Network Isolation router or managed switch?
-
Hi, quick newb question: I have one internet connection but two PCs, and I want a firewall to protect them.
I want to isolate the two PCs from one another (no talking), but for them to both have access to the internet. I also want to have a Netgate hardware firewall.
Can I do this with just a single Netgate box alone, or do I need the Netgate box and a managed switch to accomplish this, or perhaps multiple Netgate boxes?
Also, what kind of switch: unmanaged, managed, fully managed, smart, layer 3? I am quite frankly overwhelmed; please also let me know what kind of switch, or which features, the switch would need.
Please let me know. Thx.
-
@srytryagn You can set up two interfaces for two separate subnets (10.1.1.0/24 and 10.2.2.0/24), and not create firewall rules to allow them to talk to each other.
Some Netgate appliances have a switch where multiple ports are on LAN, but you can make one port behave like a separate interface. Or the 3100, for instance, has an OPT1 interface, so that's not necessary.
-
You only have the 2 PCs? No WiFi?
If all you have is 2 devices, and you can plug them both into where you're going to put your pfSense, then yes, you could firewall them as long as pfSense has enough interfaces; whether they are discrete interfaces or switch port interfaces doesn't matter.
Something like the SG-1100 would work for this number of machines, since it has 2 interfaces that can be used for the LAN side (LAN and OPT).
If you then want to add more devices, any smart switch that can do VLANs would be the minimum required. But it could also be done via dumb switches: plug one into LAN and another into OPT, and anything plugged into those switches would be on those specific networks, and you can firewall between those networks.
A smart switch would probably be the better option because it would allow you to add more networks via VLANs. Then if you want to add WiFi at some time, you would just need an access point that supports VLANs. Any of the UniFi WiFi APs would work here, or even some old WiFi router that you could put 3rd party firmware on to add VLAN support.
-
@srytryagn Generally speaking, the entry-level Netgate 1100 is all you would need to share internet between your 2 computers. Just plug your 2 computers into any of the ports at the back of the router (not the WAN port) and away you go.
But it depends on how secure you want the 2 PCs to "not be able to talk to each other". I assume you are using Windows 10 on your PCs. By default Windows 10 will not allow connections from the other computer unless you specifically configure it to allow connections. This would be sufficient for general security. This doesn't mean, however, that if the first PC gets infected with malware it will not try to hack into your second PC. Some malware can exploit security bugs in Windows and gain administrative privileges whether or not you explicitly enabled sharing of services between the 2 computers. The best defense against this would be to always keep your Windows PCs up to date, but even then that is not always enough. If you want to further isolate the 2 computers, you could configure them on different VLANs, which is possible with both Windows 10 and the Netgate 1100 but requires a little extra configuration.
-
@papdee said in Network Isolation router or managed switch?:
but requires a little extra configuration.
"little" being the verb here ;) Windows 10 wouldn't require anything other than plugging it into the interface on the 1100.
On the 1100, yes, you would have to bring up the OPT interface on a different network, but it wouldn't have to be tagged or anything as a VLAN. Out of the box, OPT is a different interface in the switch. It would actually require effort in the switching config if you wanted them to be on the same network.
Most of the config would just be allowing or blocking these networks from talking to each other, since out of the box the LAN rules would allow talking to your OPT network, but OPT would have zero rules on it.
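The point made in the two replies above (a default "LAN net to any" pass rule already reaches the OPT network, so isolation needs an explicit block placed before it, and OPT needs its own rules to get out at all) is easiest to see written out as a ruleset. The block below is an added illustration, not part of the original thread and not pfSense's own generated configuration: it is a hand-written pf ruleset equivalent to the GUI rules being described. The interface names (igb1, igb2) and the two subnets are assumptions; substitute your own.

```pf
# Added example: pf ruleset equivalent to the pfSense GUI rules discussed in the thread.
# Interface names and subnets are assumed; adjust to the appliance in use.
lan      = "igb1"
opt1     = "igb2"
lan_net  = "10.1.1.0/24"
opt1_net = "10.2.2.0/24"

set block-policy drop
set skip on lo0

# Default deny: anything not explicitly passed below is dropped and logged.
block log all

# LAN side. pfSense evaluates rules top-down, first match wins ("quick"),
# so the block MUST sit above the general pass rule. Without it, the stock
# "LAN net to any" rule would let a LAN PC reach the OPT1 PC.
block drop in quick on $lan inet from $lan_net to $opt1_net
pass in quick on $lan inet from $lan_net to any keep state

# OPT1 side. Out of the box OPT1 has no rules at all (so no internet either);
# mirror the LAN policy: block the other PC's subnet, then allow everything else.
block drop in quick on $opt1 inet from $opt1_net to $lan_net
pass in quick on $opt1 inet from $opt1_net to any keep state
```

In the pfSense GUI the same thing is a Block rule with destination "OPT1 net" placed above the default LAN rule, and on OPT1 a Block to "LAN net" followed by a Pass to any (an alternative is a single Pass rule whose destination is "LAN net" with the "not" box ticked). Because the block rules are stateless and the pass rules keep state, a connection opened from one PC toward the other is dropped at the first packet, while replies to internet traffic still flow. To confirm the loaded ruleset on the appliance, run `pfctl -sr` from the shell and check that the block lines precede the pass lines on each interface; a quick end-to-end check is to ping the other PC's address from each PC and expect a timeout, then ping an internet host and expect replies.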
-
@srytryagn Oh... and just so you completely understand, the 1100 doesn't come with any WiFi access points. It's a wired device.