On 2020-02-03, Denis <den...@mindall.org> wrote:

> Some hosts should be limited in internet access and/or local access or
> simply be restricted in some way because they are untrusted.
>
> I'm looking for a possibility to isolate untrusted inside LAN using any
> approach applicable. How do people isolate undesirable hosts in their
> networks?

Put hosts with different trust requirements into different networks
at the IP level, connected to a central gateway where you can easily
permit/deny traffic between them.  Use VLANs to separate the IP
networks.

For example, my home network is split into three networks:

* Trusted hosts.  These are allowed to initiate traffic to the
  Internet and to the other networks.

* Untrusted hosts with outside access.  These are allowed to initiate
  traffic to the Internet at large, but not to the other networks.
  This is mostly my wi-fi.  Also a RIPE Atlas probe.

* Untrusted hosts without outside access.  These cannot initiate
  traffic to any destination outside their network.  Includes my
  printer and the SIP phone[1] for my "landline".

That's three vlan(4) interfaces on my gateway, which provides basic
DHCP/SLAAC, DNS, NTP services on all of them and has a small pf(4)
ruleset to enforce the restrictions above about who can start talking
to whom.


[1] A SIP phone that is not allowed to talk to the outside may seem
    surprising, but it only needs to talk to siproxd on the gateway,
    and siproxd is required for NAT traversal anyway.
-- 
Christian "naddy" Weisgerber                          na...@mips.inka.de
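As an added illustration of the three-network layout described in the reply (this is not naddy's actual ruleset and was not part of the original message), here is a pf.conf(5) fragment that expresses the same policy. Interface names (em0 as the uplink, vlan10/20/30 as the three VLANs), the RFC 5737 / 2001:db8:: example prefixes in the table, and the single SIP port opened towards siproxd are all assumptions chosen for the example; adjust them to the real addressing and to siproxd's configured RTP port range.

```pf
# Example pf.conf for a three-VLAN gateway (editor's example, not naddy's config).
# Assumed interfaces: em0 = uplink, vlan10 = trusted, vlan20 = untrusted
# with outside access, vlan30 = untrusted without outside access.
# Each vlan(4) is assumed to come from an /etc/hostname.vlanN file such as
#   vnetid 10 parent em1 inet 192.0.2.1 255.255.255.224
ext_if      = "em0"
trusted_if  = "vlan10"
guest_if    = "vlan20"
isolated_if = "vlan30"
lan_ifs     = "{ vlan10 vlan20 vlan30 }"

# Every prefix that lives behind the gateway (assumed example addressing).
# Used to keep the guest network from initiating traffic to the LANs.
table <lan_nets> const { 192.0.2.0/27, 192.0.2.32/27, 192.0.2.64/27, \
                         2001:db8:0:10::/64, 2001:db8:0:20::/64, 2001:db8:0:30::/64 }

set skip on lo
set block-policy drop

# IPv4 NAT for the two networks that are allowed out; the isolated network
# deliberately has no NAT entry at all.
match out on $ext_if inet from { $trusted_if:network, $guest_if:network } nat-to ($ext_if)

# Default deny; everything below is an explicit exception.  pf is last-match,
# so the per-interface rules further down decide what may be initiated.
block log all
antispoof quick for $lan_ifs

# Traffic leaving the gateway itself (replies, RAs, forwarded flows) is not
# restricted here: the "pass in" rules on each VLAN are the policy.
pass out

# Services the gateway offers on every VLAN: DHCP, DNS, NTP and the ICMPv6
# neighbour/router discovery that SLAAC needs.
pass in on $lan_ifs inet  proto udp from port bootpc to port bootps
pass in on $lan_ifs proto { tcp, udp } from any to (self) port domain
pass in on $lan_ifs proto udp from any to (self) port ntp
pass in on $lan_ifs inet6 proto icmp6 all icmp6-type { routersol, neighbrsol, neighbradv }

# Trusted network: may initiate anything, including into the other VLANs.
pass in on $trusted_if from $trusted_if:network to any

# Guest network: may initiate to the Internet, but not to any LAN prefix.
pass in on $guest_if from $guest_if:network to ! <lan_nets>

# Isolated network: no general pass rule, so only the gateway services above
# are reachable.  The SIP phone additionally talks to siproxd on the gateway
# (port 5060/udp assumed; siproxd's RTP relay range would need a matching
# rule, omitted here because it is site-specific).
pass in on $isolated_if proto udp from $isolated_if:network to (self) port sip
```

Because pf evaluates the `pass in` rule on the interface a packet arrives on, the destination restriction on the guest rule and the absence of any general rule on the isolated VLAN are what enforce the two "cannot initiate" cases; `pfctl -nf /etc/pf.conf` checks the syntax and `pfctl -s rules` shows the expanded ruleset after loading.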
