How can I isolate my home network from the building network?

3

In my building there is a central router that provides internet to a number of apartments. Every apartment has its own wireless access point and any device connected to the "private" WiFi in each apartment obtains an IP address from the central router.

The issue I am having is that the networks in each apartment are connected to each other. This means that, even though we are not connected to the same WiFi, we can still see each other. I am able to broadcast my YouTube screen to their TV with my smartphone and vice versa.

Or for example by doing nmap -sP 192.168.0.0/24, I can see computers located in other apartments on the network.

Current network setup:

Is it possible to change the given wireless switch and put in my own switch that I could configure to create a real private network? (Some sort of NAT?)

Hypothetical setup:

I am basically worried that they can start printing random stuff and control some domotic things I am buying.

Ricard Molins

Posted 2019-10-28T18:41:13.177

Reputation: 35

The fact that you can see other computers in the 192.168.xxx.yyy means that you are already on a private network, probably a NAT (network address translation) internet address sharing scheme. 192.168 is a prefix reserved for private address networks. If you add your own router (with NAT set up) you can make a double-NAT giving you your own private network. For IPv4 TCP connections it acts sort of like a firewall, but there are limitations inherent to double NAT that I don't have time to expand on now. Which is why this is not an answer. – infixed – 2019-10-28T20:18:52.383

You should probably put your personal local net on its own sub-net. Don't share the zero in the third byte subnet. For instance use 192.168.111.xxx/24. And there is no guarantee that the building subnet is limited to 8 bits of subnet. The 192.168 prefix could be used up to /16. If you can examine the netmask that DHCP sets for your device when the building is the DHCP server, you could tell its netmask size. – infixed – 2019-10-29T18:04:20.847

Answers

5

There should be no technical obstacle to doing what you suggest, unless the building network is configured to only allow connections via their own wifi devices. If you use your own router, however, you should change the IP subnet on your side to be other than the building subnet. I would speak to the building network administrator, explain your concerns, and ask whether you can in fact do this.

@Infixed comments to your question that there are some issues with respect to "double-NAT"; this is essentially the setup that I have at home (for irrelevant-to-you legacy-equipment and network-change reasons). The main problem that I've noticed is that one program in particular that I use has trouble establishing FTP connections through the double-NAT; if I (temporarily) bypass the second level with that computer only (by plugging it in to the cable company router directly, instead of my second-level router), I have no trouble with the specific program. Other "ordinary" use - web, email, listening to streaming media, online games, IRC including DCC, etc. - doesn't seem to be affected by the double-NAT in any way that I can discern.

Jeff Zeitlin

Posted 2019-10-28T18:41:13.177

Reputation: 2 918

I am not required to connect via their devices. I can connect my PC directly to the Ethernet port. I made the question to avoid unnecessary buying or to come up with possible obstacles. Thank you for the feedback. Will give it a try and comment – Ricard Molins – 2019-10-28T19:42:21.107

As an example of other issues with double NAT, sometimes UDP protocol-based programs can have problems. Sometimes UPNP is involved in allowing UDP packets to be routed past a NAT. In a double NAT, dealing with two UPNP servers can be a challenge. Not to mention many consider UPNP to be risky regardless, as it allows inward access from the internet to the local net. (My kid had a game that required UPNP, I enabled it only for his internal IP address. Still a risk.) – infixed – 2019-10-29T17:54:11.837

As you said, there was no problem. Double NAT was not an issue at the moment. I have tried Netflix, some general internet, some wireless power plugs, my local Synology NAS, and another remote NAS and everything works like a charm. – Ricard Molins – 2019-10-29T19:05:08.950
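
The subnet advice in the answer and comments above can be checked before configuring the second router. The following is an added example, not part of the original posts: it derives the building network from the address and netmask the building's DHCP server hands out, then tests whether a proposed inner LAN overlaps it. The function names and the sample lease values are assumptions constructed for illustration.

```python
import ipaddress

# RFC 1918 private blocks that the inner (home) LAN can be drawn from.
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]


def building_network(address, netmask):
    """Network the building's DHCP lease places this device in."""
    return ipaddress.ip_interface(f"{address}/{netmask}").network


def lan_conflicts(lan_cidr, building):
    """True if the proposed inner LAN overlaps the building (WAN-side) network."""
    return ipaddress.ip_network(lan_cidr).overlaps(building)


def pick_lan(building, preferred="192.168.111.0/24"):
    """Return the preferred /24 if it is clear of the building network,
    otherwise the first non-overlapping /24 from the private blocks."""
    if not lan_conflicts(preferred, building):
        return ipaddress.ip_network(preferred)
    for block in PRIVATE_BLOCKS:
        for candidate in block.subnets(new_prefix=24):
            if not candidate.overlaps(building):
                return candidate
    raise ValueError("no private /24 is free of the building network")


if __name__ == "__main__":
    # Constructed sample leases: same address, two possible building netmasks.
    for mask in ("255.255.255.0", "255.255.0.0"):
        net = building_network("192.168.0.37", mask)
        print(f"building {net}: "
              f"192.168.111.0/24 conflicts={lan_conflicts('192.168.111.0/24', net)}, "
              f"use {pick_lan(net)}")
```

With a /24 building netmask, 192.168.111.0/24 is safe; with a /16 netmask it falls inside the building range, so the inner LAN has to come from a different private block.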