I'm attempting to isolate potentially crappy WiFi devices from my main WiFi network. E.g. if some webcam I have behind my firewall does things it really shouldn't be doing, it should not be able to use this to attack the rest of my network. The question is how to configure this.
My router has three interfaces, let's call them
eth-upstream: connection to the public internet
wifi-valuable: where the well-patched laptops etc connect
wifi-crappy: where the crappy webcams connect
My plan is to use systemd-networkd to make eth-upstream be a DHCP client, to assign two different subnets to the wifi subsets, e.g. 192.168.1.0/24 and 192.168.2.0/24, and to use dnsmasq to hand out DHCP addresses and manage DNS for the subnets.
Ideally I'd like to be able to use a laptop to look at the webcam feed, so 192.168.1.100 needs to be able to connect to 192.168.2.100, say.
But I'd like the webcam to be unable to connect to the laptop. All need to be able to reach the public internet.
How would I set this up?
Added: my router is a PC running Arch.
Last edited by jernst (2015-06-07 19:09:06)
What make and model is your router and what OS is it running? If it is Linux based, iptables should do the trick. You might want to look into DD-WRT or OpenWRT.
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way
Presumably you already set up iptables rules for a stateful firewall protecting the internal subnets from incoming connections from the public internet. If so, you already know the answer to your question. The rules you already should have for access between 192.168.255.255 and eth-upstream are very similar to the rules you need to implement between the 192.168.1.255 and 192.168.2.255 subnets.
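The reply above says the inter-subnet rules look like the usual stateful rules between the LAN and eth-upstream. Written out, for the setup the question describes (eth-upstream as DHCP client, 192.168.1.0/24 on wifi-valuable, 192.168.2.0/24 on wifi-crappy, dnsmasq for DHCP/DNS), that is the following. This is an added example, not code from the thread or from any poster; the interface names and subnets come from the question, while the gateway addresses (.1 on each /24), the DHCP ranges, the lease time and the output paths are assumptions made for illustration. The script only generates the three config pieces plus a sysctl fragment; nothing is loaded into the kernel until you copy the files into place.

```shell
#!/bin/sh
# Added example for the thread above, not code posted by anyone in it.
# Assumptions (not in the question): .1 gateway on each /24, DHCP pool
# .100-.200 with 12h leases, and the file layout written by write_configs.
set -eu

UP=eth-upstream
VAL=wifi-valuable
CRAP=wifi-crappy
VAL_GW=192.168.1.1;  VAL_RANGE="192.168.1.100,192.168.1.200"
CRAP_GW=192.168.2.1; CRAP_RANGE="192.168.2.100,192.168.2.200"

# systemd-networkd unit for one interface: "dhcp" for the upstream link,
# otherwise a static address so the router owns the .1 of that /24.
network_unit() {  # $1 = interface, $2 = "dhcp" | address/prefix
    printf '[Match]\nName=%s\n\n[Network]\n' "$1"
    if [ "$2" = dhcp ]; then printf 'DHCP=ipv4\n'; else printf 'Address=%s\n' "$2"; fi
}

# dnsmasq: serve DHCP and DNS on the two WiFi segments only, never upstream.
dnsmasq_conf() {
    cat <<EOF
interface=$VAL
interface=$CRAP
except-interface=$UP
bind-interfaces
domain-needed
bogus-priv
# one pool per subnet; dnsmasq picks the pool matching the interface address
dhcp-range=$VAL_RANGE,12h
dhcp-range=$CRAP_RANGE,12h
EOF
}

# iptables-restore ruleset. FORWARD policy is DROP, so only the listed
# directions may OPEN a connection; replies pass on conntrack state. There
# is deliberately no wifi-crappy -> wifi-valuable rule, and nothing new
# from eth-upstream is forwarded at all.
iptables_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $UP -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $VAL -j ACCEPT
-A INPUT -i $CRAP -p udp --dport 67 -j ACCEPT
-A INPUT -i $CRAP -p udp --dport 53 -j ACCEPT
-A INPUT -i $CRAP -p tcp --dport 53 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $VAL -o $UP -j ACCEPT
-A FORWARD -i $CRAP -o $UP -j ACCEPT
-A FORWARD -i $VAL -o $CRAP -j ACCEPT
COMMIT
EOF
}

# Self-check: may a NEW connection entering on $1 leave on $2? Derived from
# the FORWARD chain above, so it answers the laptop->webcam / webcam->laptop
# question before anything is loaded.
forward_allows() {  # $1 = ingress interface, $2 = egress interface
    iptables_rules | grep -q -- "^-A FORWARD -i $1 -o $2 -j ACCEPT$"
}

# Write all pieces under $1 (defaults to a scratch directory); prints the path.
write_configs() {
    dir=${1:-$(mktemp -d)}
    mkdir -p "$dir/systemd/network" "$dir/sysctl.d"
    network_unit "$UP"   dhcp          > "$dir/systemd/network/10-$UP.network"
    network_unit "$VAL"  "$VAL_GW/24"  > "$dir/systemd/network/20-$VAL.network"
    network_unit "$CRAP" "$CRAP_GW/24" > "$dir/systemd/network/20-$CRAP.network"
    dnsmasq_conf   > "$dir/dnsmasq.conf"
    iptables_rules > "$dir/iptables.rules"
    printf 'net.ipv4.ip_forward = 1\n' > "$dir/sysctl.d/30-router.conf"
    echo "$dir"
}

# Usage: ./gen-router.sh /some/dir   (no argument: only define the functions)
case "${1:-}" in "") ;; *) write_configs "$1" ;; esac
```

To use it on the Arch box: copy the .network units to /etc/systemd/network/, dnsmasq.conf to /etc/dnsmasq.conf, the sysctl fragment to /etc/sysctl.d/, and the ruleset to /etc/iptables/iptables.rules (which Arch's iptables.service loads via iptables-restore). Two caveats a practitioner would want: this is IPv4 only, so if the WiFi segments get IPv6 you need the same policy in ip6tables or no IPv6 on them; and the isolation holds between the two interfaces, not between devices sharing wifi-crappy, which can still reach each other at layer 2.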
If you want to isolate your webcams further, then prevent direct access to them and only allow connections through a proxying filter server.
Last edited by progandy (2015-06-08 01:23:47)
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
branch: duh, I should have thought of that. Thank you.
progandy: what "proxying filter server" did you have in mind, and how would I set that up?
progandy: what "proxying filter server" did you have in mind, and how would I set that up?
I think squid would work to filter URLs. For POST data, you'll have to write some C code or use a different proxy for a different language (e.g. nodejs hoxy, pymiproxy, nginx with lua module, ...)
I think I'd go with nginx/lua
Last edited by progandy (2015-06-08 04:46:31)
progandy: I didn't want to go that far at this time :-)