Non-wireless NAT router/firewall

Following on from my previous queries, I am now looking for what used to be called a Cable Router - that is a NAT Router/firewall with a WAN port and up to (4?) LAN ports but no wireless. Single LAN port is fine as I have a stock of Ethernet hubs if required.

I just want to put this between a cable modem and a wireless NAT router/firewall so that I can use physical separation to build a DMZ.

In the DMZ I will have net facing server(s).

The rest of the home networking kit will hang off the wireless router.

However I cannot at the moment locate anything under about £130 and nearly everything seems to come with wireless as standard.

So can I get a reasonably priced cable router without wireless, or do I have to buy a wireless router then disable the wireless?

Cheers

Dave R

Reply to
David.WE.Roberts

Then again

formatting link

seems to fit the bill and is very cheap at just over £10.

So I would be very grateful for recommendations for two devices - NAT router/firewall with DMZ support (i.e. routes all incoming calls at the WAN port to a specified IP on the LAN) and a wireless cable router to hang off this which offers simultaneous dual band ac and Gigabit Ethernet ports.

TIA

Dave R

Reply to
David.WE.Roberts

You don't need a wireless cable router to do that - just a wireless access point?

Sounds like what you actually need is a bog standard reasonable quality ADSL router and one or more WAPs.

Reply to
The Natural Philosopher

I use a small low power unix system to do this.

It's all down to volume, and just about everyone expects WiFi, so the shipping volume of these products keeps their price low.

A non-WiFi router is going to be looking at the commercial market, with commercial pricing, but possibly more feature-rich.

Buy a home unit and disable the WiFi. (Check first it can be disabled, I've come across routers where it can't.)

Reply to
Andrew Gabriel

I think we may be at cross purposes.

I want two things:

(1) A LAN firewalled from t'Internet but accepting incoming calls. This is obviously a risk because the door is at least partially open and ports are presented to t'Internet for bad people to attack. Let us call this the DMZ.

(2) A LAN firewalled from the DMZ with no incoming calls allowed. This hopefully prevents any bad people who have gained a toe hold in the DMZ from getting any further. Let us call this the Green LAN.

AFAIK a WAP is just a method of extending a virtual LAN across wired and wireless substrates and should be invisible in action. If I used this then I would not have a DMZ and a Green LAN, just a single LAN - much the same as if I just had one cable wireless router with a DMZ configuration.

I want to achieve physical and logical separation between the DMZ and the Green LAN. AFAICS this requires a firewall/router inside the DMZ to block any traffic from the DMZ to the Green LAN.

So:

a simple router/firewall connected to the cable 'modem' to provide the DMZ.

A much more sophisticated wireless router/firewall to provide a secure Green LAN inside the DMZ.

Cheers

Dave R

Reply to
David.WE.Roberts

Ah. So it's an emotional not a logical decision?

Reply to
The Natural Philosopher

If you have an old PC lying about and 4 spare NICs, you can build your own firewall to integrate 4 subnets, i.e. WAN (red), Wireless (blue/purple), DMZ (Yellow) and Intranet (green). All you need is IPCop or SmoothWall which is free and downloadable from the net.

S.

Reply to
stephenten

Similar to what I do:

  1. My own internal network.
  2. A Wifi network, which I hardly use, but visitors do.
  3. A network which runs a VoIP server (actually a Solaris zone)
  4. The Internet.

All are firewalled from each other, with different rules depending on role. Four DMZs if you like.

This requires a router with 4 separately configurable and firewallable networks. The cheapest way to build that is to use a server with an OS which is capable of doing this (just about any unix, and probably Linux, does this out of the box).

Yes. I think most of them can be configured as a router too.

Reply to
Andrew Gabriel

Well, one man's logic is another man's emotion.

I do not want to rely on a single piece of equipment, however allegedly good, to provide all my security.

There is always the risk of a duff firmware update, a mis-configuration, or a new vulnerability.

Having two devices, preferably from different manufacturers running different software, can provide enhanced security.

My security background is in big corporate systems 10 years or more back so the rules may well have changed since, but back in the day physical separation between security functions was seen as a good thing.

Cheers

Dave R

Reply to
David.WE.Roberts

As discussed down there with TNP one of my requirements is physical separation between the Internet DMZ firewall and the DMZ home (green) LAN firewall.

So a single PC, however good the software when properly configured and bug free, does not meet that requirement.

Also looking for (although not stated) small footprint low power device if possible.

Cheers

Dave R

Reply to
David.WE.Roberts

Reply to
Huge

The latter is likely to be more cost effective. Having said that what you have in mind sounds somewhat over the top for a home installation. Just curious what actual benefit this will give. They will all be connected by Ethernet that is not going to be at risk of being hacked.

Reply to
Peter Crosland

Once I open up the firewall to incoming calls then the target system is at risk of being hacked.

If that is hacked then anything else on the same LAN is visible and open to attack.

So the idea is to keep potentially vulnerable systems separate from the rest of the network.

Cheers

Dave R

Reply to
David.WE.Roberts

Look at the Juniper ns5gt, long since discontinued but readily available second-hand. I have one in my network performing a DMZ firewall role. It comes with a very steep learning curve, I have a Cisco background and it still confused the hell out of me, but it's a fabulous little device that will do everything you want plus a lot more.

Reply to
pcb1962

Alternatively, I have a Smoothwall in between my router and my LAN. I've switched the wireless interface on the (Technicolor) router off, and I have a dumb wireless AP hanging off a dedicated network interface on the Smoothwall, which runs on a cheapo PC I bought on eBay for a tenner.

The only downside is the power consumption.

Reply to
Huge

Not if it's on a different logical network.

Reply to
The Natural Philosopher

Should be no problem. It is becoming more and more common to see wireless support included by default in commodity routers, but it's still by no means ubiquitous.

A quick search of the usual suspects shows me quite a few ethernet routers with built-in switches in the sub-£20 bracket.

I'm not sure that that's the best way to go -- the physical separation is largely illusory -- you'll still be on the same LAN, albeit on a different subnet -- and you'll have an additional device sitting there drawing power. I should have thought that it would be better to have just one -- good quality - router that supported the notion of a DMZ out of the box.

You can definitely do better than that!

Does (say) this:

formatting link

do what you want? It's £8.50.

Cheers, Daniel.

Reply to
Daniel James

Yes - updated my post soon after making it with Broadbandbuyer links to TP-Link firewall/routers.

With respect, only the 'green' router will be on the same LAN (i.e. the DMZ) but it will be a firewall/router designed to face t'Internet directly and only the WAN side will be on the DMZ.

All other devices will be on a completely different (green) LAN (not just a different sub-net).

So should the server sitting in the DMZ be compromised, it is still in the same position as an attacker on t'Internet trying to get into your home LAN (if you don't have a DMZ and don't have any incoming ports opened).

A compromised server in the DMZ can use your bandwidth to do bad things but it shouldn't be able to attack your other PCs/tablets etc.

I will attempt (but probably fail) ASCII art :-)

t'Internet
    |
First Firewall/Router
    |----DMZ with VPN/web/etc server
Second Firewall/Router
    |-----Internal PCs etc.

So if this comes out O.K. you should be able to see that the 'green' firewall sits physically between the DMZ and the Green LAN so that the two share no common cabling (physical network).

If you are on a separate physical network then same/different subnet ceases to be a major issue as long as the firewall is doing its job.

Cheers

Dave R

Reply to
David.WE.Roberts
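
The two layouts discussed in this thread can be compared with a small reachability model. This is an added example, not code from any poster: the host names, segment names and the simplified NAT rule (LAN to WAN allowed, WAN to LAN only for a port-forwarded host) are assumptions, and attacks on a router's own management interface are not modelled.

```python
from collections import deque

class NatFirewall:
    """NAT router: LAN->WAN always allowed, WAN->LAN only to forwarded hosts."""
    def __init__(self, wan, lan, forwards=()):
        self.wan, self.lan, self.forwards = wan, lan, set(forwards)

    def permits(self, from_seg, to_seg, dst_host):
        if (from_seg, to_seg) == (self.lan, self.wan):
            return True                      # new outbound connection
        if (from_seg, to_seg) == (self.wan, self.lan):
            return dst_host in self.forwards # inbound needs a port-forward
        return False

def can_initiate(src, dst, hosts, firewalls):
    """True if host `src` can open a new connection to host `dst`."""
    start, goal = hosts[src], hosts[dst]
    seen, queue = {start}, deque([start])
    while queue:
        seg = queue.popleft()
        if seg == goal:
            return True                      # same segment: no firewall in path
        for fw in firewalls:
            for nxt in (fw.wan, fw.lan):
                if nxt not in seen and fw.permits(seg, nxt, dst):
                    seen.add(nxt)
                    queue.append(nxt)
    return False

# Constructed topologies. TWO_TIER is the two-router layout in the ASCII art;
# SINGLE_ROUTER is one consumer router with a "DMZ host" on the shared LAN.
TWO_TIER = dict(
    hosts={"attacker": "internet", "server": "dmz", "pc": "green"},
    firewalls=[NatFirewall("internet", "dmz", forwards={"server"}),
               NatFirewall("dmz", "green")],
)
SINGLE_ROUTER = dict(
    hosts={"attacker": "internet", "server": "lan", "pc": "lan"},
    firewalls=[NatFirewall("internet", "lan", forwards={"server"})],
)

def audit(topology):
    """Map each (src, dst) pair of interest to whether src can reach dst."""
    pairs = [("attacker", "server"), ("attacker", "pc"), ("server", "pc"),
             ("pc", "server"), ("server", "attacker")]
    return {p: can_initiate(*p, **topology) for p in pairs}

if __name__ == "__main__":
    for name, topo in (("two-tier", TWO_TIER), ("single router", SINGLE_ROUTER)):
        print(name, audit(topo))
```

The only pair that differs between the two layouts is `("server", "pc")`: with a single router the exposed server shares a segment with the PCs, so no firewall sits in that path.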

I have an unused (i.e. new) Draytek 2820 (not the N version, which has wireless), which can be configured as a cable router. Draytek have a good rep. for their firewalls. Going cheap. Interested?

Reply to
Rob

Thanks :-)

At the moment I am being tempted by TP-Link firewall/routers at under £15 but have to find a way to check their effectiveness and facilities against other more expensive options.

So I am interested but still researching.

Kind of you to offer.

Cheers

Dave R

Reply to
David.WE.Roberts
