I have posted this because there are so many options available on so many devices within my network and I seek some guidance, please.
At present my NAS with data and media server has a LAN connection to my private subnet. I can access the NAS in order to upload backups and new multimedia data. At present I use rsync with the luckyBackup GUI. I use these data with various renderers, normally using a phone app as control point.
I now wish to share these data with colleagues who do not have access to my private network. The intention is that these colleagues can “read” the data but not edit or delete it. These colleagues already have access, using WiFi, to another subnet which is hidden but available to colleagues, so I want to put the NAS on their subnet.
My thinking is that I have one home on the colleagues’ subnet on the NAS and the second home on my private subnet. I can then configure explicit rules between the two hosts to control the traffic between the hosts.
If I’m reading you correctly, your colleagues are reasonably local – not physically located on the other side of the planet …
These colleagues already have access, using wifi, to another subnet
Consider setting up the WiFi access to the other subnet to use a MAC address filter – only known devices (MAC addresses) are allowed to access it {with the correct SSID and password}.
Mirror the data you want to share to a server in that subnet.
If you happen to extend the list of colleagues to people located on the other side of the planet, check if your ISP offers a Cloud service for small amounts of data.
Which is why one uses a list of trusted MAC addresses – with “normal” WiFi “secrets” – a sensible, complicated enough, password …
Even if, somehow, a stranger has got their hands on the WiFi password, they’re still not allowed to access that WLAN because their MAC address ain’t on the list …
Yes, yes, if they manage to spoof a valid MAC address then they can access that WLAN but, that’s effort and probably means that they’ve “coerced” at least one of your colleagues – regularly inspect your colleagues for signs of mistreatment, torture and other signs of coercion …
I am missing something here. All “guests” must be given the WiFi password in order to be able to gain internet access through our portal. At present the traffic from “guests” is routed more or less directly to the WAN. I want the guests to be able to benefit from a service which is shared from my private subnet but not be able to interfere with that service or look behind it into my subnet.
Then, you’ll have to set up a firewall demilitarised zone, attach the WLAN to the firewall DMZ and set up a mirror server within the DMZ for the service you want to share from your private subnet.
That is what I had imagined but I cannot remember how this was done. I just remember using a two-homed host and wrestling with a stack of rules, but this was going back nearly 20 years and when I was using OS/2. I now have many more choices to play with, from the UTM firewall router and several switches below. I just thought using two NICs might be neat and keep everything within the one system. Trouble is I am more forgetful these days and not sure where to start. Are there any wikis I could start from?
Hi dcurtisfra,
Many thanks for the links and reading matter. Slightly overwhelmed but exactly on point.
My network has a UTM as firewall router supporting 7 subnets and connecting several L2+ managed switches (Netgear and older HP devices) but no true L3 devices, and I am also short of physical ports at some locations. I do however have two ports on my server machine and only one is being used, so the second port could be plugged into the “guest” subnet. It is how I then work the magic within my box to arrange the connection. Could that be a plan and can you help, using my openSUSE Leap 15.3 system?
I shall meanwhile read more about the Netgear devices I have to see what options are available from within the switch.
Many thanks again,
Budge.
dmz
For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network.
Only selected incoming connections are accepted.
I am trying to develop my plan using the resources I have available where possible. The suggestion from dcurtisfra appears to be the right way forward for me, but I am extending this discussion here in the hope that I can sort out the details and my errors will be identified.
I already have the multimedia data on a Leap 15.3 machine which is on my private subnet. This is backed up to a NAS which is also on my private subnet and has, in the past, hosted a media server.
All the WiFi APs, through which guests connect to the WAN, are on another dedicated subnet. At present the APs are configured for privacy and with L2 isolation of the LAN.
It seems to me that from my position on the private network, the guests’ subnet looks like a DMZ, so if I put a server mirror on the guest subnet it would provide most of what is required to the guests. I would not need to get involved in the complexity of a dual-homed host or similar. All I would need to do with this plan is to configure the connections between the subnets to ensure the data mirroring is secure.
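The plan sketched in the two posts above (dcurtisfra’s “mirror server in the DMZ, only selected incoming connections” and Budge’s “mirror on the guest subnet, secure the mirroring between subnets”) can be written down concretely for a Leap 15.3 host. The script below is an added example, not configuration posted by either participant or shipped by openSUSE. All addresses, interface names and paths are assumptions: eth1 is the NIC plugged into the guest subnet, 192.168.50.0/24 is the guest WiFi subnet, 192.168.50.10 is the mirror host’s address there, 192.168.10.0/24 is the private subnet, and /srv/mirror holds the copy of the media. It shows three things: a firewalld dmz zone on the guest-facing interface that accepts rsync only from the guest subnet and ssh only from the private subnet; an rsyncd module that is read-only and bound only to the guest-side address, so guests can read but never write and the daemon is not reachable from the private interface; and the mirror push, run from the private side with --delete, so nothing on the guest subnet ever has to initiate a connection into the private subnet.

```shell
#!/bin/sh
# Added example (not from the forum thread or from openSUSE): the
# "read-only mirror in the DMZ" plan as firewalld + rsyncd configuration.
# Everything below is a hypothetical layout; adjust to your own network.
set -eu

GUEST_IF=eth1                  # second NIC, cabled to the guest subnet
GUEST_NET=192.168.50.0/24      # guest WiFi subnet
GUEST_ADDR=192.168.50.10       # this host's address on the guest subnet
PRIVATE_NET=192.168.10.0/24    # private subnet that pushes the mirror
MIRROR_PATH=/srv/mirror        # local copy of the media, written only by the push

# 1. firewalld: guest-facing NIC goes into the dmz zone. The dmz zone allows
#    ssh by default, so drop that and re-add it only for the private subnet
#    (needed for the rsync-over-ssh push). Guests get exactly one service,
#    the rsync daemon. Rules are printed for review; apply with: ... | sh
dmz_firewall_rules() {
    cat <<EOF
firewall-cmd --permanent --zone=dmz --change-interface=$GUEST_IF
firewall-cmd --permanent --zone=dmz --remove-service=ssh
firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" source address="$PRIVATE_NET" service name="ssh" accept'
firewall-cmd --permanent --zone=dmz --add-rich-rule='rule family="ipv4" source address="$GUEST_NET" service name="rsyncd" accept'
firewall-cmd --reload
EOF
}

# 2. rsyncd.conf for the mirror host: bind only to the guest-side address so
#    the daemon is invisible on the private interface; the module is read-only
#    and answers only to the guest subnet. Guests fetch with
#    rsync rsync://$GUEST_ADDR/media/ ./media/
write_rsyncd_conf() {
    dest="$1"
    cat >"$dest" <<EOF
# read-only media share for the guest subnet (generated example)
address = $GUEST_ADDR
use chroot = yes
uid = nobody
max connections = 8
log file = /var/log/rsyncd.log

[media]
    path = $MIRROR_PATH
    comment = shared media (read-only)
    read only = yes
    list = yes
    hosts allow = $GUEST_NET
    hosts deny = *
EOF
}

# 3. The mirror push, run from the private host (e.g. from a cron job or the
#    luckyBackup GUI). The private side initiates; the DMZ host never
#    connects inwards. --delete keeps the mirror identical to the master,
#    --chmod strips write bits from the copies on the mirror.
mirror_push_cmd() {
    src="$1"
    mirror_host="$2"
    printf 'rsync -a --delete --chmod=D755,F644 %s/ %s:%s/\n' \
        "$src" "$mirror_host" "$MIRROR_PATH"
}

# Demo: write the generated files into a scratch directory for inspection.
WORK="$(mktemp -d)"
dmz_firewall_rules >"$WORK/firewall.sh"
write_rsyncd_conf "$WORK/rsyncd.conf"
mirror_push_cmd /srv/media mirror.example >"$WORK/push.sh"
echo "generated firewall.sh, rsyncd.conf and push.sh under $WORK"
```

The UTM then only needs one rule between the two subnets: allow ssh from the private subnet to 192.168.50.10, and nothing from the guest subnet towards the private one. If the renderers need a DLNA/UPnP media server rather than rsync, the same pattern applies: run it on the mirror host, bind it to the guest-side address, and add only that service to the dmz zone.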