You can set up RaspAP to achieve the configuration you described, where
(Optional) add forwarding rules to allow the trusted network to access untrusted devices:
RaspAP installs Debian's
The above should be considered a rough outline only. Adjust as necessary.
Okay, so I'd like the LAN side to be handled by eth0 and the WAN side to be handled by wlan. So the LAN hosts all the untrusted devices, and they are put into a network sandbox.
I have a secondary building that I don't want to run outdoor certified ethernet cable to. So, the connection from the main network to the building is via WiFi. The devices inside the building are all untrusted, meaning they are allowed to talk to each other but are not allowed to connect to the internet, by default. But some will be accessible from the WAN side through the RaspAP. Management of which devices can do what through the AP must be accomplished solely from the WAN side.
Can RaspAP be set up like this:
- The eth0 interface manages the 'untrusted network' (the LAN side of the router).
- Devices on the untrusted network will have their IP addresses managed through the DHCP service provided by RaspAP.
- Devices on the untrusted network will not be able to open connections to any devices through the RaspAP.
- Devices on the untrusted network will NOT be able to access the RaspAP SSH terminal or web-based management, even if they have the passwords.
- Devices on the untrusted network will perceive the RaspAP to be like any ordinary router, except without an internet connection.
- The wlan interface is on the 'trusted network' (the WAN side of the router).
- It will get its IP address from the trusted network's DHCP server, just like a normal router would get its IP address from an ISP.
- Devices on the trusted network will be able to access the RaspAP SSH terminal or web-based management.
- Devices on the trusted network will be able to open connections to devices in the untrusted network through a routing table that exposes addresses and ports on the untrusted network, like you would do when opening a server port for an internal device on a normal router.
So, the untrusted network is air-gapped from the trusted network, which can implement its own firewall. And no device connected to the untrusted network has any hope of 'escaping' to the internet through the RaspAP.
Of course, this all requires the host network WiFi be highly secure so that untrusted network devices that happen to have undisclosed or hidden WiFi chipsets and malware (possibly built into their firmware) can't escape through various spoofing techniques to bypass the RaspAP sandbox they were placed in.