How can I set up my home LAN to prevent my employer sniffing all traffic?
Looking for hardware solutions. I don’t want to have a dedicated firewall. A lot of what I find in Google about switches seems to say they are all about performance, but I’ve also seen hints that they might help here.
Would this work?
Example setup: Work laptop connects over WiFi to dedicated Wifi router which is then plugged into one port of a switch that is plugged into any router, hub, or switch on my main LAN.
Or is there a simpler setup?
Looking for some there where I rely more on the hardware characteristics of the devices, rather than the detailed configuration settings in a router, which are more subject to changes and mistakes.
6 comments
[ 2.6 ms ] story [ 24.2 ms ] threadWorkLaptop -> NAT/WifiRouter1 plugged into NAT/WifiRouter2 plugged into ISP
Make sure DHCP ranges do not overlap, and this should lazily accomplish what you're looking for, as long as you don't port forward anything or enable UPnP on the one WorkLaptop connects to.
A switch does not help here.
I know what NAT is but are all routers not potentially NAT routers? Does this just mean any old router that happens to be configured for NAT? There we get into the (scary) configuration area I wanted to avoid but maybe if it’s just setting the address range I can handle that much.
Usually just set something like router2 = 192.168.2.0/24, router1 = 192.168.1.0/24, and you're fine. If you don't do this, you end up with conflicts/no route to host/no connectivity.
Do note that this is not a guarantee and a kind of side-effect. It may still be possible to sniff all traffic, look for ARP, etc. What you really want is a prosumer or enterprise device that can totally separate VLANs.
If you want to be assured of protection, you may need to rethink this requirement.
Network 'switches' provide some isolation, but unless you buy data-center level networking equipment, and configure them properly, there is no way to guarantee isolation (i.e., the isolation can be escaped when using a basic consumer grade switch).
My setup to avoid the same issue:
fios <---> Linux router (a PC running Linux) with four ethernet cards installed
first ethernet card connects to fios dmarc box
second ethernet card connects to my internal wired network
third ethernet card connects to an isolated wifi network
fourth ethernet card connects to cisco hardware VPN box (work provided), work laptop connects to this hardware VPN box
Linux firewall rules setup so that the work laptop and cicso VPN box connected to the fourth ethernet card has no access to any data on second or third ethernet cards and no knowledge even of the existence of those additional ethernet cards.
Work laptop does not run over wifi, ever.
This layout has the work laptop on a fully isolated, wired, network, where I have full control over what it can see (via those Linux firewall rules).