Segregating NAS from internet?

[VirtualLarry]

What's the best way to do this? I want to have PCs on the LAN / WLAN that have internet access, and can access the NAS over the LAN, but I don't want the NAS to have internet access, nor internet access to the NAS?

Separate subnet for NAS, behind third router, and use static routes using reserved IP ranges, and delete the default gateway? (Not sure if you can delete the default gateway on a router?)

Or simply assign static IPs to the NAS in a separate subnet, and try to firewall those IPs off from the internet in the router's config?

Or would MAC address blocking be better? Wouldn't that block the NAS off from the WLAN or the LAN though?

 

[dave_the_nerd]

Firewall rules. Doesn't have to be on a separate subnet. Just keep the NAS IP from going out into the world.

 

[Ketchup]

I gave my file server a static IP (also marked on the router as reserved), standard subnet mask, and no default gateway.

It is available on every device on my network and no Internet access, without having to mess with the firewall.

 

[dave_the_nerd]

Ooh, clever.

 

[Emulex]

Make sure you use a non-routable subnet should your router default back to factory settings (thanks AC-RT66u!) you don't end up given away the farm!

 

[avos]

Just remember if your WLAN and LAN are separate subnets and you don't set a gateway on the NAS it needs to have an interface on both subnets.

Though personally I would probably still go the firewall approach as no default gateway is also going to break VPN access to it. But that is mostly because I like to at least have the ability to remotely access my devices if needed. That and I'd like to have the option to segment my network if needed.

 

[azazel1024]

There are umpteen different ways you can do this. What is the purpose?

If you want it for security sake, then don't go the empty gateway IP route. You could do it within the router (if your router supports it). I'd do it before the router with a semi-managed/managed switch and VLANs. Setup the VLAN rules so that the NAS doesn't have access to the router.

So the router is a member of VLAN 1, the NAS is a member of VLAN 2 and everything else attached to the network is a member of VLAN 1 and 2. Done. Router accidently gets reset or hacked, no worries, NAS can't even see that the router is there.

 

[kevnich2]

The only way to be a member of two valan's is by using tags and making each port a trunk port or a general port. Consumer NIC's typically don't have this ability unless the OP installs two NIC's in every system so each NIC can be a part of both VLAN's

I am curious on why the OP wants to do this in the first place? What's the purpose you want to achieve?

 

[azazel1024]

You can do that through the switch, you don't have to do VLAN tagging with the NIC. Or at least I can certainly do it though my TP-Link SG2216, Trendnet TEG160sw and DLink DGS-1100. I assume other switches can perform the same "magic".