DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

2860 Two LANs

  • footsore
  • Topic Author
  • User
  • User
More
01 Nov 2016 15:05 #1 by footsore
2860 Two LANs was created by footsore
Hi,

We are a small holiday complex and have a Draytek 2860n which is now configured for two port based LANs (and potentially 3). Bought for the Dual WAN functionality as we are on slow broadband (3.6MB) and a local radio solution at 5MB but has opened up room for significant improvements to the security of our system. (trying to lock the stable door first).

LAN 1 connects to an Archer C7 which provides for the domestic and office network. Ports 1-3
LAN 2 connects to an open-to-guests site wide wifi repeater (External Ubiqiti). Port 5-6
LAN 3 (if I set it up) will have just the credit card machine (this currently is within LAN 1 so protected from guests by the Archer C7) Port 4

LAN 2 Question
I have disabled access to the management console from LAN 2 so they can't attack the router (and it has a strong password anyway)

There is a single physical device plugged into Port 6 on LAN 2, the wifi repeater, that ideally I would like to have access to from LAN1 if possible. Is this possible to allow one way traffic from LAN 1 to LAN2. Otherwise if I need to do anything to it I need to plug a laptop into Port 5 of the 2860, or connect to the Guest Wifi network (I'm hoping to lock access to the wifi repeater from a wireless client anyway)

LAN 1 Question
Do I lose any security by removing the Archer C7 router and plugging my switch directly into Port 1. I guess I lose the physical protection of the C7 firewall but presumably any one on LAN2 would need to pass the Draytek firewall to get at LAN1. It would also add some 60 odd domestic IP related devices to the Draytek load on top of the guest 50 or so IP devices. (Sonos system, Sky, smart TVs, printers, and a pile of hand held devices, the majority are hard wired to a Netgear smart switch.)

LAN 3 Question
I need to protect the credit card machine from unapproved access. Is a port based VLAN suitable or should it sit behind another router (e.g. the Archer C7 for domestic). As long as something serves it an IP address, and it gets net access, it is happy. I would look to lock this network down on MAC Address only if possible. Ideally I would like it off the house network but not if a port based VLAN isn't as secure as sitting behind the Archer C7 firewall. The house network has a wifi access point (old router) that in my mind reduces the security of the house network compared to a port based VLAN that has a single port. But not certain on the security between ports - if it is the same as from the internet (e.g. has to pass the same firewalls) then I think I am happy.

I know there is a lot of questions there but all help appreciated.

Cheers
Dave

Please Log in or Create an account to join the conversation.