[TriLUG] Network configuration help?

Aaron Joyner via TriLUG trilug at trilug.org
Fri Apr 30 10:53:27 EDT 2021


If you connect the ZyXEL router's WAN port to your internal ethernet
network, clients who connect to the ZyXEL's WiFi network will have access
to the internal ethernet network.  With the ZyXEL acting as a router they
won't be in the same broadcast domain, so they won't see e.g. printers via
mDNS, and they might not have the same DNS server, but that's only security
through obscurity.  It only makes discovery slightly harder; it does not
hamper the ability to connect.  You'll be able to ping hosts on the wired
subnet, connect to its webservers or fileservers, etc.

As Wes mentioned while I'm typing this, if you can separate that ZyXEL
router's WAN port at the switch layer, by placing it in a separate VLAN,
you might be able to provide some actual segmentation.  If you can
accomplish that, you can probably simplify things and just plug the ZyXEL's
LAN port into the VLAN'd port, turn off its DHCP functionality, and just
use it as an overglorified access point.  It'll happily bridge traffic
between the wired and wireless interfaces, and you can lean on the switch
to provide L2 segmentation, and the upstream router to provide services
such as DHCP and DNS.  My intuition is that you probably don't have a
managed L2 network with VLANs, or a router that would comfortably handle
multiple subnets on separate VLANs, though...

Aaron S. Joyner

On Fri, Apr 30, 2021 at 10:41 AM Brian McCullough via TriLUG <
trilug at trilug.org> wrote:

> On Fri, Apr 30, 2021 at 10:13:03AM -0400, Triangle Linux Users Group
> discussion list wrote:
> > What's your objective for the guest network, Brian?  Do you want it to be
> > segmented from the internal network?  Have a bandwidth limit?  Have open
> > access, or a more-frequently rotated password?  Some or all of those?
>
> Primarily the isolation -- give it access only to the Internet.  No
> communication with the wired network, except through external addresses.
>
>
> Thank you both.
>
>
> > On Fri, Apr 30, 2021 at 10:05 AM Wes Garrison via TriLUG <
> trilug at trilug.org>
> > wrote:
> >
> > > Some routers won't accept a private IP on their WAN interface.
> > >
> > > See if there's a setting for blocking "bogon" networks or private
> networks,
> > > possibly on the firewall tab.
>
> I think that I saw that, yes.  Didn't think of it.
>
> I will try and see what I can see.
>
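To confirm from a guest Wi-Fi client whether the wired subnet is actually unreachable, as opposed to merely hidden from discovery as the message above describes, here is an added example that is not part of the original thread. The function names, the port list, and the addresses passed on the command line are assumptions of this example.

```python
import ipaddress
import socket
import sys

# Services of the kind the message names (web servers, file servers), plus
# printing. The port selection is an assumption of this example.
PORTS = {80: "http", 443: "https", 445: "smb", 631: "ipp", 2049: "nfs"}


def tcp_open(host, port, timeout=1.0):
    """True if a TCP handshake with host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, filtered
        return False


def find_leaks(wired_cidr, hosts, ports=PORTS, timeout=1.0):
    """Run on a guest client. Returns (host, port, service) for every wired
    service that answered; an empty list means no probe got through."""
    net = ipaddress.ip_network(wired_cidr)
    addrs = [ipaddress.ip_address(h) for h in hosts]
    # Reject targets outside the wired subnet first, so a mistyped address
    # cannot turn into a misleading "isolated" result.
    for a in addrs:
        if a not in net:
            raise ValueError(f"{a} is not in {net}")
    return [(str(a), p, name)
            for a in addrs
            for p, name in sorted(ports.items())
            if tcp_open(str(a), p, timeout)]


if __name__ == "__main__":
    # usage: check_guest.py <wired CIDR> <wired host IP> [<wired host IP> ...]
    leaks = find_leaks(sys.argv[1], sys.argv[2:])
    for host, port, name in leaks:
        print(f"REACHABLE {host}:{port} ({name})")
    print("guest network is NOT isolated" if leaks
          else "no tested wired service answered")
    sys.exit(1 if leaks else 0)
```

An empty result only covers the hosts and ports that were probed, so list wired hosts known to be running one of these services.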

