Link to home
Start Free TrialLog in
Avatar of WORKS2011
WORKS2011Flag for United States of America

asked on

Ideas to separate different businesses on the same LAN.

COVID seems to have disrupted many office buildings security where we're finding a theme playing out over and over. A business center once full of business now sits half empty and ends up getting subleased. Three or four businesses move into the vacant spaces. Sadly, business landlords only hook a Spectrum cable modem up (or ISP equivalent) then connect it to the patch panel. This places the subleased businesses at risk for several reasons. Everyone shares the same LAN network, risk of a virus breakout is high, there isn't a business grade firewall, just the basic cheap Spectrum modem device. Wireless is weak too, everyone shares the same password. 


Some business landlords are easy to work with while some insist they are not involved and accountable, the network they've provided (mentioned above) comes as is. 


With all this said, what do other EErs recommend to protect a business subleasing in a situation like this? We're thinking of a router with routing capabilities placed in our clients office to route to a different LAN, another device to create a VLAN, where do awe get DNS/DHCP from. 

Avatar of Wasif Ahmad
Wasif Ahmad
Flag of Pakistan image

  1. Setup a firewall server with opnsense or pfsense
  2. Add multiple Network cards to the server machine.
  3. Use the additional Network cards as different LANs and set up as many as you require
  4. You can also use a different IP scheme for different local networks (but that doesn't matter)
ASKER CERTIFIED SOLUTION
Avatar of David Johnson, CD
David Johnson, CD
Flag of Canada image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Wow this sounds ugly...

I'd take David Johnson's approach, placing some piece of gear between your LAN + your WiFi connection.

If you use a Linux box as your DMZ gear/device, then you'll have some serious control over packet flow.

In most cases a more simple approach can be used...

From what you've described... my skin is crawling... might be best to DMZ off your business from all others.
Aside: What you're describing will almost surely be dead slow too, so the other simple solution is don't use this setup at all.

Instead get an AT&T Wireless Hotspot (or similar), then run the AT&T Hotspot into a Linux machine to NAT all your other internal devices.

This will be at least as fast as what you've described... likely much faster... with far better security...
As Don said, use a firewall, but also a switch with VLANs configured. Make sure no routing is done at the switch - so a standard managed layer2 switch will be fine.

Each "Business" gets their own VLAN. The firewall has an interface (or subinterface) connected to each VLAN, and one to the internet. No rules allow traffic between business VLANs. Each VLAN is NATed at the firewall to the internet. The firewall can also be the DHCP server, but can allow clients to reach internet-based DNS servers.

The WiFi can also utilise this setup if the Access Points support multiple SSIDs and 802.1Q. Connect each AP to a port configured as a trunk (in Cisco speak) and allow the VLANs for each business on it. Configure an SSID per business and set the relevant VLAN. Give them each their own preshared key.
I see 2 independent threads going here.

Thread #1 - at the network management level (landlord)
Thread #2 = at the end user level  (tenant)

Are you at the landlord or tenant level?
Avatar of WORKS2011

ASKER

Wasif, sounds similar to Sophos in the sense it needs two NICS and is software based. Haven't used opnsense or pfsense before, researching now. 
David,
 add a router in between your WAN input port and your network. use your own DHCP and your own or public DNS
This isn't an option because the landlord doesn't allow individual subleased accounts (tenants) this type of access. Only option available is install a device at the data drop in the office. 
Don,
I use a firewall like a Cisco ASA.  Each business gets a separate "inside" port and no inter-inside traffic allowed.  Everyone can get outside but the different businesses are effectively isolated from each other.


Or you could use private VLAN's, but I think that's more complicated since it requires and switch and a firewall.  
Good advice but the landlord won't allow this, will only allow each tenant to protect their portion of their LAN from their individual office space.  
David,
Instead get an AT&T Wireless Hotspot (or similar), then run the AT&T Hotspot into a Linux machine to NAT all your other internal devices.
What do you think of EERO's wifi? Not a fan for medium size business that need DHCP, a decent switch, and firewall but in this case may work really well. 
David, we're the tenant. I spoke with the building IT and they really don't want to deal with any of this, they feel fine with everyone on the same LAN is enough on their end. 
SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
The solution I gave, you didn't get it. Just add a firewall after the WAN and then take out any number of LANs with any scheme. It's not rocket science if you understand what I am talking about. OPNsense on a server will act as a hardware firewall and will not the traffic to get mixed.
User generated imageI'm more of a visual learner so I hope the pic clears up any confusion, which may just be on my end. Where I'm having a difficult time rapping any solution around is connecting a firewall to a LAN address. I have no access at all to item #1 in the image, the patch panel or switch that connects the LAN, item #2. The four computers are individual subleased businesses all on the same LAN, all viewable to one anther. My client is the red outlined subleased area #3. Only option I have is connecting a device at the RJ45 drop in this office, item #3. This is where I have access and am not clear how to configure a firewall to connect to a LAN, continue to receive Internet and have no issues with DNS.

