
How can I set up my home LAN to prevent my employer sniffing all traffic? - natch
Looking for hardware solutions. I don’t want to have a dedicated firewall. A lot of what I find in Google about switches seems to say they are all about performance, but I’ve also seen hints that they might help here.

Would this work?

Example setup: Work laptop connects over WiFi to dedicated WiFi router which is then plugged into one port of a switch that is plugged into any router, hub, or switch on my main LAN.

Or is there a simpler setup?

Looking for something where I rely more on the hardware characteristics of the devices, rather than the detailed configuration settings in a router, which are more subject to changes and mistakes.
======
dylz
Plug another NAT router into your NAT router. Ensure it's not bridging.

WorkLaptop -> NAT/WifiRouter1 plugged into NAT/WifiRouter2 plugged into ISP

Make sure DHCP ranges do not overlap, and this should lazily accomplish what
you're looking for, as long as you don't port forward anything or enable UPnP
on the one WorkLaptop connects to.

A switch does not help here.

~~~
natch
Hmm, thanks. I don’t get everything here so I would invite others, even if
they have the same solution, to explain it in other words. But this helps.
Good to have the switch question tentatively cleared up.

I know what NAT is but are all routers not potentially NAT routers? Does this
just mean any old router that happens to be configured for NAT? There we get
into the (scary) configuration area I wanted to avoid but maybe if it’s just
setting the address range I can handle that much.

~~~
dylz
Most (99%+) consumer stuff will default to NATing. You can turn it off.

Usually just set something like router2 = 192.168.2.0/24, router1 =
192.168.1.0/24, and you're fine. If you don't do this, you end up with
conflicts/no route to host/no connectivity.

Do note that this is not a guarantee and a kind of side-effect. It may still
be possible to sniff all traffic, look for ARP, etc. What you really want is a
prosumer or enterprise device that can totally separate VLANs.

~~~
natch
Have any examples of any such devices on the prosumer (affordable-ish) side?
To say my “adversary” here is very sophisticated would not be overstating
things.

~~~
dylz
Sorry, didn't notice this. Cheap consumer devices - see OpenWRT's site for
compatible ones you can flash firmware onto, otherwise <$100
Edgerouter/Edgemax from UI is common.

------
pwg
> I don’t want to have a dedicated firewall.

If you want to be assured of protection, you may need to rethink this
requirement.

Network 'switches' provide some isolation, but unless you buy data-center
level networking equipment, and configure them properly, there is no way to
guarantee isolation (i.e., the isolation can be escaped when using a basic
consumer grade switch).

My setup to avoid the same issue:

fios <---> Linux router (a PC running Linux) with four ethernet cards
installed

first ethernet card connects to fios dmarc box

second ethernet card connects to my internal wired network

third ethernet card connects to an isolated wifi network

fourth ethernet card connects to cisco hardware VPN box (work provided), work
laptop connects to this hardware VPN box

Linux firewall rules set up so that the work laptop and cisco VPN box connected
to the fourth ethernet card have no access to any data on the second or third
ethernet cards and no knowledge even of the existence of those additional
ethernet cards.

Work laptop _does not_ run over wifi, ever.

This layout has the work laptop on a fully isolated, wired, network, where I
have full control over what it can see (via those Linux firewall rules).

