Separate Home network, help required

[jimborae]

Hi all, looking for help. No1. son got his own laptop today for his 14th birthday which means I now have much less control on what he does and where he goes on it, thus I'm fully expecting it to get riddled with malware in the near future. I've imaged it so disinfecting it is no biggie but my concern is malware propogating through our home network and infecting other pcs or our home server. Therfore I think the best way to go is to somehow seperate the home network so he effectively is firewalled/on a seperate lan to the rest of the household. Sooooo looking for some good advice on how to acheive this. He wont need to access anything else on the network via his laptop except for the printer, the current home network is fairly basic with a main router (Asus RT-AC87u) feeding the rest of the house via wi-fi (mobile devices) and homeplugs (static devices). The home server & my pc's in the loft connect indirectly to the router via ethernet and a pro curve switch and not via home plugs.

Cheers

Jim

[shaithis]

There are really only 2 ways to segregate the traffic and both are reliant on your router supporting the functionality....

1. VLANs. You would want to create a new "unsecure" VLAN for your sons PC (and possibly the Wifi!) and then add a bridge to route traffic between the VLANs virtual interface and the WAN interface.

2. Separate subnets. Different IP ranges for different machines and then a route to allow the new subnet to talk out onto the internet. A clever user could reconfigure the network connection to bypass this though.


I do number 1 on a DD-WRT router but unsure if the Asus supports it.....you may need a new router.

[jimborae]

Cheers for the reply, yeah those are the options that I pretty much figured just wanted to check I wasn't missing anything else.

Option 1 is supported by my main router out of the box, and it currently runs Merlin firmware which is supposed to give even more functionality but I'll have to investigate how to set this up. Any tips or guides you can recommend?

Option 2 - From what I've been reading wont this require 2 other routers (which I have) connected via their wan ports to the main router??? Would be physically more difficult to do I reckon as I'll have to change a whole host of other settings and re set up a second router for the rest of the house hold to use. But it is doable and I have the kit to do it.

[malfunction]

Some routers offer a guest wifi feature as well - with various options for isolation and bandwidth control

[peterb]

Yes, subnet is probably the simplest way. You could get something like pfsense to form a somewhat more resilient firewall and put him behind that, but that may be overkill.

https://www.pfsense.org Or just download the software and install it on your own hardware.

Of course, the best defence is educating him about the risks, but 14 year old makes don't deal with risk very well, and of course it won't happen to him !

[jimborae]

......
Of course, the best defence is educating him about the risks, but 14 year old makes don't deal with risk very well, and of course it won't happen to him !

So true and education is not his forte, he's a very imature/young 14yr old.

[jimborae]

Some routers offer a guest wifi feature as well - with various options for isolation and bandwidth control

Yep mine has that, in fact I can set multiple guest wi-fi networks however I'm sure he'll end up plugging a cable in to it from the switch in his room at some point (TV & Xbox will connect to this as well).

[peterb]

Yep mine has that, in fact I can set multiple guest wi-fi networks however I'm sure he'll end up plugging a cable in to it from the switch in his room at some point (TV & Xbox will connect to this as well).

Ah yes "Oh Lord, please send me a teenager while they still know everything!"

You might want to look at smoothwall http://www.smoothwall.org. If that was hard wired to a cable in his room... Or probably put the rest of the family's system behind the firewall and just wait for the inevitable

[jimborae]

..........
You might want to look at smoothwall http://www.smoothwall.org. If that was hard wired to a cable in his room... Or probably put the rest of the family's system behind the firewall and just wait for the inevitable

Thanks will check it out.

[jimborae]

Looking into things further in the long run it maybe easier to drop ethernet down to his room from the Pro Curve and set up a vlan on that. Short term just do the guest wi-fi option till long term solution sorted.

[ik9000]

I think my router lets you assign access privileges to the LAN, WAN, etc based on Mac address - so if you log his network card mac address for the LAN you may be able to block/direct him to a subnet that way. My old one definitely did. Having just gone into the parental controls recently my new one seems to be far inferior to the old D-Link I used to have 6 years ago! I hope it's not the case for assigning subnets too...

out of interest how are you managing what he accesses? Do you use any parental control software or just an honesty system?

[jimborae]

I think my router lets you assign access privileges to the LAN, WAN, etc based on Mac address - so if you log his network card mac address for the LAN you may be able to block/direct him to a subnet that way. ...

out of interest how are you managing what he accesses? Do you use any parental control software or just an honesty system?

Access is currently on an honesty system, he knows I regularly check his browsing history etc and to be frank he's too naive to go to darker places intentionally....though I suspect that will change in the next 12-18 months so parental controls will have to be implemented at some point.

[Smudger]

If he's 14, he probably already knows about incognito mode...

[jimborae]

If he's 14, he probably already knows about incognito mode...

Nope he doesn't, as I said he's pretty naive and not IT literate yet.

[peterb]

If he's 14, he probably already knows about incognito mode...

Yes, it's down to key loggers and a proxy server logging all the sites...

[ik9000]

Yes, it's down to key loggers and a proxy server logging all the sites...

I'm fairly certain a determined individual can see adult content without needing to type anything more than " ". The rest is all mouse clicks. Key loggers are not necessarily the answer. And it depends how good the listing of the proxy server is at interpreting long search site strings such as all the hashing the sites like bing etc produce as to whether you can check what they were actually viewing...