, any advice? Thanks!

SCENARIO 1:
ISP Modem > WAN > Personal Router > DMZ Port > WAN > Lab Router

SCENARIO 2:
ISP Modem > WAN > Personal Router > VLAN Port > WAN > Lab Router

SCENARIO 3:
ISP Modem > WAN > Lab Router > DMZ Port > WAN > Personal Router

SCENARIO 4:
ISP Modem > WAN > Lab Router > VLAN Port > WAN > Personal Router

Comments

  • vForce Member

    I think personal router and lab router should be parallel and so fully isolated.
    Maybe: ISP Modem > Core Router (WAN) > Personal Router / Lab Router.
    And you can set up the core router to prevent access from the lab subnet to the personal subnet.

  • LTniger Member

    Mikrotik and Google. There will be no network gurus who waste time with you. Sorry.

    Wordpress Hosting - Home made!

  • If you think malware easily spreads to other computers within the same LAN, you probably should not be repairing computers.

  • FHR Member, Provider

    @florianb said:
    If you think malware easily spreads to other computers within the same LAN, you probably should not be repairing computers.

    A lot of nasty stuff actually spreads via SMB in a LAN.

    Thanked by 1: Aidan

    SkylonHost - affordable hourly-billed KVM VPS in Prague, CZ!
    Featuring own high performance network AS202297 | RIPE NCC member | Contact us for IPs/ASNs

  • @FHR said:

    @florianb said:
    If you think malware easily spreads to other computers within the same LAN, you probably should not be repairing computers.

    A lot of nasty stuff actually spreads via SMB in a LAN.

    Ah, so every provider that puts customers into a shared VLAN with MAC filtering, for example, is technically a compromised bunch of chunk then?

    It all depends on how you set it up, but I, for example, can't think of a single device in even my grandparents' LAN that would be able to distribute malware onto another device.

  • FHR Member, Provider

    @florianb said:

    @FHR said:

    @florianb said:
    If you think malware easily spreads to other computers within the same LAN, you probably should not be repairing computers.

    A lot of nasty stuff actually spreads via SMB in a LAN.

    Ah, so every provider that puts customers into a shared VLAN with MAC filtering, for example, is technically a compromised bunch of chunk then?

    It all depends on how you set it up, but I, for example, can't think of a single device in even my grandparents' LAN that would be able to distribute malware onto another device.

    I said SMB. Most stuff at hosting providers is Linux, and the occasional Windows here and there is going to be firewalled anyway.

    Windows home and business networks are generally wide open though.

  • @FHR said:

    @florianb said:

    @FHR said:

    @florianb said:
    If you think malware easily spreads to other computers within the same LAN, you probably should not be repairing computers.

    A lot of nasty stuff actually spreads via SMB in a LAN.

    Ah, so every provider that puts customers into a shared VLAN with MAC filtering, for example, is technically a compromised bunch of chunk then?

    It all depends on how you set it up, but I, for example, can't think of a single device in even my grandparents' LAN that would be able to distribute malware onto another device.

    I said SMB. Most stuff at hosting providers is Linux, and the occasional Windows here and there is going to be firewalled anyway.

    Windows home and business networks are generally wide open though.

    The only way I can see CIFS/SMB being abused for distributing malware is when there's unfettered access from one machine to another, not requiring any form of authentication. That's hopefully not the case.

  • sureiam Member

    @LTniger said:
    Mikrotik and Google. There will be no network gurus who waste time with you. Sorry.

    It's more that if you believe you can repair systems and provide a worthwhile service, then you should be able to figure out this very simple issue. But you're essentially setting up a guest network, so go based on that concept. You will need to isolate the two networks from each other also.

  • nqservices Member
    edited May 2018

    @LTniger said:
    Mikrotik and Google. There will be no network gurus who waste time with you. Sorry.

    I'm not asking for a "network guru" to waste time with me. This is a forum with the objective of talking, discussing ideas and asking questions. I'm not asking any especially complex question.

    Also, I think many users here on LET may have 2 networks, so this post can help them as well. I currently have "Scenario 2", which I think many others here on LET have also. After reading that link I got confused. But I guess many others are in the same situation as me.

    @florianb said:
    If you think malware easily spreads to other computers within the same LAN, you probably should not be repairing computers.

    This is just the type of comment that is stupid, makes everyone waste time and does not help me, anyone else or this forum in any way. As you can read in my first message, I said repairing "friends' computers" on a personal basis. I'm not a network or IT expert, so I don't pretend to be one.

    In terms of you saying that malware does not spread to other computers on the same LAN, I think you are totally wrong. Besides many other ways, we always have zero-day exploits to deal with. I don't know any expert in this field who repairs computers on the same LAN where his personal or professional computers are. Take as an example the Spectre/Meltdown security issues in CPUs recently discovered. Do you think networks and routers can't have similar security issues that we still don't know about yet?

    For me, network and IT security is about probability. And I want to lower the probability of having issues by having 2 completely separated networks.

  • FHR Member, Provider
    edited May 2018

    Get a Mikrotik router. Based on the speed of your internet connection, choose between the models hAP Lite (up to 100 Mbps) or hAP AC2 (up to gigabit).

    Configuration:

    • Two bridges: one for your "home" network, one for your "guest" network.
    • Add ports to those bridges. You can have 1 port for guest and the rest for home, or vice versa (or 2+2, 3+1 in the case of the hAP AC2).
    • 1 port for WAN. Firewall: srcnat, out, masquerade.
    • Assign an address to each of the bridge interfaces and create two address pools.
      For example, 192.168.1.0/24 and 192.168.200.0/24.

    • Create DHCP servers, 1 server on each bridge.

    • Prevent communication between bridges.
      Firewall: Forward, In: bridge-guest, Out: !bridge-guest, ACTION: reject

    This should work. I would suggest you do the "Quick Set" first, which will configure half of the stuff for you; you will then just need to add the "guest" stuff.
    With a little bit more work, you could add a guest WiFi too.

    //EDIT:
    This will replace your current router:
    So your SCENARIO would be: ISP MODEM<--->Mikrotik
    You can then either throw out your current router, or connect it to one of the "home" ports on the Mikrotik.

    Thanked by 1: nqservices
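    The bridge, pool, DHCP and firewall steps FHR lists above, written out as a RouterOS CLI script. This is an added worked example by the editor, not FHR's own commands or a MikroTik default configuration. It assumes ether1 is the WAN port facing the ISP modem, ether2 and ether3 serve the home network, ether4 serves the lab network, and it uses the two subnets FHR named; the port names and DHCP ranges are assumptions you would adapt to your own device.

```routeros
# Added example (editor's, not FHR's): home/lab split on one MikroTik.
# Assumed ports: ether1 = WAN, ether2-3 = home, ether4 = lab ("guest").

# 1. Two bridges, one per network
/interface bridge
add name=bridge-home
add name=bridge-guest

# 2. Assign LAN ports to the bridges (ether1 stays a plain WAN port)
/interface bridge port
add bridge=bridge-home interface=ether2
add bridge=bridge-home interface=ether3
add bridge=bridge-guest interface=ether4

# 3. Router addresses on each bridge, plus one DHCP pool per bridge
/ip address
add address=192.168.1.1/24 interface=bridge-home
add address=192.168.200.1/24 interface=bridge-guest

/ip pool
add name=pool-home ranges=192.168.1.100-192.168.1.254
add name=pool-guest ranges=192.168.200.100-192.168.200.254

# 4. One DHCP server per bridge, each handing out its own gateway/DNS
/ip dhcp-server
add name=dhcp-home interface=bridge-home address-pool=pool-home disabled=no
add name=dhcp-guest interface=bridge-guest address-pool=pool-guest disabled=no

/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=192.168.1.1
add address=192.168.200.0/24 gateway=192.168.200.1 dns-server=192.168.200.1

# Let the router answer DNS for both networks
/ip dns
set allow-remote-requests=yes

# 5. WAN: take an address from the ISP modem and masquerade both LANs behind it
/ip dhcp-client
add interface=ether1 disabled=no

/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade

# 6. Isolation. Forward chain: replies to existing connections pass, then
#    anything between the two bridges is dropped in both directions, so the
#    only path left for the lab bridge is out through ether1.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=bridge-guest out-interface=bridge-home action=drop
add chain=forward in-interface=bridge-home out-interface=bridge-guest action=drop

# Input chain: the router itself only offers DNS and DHCP to the lab side,
# so an infected lab machine cannot reach Winbox/SSH/web management, and
# nothing from the WAN reaches the router at all.
add chain=input connection-state=established,related action=accept
add chain=input in-interface=bridge-guest protocol=udp dst-port=53,67 action=accept
add chain=input in-interface=bridge-guest action=drop
add chain=input in-interface=ether1 action=drop
```

    The isolation rule is written as "guest to home, drop" (and the mirror rule for home to guest) rather than "guest to anything that is not guest", so the lab network keeps its internet access through ether1 while still having no route to the home bridge. If you want to reach lab machines from the home side, remove only the home-to-guest drop: connections opened from home will then work, and their replies are let back by the established/related rule, while the lab side still cannot open anything towards home. After applying it, verify from a lab machine that pinging 192.168.1.1 or any home address fails while internet access works, and check /ip firewall filter print stats to see the drop counters increase.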

  • @FHR

    Thanks for the suggestion and explanation. But buying new routers is out of my budget (at least for now). Both of my 2 routers allow VLAN and DMZ. I always used the lab router "behind" the main router, but after reading that link I see I was wrong.
