Setting up dedicated network for infected machines - who does this?

So what does your VLAN solution look like exactly, so that the VLANs can still access the net but not each other?

In my case, I just set up port-based VLANs on my switch (Netgear GS108T - ~$100 @ Newegg):

Connections:

Port 1 -> Router
Port 8 -> Isolated VLAN

Port Membership:

Ports 1-7 VLAN 1
Ports 1,8 VLAN 2

Whatever is plugged into port 8 (VLAN 2), whether it's a single PC or another network switch, is able to access the Internet (port 1), but nothing else.

Also, this setup doesn't require a separate subnet as the router hands out DHCP addresses to both VLANs. If you have a VLAN-capable router, you could set up a separate subnet for the VLANs if desired.

-Randy
 
I flashed an old WRT-54GL with dd-wrt to try this out.

I must say the documentation for dd-wrt is pretty awful. I can't find a document actually describing the user interface accurately and usefully. You have to pick your way through various tutorials trying to work out what is actually being done and why.

I've not managed to get it working as desired.
 

Hey Randy,

Do you have 'Tagging' enabled to achieve this?

Thanks

TLE
 
We have an ASTARO gateway box working as a router to our "infected" network. Takes a bit of configuring but it's well worth it. Works really well.
 
Ok, this just isn't going to work for me unless I am missing a key point here.

I suspect those of you using the VLANs in this way use your router as your DHCP server and as your gateway. I don't, as my SBS acts as the DHCP server, and the router as the gateway. I don't want to have to add the SBS to the secure VLAN in order that they receive IP addresses... or am I missing something here?
 
I don't have that switch, having opted for a dd-wrt router, but that is set up so that SBS's DHCP serves my office/workshop devices on one VLAN whilst the router's own DHCP issues addresses on a different subnet to the other VLAN.
 
What model of router do you have MT? I did look at dd-wrt but it doesn't support the DIR-655 that I have.
 

Hmmm... OK, I think that in order to have the SBS server act as the DHCP server for multiple VLANs, you either need to have a separate NIC in each VLAN, or I think you need a layer 3 switch... you need to be able to relay DHCP requests across the VLANs...

-Randy
 
I use IPCop and have a dedicated network with specific outbound rules allowing certain ports out and denying access to any other "green" networks. It is just a fancy DMZ, but it keeps any nasty worms away from my main machines or servers.
 
MT, you can also try the Linux option: IPCop, pfSense, and others. These are quite effective and won't cost you a dime; you just need a small form factor PC or any old PC lying around. With only 3 or 4 NICs you can have a nice secure network with traffic shaping and security rules, and the whole thing is very easy to set up.
 
I have a VLAN 109 with ports 1 and 9 and a VLAN 110 with ports 1 and 10.
I have forbidden ports 9 and 10 from VLAN 1.
The router is connected to port 1.
This seems similar to your setup.

Ports 9 and 10 cannot seem to access the Internet and I am trying to troubleshoot.
Do you have port 1 as general, trunk, etc?
Same question for ports 9 & 10 which have the PCs attached.

Do you have any recommendations for troubleshooting?

Thank you in advance.
 

You mention 3 VLANs above - 1, 109, and 110... you only need 2.

Which ports are for your business network and which are supposed to be isolated?

-Randy
 
I wanted to separate the business LAN from the clients' LAN.
I also wanted each of the clients' computers to be separate from each other.
I assume that I needed one VLAN for each of the clients' computers.

Port 1 would be connected to the router.
Ports 2-8 would be for the business.
Ports 9-16 would be for the clients.
 

So the default VLAN 1 includes ports 1-8 (excludes ports 9-16).

If you want each client PC to be separate, you need to place each one in a VLAN.

So VLAN 1009 includes ports 1 (tagged), 9
VLAN 1010 includes ports 1 (tagged), 10

Port 9 would have PVID set to 1009
Port 10 would have PVID set to 1010

That's basically how mine is set up, off the top of my head.
What router do you have?
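As an added example (my own constructed model, not code from any poster), here is a small strict 802.1Q forwarding model used to check both Randy's port-based isolation idea and the per-client layout just described (VLAN 1 on ports 1-8, VLANs 1009, 1010, ... each containing tagged port 1 plus one client port). It also reproduces the "ports 9 and 10 cannot access the Internet" symptom when a client port's PVID is left at the factory default of 1. Port numbers and VLAN ids are the thread's; vendor "asymmetric VLAN" modes are not modelled.

```python
# Constructed model of strict 802.1Q switch forwarding; not from the thread.
# Each port has a PVID (the VLAN assigned to an untagged ingress frame) and
# each VLAN lists member ports as "U" (untagged egress) or "T" (tagged egress).
# A frame whose ingress port is not a member of its VLAN is dropped
# (ingress filtering). Vendor "asymmetric VLAN" modes are not modelled.

class Switch:
    def __init__(self, ports):
        self.vlans = {}                     # vlan id -> {port: "U" | "T"}
        self.pvid = {p: 1 for p in ports}   # factory default: everything in VLAN 1

    def member(self, vlan, port, tagged=False):
        self.vlans.setdefault(vlan, {})[port] = "T" if tagged else "U"

    def forward(self, ingress, tag=None):
        """Flood a frame; return {egress_port: tag_on_the_wire_or_None}."""
        vlan = tag if tag is not None else self.pvid[ingress]
        members = self.vlans.get(vlan, {})
        if ingress not in members:
            return {}                       # dropped by ingress filtering
        return {p: (vlan if mode == "T" else None)
                for p, mode in members.items() if p != ingress}

    def reaches(self, src, dst, tag=None):
        return dst in self.forward(src, tag)


def per_client_switch(set_pvid=True):
    """Thread layout: router on port 1, business on 2-8, one VLAN per client
    port 9-16 (1009, 1010, ...), port 1 a tagged member of every client VLAN."""
    sw = Switch(range(1, 17))
    for p in range(1, 9):
        sw.member(1, p)                     # default VLAN 1 = ports 1-8 only
    for p in range(9, 17):
        vid = 1000 + p
        sw.member(vid, 1, tagged=True)      # uplink carries the tag to the router
        sw.member(vid, p)
        if set_pvid:
            sw.pvid[p] = vid                # the easily forgotten step
    return sw


if __name__ == "__main__":
    good, bad = per_client_switch(), per_client_switch(set_pvid=False)
    print("client 9 -> uplink:", good.forward(9))                # {1: 1009}
    print("client 9 -> client 10:", good.reaches(9, 10))         # False
    print("router reply, tag 1009:", good.forward(1, tag=1009))  # {9: None}
    print("client 9 with PVID left at 1:", bad.forward(9))       # {} : no Internet
```

Because every frame leaving port 1 from a client VLAN carries an 802.1Q tag, the device on port 1 has to understand tags; a router that does not will drop them.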
 
Very basic router, a Linksys WRT54G2.
 