Home Network Security

Good day,

I want to open up ports to my home network to run internal services, but I would like to put a filter in place so that only certain TCP/IP addresses or domains can use them.

My router is a new ASUS and allows limited IP filtering, but I would like something better.

Does anyone know of a free/cheap solution to this? I run Linux and Windows systems and also a small VM server.
Julian Haines, Senior IT Administrator, asked:
Dr. Klahn, Principal Software Engineer, commented:
> so that only certain TCP-IP or Domains can use

Limit the IP addresses that will be accepted -- that's certainly possible and not difficult. Limit the domains that will be accepted -- that's nearly impossible, because it's not easy to go backward from an IP address (which is all you have on an incoming connection) to a domain name; some IP addresses at hosting companies have several hundred domains sitting on them.

A cheap way to do this is to buy a used WRT54G off fleabay, install DD-WRT on it, then set up port forwarding on the WRT54G as desired.  Put the cable modem in bridge mode, install the WRT54G between the network modem and the LAN.
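The IP-address limiting described above, as an added example that is not part of the original thread or of any DD-WRT project code: a POSIX shell function that generates iptables rules forwarding one public TCP port to an internal host only for an allowlist of source networks. The WAN interface name (`vlan2`), LAN host, ports and the TEST-NET allowlist addresses are all assumptions made up for illustration; DD-WRT does use iptables, but the interface names depend on the router and build.

```shell
#!/bin/sh
# Added example (not from the original thread): emit iptables rules for a
# Linux/DD-WRT-style router that forwards one public TCP port to an internal
# host, but only for an allowlist of source networks. Interface names,
# addresses and ports below are assumptions chosen for illustration.

# gen_rules WAN_IF WAN_PORT DST_IP DST_PORT "CIDR CIDR ..."
# Prints the rules instead of applying them, so they can be reviewed
# (and tested) before being pasted into the router's firewall script.
gen_rules() {
    wan_if=$1; wan_port=$2; dst_ip=$3; dst_port=$4; allow_list=$5

    for src in $allow_list; do
        # DNAT only for allowed sources: packets from unlisted sources are
        # never rewritten, so they never reach the internal host at all.
        printf 'iptables -t nat -A PREROUTING -i %s -p tcp -s %s --dport %s -j DNAT --to-destination %s:%s\n' \
            "$wan_if" "$src" "$wan_port" "$dst_ip" "$dst_port"
        # FORWARD sees the post-DNAT destination, so match the internal host/port.
        printf 'iptables -A FORWARD -i %s -p tcp -s %s -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
            "$wan_if" "$src" "$dst_ip" "$dst_port"
    done

    # Belt and braces: drop anything else from the WAN aimed at the service,
    # whether some other rule forwarded it or it is hitting the router itself.
    printf 'iptables -A FORWARD -i %s -p tcp -d %s --dport %s -j DROP\n' \
        "$wan_if" "$dst_ip" "$dst_port"
    printf 'iptables -A INPUT -i %s -p tcp --dport %s -j DROP\n' \
        "$wan_if" "$wan_port"
}

# Constructed sample run: public port 8443 -> internal 192.168.1.50:443,
# reachable only from 203.0.113.0/24 and the single host 198.51.100.7.
gen_rules vlan2 8443 192.168.1.50 443 "203.0.113.0/24 198.51.100.7/32"
```

Two caveats a practitioner would check before pasting the output into the router's startup firewall script: the rules must run before any broader port-forward for the same port (an earlier, unrestricted DNAT rule would win), and the router's existing `ESTABLISHED,RELATED` accept rule is still needed for the return traffic. Source-IP allowlists also only help against opportunistic scanners; a listed address that is itself compromised passes straight through.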
noci, Software Engineer, commented:
The TCP/IP (or rather IP) network only works with IP addresses; domain names are completely irrelevant.
Domain names are a bolted-on solution to help humans cope better with accessing servers. (We are better at using name tags for everything than at numbering them, possibly with the exception of Kurt Gödel.)

So filtering on names would be prohibitive (and too easy to defeat anyway) for many connections, e.g. from shared hosting services to outside services.

On the previous advice: the WRT54G can only do 100 Mbps, so if your Internet connection is faster you need something different. Look on the DD-WRT / LEDE website for a router compatible with your connection.

bbao, IT Consultant, commented:
> domain names are completely irrelevant.

Agree with noci, though I guess it might be something like a typo by the author.

Nowadays, outgoing domain filtering is very common for home routers, but here the requirement is actually for incoming domain filtering, which is very rare for home routers and even for enterprise routers, because it needs reverse DNS lookups and sometimes the result might be inaccurate.

In reality, the most common incoming domain filtering is for email services, such as SMTP reverse lookup and SPF.

Your way of forwarding to internal services may work well, but it does expose a number of ports to the Internet, hence any host on the Internet can run a port scanner and discover the ports and even identify the services behind the ports. It could be a security risk if you do have valuable assets (e.g. banking documents) and sensitive private info (e.g. personal video footage) behind the services. The more ports are opened to the Internet, the more chances of risk.

A common practice is to reduce the attack surface to the minimum level. Enabling a VPN is one of the best practices, as it only exposes one or a few ports to the Internet and it also enforces peer-to-peer encryption, so no one on the Internet can see your traffic content.

Of course, you do need a VPN-server-enabled router for this. IPsec VPN is recommended.

Hope it helps,
bbao
Dr. Klahn, Principal Software Engineer, commented:
No further input from requester.  Points assigned to contributing experts in perceived order of magnitude of contribution.