Logically separate computer and other devices

  • I would like to separate my computers from the other devices in the network, so that my computers are better protected if another device (e.g. a smart TV) is attacked and taken over.

    I have an IB3 in operation with WLAN and guest WLAN and a 24-port managed switch from D-Link (DGS-1224). (No fibre optic connection is possible at my location, therefore no change to an IB5.)

    What is the easiest way to manage this?

    • Dr-No

      The easiest way (but with some manual configuration work and brainpower) with your devices: put everything you donā€™t trust on the guest network. For example, your smart TV.
      Problem: the VLAN for the guest network is only implemented with WLAN. With a VLAN-capable switch, however, you can also move a LAN connection to the guest network. Your existing switch should be VLAN-capable, according to the data sheet. You can find the correct numbers for the VLAN here:
      https://community.swisscom.ch/d/653937-suche-die-vlan-settings

      A little more complex (because it involves a new purchase, but much easier to configure), but with (very) many more options: put a suitable router into operation, e.g. cascaded behind the IB3. There are some good devices that can do this. I use devices from Unifi (routers and switches).


        Dr-No Either you put certain devices in a VLAN, or, if certain devices do not support VLAN, you can support it with a port-based VLAN on the switch. The SC TV box and router do not support VLAN. Your switch supports VLAN.

        My question is does this make any sense for you? I see this more in SME environments than in private ones.

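The port-based VLAN idea from the two replies above (a VLAN-unaware device such as the smart TV is placed in the guest VLAN by its switch port, while the uplink carries that VLAN tagged towards the Internet-Box), as an added example that is not from the thread. The VLAN IDs 10 and 20 are constructed placeholders, not the real Internet-Box guest VLAN settings.

```python
from dataclasses import dataclass, field

# Minimal model of 802.1Q port-based VLAN forwarding on a managed switch.
# VLAN IDs are constructed placeholders for this example.
HOME, GUEST = 10, 20


@dataclass
class Port:
    pvid: int                                    # VLAN given to untagged ingress frames
    untagged: set = field(default_factory=set)   # VLANs sent out without a tag
    tagged: set = field(default_factory=set)     # VLANs sent out with an 802.1Q tag

    def member_of(self, vid):
        return vid in self.untagged or vid in self.tagged


def classify(port, frame_vid):
    """VLAN a frame belongs to on ingress: its own tag, else the port's PVID.
    Frames tagged with a VLAN the port is not a member of are dropped."""
    vid = port.pvid if frame_vid is None else frame_vid
    return vid if port.member_of(vid) else None


def forward(switch, in_port, frame_vid, out_port):
    """Decide how a frame from in_port would leave via out_port:
    'tagged', 'untagged' or 'drop' (egress port not in that VLAN)."""
    vid = classify(switch[in_port], frame_vid)
    egress = switch[out_port]
    if vid is None or not egress.member_of(vid):
        return "drop"
    return "tagged" if vid in egress.tagged else "untagged"


# Constructed switch layout: trunk to the Internet-Box, a trusted PC and a
# VLAN-unaware smart TV whose port is simply assigned the guest VLAN (PVID).
switch = {
    "uplink": Port(pvid=HOME, untagged={HOME}, tagged={GUEST}),
    "pc":     Port(pvid=HOME, untagged={HOME}),
    "tv":     Port(pvid=GUEST, untagged={GUEST}),
}
```

The switch itself only separates the two VLANs at layer 2; whether guest and home may talk to each other is then decided by the router that terminates both VLANs.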

        Something else to consider with the guest WLAN of the Internet boxes:
        It only works in the 2.4 GHz band, which is normally not a problem for IoT devices, but a Swisscom TV box, for example, which only connects via the 5 GHz WLAN, cannot be operated on the guest WLAN of the Swisscom Internet boxes.

        However, if you really want to fully implement the concept of isolating individual device groups, you need a separate cascaded network downstream of the Internet box with its own additional hardware and more powerful router firmware, as already mentioned.


        Hobby nerd with no economic ties to Swisscom

          kaetho thanks for your reply. I have also looked at devices from Unifi, e.g. the UDR7. But I would have to replace the IB3 with that. And if the UDR7 was compromised, my entire network would be jeopardised. Perhaps it would be better to use a device downstream of the IB3, such as the Unifi Express 7, and then switch off the WLAN on the IB3?


            Dr-No

            You don’t have to replace the IB3, because you can simply cascade the UniFi router behind it (connect its WAN interface to a LAN port of the IB3), and as a result you will have two networks (LAN and WLAN respectively).

            Which client devices you then operate in which network is of course a question of concept.
            The simplest solution is to leave all IoT devices in the network of the IB3 access router (which is then conceptually regarded as an “untrusted environment” without complete control) and move all more confidential things to your own isolated additional core network.
            Additional VLAN constructs can then also be used in your own home network, which a UniFi router would certainly make possible.


            Hobby nerd with no economic ties to Swisscom

              Werner thank you for your reply. See also my reply to kaetho. Based on your answer, it would be desirable if SC would also offer a firewall device with integrated wifi in addition to wifi boxes. What do you think?


                Dr-No Based on your answer, it would be desirable for SC to offer a firewall device with integrated wifi in addition to wifi boxes. What do you think?

                The whole world market is open to you and there is no provider dependency for any of the devices in question, so there is no need to “buy meat from the bakery”.

                However, you must be aware that if you operate your own home network, you must also be prepared to deal with it a little, as there is no remote maintenance via a provider hotline.
                However, with a little reading and understanding of the connections, you can actually manage it yourself.


                Hobby nerd with no economic ties to Swisscom

                Werner thank you for your answer. That sounds very tempting 🙂 That would mean: the IB3 with its (remaining) LAN connections and its WLAN would be intended for untrusted devices and the downstream device (e.g. a UDR7 with LAN connections and other WLAN) for the trusted devices. The additional two WLAN boxes that I now use on each floor would have to be operated somehow (via VLAN?) in the UDR7 network. Trusted devices could connect via the normal WLAN of the WLAN boxes and untrusted devices via the guest WLAN.


                  Dr-No

                  from personal experience: If you immerse yourself in the Unifi world, you will quickly become addicted to it 😉.

                  But forget the idea of using WLAN boxes in the Unifi network again very quickly. They’re great, inexpensive and do exactly what they’re supposed to do in the Swisscom universe (most of the time, anyway). In the Unifi universe, you are quite limited with these WLAN boxes. No VLAN, no clean topology mapping, no optimisation of the WLAN via the Unifi interface…

                  The Unifi stuff is only really fun if you use routers, switches and APs from Unifi.

                  Put the Unifi router behind the Internet box, or in the DMZ if you want to connect everything directly to the Unifi network from outside, and then use Unifi switches and APs behind it.

                  The IB then runs the landline telephony (if you still need it) and any DDNS service if you need it.
                  I also have the IoT devices in the Unifi network, nicely separated with VLAN and isolated with firewall rules, so that I can access the IoT devices from the normal home network, for example, but they cannot access the home network and the gateways independently and unsolicited.

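The inter-VLAN firewall policy kaetho describes (home may reach the IoT devices, replies come back, but IoT may not open connections into the home network or to the gateways), modelled as an added example that is not the thread's or any UniFi configuration. Subnets, gateway addresses and flows are constructed assumptions.

```python
import ipaddress

# Constructed placeholder subnets for the two VLANs and the router interfaces;
# the thread gives no addressing, these are assumptions for the example.
ZONES = {
    "home": ipaddress.ip_network("192.168.10.0/24"),
    "iot":  ipaddress.ip_network("192.168.20.0/24"),
}
GATEWAYS = {ipaddress.ip_address("192.168.10.1"),
            ipaddress.ip_address("192.168.20.1")}

# Zone-pair policy for NEW connections, first match wins; "*" means any zone.
RULES = [
    ("home", "*",       "allow"),  # trusted side may open anything
    ("iot",  "home",    "deny"),   # IoT may not initiate into the home VLAN
    ("iot",  "gateway", "deny"),   # nor reach the router itself unsolicited
    ("iot",  "wan",     "allow"),  # cloud access for the IoT devices
]


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    if addr in GATEWAYS:
        return "gateway"
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "wan"


class Firewall:
    """Stateful inter-VLAN filter: replies to allowed flows pass automatically."""

    def __init__(self):
        self.conntrack = set()  # established flows as 5-tuples

    def check(self, src, dst, proto, sport, dport):
        flow = (src, dst, proto, sport, dport)
        if (dst, src, proto, dport, sport) in self.conntrack:
            return "allow"  # reply packet of an established connection
        sz, dz = zone_of(src), zone_of(dst)
        for rule_src, rule_dst, action in RULES:
            if rule_src == sz and rule_dst in (dz, "*"):
                if action == "allow":
                    self.conntrack.add(flow)
                return action
        return "deny"  # default deny for any zone pair not listed
```

Traffic inside one VLAN never passes the router, so this policy only governs crossings between the zones; the layer-2 split itself comes from the VLAN configuration.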