I am worried that there is not really a benefit of doing that, just more noise and energy consumption.

  • Treczoks@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    arrow-down
    4
    ·
    10 个月前

    But you don’t need several LANs for this. This can easily done with proper routing. A can access internet and internal network addresses. B can only access internet, and C can only reach internal addresses.

    • mea_rah@lemmy.world
      link
      fedilink
      English
      arrow-up
      8
      ·
      10 个月前

      I’m curious. How would you identify who’s guest and who’s not in this case?

      With multiple networks it’s pretty easy as they are on a different network.

      • Treczoks@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        10
        ·
        10 个月前

        That’s what MAC whitelists are for. Your DHCP server should be able to handle this.

        Identify your friendly devices and give them one setting with everything (full subnet and correct default GW). Identfy your IoT devices, and give them another (full, or specially limited subnet mask, and fake default GW, maybe a different nameserver, too). Anything else is guest and gets a very limited subnet mask and a working default GW.

        • BritishJ@lemmy.world
          link
          fedilink
          English
          arrow-up
          13
          ·
          10 个月前

          This is not the way to do it. The correct way would be multiple SSID’s with each tagged to their own VLAN.

          Each VLAN has its own subnet. You can then use a zone based firewall, to allow the zones(subnets) to access each other.

          You can also then apply QOS, to limit guest network speeds, prioritize LAN traffic etc.

          And zone based firewalls are stateful, you can do rules such as LAN can reach IOT, but not the other way. Or IOT can only reach the IOT server, on specific ports.

          • Treczoks@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            arrow-down
            4
            ·
            10 个月前

            I know that this would be the most secure way. But I seriously doubt that this level is necessary in a normal home network.

            • Ajen@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              4
              ·
              10 个月前

              “Necessary” is a little ambiguous. You could argue that wifi is unnecessary for a normal home network.

              • Treczoks@lemmy.world
                link
                fedilink
                English
                arrow-up
                1
                arrow-down
                1
                ·
                10 个月前

                Well, I think it is necessary if you have mobile devices. Anything nailed down should be connected by wire, but if it is mobile, it should get the connection. Especially if the cell phone link is not that good inside the house.

                • Ajen@sh.itjust.works
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  10 个月前

                  None of my mobile devices are “necessary,” though. Honestly, I could live just fine without an internet connection. Not that I’d enjoy it, but that’s not necessary.

            • BritishJ@lemmy.world
              link
              fedilink
              English
              arrow-up
              2
              ·
              10 个月前

              My solution is the correct way and easier way. You don’t need MAC address white-list. You just have a guest SSID with DHCP on, they get the IP from the subnet in that zone. No crazy subnet hacks etc.

              Can I join your guest network, sure. Let me just grab your mac address, login to the DHCP server, create a reservation with a limited subnet mask that can still see the default gateway.

              Or can I connect to you guest network, sure here is the code or scan that QR code. That’s it, they’re in the guest VLAN and subnet, zoned off on the firewall and have QOS applied to not saturate the network.

        • Fal@yiffit.net
          link
          fedilink
          English
          arrow-up
          9
          arrow-down
          1
          ·
          10 个月前

          For anyone reading this, please don’t follow this advice. It’s terrible and basically security through obscurity