Switch with VPN + VLAN + FIREWALL ... your suggestions.

[phenix29152]

Yes i am aware of the sticky post, but those are just for switchs.

here is the situation.

Group 1: 1 server + 2 PC's
Group 2: 1 PC

both groups need internet connection.

- Group 1 will have strict firewall rules. Ports open for some applications and Anti-Virus updates.

- Group 2 will have full internet. Group 1 and Group 2 cannot communicate with each other.

I know i can do this with VLAN's and an expensive switch. The thing is how can i implement this setup with not spending a whole lot of money on a switch.

i was thinking WRT54GL ---> DD-WRT.

NOTE: Only one line is coming in for internet. Cable modem.

suggestions?

 

[Grentz]

Best would be to do your own PC Firewall if you have an older PC laying around.

IPCop/Smoothwall, Endian, m0n0wall, and pfsense are all good lightweight distros you could look into.

With three network cards in the PC you could setup 2 separate LAN interfaces that would do as you listed above.

 

[stormy1]

2 routers is the most secure way.
Router 1 - connects to cable modem and the Wan of router2 and group2PC
Group1 connects to router2
Add rules to router2 to allow connections to router1 and internet only.
block access from router2 at the pc in group2 for added security in case the second router is hacked.
Which group does the vpn need to connect to?

 

[YeOldeStonecat]

If you have a wrt54g already, flash it with DD-WRT and setup port based VLANs.

Cascading 2x routers actually allows PCs behind router 2 to find and browse PCs behind router 1 via IP address. VLANs is more secure.

 

[stormy1]

If you have a wrt54g already, flash it with DD-WRT and setup port based VLANs.

Cascading 2x routers actually allows PCs behind router 2 to find and browse PCs behind router 1 via IP address. VLANs is more secure.

not if you block port 137/138

 

[YeOldeStonecat]

Then you still end up with double NAT ugliness. And it depends on the router..one with true firewall abilities...including outbound..yet, but traditional home grade NAT routers only block inbound untrusted. So in that case, you can still browse machines inside the first router but outside the second router, from behind the second router, via IP address.

 

[Vito_Corleone]

Just get a Cisco 800 series and set up two VLANs with the security you want. If you end up needing more ports you can just get some cheap switches and connect them to ports on the router (that are assigned to the appropriate VLAN).

 

[phenix29152]

Best would be to do your own PC Firewall if you have an older PC laying around.

IPCop/Smoothwall, Endian, m0n0wall, and pfsense are all good lightweight distros you could look into.

With three network cards in the PC you could setup 2 separate LAN interfaces that would do as you listed above.

Yea i thought of that, but i am not on site ever so i dont want problems. Maybe run the PC firewall (LINUX based) on a VMware ... bridge the NICs?
.

If you have a wrt54g already, flash it with DD-WRT and setup port based VLANs.

Cascading 2x routers actually allows PCs behind router 2 to find and browse PCs behind router 1 via IP address. VLANs is more secure.

This is what i was thinking... relatively inexpensive and can get the job done right? ... how effective is the firewall ... has anybody really configured them?

NOTE: VPN access to Group 1 is needed ONLY.

Just get a Cisco 800 series and set up two VLANs with the security you want. If you end up needing more ports you can just get some cheap switches and connect them to ports on the router (that are assigned to the appropriate VLAN).

Definitely do not want to spend that much.

 

[Wrench00]

ddwrt and vlan will work just fine..

 

[Valnar]

pfSense on a 3-port machine would also work. DD-WRT & VLAN's would be the cheapest option though.

Something like this is good for pfSense or m0n0wall: http://www.netgate.com/product_info.php?cPath=60_85&products_id=312

 

[Grentz]

Yea i thought of that, but i am not on site ever so i dont want problems. Maybe run the PC firewall (LINUX based) on a VMware ... bridge the NICs?
.

Honestly you would have more troubles running one of them in VMWare, they are better just installed on their own machine.

Also not much to worry about, once setup they are all really rock solid. I have some at clients that I have not touched for years, they even reset themselves up when there is a power cut.

 

[phenix29152]

so it seems like im going with the WRT54GL ... DD-WRT ... anybody got any other cost effective suggestions?

 

[Valnar]

so it seems like im going with the WRT54GL ... DD-WRT ... anybody got any other cost effective suggestions?

What's cheaper than a WRT54GL and a free OS?

 

[Grentz]

What's cheaper than a WRT54GL and a free OS?

A free old PC and a free OS