Message 1 of 11

isolating a part of the local network (The other kind of DMZ?)

Hi,

Short version:

Is it possible to set up a network, probably just one machine, that is isolated from the home network but can access the internet? This would be based around a BT Smart Hub but I can add other routers or hardware if necessary.

 

Long version:

I'm going to be starting a new job in the new year and there may be some working from home which I'd expect to involve a company issued laptop and a VPN. For a variety of reasons I want to make certain, or as certain as possible, that the company laptop and my home devices are as separated as possible. I thought it would be possible to set up a DMZ and add the company laptop to that but it seems there are different understandings of the term DMZ and I was thinking of the other one.

Perhaps something similar to connecting the company laptop to the EE Wifi wireless network, but I'd rather not enter any personal information, such as BT login details, to company property and it seems the wrong thing to do.

I've read a few topics and posts here and elsewhere but not found a clear equivalent. I was planning to experiment with another router (I have some old ones) and using that to create a branch with a different subnet:

Smart Hub (DHCP server using 192.168.1.x range) -> SH LAN port -> second router LAN port ->

second router (DHCP server using 192.168.2.x range) -> company laptop

Oh, interpretation of DMZ is based on various sources but most recently Wikipedia:

https://en.wikipedia.org/wiki/DMZ_(computing)

 

(I apologise if I don't respond to any replies quickly - I don't seem to get notification emails from the BT Community forum)

Message 2 of 11

Re: isolating a part of the local network (The other kind of DMZ?)

If you are using a company supplied VPN, then normally when that is in operation, access to your local LAN is normally blocked for security reasons, often using additional firewall software.

 

 

Message 3 of 11

Re: isolating a part of the local network (The other kind of DMZ?)

If you are using a company supplied VPN, then normally when that is in operation, access to your local LAN is normally blocked for security reasons, often using additional firewall software.

I'm thinking of traffic other than through the VPN, maybe when the VPN is not in operation.

I don't want any traffic between my home devices and the company laptop, since all home devices are set up as if they are on a private network and discoverable, etc.

Maybe modern VPNs are automatic - the last time I used one it had to be manually activated and connected.

Message 4 of 11

Re: isolating a part of the local network (The other kind of DMZ?)

You should consider a 3rd party router, which would replace your Smarthub, that has the ability to set up a "guest" network which would be a separate network from your house network.

Message 5 of 11

Re: isolating a part of the local network (The other kind of DMZ?)

If all devices are Ethernet connected, then using a managed network switch, and configuring two separate VLANs, would give isolation.

Message 6 of 11

Re: isolating a part of the local network (The other kind of DMZ?)

@gg30340  wrote:

You should consider a 3rd party router, which would replace your Smarthub, that has the ability to set up a "guest" network which would be a separate network from your house network.

I will definitely consider that. I didn't realise there were such things. Do you have any suggestions? I have had a quick look and found some TP-Link products that sound suitable but if you have any other recommendations I will happily consider those.

And I guess I can plug the Smart Hub in to the home side of that. Just in case the digital voice aspect comes about in future.

Thank you for the suggestion.

(Edited to add the specific thank you).

Message 7 of 11

Re: isolating a part of the local network (The other kind of DMZ?)

@Keith_Beddoe  wrote:

If all devices are Ethernet connected, then using a managed network switch, and configuring two separate VLANs, would give isolation.

Sounds viable but I shall have to do some research. I've never used a managed switch but am happy to (try to) learn. At the moment I don't know if the company laptop would be connected by Ethernet or wireless. Whilst I generally favour wired connections I'll have to learn about the managed switch side of things to understand if that would work with the layout I have. The desk I'd use is located away from the router and currently all wired LAN traffic to and from that desk is via powerline. It looks like managed switch(es) could put both home and work traffic over the same powerline. And I'll need to understand how to connect to the DSL router. I'll do some research.

Thanks for the suggestion.

Message 8 of 11

Re: isolating a part of the local network (The other kind of DMZ?)

I've been having a think about this and would be interested to hear any opinions.

Managed switches VLAN

I found a pretty clear explanation, for a novice, of how this would work at:

https://stevessmarthomeguide.com/vlans-home-networks/

However I think my use of powerline adapters means this would be more complicated. The physical area I'd like to position my work from home desk is currently served by a powerline connection so I think it would need a managed switch both at the router and at the remote end. However the powerline network is used elsewhere so I think it would need managed switches at those points also. Or a separate Powerline network, or lay in some ethernet cables.

If I've misunderstood something or someone can see another solution then please let me know.

Different router with guest wifi

I've looked on Amazon and found a couple of routers with guest wifi from TP-Link or from Netgear. However they don't seem to include modems. Since I expect Digital Voice to appear at some point in the future I was thinking of keeping the Smart Hub (or rather getting a Smart Hub 2 or newer) as the modem. But that would mean an ethernet connection between the Smart Hub and the new router. I don't know if that's sensible or if it invalidates the idea of a guest network. If I connect a Smart Hub LAN port to router WAN port does that keep it separate? But would I be able to access the Smart Hub web interface?

Netgear also do an access point that offers guest wifi which seems, to me, to provide the same idea in this application. One of the lower spec TP-Link routers is currently available at quite a reasonable price and so it is tempting to get that and try it but one of the reasons for wanting an isolated network is to avoid disrupting other people in the house and me fiddling with the network causes them enough trouble already. If anyone has any suggestions then I'd appreciate them.

Examples of routers

  • TP-Link Archer C80 AC1900
  • TP-Link WiFi 6 OneMesh Router, AX3000
  • NETGEAR Wifi 6 Router (RAX10) AX1800
  • NETGEAR Nighthawk X6 Smart Wifi Router (R8000) - AC3200

Access point

  • NETGEAR Wireless Access Point WAX210


I appreciate the help that I've received so far and if I'm asking too much then please don't worry about it.

Message 9 of 11

Re: isolating a part of the local network (The other kind of DMZ?)

As far as power line adapters are concerned, you can only utilise one set of adapters on a network, i.e. one primary connected to the router feeding multiple secondary adapters.

If you wish to avail yourself of Digital Voice, the BT Smart Hub2 must be the first device connected to line. However, you could then connect a third party router WAN port to a hub LAN port to create a second subnet.

Message 10 of 11

Re: isolating a part of the local network (The other kind of DMZ?)

If you have FTTC (Fibre to the Cabinet) there are many VDSL Modem/routers with guest network that you could use, just carry out an Internet search, but as pointed out if you are getting BT's Digital Voice you will still need to use the Smarthub 2.

You could of course do away with BT's Digital Voice and get a BT Broadband only contract and then get a stand-alone VOIP phone service which would do away with the need to use the Smarthub2.
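
An added sketch, not part of any post in this thread, that models the two cablings discussed (Smart Hub LAN port to second-router LAN port in the opening post, Smart Hub LAN port to second-router WAN port in message 9) and works out which side can open connections to the other. The `SWAPPED` layout is an extra variation beyond the thread; node names, link kinds and the router defaults stated in the first comment are assumptions.

```python
# Added illustration, not from the thread. Node names and the "l2"/"nat" link
# kinds are hypothetical. Assumed router defaults: LAN ports are bridged, and a
# router NATs LAN->WAN traffic while dropping unsolicited WAN->LAN connections.

def domains(links):
    """Union-find over "l2" links; returns find(node) -> broadcast-domain id."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b, kind in links:
        ra, rb = find(a), find(b)          # registers both ends of the link
        if kind == "l2":
            parent[ra] = rb                # bridged: merge the two segments
    return find


def can_initiate(links, src, dst):
    """True if nothing in the topology stops src opening a connection to dst."""
    find = domains(links)
    # ("inner", "outer", "nat"): inner router's WAN port plugs into outer LAN.
    uplink = {find(a): find(b) for a, b, kind in links if kind == "nat"}
    here, seen = find(src), set()
    while here not in seen:
        if here == find(dst):
            return True                    # same segment, or reached going outward
        seen.add(here)
        here = uplink.get(here, here)      # step out through the NAT, if any
    return False


HOME = [("home-pc", "hub-lan", "l2"), ("work-laptop", "r2-lan", "l2")]
LAN_TO_LAN = HOME + [("r2-lan", "hub-lan", "l2")]    # hub LAN -> router LAN
WAN_TO_LAN = HOME + [("r2-lan", "hub-lan", "nat")]   # hub LAN -> router WAN
# Variation: home devices behind the second router, laptop on the hub LAN.
SWAPPED = [("work-laptop", "hub-lan", "l2"), ("home-pc", "r2-lan", "l2"),
           ("r2-lan", "hub-lan", "nat")]

if __name__ == "__main__":
    for name, topo in [("LAN-to-LAN", LAN_TO_LAN), ("WAN-to-LAN", WAN_TO_LAN),
                       ("swapped", SWAPPED)]:
        print(name,
              "| laptop->home:", can_initiate(topo, "work-laptop", "home-pc"),
              "| home->laptop:", can_initiate(topo, "home-pc", "work-laptop"))
```

Under those assumptions the LAN-to-LAN cabling leaves both DHCP ranges on one broadcast domain, so nothing separates the laptop from the home devices. A WAN-to-LAN cascade only blocks connections initiated from the hub side towards devices behind the second router.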