3

I'm trying to set up a network in which each computer must not be able to see the others on the network, only the router. The people involved don't necessarily know each other and don't necessarily know much about configuring a network. The problem we're trying to solve is that sometimes people connect their own wireless router, but inadvertently connect the LAN port to the main switch, thus creating a conflict between its DHCP server and the one on the main router.

I'm figuring that VLANs would solve the problem. As I can't count on the equipment being connected supporting tagged VLANs, I must rely on the switch being in untagged mode for all of the clients, and then the switch should support VLAN trunking, thus allowing all clients to see it and be able to access the internet.

So anyone have any suggestions for a router that can support this? Something with a GUI would be nice, as I'm too lazy for command-line stuff. The router that is in place is a Linksys WRT160N, so maybe it can be used with OpenWrt or the like.

What do you think?

EDIT: I've looked at how to do it in DD-WRT, but the directions given here http://www.dd-wrt.com/wiki/index.php/VLAN_Detached_Networks_(Separate_Networks_With_Internet) don't explain how to do this if you want more than 4 VLANs. I'm guessing I can create a greater number of VLANs and separate them all?

user23815

5 Answers

2

If your only real problem is that some people connect a DHCP device to the network - set up DHCP filtering on the switch, or if you don't have one, get one. If you can't - set something up to monitor and alert you to the unwanted behaviour.

You could go further - a decent switch will let you set up filtering of MAC addresses as well - you could prevent unauthorized devices from working on the network, period.

gabbelduck
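As an added illustration of the "monitor and alert" option in this answer (my own code, not something posted in the thread): a parser that inspects DHCP payloads captured from UDP port 67/68 and flags DHCPOFFER messages whose server identifier (option 54) is not the authorized router. The authorized address 192.168.1.1 is an assumed placeholder and the sample packets are constructed by `build_offer`; on a real network you would feed it payloads from a packet capture.

```python
from typing import Dict, List, Optional

# Assumed address of the legitimate DHCP server (the main router); placeholder value.
AUTHORIZED_SERVERS = {"192.168.1.1"}
DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie after the 236-byte BOOTP header
OPT_MSG_TYPE, OPT_SERVER_ID, DHCPOFFER = 53, 54, 2

def parse_dhcp_options(payload: bytes) -> Dict[int, bytes]:
    """Return {option_code: value} from the variable-length option area of a DHCP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad option, single byte, no length field
            i += 1
            continue
        if code == 255:          # end option
            break
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def rogue_offer_server(payload: bytes) -> Optional[str]:
    """Return the offering server's IP if this is a DHCPOFFER from an unauthorized server, else None."""
    opts = parse_dhcp_options(payload)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return None                       # only OFFERs reveal a competing server
    sid = opts.get(OPT_SERVER_ID, b"")
    server_ip = ".".join(map(str, sid)) if len(sid) == 4 else "missing-server-id"
    return None if server_ip in AUTHORIZED_SERVERS else server_ip

def find_rogue_servers(payloads: List[bytes]) -> List[str]:
    """Scan captured payloads and list unauthorized DHCP servers in order of first sighting."""
    seen: List[str] = []
    for p in payloads:
        ip = rogue_offer_server(p)
        if ip and ip not in seen:
            seen.append(ip)
    return seen

def build_offer(server_ip: str) -> bytes:
    """Constructed minimal DHCPOFFER for demonstration; not a real capture."""
    header = bytearray(236)
    header[0:3] = b"\x02\x01\x06"         # op=BOOTREPLY, htype=Ethernet, hlen=6
    sid = bytes(int(x) for x in server_ip.split("."))
    options = bytes([OPT_MSG_TYPE, 1, DHCPOFFER, OPT_SERVER_ID, 4]) + sid + b"\x00\xff"
    return bytes(header) + DHCP_MAGIC + options
```

A second OFFER from an address other than the authorized router is exactly the symptom the question describes, so an alert on a non-empty result from `find_rogue_servers` is the point to page someone.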
1

Hey guys, thanks for all of your great answers. I'm looking into acquiring a Dell switch (54xx series) that will let me block rogue DHCP servers. It looks pretty simple to set up - I don't think (hope) that I need very advanced troubleshooting tools.

DHCP snooping is apparently the term one would look for, for this kind of functionality.

I'll post a reply when I get it working.

user23815
  • DHCP snooping is, in fact, what you want. You could also do this with a switch that supports OpenFlow, but it would require a bit more backend infrastructure. In terms of routers, if you want software (and free) that comes as close to what you'd get from Cisco, Juniper, etc., Vyatta is hands-down the only way to go. – Jason Antman Sep 16 '10 at 03:09
  • Also... if you wanted to go with a less expensive switch, and had hardware for the router that could handle it (you'd need a full x86 server), you could just make each port its own VLAN and then trunk them all to the router, and have the router handle DHCP policy in firewall. – Jason Antman Sep 16 '10 at 03:11
0

I think what you really want is Private VLAN support. This is more a question of the switch than the router. I'm not sure about GUI based options. I know Cisco does this really well (surprise!). Here's a list of their supported switches:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a0080094830.shtml

Jason Berg
  • Hi Jason, thanks for your answer. I'm currently looking at a Dell PowerConnect 5424 which looks super simple. – user23815 Sep 02 '10 at 10:18
0

If you want a powerful router, I would recommend Mikrotik (http://www.mikrotik.com). It's not that easy to set up, since you have to know how subnetting, firewalls and other related stuff work. But it will allow much better debugging of the network in comparison to DD-WRT (personal opinion!). And it fits your use case, if providing an internet connection to a bunch of flats in a building is what you want to accomplish.

I would assign every user (Ethernet port) a VLAN ID - on the switch port define a PVID, which is the default VLAN assigned to packets with no VLAN ID. The port to the router will be a trunk of all VLANs, and so will the port on the router. In the router, allow only connections between each VLAN and the internet interface, so communication between users will be dropped. And if some users would like to communicate between themselves (gaming, warezing), there is no problem adding rules to the firewall.

Last note about "two users communicate": you can merge them into one VLAN, so data will flow only through the switch, thus saving router upload bandwidth, OR they can stay in different VLANs and you enable the desired communication on the firewall. The second approach allows better control, but consumes a lot of router bandwidth, so you should think about QoS.

mkudlacek
0

If the problem is just rogue DHCP servers, simply configure your switches to only permit authorized DHCP servers (depends on the switch; for example ProCurve 28xx). Or (if they don't support something like this), just block DHCP offers (but not requests) coming from client machines/unauthorized ports.

Private VLANs have some issues where they block things you may not want to block, such as UPnP/Bonjour services between clients and are probably overkill for your needs.

Ingmar Hupp
  • Thanks, this is what I'm looking into. Good point about UPnP, etc. although it probably won't be a problem here. – user23815 Sep 02 '10 at 10:19