Securing my devices on a shared house network

I'm currently living in a shared house and the private wifi network we have has had some shenanigans going on with it, with weird DNS servers set on the router that have blocked some websites, as well as an unknown Ring device on the network even though we don't have a Ring doorbell.

I'm treating it as a public network at the moment but would like to ensure a more robust protective measure for my own devices. I did consider getting a Cisco integrated services router and putting all my devices on a different network, but the cheap house router supplied by the ISP doesn't support a point to point connection over the LAN as far as I can tell and there's no way to manually alter the routing table on it, so the default gateway 192.168.1.1 wouldn't know how to get to 10.0.0.1 if I set up my own network using that as the default gateway, would it? It's been a while since I did my CCENT lol.

So is the best solution to buy a firewall with switching instead and put my own wifi access point and ethernet devices behind that? I know some support a VPN as well, though I would still like to be able to access some devices on the house network like the printer.

I'm pretty sure the router supports VLANs and subnets; however, the house router can't be trusted as other people have access to the administrative control panel and could change the settings. Currently I'm just running a CAT8 cable from the router to a cheap switch in my bedroom.

I've heard pfSense is pretty good but I've never used it before, whereas I'm very familiar with Cisco's OS.

Any advice would be appreciated, thanks.
 
You're likely overcomplicating this. Don't put a router behind a router (double NAT), and you don't need a 'firewall with switching' either. The theoretical 'issue' of the shared router (192.168.1.1) not knowing how to access devices behind 10.0.0.1 would in your case be a feature, not a bug - right? That's why you wanted to get your own router to begin with, to keep out untrusted devices from the shared LAN? The shared router would simply assign your router a WAN IP in the RFC1918 DHCP range, and NAT would handle the rest. As I said, though, that's a bad idea.

What device(s) are you actually connecting to the shared LAN? It sounds like software firewalls would be a better solution here. Just treat the network as untrusted/public like you said, and block all but essential communication (DHCP, ICMP, IPsec) inbound. Set DNS on a per-device level to something you trust, or run your own. I'm on holiday atm but I'm sure someone else will be along to answer you more fully soon.
 
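Added example, not part of any post in this thread: a small Python check for the "weird DNS servers" problem described in the first post, following the advice above to set DNS per device to something you trust. It reads resolv.conf-style text and flags any resolver that is not on your own allowlist; the allowlist (Quad9 addresses), the function names and the sample input are assumptions made for illustration.

```python
import ipaddress

# Assumption: resolvers you chose to trust (Quad9 here, purely as an example).
TRUSTED = {ipaddress.ip_address(a) for a in ("9.9.9.9", "149.112.112.112", "2620:fe::fe")}
# Ranges a home router lives in or hands out: RFC1918, link-local, IPv6 ULA.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fc00::/7", "fe80::/10")]

def parse_nameservers(text):
    """Return nameserver entries from resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def classify(server):
    """Label a resolver: trusted, local-stub, lan-assigned, unknown-public, malformed."""
    try:
        addr = ipaddress.ip_address(server.split("%", 1)[0])  # drop IPv6 zone id
    except ValueError:
        return "malformed"
    if addr in TRUSTED:
        return "trusted"
    if addr.is_loopback:
        return "local-stub"    # local caching stub; its upstream needs checking too
    if any(addr.version == n.version and addr in n for n in LAN_NETS):
        return "lan-assigned"  # most likely pushed by the shared router's DHCP
    return "unknown-public"

def audit(text):
    """Return ([(server, verdict)], ok); ok only if every resolver is trusted."""
    results = [(s, classify(s)) for s in parse_nameservers(text)]
    return results, bool(results) and all(v == "trusted" for _, v in results)

# Constructed sample: resolver list a device might hold after DHCP on the shared LAN.
SAMPLE = """\
nameserver 192.168.1.1
nameserver 203.0.113.66   # documentation-range stand-in for an unfamiliar resolver
nameserver 9.9.9.9
nameserver fe80::1%eth0
"""

if __name__ == "__main__":
    for server, verdict in audit(SAMPLE)[0]:
        print(f"{server:20} {verdict}")
```

A "lan-assigned" result means the device is still resolving through whatever the shared router is configured with, which is the setting other housemates can change.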
I think a bit of the overcomplication is wanting to have a bit of a project to do heh.

The reason I wanted a hardware firewall is because if malware got onto the PC somehow the software firewall on Windows could be compromised and the DNS settings modified; furthermore, with some devices like games consoles there is no ability to configure a software firewall.

Devices are basically all sorts: desktop PC, laptops, phones, games consoles, TV, smart scales etc.

Also having my own network means I can use 10Gb ethernet for file transfers etc. on my LAN.
 
You already have a switch uplinking to the shared router, so if that's 10Gb you have the potential to transfer between your own devices at 10Gb regardless. Double NAT and an online games console won't mix, period. Mobiles are meant to connect to all sorts of public networks, that's how they work. You can tweak settings to further harden if necessary. Desktop PCs and laptops can, of course, run software firewalls. No modern Windows is going to fall to a worm or trojan just because you ran Windows Firewall instead of VyOS or whatever.

What's the situation with the actual shared router and connection? Possibility to get access to it, or install your own? Regardless, you asked for advice about adding a router behind your router, and I gave it: Don't! If you insist on tinkering and doing it anyway, have at it... But don't be surprised when it bites you on the backside at some point lol
 