Hello all, I am looking into securing my LAN, given my LAN is on a single subnet. Motive: security. I haven't been hacked yet, but it's only a matter of time. Currently the only (I'll use the term loosely) security I have is that my router has the DMZ pointing to my ISPc server, so the firewall is it. My router doesn't support VPN/VLAN, but all my switches do support VLAN. How can/should I secure my network (LAN) from potential hacking from the interweb? I know that the ultimate security for all networks is to turn it off, but that doesn't make it very usable. So I'm up for suggestions as to how I should go about securing my LAN.

Interweb - Modem - Router - Switch - LAN
LAN = single subnet (users, appliances, IoT, Proxmox (with ISPc VM and many others))
Router = Vodafone Ultrahub
Modem = media converter. I'm on fiber.
Switches = L2 managed

Regards, Fred
Putting your server in the DMZ is not safe, because you will have to rely only on your server's firewall. Use port forwarding to open only the relevant ports and redirect them to your server. You should use a different port rather than the default whenever possible, for example change the SSH port 22 to another number that only you know.
Does your router have multiple physical ports? You might be able to use those to connect multiple vlans. Otherwise just replace your router, there are very capable ones available for not too much money.
Or build your own router/firewall. If you have a small old PC, you can fit multiple Ethernet cards, with multiple gigabit NICs on each card, and install Vyatta/VyOS open-source router/firewall/VPN software. Configuration is a kind of 50/50 mix of standard Linux configuration and Cisco IOS type configuration, or at least it was the last time I looked at it; it might have a GUI configuration option by now. Supports BGP, OSPF, RIP etc. Fully supports VLANs.
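As an added example (not posted by anyone in this thread), here is what the two pieces of advice above look like on a Linux box acting as the router/firewall behind the Ultrahub: the router's DMZ is replaced by explicit forwards of only 80/443 to the ISPConfig VM, and the L2 switches' VLANs separate users, IoT and servers. Interface names, VLAN IDs, the server address 192.168.30.10 and the SSH port 2222 are all assumed placeholders.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread. Assumed layout: eth0 = WAN toward the
# Vodafone router, eth1 = trunk to the L2 switches carrying VLAN 10 (users),
# VLAN 20 (IoT/appliances) and VLAN 30 (Proxmox/servers). The ISPConfig VM is
# assumed at 192.168.30.10. All addresses are constructed placeholders.
flush ruleset

define WAN    = "eth0"
define USERS  = "eth1.10"
define IOT    = "eth1.20"
define SRV    = "eth1.30"
define WEBSRV = 192.168.30.10

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # Manage the firewall only from the user VLAN, on a non-default SSH port
        iifname $USERS tcp dport 2222 accept
        icmp type echo-request accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Only traffic explicitly published with DNAT may enter from the WAN
        iifname $WAN ct status dnat accept
        # Users may reach the internet and the server VLAN
        iifname $USERS oifname { $WAN, $SRV } accept
        # IoT devices get internet only; they cannot see users or servers
        iifname $IOT oifname $WAN accept
        # Servers may reach the internet but cannot initiate toward users or IoT
        iifname $SRV oifname $WAN accept
        log prefix "fwd-drop " counter
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Replaces the router DMZ: only HTTP/HTTPS reach the ISPConfig VM
        iifname $WAN tcp dport { 80, 443 } dnat to $WEBSRV
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname $WAN masquerade
    }
}
```

Load it with `nft -f` after creating the VLAN sub-interfaces; the Ultrahub then only needs to forward 80/443 to this box instead of a DMZ host, and anything else arriving from the WAN is dropped and logged.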