DMZ & Secure zones in home LAN


Odyssey

I have the following groups of devices on my LAN:

1) WiFi router, TIVO, Aluratek Internet Radio

2) 1 Linux and 2 Windows XP computers

3) Apple Mac Mini (used solely for photos and online banking)

I want Group 1 to be in a DMZ, isolated from Groups 2 & 3, and want to be able to use the Apple as the only device online when doing banking.

I am thinking of this setup:

Switch #1 to the WAN and connected to:

- Router #1 for Group 1 (this is the wireless router)
- Router #2 for Groups 2 & 3 (this router wired only)

Behind Router #2:

- using one port for Switch #2 for all of the Group 2 devices
- using one port for the Apple Mac Mini

The plan is that Group 1 should not have access to Groups 2 & 3 at any time, AND any time banking is to be done:

- Router #1 is unplugged from Switch #1 AND
- Switch #2 is unplugged from Router #2

leaving only the Apple online and only requiring unplugging of two ethernet cables.

This may seem like equipment overkill, but I have all the switches and routers that are needed, most of which are unused at the moment.

I don't understand enough about switches and routers to know whether one port of either device is effectively isolated from the other ports of the same device. So my question is how to improve/simplify the setup without compromising the objectives, or is this perhaps the minimum configuration to meet the objectives?
 
A router *MUST* be the first device attached to the modem; a switch or router can then be attached to the first router.

A DMZ is an "open" system which sees everything, and therefore is only protected by its firewall.
For the normal home user, the DMZ is not the first (or best) choice.

Code:
modem====router#1 ==== router#2 - - - up to four wired devices
             |           |
             |           + ----- wifi connections :: group 1 devices -- up to ten connections
          group 2
          -----+-----
         +          +
           (you can place 3 devices here w/o a switch)

The router#1 connection to the modem will have a public IP provided by your ISP.
You set the LAN side IP address for the router (suggest 192.168.1.1)
and the DHCP range for all the systems that attach to it (eg: 2-9).

router#2 will have its own IP address;
suggest 192.168.2.1 (notice the 3rd digit is the sequence of devices from the modem,
which clarifies the layout).

The WAN connection on router#2 can be static and must be at least +1 to the DHCP range
(eg 192.168.1.20).
You manage the WAN side configuration manually:
set the gateway = router#1 address (192.168.1.1)
set the mask 255.255.255.0
set the DNS addresses to the same (192.168.1.1)

The DHCP range for router#2 can be large, but suggest not;
restrict the DHCP range to one more than you have devices AND
use MAC filtering to ensure that ONLY your devices can make a connection
(this is another control, and encryption is yet another).

Let router#2 manage the LAN side.

As an extra step, set all firewalls to deny access from all 192.168.2.0/24

Conditions from the above:
all devices can have Internet Access
group#2 devices can not see or share resources from group#1

no wiring or power-off conditions are required to isolate one group from the other.
 
Oops; I got it backwards :( It should be:
Code:
modem====router#1 ==== router#2
           |                 |
           |                 +---- group 2 --- wired connections
           |
           + ----- wifi connections :: group 1 devices -- up to ten connections

Not only can you avoid fooling with the firewalls in the systems, but systems in group 1
cannot even ping systems on group 2; there's no routing unless you force one.
Each router has a default route causing traffic from the LAN side to move to the WAN side,
and thus a system on 192.168.1.x can NEVER access 192.168.2.x.

The isolated systems are always on the last router in the chain.
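The reachability argument in the reply (each router's default route carries LAN traffic to its WAN side, so 192.168.1.x never reaches 192.168.2.x), as an added example that is not part of the original thread: a small forwarding simulation of the modem > router#1 > router#2 chain that walks a new connection attempt hop by hop, applying longest-prefix routing, source NAT on each router's WAN side, and the rule that an unsolicited packet entering a NAT router on its WAN side is dropped. It goes a little beyond the reply: it also shows what happens if you do force a static route on router#1, and which source address group 1 sees when group 2 talks to it. The subnets and router addresses follow the reply's suggested layout; the host addresses 192.168.1.7 (a group-1 device) and 192.168.2.5 (the Mac Mini), the ISP addresses 203.0.113.x and the bank address 198.51.100.10 are made-up documentation addresses, and the node names are this example's own.

```python
import ipaddress

# Private (RFC 1918) space that no ISP will carry for you.
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Node:
    """A host or router: interfaces (segment -> address) and a forwarding table."""

    def __init__(self, name, ifaces, routes, nat_wan=None):
        self.name = name
        self.ifaces = ifaces
        # routes: (prefix, kind, target); kind "segment" = deliver directly on that
        # segment, "via" = hand the packet to the named router
        self.routes = [(ipaddress.ip_network(p), k, t) for p, k, t in routes]
        self.nat_wan = nat_wan  # segment this node NATs on (its WAN side); None for hosts

    def lookup(self, dst):
        """Longest-prefix match, like a real forwarding table."""
        best = None
        for net, kind, target in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, kind, target)
        return best[1:] if best else None


def build(router1_static_route=False):
    """Constructed topology from the reply's layout (host/ISP addresses are assumptions):
    "lan1" is router#1's LAN, 192.168.1.0/24, carrying the wifi group-1 devices and
    router#2's WAN port (192.168.1.20); "lan2" is router#2's LAN, 192.168.2.0/24.
    203.0.113.x / 198.51.100.x are documentation addresses standing in for the ISP."""
    r1_routes = [("192.168.1.0/24", "segment", "lan1"), ("0.0.0.0/0", "via", "isp")]
    if router1_static_route:  # the route the reply says you would have to "force"
        r1_routes.insert(0, ("192.168.2.0/24", "via", "router2"))
    nodes = [
        Node("isp", {"wan": "203.0.113.1"}, [("0.0.0.0/0", "segment", "internet")]),
        Node("router1", {"wan": "203.0.113.50", "lan1": "192.168.1.1"}, r1_routes, nat_wan="wan"),
        Node("router2", {"lan1": "192.168.1.20", "lan2": "192.168.2.1"},
             [("192.168.2.0/24", "segment", "lan2"), ("192.168.1.0/24", "segment", "lan1"),
              ("0.0.0.0/0", "via", "router1")], nat_wan="lan1"),
        Node("tivo", {"lan1": "192.168.1.7"},  # group 1, on the wifi router (made-up address)
             [("192.168.1.0/24", "segment", "lan1"), ("0.0.0.0/0", "via", "router1")]),
        Node("macmini", {"lan2": "192.168.2.5"},  # group 3, behind router#2 (made-up address)
             [("192.168.2.0/24", "segment", "lan2"), ("0.0.0.0/0", "via", "router2")]),
    ]
    return {n.name: n for n in nodes}


def trace(nodes, src, dst):
    """Follow a *new* (unsolicited) connection from host `src` toward address `dst`.
    Returns (hops, verdict, source address as seen by the last hop)."""
    dst = ipaddress.ip_address(dst)
    node = nodes[src]
    seen_src = next(iter(node.ifaces.values()))  # hosts have one interface
    path = [src]
    for _ in range(8):  # more hops than the chain has; guards against a routing loop
        route = node.lookup(dst)
        if route is None:
            return path, "no route", seen_src
        kind, target = route
        nxt = nodes[target] if kind == "via" else None
        egress = target if kind == "segment" else next(s for s in node.ifaces if s in nxt.ifaces)
        if node.nat_wan == egress:
            seen_src = node.ifaces[egress]  # source NAT: leaving through the WAN side
        if kind == "segment":
            if target == "internet":
                if any(dst in net for net in RFC1918):
                    return path, f"dropped: {dst} is RFC 1918 space, not routed on the Internet", seen_src
                return path, "delivered to the Internet", seen_src
            host = next((n for n in nodes.values() if n.ifaces.get(target) == str(dst)), None)
            if host is None:
                return path, f"unreachable: no {dst} on {target}", seen_src
            return path + [host.name], "delivered", seen_src
        if nxt.nat_wan == egress:
            # Entering a NAT router on its WAN side with no state and no port forward
            return path + [nxt.name], f"dropped: unsolicited inbound on {nxt.name} WAN side", seen_src
        path.append(nxt.name)
        node = nxt
    return path, "routing loop", seen_src


if __name__ == "__main__":
    for forced in (False, True):
        nodes = build(router1_static_route=forced)
        print(f"--- router#1 static route to 192.168.2.0/24: {forced}")
        for src, dst in [("tivo", "192.168.2.5"), ("macmini", "192.168.1.7"),
                         ("tivo", "192.168.1.20"), ("macmini", "198.51.100.10")]:
            hops, verdict, seen = trace(nodes, src, dst)
            print(f"{src} -> {dst}: {' > '.join(hops)}; {verdict}; source seen as {seen}")
```

Four things the run makes visible that the diagram alone does not. First, the isolation is one-way: a group-1 device sending to 192.168.2.x is handed by router#1 to the ISP and dies there, while the Mac Mini on 192.168.2.x reaches 192.168.1.x through router#2 without trouble, which is exactly why the banking machine belongs on the last router in the chain. Second, even a forced static route on router#1 only gets the packet as far as router#2's WAN port, where it is dropped as unsolicited inbound, provided router#2 has no port forward or DMZ-host setting pointing into 192.168.2.0/24. Third, traffic from group 2 arrives on group 1 with router#2's WAN address 192.168.1.20 as its source, so a filter on a group-1 machine keyed on 192.168.2.0/24 would match nothing; key it on 192.168.1.20 instead. Fourth, router#2's own WAN address is reachable from group 1, so turn off administration on router#2's WAN interface.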