Securing my devices on a shared house network

Caporegime · Joined 12 Mar 2004 · Posts 29,962 · Location England
I'm currently living in a shared house, and the private wifi network we have has had some shenanigans going on with it: weird DNS servers set on the router that have blocked some websites, as well as an unknown Ring device on the network even though we don't have a Ring doorbell.

I'm treating it as a public network at the moment, but would like to ensure a more robust protective measure for my own devices. I did consider getting a Cisco Integrated Services Router and putting all my devices on a different network, but the cheap house router supplied by the ISP doesn't support a point-to-point connection over the LAN as far as I can tell, and there's no way to manually alter the routing table on it, so the default gateway 192.168.1.1 wouldn't know how to get to 10.0.0.1 if I set up my own network using that as the default gateway, would it? It's been a while since I did my CCENT, lol.

So is the best solution to buy a firewall with switching instead and put my own wifi access point and ethernet devices behind that? I know some support a VPN as well, though I would still like to be able to access some devices on the house network like the printer.

I'm pretty sure the router supports vlans and subnets, however the house router can't be trusted as other people have access to the administrative control panel and could change the settings. Currently I'm just running a CAT8 cable from the router to a cheap switch in my bedroom.

I've heard pfSense is pretty good, but I've never used it before, whereas I'm very familiar with Cisco's OS.

Any advice would be appreciated, thanks.
 
You're likely overcomplicating this. Don't put a router behind a router (double NAT), and you don't need a 'firewall with switching' either. The theoretical 'issue' of the shared router (192.168.1.1) not knowing how to access devices behind 10.0.0.1 would in your case be a feature, not a bug - right? That's why you wanted to get your own router to begin with, to keep out untrusted devices from the shared LAN? The shared router would simply assign your router a WAN IP in the RFC1918 DHCP range, and NAT would handle the rest. As I said, though, that's a bad idea.

What device(s) are you actually connecting to the shared LAN? It sounds like software firewalls would be a better solution here. Just treat the network as untrusted/public like you said, and block all but essential communication (DHCP, ICMP, IPsec) inbound. Set DNS on a per-device level to something you trust, or run your own. I'm on holiday atm but I'm sure someone else will be along to answer you more fully soon.
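One way to apply the per-device hardening described in the reply above (treat the LAN as Public, default-deny inbound, pin DNS and check what the adapter is actually using) on a Windows PC. This is an added example, not code from the thread; it assumes the adapter facing the house network is named "Ethernet" and that 1.1.1.1 and 9.9.9.9 are the resolvers you trust, so change both to suit.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell
# prompt on Windows 10/11. $Adapter and $TrustedDns are assumptions:
# check Get-NetAdapter for the real interface alias.
$Adapter    = "Ethernet"
$TrustedDns = @("1.1.1.1", "9.9.9.9")

# 1. Classify the house LAN as Public so the Public firewall profile applies
#    (Windows otherwise relaxes inbound rules on "Private" networks).
Set-NetConnectionProfile -InterfaceAlias $Adapter -NetworkCategory Public

# 2. Public profile: enabled, unsolicited inbound blocked, outbound allowed.
#    Outbound stays open, so printing to the shared printer still works.
Set-NetFirewallProfile -Profile Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 3. Pin DNS statically on this adapter so resolvers pushed by the shared
#    router over DHCP are ignored (DHCP still supplies the IP and gateway).
#    Repeat with IPv6 addresses if the router also advertises IPv6 resolvers.
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $TrustedDns

# 4. Verify what actually applied. The DNS check doubles as a quick answer
#    to "what IP is it using?": anything outside $TrustedDns is flagged.
Get-NetFirewallProfile -Name Public |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

$Actual = (Get-DnsClientServerAddress -InterfaceAlias $Adapter `
              -AddressFamily IPv4).ServerAddresses
$Unexpected = $Actual | Where-Object { $_ -notin $TrustedDns }
if ($Unexpected) {
    Write-Warning "Unexpected DNS server(s) on ${Adapter}: $($Unexpected -join ', ')"
} else {
    Write-Output "DNS on $Adapter pinned to: $($Actual -join ', ')"
}
```

Before pinning, running only the `Get-DnsClientServerAddress` line shows the resolvers the router handed out, which is the simplest way to identify the "weird" DNS servers mentioned in the first post.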
I think a bit of the overcomplication is wanting to have a bit of a project to do heh.

The reason I wanted a hardware firewall is that if malware got onto the PC somehow, the software firewall on Windows could be compromised and the DNS settings modified. Furthermore, with some devices like games consoles there is no ability to configure a software firewall.

Devices are basically all sorts: desktop PC, laptops, phones, games consoles, TV, smart scales etc.

Also, having my own network means I can use 10Gb Ethernet for file transfers etc. on my LAN.
 
You already have a switch uplinking to the shared router, so if that's 10Gb you have the potential to transfer between your own devices at 10Gb regardless. Double NAT and an online games console won't mix, period. Mobiles are meant to connect to all sorts of public networks, that's how they work. You can tweak settings to further harden if necessary. Desktop PCs and laptops can, of course, run software firewalls. No modern Windows is going to fall to a worm or trojan just because you ran Windows Firewall instead of VyOS or whatever.

What's the situation with the actual shared router and connection? Possibility to get access to it, or install your own? Regardless, you asked for advice about adding a router behind your router, and I gave it: Don't! If you insist on tinkering and doing it anyway, have at it... But don't be surprised when it bites you on the backside at some point lol
 
I have physical access to the router, so I could put that in bridge mode and connect my gigabit Ubiquiti router to that; I suppose that could handle the NAT. I also have access to an extra public IP address, I think, but I'd just have to double check that.
 
I have physical access to the router, so I could put that in bridge mode and connect my gigabit Ubiquiti router to that; I suppose that could handle the NAT. I also have access to an extra public IP address, I think, but I'd just have to double check that.
Just no, it's not your internet connection and it's not your name on the bill.

the house router can't be trusted as other people have access to the administrative control panel
So you want to replace the ISP router and lock your house mates out of the settings because you don't trust them, why should they trust you?
What if they don't like what you are doing and decide to unplug your router and buy their own...

weird dns servers
It should be easy to look up; what IP is it using?


blocked some websites
Errr you know that all the main ISPs will block adult sites, gambling etc.. by default when a new connection is installed unless the bill payer asks them not to?

ISP filters aren't very good, so it wouldn't surprise me if the landlord is also using something like OpenDNS FamilyShield or Cloudflare's malware and adult content blocking DNS servers etc., hence the "weird" DNS servers.

The landlord probably doesn't want a knock on his door if tenants start torrenting pirated movies etc... because at the end of the day it's his name on the bill.


unknown ring device
So ask the landlord where it is?

It's probably a cam or flood light / cam combo covering the front door / driveway, but Ring also have security sensors / alarm systems.

One of the other tenants could also have an indoor Ring cam in their room because they think someone is going to nick their stuff, or have one pointing out of a window to catch people messing with their car on the driveway.

Unless you've got a peeping tom landlord that's hidden a cam somewhere, it's a non issue.

Ruckus access points have a client isolation feature which, when enabled on an SSID, prevents any local devices communicating with each other. Something like that would probably be ideal in a shared house, but it would also stop your devices connecting to each other, and I doubt your landlord is going to buy a new WiFi system.

If you are not happy sharing the house broadband then use a VPN or buy a 4G/5G router and a data sim.
 