I do have the option to configure a VLAN on the Cisco Router I'm installing and believe this is likely the best route to go.

@Wasif, implementing OPNsense is not an option because I'm not familiar with it.
Just add a firewall after the WAN and then take out any number of LANs with any scheme.
Add the firewall where after the LAN, what section, as I mentioned areas #1 and #2 I do not have access to. If you meant the RJ45 drop in my clients office please confirm you're saying this solution will connect back to the WAN/ISP router, internet will work fine, no DNS issues, and no bandwidth degradation.

Add a firewall (or consumer grade router i.e. Linksys, D-Link, etc.) where the computer is currently connected. Then plug in the businesses computers into the LAN ports. 
you put a router / firewall in between your computers and the network drop #3  which has its own dhcp server which will be setup to use a different local address range than provided by the network drop.
Don and David, thank you. Ha, feel like I'm the only person that doesn't realize I can connect a firewall in this configuration. We just tested in our test environment and it worked fine, found the DNS info, etc.

Learn something new every day. Appreciate everyone discussing this, will configure the firewall tomorrow and let everyone know. Still not convinced with a firewall downstream that I don't have control over that this setup won't create problems one way or another. Hope I'm wrong and will keep you posted. Thanks everyone again. 
Double NAT (two firewalls or routers) is not a problem.  The only time it becomes an issue is when you need to allow inbound traffic (i.e. if you had a web server inside). It can still be done, just more work. 
So what an issue. Create Item#3 as a route to your multiple new LANs and use it as a WAN. There are several software that can help you manage it. i.e. if you are good with windows OS, you can with Windows Server and TMG Forefront or any other software firewall. I am a Linux lover so I always for for Linux environment. I have firewall installed at several locations in my office and using several LAN points as a separate WAN and created multiple DHCP schemes for every LAN out of every WAN.
Don, what do you recommend between these two routers/firewalls. This is a very small office, one room with not much growth in terms ever needing a server, IIS / website, etc. Majority of work is PDF, word documents, email is on 365, data is in the cloud. Will likely have a backup server at some point or this may be offsite. It's possible future devices may require a port to be opened at some point. I like the idea of buying a professional firewall so the Cisco RV160W is my first choice, likely can configure better than the automated portion of the AC1900. However I feel it may be overkill.

AC1900 WiFi Router (R7000)

Cisco RV160W Wireless-AC Gigabit VPN Router


Wasif I started Kali Linux classes to increase my knowledge with pen testing and dive into the Linux world. Started using powershell more in the Windows world. The GUI is nice when you're a visual learner. I have to say though, Linux is amazing and I look forward to continuing my knowledge about it.  
From a capability standpoint, either one will do what you need.  I've got one of the Netgear routers (I think a 1700) in my house.  Although I'm only using it as an access point.  Nice box with decent functionality.  
@WORKS2011
OPNsense and PFsense, both come up with great GUI. I would suggest trying OPNsense and you'll thank me later. Just get a server up with at least two network cards. One network card will act as WAN (which is actually point #3 as shown in your diagram) and the other network card will be LAN. You can use multiple network cards for multiple LANs. Just try it and play with it, you'll learn how things would work.
Thank you everyone for the feedback. I placed a router inline and everything is working out fine.

Wasif I started using OPNSense on other projects and love it, thanks for the info.  
Great to know @WORKS2011!

Thanks
Just something to remember about OPNSense is that it is updated more regularly than pfSense, and with that there are sometimes issues that arise. I find pfSense a little more stable than OPNSense, so if you need stability it might be something you want to consider.
Appreciate it Craig. Getting more into open source and Linux myself. Currently getting pen-testing certs and diving into cyber security deeper.