-1

I have searched and read many posts on this site. None of them directly addresses my problem. I have several Linux boxes which I wish to have unfettered access to the Internet. I have Windows machines which I do not want to have access to the Internet. I do however want to use Samba shares on the Linux boxes from the Windows units. Is this feasible using VLANs?

2 Answers

3

Can VLANs be used to segregate which devices on a Network get to the Internet?

No, not by using VLANs alone.

As the canonical Q&A on VLANs explains, placing specific systems in different VLANs is one part of the solution to segregate them, but there is a second part of the puzzle; you will also need a router to provide (and restrict) the connectivity to/from/between those VLANs and the internet at large.

HBruijn
2

By putting your Windows clients in a VLAN that is not routed to the WAN you will effectively have stopped them from accessing the WAN aka "internet".

Then either give your Samba host two NICs, one for VLAN 1 and one for VLAN 2, or make it "VLAN aware" and trunk both VLANs to it.

Making the host "VLAN aware" is done differently based on what OS the service is installed on.

Windows hosts now cannot access the WAN, and they can access Samba. The Windows machines also cannot communicate with anything else outside VLAN 2; if you need this, you can place a simple FW between the TP-Link and Switch01 to route the networks.

enter image description here

Can VLANs be used to segregate which devices on a Network get to the Internet?

Yes

  • Thanks for your reply. So a DD-WRT flashed router should be fine? So where you say `Than give your Samba machine two NIC's, one for VLAN 1 and one for VLAN 2 ` you mean a setting in the router's configuration and it is a virtual NIC, yes? I would love to have you give more details as you so kindly offer. I am using a TP-Link Archer C7 with DD-WRT flashed onto it. Any assistance you could provide would be most welcome :) – user3386373 May 23 '18 at 16:44
  • What OS is the Samba service installed on? – Cristian Matthias Ambæk May 23 '18 at 17:29
  • I have several Fedora 24 Boxes running Samba Clients. They are available within the File Browser and are invoked from there allowing me to store a lot of my files from the past on the windows machines variously running Win7 versions. I guess in that sense the Windows is the Server and Linux is the client. I can read and write to the shares from either Linux or Windows. The Windows thing is a bit of a Legacy thing as I am fully, otherwise, on Linux. – user3386373 May 23 '18 at 18:06
  • Does the Switch01 have to be a smart/managed Switch? – user3386373 May 23 '18 at 18:08
  • Managed switch. So Windows are the one hosting the Samba service? The diagram is just an example, but it gives us something to talk "out from" instead of keeping it all fictional. – Cristian Matthias Ambæk May 23 '18 at 18:13
  • I have never looked into Managed Switches. They appear to be big corporate things I thought. So they can be managed similarly to DD-WRT but I suspect are always proprietary. Not a problem just thinking. – user3386373 May 23 '18 at 18:21
  • Would something like this work as you suggested to keep the cost down a bit? [link](https://www.newegg.ca/Product/Product.aspx?Item=12K-008X-00022&cm_re=managed_switches-_-12K-008X-00022-_-Product) – user3386373 May 23 '18 at 18:25
  • Managed switches are available to all; try (as an example) looking at Cisco Catalyst switches on eBay to give you an idea. These switches are often second hand, or brand new and never used, from companies that did not make it or just sold them. They are inexpensive and do their job very well. What some will say is that they come with old software that needs a license to update; this depends on the seller, but it is not a problem (as I see it) as long as you keep them behind a firewall away from the WAN and use them accordingly within your infrastructure. Or look at SMB managed switches – Cristian Matthias Ambæk May 23 '18 at 18:27
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/77903/discussion-between-user3386373-and-cristian-matthias-ambaek). I thought I was logged in. I guess the system wants shorter comment sections. – user3386373 May 23 '18 at 18:29
  • I want to thank you so much for your excellent help. I guess the powers that be want the comments shut down on this one. Have a great day :) – user3386373 May 23 '18 at 18:34
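
For the second answer's option of making a host "VLAN aware", the following is an added example (not part of the original thread) for a Linux host using iproute2. The parent NIC name `eth0` and the address `192.168.2.10/24` are assumptions; VLAN 2 is the answer's non-routed VLAN for the Windows clients.

```shell
#!/bin/sh
# Added example: NIC name, address and defaults are assumptions, not from the
# thread. VLAN 2 is the answer's non-routed VLAN for the Windows clients.

# Print the iproute2/sysctl commands that add a tagged sub-interface for
# VLAN $2 on parent NIC $1 with address $3.
# No default route is added on the new interface, on purpose.
vlan_plan() {
    parent=$1 vid=$2 cidr=$3
    # Reject anything that is not a usable 802.1Q VLAN ID (1-4094).
    case $vid in ''|*[!0-9]*) echo "bad VLAN id: $vid" >&2; return 1 ;; esac
    if [ "$vid" -lt 1 ] || [ "$vid" -gt 4094 ]; then
        echo "bad VLAN id: $vid" >&2; return 1
    fi
    dev="$parent.$vid"
    echo "ip link add link $parent name $dev type vlan id $vid"
    echo "ip addr add $cidr dev $dev"
    echo "ip link set dev $dev up"
    # A host with a leg in both VLANs must not route between them, or the
    # isolated VLAN gains a path towards the WAN through this machine.
    echo "sysctl -w net.ipv4.ip_forward=0"
    echo "sysctl -w net.ipv6.conf.all.forwarding=0"
}

# Dry run by default; set APPLY=1 and run as root to execute the plan.
plan=$(vlan_plan "${PARENT:-eth0}" "${VID:-2}" "${ADDR:-192.168.2.10/24}") || exit 1
if [ "${APPLY:-0}" = 1 ]; then
    printf '%s\n' "$plan" | sh -e
else
    printf '%s\n' "$plan"
fi
```

The switch port facing this host has to carry VLAN 2 tagged for the sub-interface to see traffic, and these settings do not persist across a reboot unless they are also put into the distribution's network configuration.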