How can we separate devices from each other in the network?
Say we have devices like a server, *nix and Windows desktops / laptops, Linux and Android smartphones & tablets, IoT devices like TVs and sockets, networking devices like routers. Some devices we consider trusted and some untrusted.
Now I want at least to separate the untrusted devices from the trusted. Ideally even more: separating all untrusted devices from each other.
We could put the untrusted devices into an extra IP subnet, but AFAICS an untrusted device could simply register IP addresses for other IP subnets and so could access subnets it shouldn’t have access to. So I guess we need some kind of firewalling.
Which we probably need anyway, because some untrusted devices should have full internet access, others only partial, and the rest no internet access at all.
What approaches do we have? Consumer market routers are usually limited. Sometimes a DMZ can be defined, which would be a first step, but I think none of my routers can manage multiple zones. I’m not sure if any of them has a DHCP server able to give many devices an IP in an extra subnet. What they have is a function to manually define routes. I tried that once without success. I am not sure how far we could go with this.
At that point I would say to consumer users: welcome to professional level networking.
- Do we need networking equipment capable of managing virtual networks and Ethernet port security?
- Or should we run pfsense in a VM on the server and route all traffic through it? That might put the server at risk if it is not dedicated to this purpose alone.
- Or can this be achieved by dhcpd and nftables (successor to iptables) alone?
- Any other approaches?
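Added example, not from the question: an nftables ruleset for a Linux router with three VLAN interfaces (interface names and subnets are assumed) that keeps the segments apart whichever address a device gives itself and grants each segment a different level of internet access. The interface-bound anti-spoofing chain is what defeats the "register an IP from another subnet" move the question worries about.

```nft
#!/usr/sbin/nft -f
# Assumed layout of the router's interfaces (constructed for this example):
#   lan0   10.0.10.0/24  trusted
#   iot0   10.0.20.0/24  untrusted, no internet, no access to other segments
#   guest0 10.0.30.0/24  untrusted, internet only
#   wan0                 upstream link
flush ruleset
define LAN_NET   = 10.0.10.0/24
define IOT_NET   = 10.0.20.0/24
define GUEST_NET = 10.0.30.0/24
table inet filter {
    # A device may configure any address it likes, so never trust the source
    # address alone: bind each subnet to the interface it must arrive on.
    # (IPv4 only; add matching "ip6 saddr" rules if IPv6 is routed.)
    chain spoofcheck {
        iifname "lan0"   ip saddr != $LAN_NET   drop
        iifname "iot0"   ip saddr != $IOT_NET   drop
        iifname "guest0" ip saddr != $GUEST_NET drop
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        # DHCP requests arrive from 0.0.0.0, so accept them before the check
        iifname { "lan0", "iot0", "guest0" } udp sport 68 udp dport 67 accept
        jump spoofcheck
        ct state established,related accept
        # DNS served by the router to every segment
        iifname { "lan0", "iot0", "guest0" } udp dport 53 accept
        iifname { "lan0", "iot0", "guest0" } tcp dport 53 accept
        iifname "lan0" tcp dport 22 accept   # administration from trusted only
        icmp type echo-request accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        jump spoofcheck
        ct state established,related accept
        ct state invalid drop
        # trusted may reach the internet and open connections into the untrusted segments
        iifname "lan0" oifname { "wan0", "iot0", "guest0" } accept
        # guests get the internet and nothing else
        iifname "guest0" oifname "wan0" accept
        # iot0 gets no forward rule: it can only answer what lan0 opened
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "wan0" masquerade
    }
}
```

Load it with `nft -f`; devices on the same segment still talk to each other at layer 2, so separating untrusted devices from one another needs port isolation or client isolation on the switch or access point, which no router ruleset can provide.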