How to create an isolated home lab network?
Hi all,
I want to create a second isolated network at home to serve as a LAB network that I will use to test things and repair some friends' computers, which many times arrive with viruses and all kinds of malware.
So, I need a second network that is 100% isolated against viruses spreading to my own personal network.
After reading the following page I got really confused:
https://security.stackexchange.com/questions/76547/is-double-nat-a-secure-way-to-create-a-public-wifi-network
Is any of the following scenarios correct? If yes, which? If not, any advice? Thanks!
SCENARIO 1:
ISP Modem > WAN > Personal Router > DMZ Port > WAN > Lab Router
SCENARIO 2:
ISP Modem > WAN > Personal Router > VLAN Port > WAN > Lab Router
SCENARIO 3:
ISP Modem > WAN > Lab Router > DMZ Port > WAN > Personal Router
SCENARIO 4:
ISP Modem > WAN > Lab Router > VLAN Port > WAN > Personal Router
Comments
I think personal router and lab router should be parallel and so fully isolated.
Maybe: ISP Modem > Core Router (WAN) > Personal Router / Lab Router.
And you can set up the core router to prevent access from the lab subnet to the personal subnet.
Mikrotik and Google. There will be no network gurus who waste time with you. Sorry.
If you think malware easily spreads to other computers within the same LAN, you probably should not be repairing computers.
A lot of nasty stuff actually spreads via SMB in LAN.
Ah, so every provider that puts customers into a shared vlan with MAC filtering for example is technically a compromised bunch of chunk then?
It all depends on how you set it up, but I for example can't think of a single device in even my grandparents' LAN that would be able to distribute malware onto another device.
I said SMB. Most stuff at hosting providers is Linux, and the occasional Windows here and there is going to be firewalled anyway.
Windows home and business networks are generally wide open though.
The only way I can see CIFS/SMB being abused for distributing malware is when there's unfettered access from one machine to another, not requiring any form of authentication. That's hopefully not the case.
It's more that if you believe you can repair systems and provide a service worth then you should be able to figure out this very simple issue. But you're essentially setting up a guest network, go based on that concept. You will need to isolate the second network from each other also.
I'm not asking for a "network guru" to waste time with me. This is a forum with the objective of talking, discussing ideas and asking questions. I'm not asking any especially complex question.
Also I think many users here on LET may have 2 networks, so this post can help them as well. I currently have "Scenario 2", which I think many others here on LET have also. After reading that link I got confused. But I guess many others are in the same situation as I am.
This is just the type of comment that is stupid, makes everyone waste time and does not help me, anyone or this forum in any way. As you can read in my first message, I said repairing "friends' computers" on a personal basis. I'm not a network or IT expert, so I don't pretend to be one.
In terms of you saying that malware does not spread to other computers on the same LAN, I think you are totally wrong. Besides many ways, we always have zero-day exploits to deal with. I don't know any expert in this field who repairs computers on the same LAN where his personal or professional computers are. Take as an example the Spectre/Meltdown security issues on CPUs recently discovered. Do you think networks and routers can't have similar security issues that we still don't know about yet?
For me, network and IT security is about probability. And I want to lower the probability of having issues by having 2 completely separated networks.
Get a Mikrotik router. Based on the speed of your internet connection, choose between models hAP Lite (Up to 100Mbps) or hAP AC2 (Up to gigabit).
Configuration:
Assign an address to each of the bridge interfaces and create two address pools.
For example, 192.168.1.0/24 and 192.168.200.0/24
Create DHCP servers, 1 server on each bridge.
Firewall: Forward, In: bridge-guest, Out: !bridge-guest, ACTION: reject
This should work. I would suggest you do the "Quick Set" first, which will configure half of the stuff for you, you will then just need to add the "guest" stuff.
With a little bit more work, you could add a guest WiFi too.
//EDIT:
This will replace your current router:
So your SCENARIO would be: ISP MODEM<--->Mikrotik
You can then either throw out your current router, or connect it to one of the "home" ports on the Mikrotik.
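FHR's steps written out as RouterOS CLI commands, as an added example that is not from FHR's post or from MikroTik's documentation; the port roles (ether1 WAN, ether2-3 home, ether4-5 lab) and the .1 gateway addresses are assumptions. It narrows FHR's forward rule to out-interface=bridge-home so lab hosts keep internet access while being unable to reach the home LAN, and adds input rules so lab hosts also cannot reach the router's own management services.

```routeros
# Assumed port roles (adjust to your hAP model):
#   ether1   = WAN (uplink to the ISP modem; Quick Set adds its DHCP client)
#   ether2-3 = home LAN -> bridge-home  (192.168.1.0/24)
#   ether4-5 = lab LAN  -> bridge-guest (192.168.200.0/24)
/interface bridge
add name=bridge-home
add name=bridge-guest
/interface bridge port
add bridge=bridge-home interface=ether2
add bridge=bridge-home interface=ether3
add bridge=bridge-guest interface=ether4
add bridge=bridge-guest interface=ether5

# One address per bridge; the router is the gateway of each subnet
/ip address
add address=192.168.1.1/24 interface=bridge-home
add address=192.168.200.1/24 interface=bridge-guest

# Two address pools and one DHCP server per bridge
/ip pool
add name=pool-home ranges=192.168.1.10-192.168.1.254
add name=pool-guest ranges=192.168.200.10-192.168.200.254
/ip dhcp-server
add name=dhcp-home interface=bridge-home address-pool=pool-home disabled=no
add name=dhcp-guest interface=bridge-guest address-pool=pool-guest disabled=no
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=192.168.1.1
add address=192.168.200.0/24 gateway=192.168.200.1 dns-server=192.168.200.1
# Let both subnets use the router as DNS forwarder (upstream comes from ether1)
/ip dns set allow-remote-requests=yes

# Source NAT for both subnets towards the WAN (Quick Set normally creates this)
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade

# Isolation. Rule order matters: these must sit above any rule that accepts
# new connections from bridge-guest. Lab -> WAN is still allowed because only
# bridge-home is named as the out-interface; "reject" answers with ICMP
# unreachable, use action=drop instead if you prefer a silent block.
/ip firewall filter
add chain=forward in-interface=bridge-guest out-interface=bridge-home action=reject comment="lab cannot reach home LAN"
add chain=input in-interface=bridge-guest protocol=udp dst-port=53,67 action=accept comment="lab may use router DNS/DHCP"
add chain=input in-interface=bridge-guest action=drop comment="lab cannot reach router management"
```

Check the result from a lab host with a ping to 192.168.1.1 (should fail) and to a public address (should succeed), and from the router with /ip firewall filter print stats to confirm the reject counter increments.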
@FHR
Thanks for the suggestion and explanation. But buying new routers is out of my budget (at least for now). Both of my 2 routers allow VLAN and DMZ. I always used the lab router "behind" the main router, but after reading that link I see I was wrong.