In my apartment, I have a PC running Linux with four network interfaces:
One Ethernet port built into the motherboard, connected to a switch that the rest of my hard-wired devices are connected to
One PCIe Wi-Fi 5 card, serving as my apartment’s wireless access point
One USB Ethernet dongle, connected to my ISP’s optical network terminal
One USB Ethernet dongle, connected directly to an employer’s PC (for working from home)
It forwards packets between all of these (i.e. is a router) and uses nftables (i.e. is a firewall).
The firewall is specially configured to isolate interface 4: it is only allowed to talk to the Internet and the router’s DHCP and DNS servers, but not any other device in my apartment, nor any other process running on the router itself.
Seems pretty radical on both axes, but it’s neat that I can do this with nothing but common consumer equipment and free software. No fancy Cisco gear required. And unlike the average home router, the software running on mine actually receives security audits and patches, so I consider it far more secure.
In my apartment, I have a PC running Linux with four network interfaces:
It forwards packets between all of these (i.e. is a router) and uses nftables (i.e. is a firewall).
The firewall is specially configured to isolate interface 4: it is only allowed to talk to the Internet and the router’s DHCP and DNS servers, but not any other device in my apartment, nor any other process running on the router itself.
Seems pretty radical on both axes, but it’s neat that I can do this with nothing but common consumer equipment and free software. No fancy Cisco gear required. And unlike the average home router, the software running on mine actually receives security audits and patches, so I consider it far more secure.