Looking for an easy solution for client isolation over a wired network

Low Roller

Context: Small apartment complex where each unit has a wired Ethernet connection. The layout goes something like this:

Modem -----> Untangled Firewall -----> unmanaged Office switch -----> GuestGate -----> unmanaged Residential switch -----> apartments & public APs

Right now, we're using a GuestGate (Wi-Fi disabled) to isolate all the apartment and public AP connections. It's cheap and dead simple to use. Basically, plug it in and everything behind it has internet but is isolated. Boom. Done.

The problem? The built-in switch on the GuestGate is only a 10/100 switch, and the company that makes it has no intention to upgrade their product with a gigabit switch.

I'm looking for a simple alternative to the GuestGate.

I really don't want to go down the rabbit hole of managed switches, port-based VLANs, trunking...too time consuming and expensive.

Suggestions?
 

This is doable with most SMB wired routers, but you'll still have to do some VLAN configuration. That equipment wouldn't be too expensive. (Example) You could then use unmanaged switches connected to the ports you configured.
 
Get a gigabit capable router. Assign the appropriate port to DMZ. Anything on the DMZ port will be isolated from your other LAN.
 
But in your scenario, clients on the DMZ could still communicate with one another, correct? That won't work for this application.
 

The current router/firewall behind the modem is running Untangled .....

The price point of that Cisco unit is certainly attractive, but I've never used Cisco equipment and am unsure how to configure that piece as a GuestGate replacement.
 
Look into managed switches that are PVLAN capable.......

Yeah that would work. But it's more time and expense than I want to put into this. I want something simple and cheap like the GuestGate. Plug it in, boom done. Everything behind it gets internet but is individually isolated. No muss no fuss. And cheap.

Problem is the GuestGate is only a 10/100 Mbps device bottlenecking an otherwise gigabit network.
 
Too time consuming and expensive?

If you don't mind getting an older Cisco switch, you can pick up a Cisco 48-port 3560E for $99.99 + shipping (about $25 for me) off of eBay.
http://www.ebay.com/itm/272559080330?_trksid=p2055119.m1438.l2649&ssPageName=STRK:MEBIDX:IT

And get some extras for spares if you are worried about them having issues.

And if you really want to go cheap, you could pick up some old Nortel switches for $39.50 each shipped.
http://www.ebay.com/itm/Avaya-Norte...472311?hash=item3d324649f7:g:dEoAAOSwGtRX0Kx6

You could even go for some HP ProCurve switches as they are pretty cheap on eBay as well.
 
Yeah that big Cisco switch is affordable, and I could put each apartment on its own port-based private VLAN, and the office on its own VLAN.

But I've never set anything like that up, and I'm unclear on what I'd need to do to configure the Untangled firewall to work with all of that. I just see a lot of time and effort being required for me to learn to set something like that up. Or, very expensive to hire someone to do it for me.

I just want something simple and cheap, plug and play like the GuestGate. There has got to be a simple plug and play device that isolates clients behind it on a wired LAN.
 
I think I might have found a solution for you:

D-Link DGS-1024D
https://www.amazon.com/D-Link-24-Port-Rackmountable-Gigabit-DGS-1024D/dp/B0002TPFTA

Apparently the latest revision has some hardware DIP switches on the front of it. (Has to be at least Rev. G) You can set it up so that the "port isolation" switch, when you enable that, should make it so that ports 1-23 can't talk to each other, but all of them can talk to port 24. This sounds like it's very close to what your GuestGate is doing. I'm 99% sure I had the original DGS-1024D model that I bought in 2007. I got 8 years out of mine before the power supply on it failed. One day I will actually figure out why the little converter board isn't converting 120VAC to 12VDC and can probably make it start working again. I never once recall needing to reboot that switch, it just worked up until it died. If one of these switches works for you, just buy a spare in case you plan on using it for more than 5 years as configured.
 
I will look into that, thank you for the reply! We are currently using these D-Link switches, hopefully can inexpensively upgrade to the newest version.
 

The Cisco Network Assistant software should be able to configure the VLAN for each port.

See here:
https://community.spiceworks.com/topic/948663-gui-for-cisco-catalyst-switches

I'm just partial to nice Cisco equipment as it usually holds up very well and once you learn it, most of the configuration stuff stays the same throughout the different generations of equipment.
 

Thank you, that is good to know. I'd still have to learn how to configure the Untangled firewall to work with the VLANs, but that's just one more piece of the puzzle I guess.

I know Cisco is good stuff and industry standard. Although our 24 port D-Link unmanaged switches have been in service since 2012 and we've never had an issue with them.
 

Thinking about going this route. I could install another NIC in our 1U Untangled firewall. I should be able to assign a second DHCP server to that NIC on a different subnet. I know I can do this in DD-WRT so I'd be surprised if I couldn't with Untangled.

Then connect the office switch to one of the NICs on the firewall and leave it alone. For the residential switch, I enable port isolation via the DIP switch on the DGS-1024D and plug the apartments and APs into ports 1-23, and enable client isolation on all the APs. It's not quite as elegant as the GuestGate, but it's something I can wrap my head around.
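
An added example, not written by anyone in the thread: a way to check the plan above after cabling it up. It models the isolation rule described for the DGS-1024D (ports 1-23 cannot reach each other, all can reach port 24) and compares it with reachability results collected by hand from test machines. The host names, the `ap_isolation` flag and the sample probe results are constructed assumptions.

```python
from typing import NamedTuple

UPLINK_PORT = 24  # per the thread: ports 1-23 isolated, all may reach port 24


class Host(NamedTuple):
    name: str
    port: int                   # switch port the host (or its AP) hangs off
    ap_isolation: bool = False  # True if behind an AP with client isolation on


def expected_reachable(a: Host, b: Host) -> bool:
    """Layer-2 reachability the plan should produce between two hosts."""
    if UPLINK_PORT in (a.port, b.port):
        return True             # everything may talk to the uplink (firewall)
    if a.port != b.port:
        return False            # switch port isolation blocks port-to-port
    # Same port: the switch never sees this traffic, so only the AP's own
    # client isolation can block it (assumed: both hosts sit behind that AP).
    return not (a.ap_isolation and b.ap_isolation)


def audit(hosts, probes):
    """Return sorted (src, dst, expected, observed) where plan and probe differ."""
    by_name = {h.name: h for h in hosts}
    findings = []
    for (src, dst), observed in probes.items():
        expected = expected_reachable(by_name[src], by_name[dst])
        if expected != observed:
            findings.append((src, dst, expected, observed))
    return sorted(findings)


# Constructed sample: firewall on the uplink, two apartments, one public AP.
HOSTS = [
    Host("firewall", 24),
    Host("apt1-pc", 1),
    Host("apt2-pc", 2),
    Host("ap-guest-a", 5, ap_isolation=True),
    Host("ap-guest-b", 5, ap_isolation=True),
]
PROBES = {  # (source, destination): did a hand-run ping get a reply?
    ("apt1-pc", "firewall"): True,
    ("apt1-pc", "apt2-pc"): False,
    ("apt2-pc", "ap-guest-a"): False,
    ("ap-guest-a", "ap-guest-b"): True,  # AP client isolation not actually on
}
print(audit(HOSTS, PROBES))
```

The one mismatch in the sample is the case the switch cannot cover: two wireless clients on the same AP share a switch port, so only the AP's client isolation separates them.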
 