WORKS2011 asked:

Ideas to separate different businesses on the same LAN.

COVID seems to have disrupted the security of many office buildings, where we're finding a theme playing out over and over. A business center once full of businesses now sits half empty and ends up getting subleased. Three or four businesses move into the vacant spaces. Sadly, business landlords only hook up a Spectrum cable modem (or ISP equivalent) and connect it to the patch panel. This places the subleased businesses at risk for several reasons: everyone shares the same LAN, the risk of a virus breakout is high, and there isn't a business-grade firewall, just the basic cheap Spectrum modem device. Wireless is weak too; everyone shares the same password.


Some business landlords are easy to work with, while some insist they are not involved or accountable; the network they've provided (mentioned above) comes as is.


With all this said, what do other EErs recommend to protect a business subleasing in a situation like this? We're thinking of a router with routing capabilities placed in our client's office to route to a different LAN, another device to create a VLAN, but where do we get DNS/DHCP from?

Topics: Networking, Security, Hardware Firewalls


8/22/2022 - Mon
Wasif Ahmad

  1. Set up a firewall server with OPNsense or pfSense
  2. Add multiple Network cards to the server machine.
  3. Use the additional Network cards as different LANs and set up as many as you require
  4. You can also use a different IP scheme for different local networks (but that doesn't matter)
ASKER CERTIFIED SOLUTION
David Johnson, CD

(answer hidden behind the site's login)

SOLUTION

(answer hidden behind the site's login)
David Favor

Wow this sounds ugly...

I'd take David Johnson's approach, placing some piece of gear between your LAN + your WiFi connection.

If you use a Linux box as your DMZ gear/device, then you'll have some serious control over packet flow.

In most cases a more simple approach can be used...

From what you've described... my skin is crawling... might be best to DMZ off your business from all others.
David Favor

Aside: What you're describing will almost surely be dead slow too, so the other simple solution is don't use this setup at all.

Instead get an AT&T Wireless Hotspot (or similar), then run the AT&T Hotspot into a Linux machine to NAT all your other internal devices.

This will be at least as fast as what you've described... likely much faster... with far better security...
Craig Beck

As Don said, use a firewall, but also a switch with VLANs configured. Make sure no routing is done at the switch, so a standard managed layer-2 switch will be fine.

Each "Business" gets their own VLAN. The firewall has an interface (or subinterface) connected to each VLAN, and one to the internet. No rules allow traffic between business VLANs. Each VLAN is NATed at the firewall to the internet. The firewall can also be the DHCP server, but can allow clients to reach internet-based DNS servers.

The WiFi can also utilise this setup if the Access Points support multiple SSIDs and 802.1Q. Connect each AP to a port configured as a trunk (in Cisco speak) and allow the VLANs for each business on it. Configure an SSID per business and set the relevant VLAN. Give them each their own preshared key.
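The design Craig describes above (one VLAN and subnet per business on a layer-2 switch, a firewall sub-interface per VLAN, DHCP per VLAN, a trunk to multi-SSID access points, and no rules between tenant VLANs) has the same shape as Wasif's one-NIC-per-LAN firewall earlier in the thread. The following is an added example, not code from this thread or from any of the posters, that models that policy and checks it for the one mistake that matters here: a rule that lets two tenants reach each other. Tenant names, VLAN ids, the 10.10.0.0/16 block and the DHCP pool layout are constructed for illustration; Quad9 (9.9.9.9) stands in for whatever public resolver the firewall hands out.

```python
"""Added example (not from this thread or any poster): a small model of the
per-tenant VLAN design and a check that the firewall policy really isolates
the tenants. Tenant names, VLAN ids and address blocks are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    name: str                        # tenant name
    vlan_id: int                     # 802.1Q tag on the trunk to the firewall and the APs
    subnet: ipaddress.IPv4Network    # the tenant's own address block


@dataclass(frozen=True)
class Rule:
    src: str      # segment name, or "internet"
    dst: str
    action: str   # "allow" or "deny"


def plan_segments(tenants, base="10.10.0.0/16", first_vlan=10):
    """Carve one /24 out of `base` per tenant and number the VLANs 10, 20, 30, ..."""
    pool = ipaddress.ip_network(base).subnets(new_prefix=24)
    return [Segment(t, first_vlan + 10 * i, next(pool)) for i, t in enumerate(tenants)]


def dhcp_scope(seg):
    """DHCP settings the firewall hands out on this VLAN: the gateway is the
    first host, the pool is hosts .100-.200 (a constructed convention), and
    DNS points at a public resolver, as the thread suggests."""
    hosts = list(seg.subnet.hosts())
    return {
        "gateway": str(hosts[0]),
        "pool_start": str(hosts[99]),
        "pool_end": str(hosts[199]),
        "dns": ["9.9.9.9"],   # Quad9, one public resolver; any other would do
    }


def tenant_rules(segments):
    """The only rules in the design: each tenant out to the internet, nothing between tenants."""
    return [Rule(s.name, "internet", "allow") for s in segments]


def allowed(src, dst, rules):
    """First-match evaluation with an implicit default deny."""
    for r in rules:
        if r.src == src and r.dst == dst:
            return r.action == "allow"
    return False


def isolation_violations(segments, rules):
    """Ordered tenant pairs that the rule set would let talk to each other."""
    names = [s.name for s in segments]
    return sorted((a, b) for a in names for b in names if a != b and allowed(a, b, rules))


def trunk_allowed_vlans(segments):
    """VLAN list to permit on the trunk port that feeds a multi-SSID access point."""
    return ",".join(str(s.vlan_id) for s in segments)


if __name__ == "__main__":
    segs = plan_segments(["acme", "globex", "initech"])
    rules = tenant_rules(segs)
    for s in segs:
        print(s.name, s.vlan_id, s.subnet, dhcp_scope(s))
    print("trunk allows:", trunk_allowed_vlans(segs))
    print("violations:", isolation_violations(segs, rules))
    # One stray allow rule is enough to undo the isolation; the checker catches it.
    print("violations with a stray rule:",
          isolation_violations(segs, rules + [Rule("acme", "globex", "allow")]))
```

The point of `isolation_violations` is that "no rules between business VLANs" is a property you can test rather than assume: run it against the rule set you actually configured (exported from the firewall, mapped onto these names) whenever a rule is added, and an empty result is what you want.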
David Johnson, CD

I see 2 independent threads going here.

Thread #1 - at the network management level (landlord)
Thread #2 - at the end user level (tenant)

Are you at the landlord or tenant level?
WORKS2011

ASKER
Wasif, sounds similar to Sophos in the sense that it needs two NICs and is software based. Haven't used OPNsense or pfSense before, researching now.
WORKS2011

ASKER
David,
    add a router in between your WAN input port and your network. use your own DHCP and your own or public DNS
This isn't an option because the landlord doesn't allow individual subleased accounts (tenants) this type of access. Only option available is install a device at the data drop in the office. 
WORKS2011

ASKER
Don,
    I use a firewall like a Cisco ASA. Each business gets a separate "inside" port and no inter-inside traffic allowed. Everyone can get outside but the different businesses are effectively isolated from each other.

    Or you could use private VLANs, but I think that's more complicated since it requires a switch and a firewall.
Good advice but the landlord won't allow this, will only allow each tenant to protect their portion of the LAN from their individual office space.
WORKS2011

ASKER
David,
    Instead get an AT&T Wireless Hotspot (or similar), then run the AT&T Hotspot into a Linux machine to NAT all your other internal devices.
What do you think of eero's wifi? Not a fan for medium-size businesses that need DHCP, a decent switch, and a firewall, but in this case it may work really well.
WORKS2011

ASKER
David, we're the tenant. I spoke with the building IT and they really don't want to deal with any of this; they feel everyone being on the same LAN is enough on their end.
SOLUTION

(answer hidden behind the site's login)
Wasif Ahmad

The solution I gave, you didn't get it. Just add a firewall after the WAN and then take out any number of LANs with any scheme. It's not rocket science if you understand what I am talking about. OPNsense on a server will act as a hardware firewall and will not let the traffic get mixed.
WORKS2011

ASKER
I'm more of a visual learner so I hope the pic clears up any confusion, which may just be on my end. Where I'm having a difficult time wrapping my head around any solution is connecting a firewall to a LAN address. I have no access at all to item #1 in the image, the patch panel or switch that connects the LAN, item #2. The four computers are individual subleased businesses all on the same LAN, all viewable to one another. My client is the red-outlined subleased area #3. The only option I have is connecting a device at the RJ45 drop in this office, item #3. This is where I have access and am not clear how to configure a firewall to connect to a LAN, continue to receive Internet and have no issues with DNS.

I do have the option to configure a VLAN on the Cisco Router I'm installing and believe this is likely the best route to go.

@Wasif, implementing OPNsense is not an option because I'm not familiar with it.
    Just add a firewall after the WAN and then take out any number of LANs with any scheme.
Add the firewall where after the LAN, what section? As I mentioned, areas #1 and #2 I do not have access to. If you meant the RJ45 drop in my client's office, please confirm you're saying this solution will connect back to the WAN/ISP router, internet will work fine, no DNS issues, and no bandwidth degradation.

Don Johnston

Add a firewall (or consumer-grade router, i.e. Linksys, D-Link, etc.) where the computer is currently connected. Then plug the business's computers into the LAN ports.
David Johnson, CD

You put a router/firewall in between your computers and network drop #3; it has its own DHCP server, which will be set up to use a different local address range than the one provided by the network drop.
WORKS2011

ASKER
Don and David, thank you. Ha, feel like I'm the only person that doesn't realize I can connect a firewall in this configuration. We just tested in our test environment and it worked fine, found the DNS info, etc.

Learn something new every day. Appreciate everyone discussing this, will configure the firewall tomorrow and let everyone know. Still not convinced with a firewall downstream that I don't have control over that this setup won't create problems one way or another. Hope I'm wrong and will keep you posted. Thanks everyone again. 
Don Johnston

Double NAT (two firewalls or routers) is not a problem.  The only time it becomes an issue is when you need to allow inbound traffic (i.e. if you had a web server inside). It can still be done, just more work. 
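Two details decide whether the router-at-the-drop setup from David Johnson's and Don Johnston's replies works cleanly: the inside address range must not overlap the range the router's WAN port picks up by DHCP from the landlord's drop (otherwise the router cannot tell inside from outside), and with two NAT layers an inbound service needs a matching forward on both boxes, the landlord's included. The following is an added example, not code from this thread or from any poster, that makes both checks concrete. The candidate address blocks, the lease on the drop, the forwarding tables and the ports are all constructed for illustration.

```python
"""Added example (not from this thread or any poster): pick a non-overlapping
inside subnet for a router sitting on someone else's LAN drop, and trace an
inbound connection through two NAT layers. All values are constructed."""
import ipaddress

# Private ranges the tenant router may use inside, in order of preference (constructed list).
CANDIDATE_INSIDE = ["192.168.1.0/24", "192.168.50.0/24", "10.77.0.0/24", "172.16.20.0/24"]


def upstream_network(wan_ip, wan_prefix):
    """The network the router's WAN port learned by DHCP on the landlord's drop."""
    return ipaddress.ip_interface(f"{wan_ip}/{wan_prefix}").network


def choose_inside_subnet(upstream, candidates=CANDIDATE_INSIDE):
    """First private candidate that does not overlap the upstream LAN.
    Overlap is the classic double-NAT failure: the router cannot route
    between two interfaces that claim the same addresses."""
    for cidr in candidates:
        net = ipaddress.ip_network(cidr)
        if net.is_private and not net.overlaps(upstream):
            return net
    raise ValueError("every candidate overlaps the upstream LAN; choose another block")


def trace_inbound(nat_hops, dst_port):
    """Follow an inbound connection through a chain of NAT devices, outermost
    first. Each hop is a dict: external port -> (next address, internal port).
    Returns the final (host, port), or None at the first hop without a forward."""
    port, target = dst_port, None
    for hop in nat_hops:
        if port not in hop:
            return None
        target, port = hop[port]
    return target, port


if __name__ == "__main__":
    upstream = upstream_network("192.168.1.57", 24)   # lease received on drop #3
    inside = choose_inside_subnet(upstream)           # skips 192.168.1.0/24, picks 192.168.50.0/24
    print("upstream", upstream, "-> inside", inside)

    tenant_fw = {443: ("192.168.50.10", 443)}         # tenant router forwards 443 to an inside host
    landlord_fw = {}                                  # landlord router forwards nothing
    print(trace_inbound([landlord_fw, tenant_fw], 443))   # None: the connection dies at the landlord router

    landlord_fw = {443: ("192.168.1.57", 443)}        # landlord forwards to the tenant router's WAN address
    print(trace_inbound([landlord_fw, tenant_fw], 443))   # ('192.168.50.10', 443)
```

`trace_inbound` is the reason Don's caveat matters for the asker's situation: the landlord controls the outer hop, so any future device that "needs a port opened" requires a forward on a router the tenant cannot touch, in addition to the one on their own. Outbound traffic, which is all this office needs today, is unaffected.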
Wasif Ahmad

So what's the issue. Create Item #3 as a route to your multiple new LANs and use it as a WAN. There are several software packages that can help you manage it, i.e. if you are good with the Windows OS, you can with Windows Server and Forefront TMG or any other software firewall. I am a Linux lover so I always go for a Linux environment. I have firewalls installed at several locations in my office, using several LAN points as separate WANs, and have created multiple DHCP schemes for every LAN out of every WAN.
WORKS2011

ASKER
Don, what do you recommend between these two routers/firewalls? This is a very small office, one room with not much growth in terms of ever needing a server, IIS / website, etc. The majority of work is PDF, Word documents, email is on 365, data is in the cloud. Will likely have a backup server at some point or this may be offsite. It's possible future devices may require a port to be opened at some point. I like the idea of buying a professional firewall so the Cisco RV160W is my first choice, likely can configure better than the automated portion of the AC1900. However I feel it may be overkill.

AC1900 WiFi Router (R7000)

Cisco RV160W Wireless-AC Gigabit VPN Router


Wasif, I started Kali Linux classes to increase my knowledge of pen testing and dive into the Linux world. Started using PowerShell more in the Windows world. The GUI is nice when you're a visual learner. I have to say though, Linux is amazing and I look forward to continuing my knowledge of it.
Don Johnston

From a capability standpoint, either one will do what you need.  I've got one of the Netgear routers (I think a 1700) in my house.  Although I'm only using it as an access point.  Nice box with decent functionality.  
Wasif Ahmad

@WORKS2011
OPNsense and pfSense both come with a great GUI. I would suggest trying OPNsense and you'll thank me later. Just get a server up with at least two network cards. One network card will act as WAN (which is actually point #3 as shown in your diagram) and the other network card will be LAN. You can use multiple network cards for multiple LANs. Just try it and play with it, you'll learn how things work.
WORKS2011

ASKER
Thank you everyone for the feedback. I placed a router inline and everything is working out fine.

Wasif, I started using OPNsense on other projects and love it, thanks for the info.
Wasif Ahmad

Great to know @WORKS2011!

Thanks
Craig Beck

Just something to remember about OPNsense is that it is updated more regularly than pfSense, and with that there are sometimes issues that arise. I find pfSense a little more stable than OPNsense, so if you need stability it might be something you want to consider.
WORKS2011

ASKER
Appreciate it Craig. Getting more into open source and Linux myself. Currently getting pen-testing certs and diving into cyber security deeper. 