What kind of switch do I need to do this?

This may be really simple, but before I buy anything, here's an overview of my network setup:

I have a single cat6a ethernet cable from the ISP router to my server which acts as a firewall, nas and VPN.

The idea was that everything would go through this. Unfortunately, I had FTTP installed and they couldn't practically install the box on the wall on the side of the house I wanted them to, which means I have this setup. It's fine, but PC1 connects directly through the ISP router to access the internet; it's not behind the firewall and I don't want to open my NAS up to connections from the ISP router end. I'd run another cable, but unfortunately I've just had the floors redone as I thought I'd got all the network infrastructure sorted.

Is it possible to have the equivalent of two cables so that the traffic for PC1 follows the orange arrow in this diagram?



I obviously need some additional hardware here. Can I do this with a cheap gigabit switch or do I need something more fancy? I want to be able to block all connections from the ISP router to the server, and outbound connections from PC1 should go via the VPN running on the server. Using WiFi on PC1 would solve the problem, but I'd rather not do that as it's a tiny HTPC and would need an external adapter.



Thanks for any advice!
 
Your ISP router is a firewall [caveat: unless it's running in Modem-only mode].
You then have another firewall / router behind that.
Which is typically Double-NAT and asking for issues.

Your network switches are to connect things at the physical layer. They make a network.
Your routers are to push packets around from one network to another.
 
It is, but I only want it to act as internet in. The server has two network cards, one which connects to the ISP router and one to the switch/WAP. The server is acting as the router here for most of the network; it gets an IP from the ISP router but is the DHCP server for all the devices on the network apart from PC1.
 
I get what you're trying to do, but your network layout is "wrong".

You want to be ISP router <--> your router/dmz/whatever <--> your network
In the world of DSL and ADSL, you'd put the ISP router in modem-mode, and simplify that way.
No idea if you can do that with your ISP kit, especially if it's new-fangled FTTP. Someone more knowledgeable will probably come along and comment, if you can tell 'em who your ISP is or what box they gave you.

And depending on what those switches are on your diagram, it's possible you could do what you're trying to do with VLANs, separating your network into an 'inside' and a 'going to the internet', but that's dependent on what they are and your technical abilities.
 
Or bonkers suggestion. Leave it as it is, hardcode an IP on PC1, take off the default gateway from your PC1 settings, leaving it only able to talk to your ISP router and your nas/router/firewall, and fire up a vpn client on PC1 to connect to your internal VPN.

This is all based on the theory your orange colour network and white colour network go into different network cards on your server.

It's not pretty but means no cable or kit moving.
 
Thanks for the suggestions!

> I get what you're trying to do, but your network layout is "wrong".

Yeah, that was my original plan. I had intended FTTP to be installed so that I could plug the connection straight into the server, then the cable connecting PC1 would go to the switch. Unfortunately I hadn't realised that the extension I wanted them to install it onto wasn't tall enough for the wire from the telegraph pole so they had to put it on the other side of the house :(

> The path of least resistance, could you connect PC1 over wifi?

Yeah, that would solve it. Not ideal as it's an HTPC used to stream from my NAS, so I wanted the speed of ethernet ideally, and the cable is there so it's frustrating not to use it if it's possible.

> This is all based on the theory your orange colour network and white colour network go into different network cards on your server.

The server has 3 network ports so should be fine. The current layout is that I have one adapter for the switch and one for the ISP router, and the server bridges the connections, puts them in firewall zones, runs a VPN client for the whole network, and provides DHCP to the devices on the switch. Works fine except for the location of PC1.

My current switch is a cheap 5 port unmanaged one so can't do VLANs or anything, but looking that up might be the best option. In theory I should just be able to get a cheapish managed switch that supports VLANs and configure the same VLANs on my server (running CentOS), right? Everything else looks like it can stay the same. Or do I need a pair of switches that support VLANs and then plug two cables into the server?


The ISP router is a TUF-AX3000 V2 so not completely terrible but it doesn't look like it can do vlan, and to install custom firmware on it I'd need to somehow extract the username/password for the connection (I tried connecting up another old router I had lying around, it asks for the username and password).
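One way to set up the server side of the VLAN-over-one-cable option discussed above, added here as an example and not something any poster ran. It assumes a small managed switch next to the ISP router with the router port untagged in VLAN 10, the PC1 port untagged in VLAN 20, and a tagged trunk to the server NIC (called eth0 here); the VLAN ids, connection names and the 192.168.20.1/24 address are constructed.

```shell
#!/bin/sh
# Added example: VLAN sub-interfaces on the CentOS server's single trunk NIC,
# each placed in a firewalld zone via NetworkManager. Assumed/constructed:
# eth0 = NIC on the cable to the managed switch, VLAN 10 = ISP router side,
# VLAN 20 = PC1 side, 192.168.20.1/24 = server address on the PC1 segment.
# Without APPLY=1 the script only prints the commands it would run.
TRUNK_IF="${TRUNK_IF:-eth0}"
WAN_VID=10      # ISP router port: untrusted, treated as WAN
PC1_VID=20      # PC1 port: treated as part of the internal LAN

# Emit the NetworkManager commands for one 802.1Q sub-interface on the trunk.
# $1=VLAN id  $2=firewalld zone  $3=connection name  $4...=extra nmcli settings
vlan_cmds() {
  vid=$1; zone=$2; name=$3; shift 3
  printf '%s\n' \
    "nmcli connection add type vlan con-name $name ifname $TRUNK_IF.$vid dev $TRUNK_IF id $vid${*:+ $*}" \
    "nmcli connection modify $name connection.zone $zone"
}

# WAN VLAN: DHCP client towards the ISP router, 'external' zone, so no
# service on the server (NAS shares included) is reachable from that side.
wan_cmds() { vlan_cmds "$WAN_VID" external wan-vlan ipv4.method auto; }

# PC1 VLAN: 'internal' zone like the existing LAN NIC. The server's DHCP
# would hand PC1 an address and the server as default gateway, so PC1's
# outbound traffic leaves through the server's VPN like every other LAN host.
pc1_cmds() { vlan_cmds "$PC1_VID" internal pc1-vlan ipv4.method manual ipv4.addresses 192.168.20.1/24; }

plan() { wan_cmds; pc1_cmds; }

if [ "${APPLY:-0}" = 1 ]; then
  plan | while IFS= read -r cmd; do echo "+ $cmd"; sh -c "$cmd"; done
else
  plan
fi
```

The DHCP scope for 192.168.20.0/24 and the switch-side port VLAN membership still have to be added in the server's DHCP service and the switch's own UI, which vary by product.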
 