D-Link Forums

The Graveyard - Products No Longer Supported => Routers / COVR => DIR-655 => Topic started by: dopeselecta on October 07, 2010, 02:22:48 PM

Title: Two DIR-655 to segment and isolate lan from renters
Post by: dopeselecta on October 07, 2010, 02:22:48 PM

Aloha,
I'm trying to set up a home network with two DIR-655 routers.  Because of renters, I'd like to segment the network so that the renters cannot see the computers on my lan.  They just need to get internet.  The "guest" access is okay for wireless, but I have switches with structured wiring to provide physical connectivity.  The layout is as such:

[Cable Modem]-->#1[DIR-655](192.168.1.1)-->[My Switch]-->#2[DIR-655](xxx.xxx.x.x)-->[renters switch]

Can I configure the second DIR-655 with DHCP server to block access to my lan but still provide internet? Can I wire [My switch] to the WAN port of second DIR-655?  I'd really appreciate any input from those with more experience.

Title: Re: Two DIR-655 to segment and isolate lan from renters
Post by: jimsander on October 10, 2010, 02:54:55 PM

Caveat - it's been a while since I've done any "real" networking, so I'm rusty. Also, you're not saying precisely where the devices hook in there, whether they're wired or wireless, etc. But I'm assuming this...

[Cable Modem] --> #1[DIR-655] -> [My Switch]       ==>   #2[DIR-655] --> [Renters' Switch]
                                   |                     |                                |                      |
                              Your WiFi          Your Enet                    Renter Wifi         Renter Enet
                                                     (IPs from #1)                                      (IPs from #2)

I've indicated '==>' where I think you want the network segmented.

If it turns out you need the devices on [Renters' Switch] to also access *your* LAN, then I think what you want is nearly impossible without hooking [Renters' Switch] directly to [My Switch] (that probably means running two cables)

Now, assuming you do NOT need that... you'll still possibly run into issues with "double NAT." But with some "fiddling" I think it would work, at least for casual protection. It won't stop a determined attacker who, for instance, might unplug the #2 DIR-655 and replace it with their laptop - and spoofs its MAC. Even if you glue the connector in they might cut the cable and crimp their own RJ-45 on. ;)

Really, I think the ideal way to solve this robustly would be if [My Switch] supported port-based access controls. (VLANs, or whatever) But unless things have changed, I wouldn't expect that in consumer-level switches.

Other opinions might differ, and YMMV. But hope this helps some.