BLU Discuss list archive
[Discuss] Simple, unintrusive firewall solution?
- Subject: [Discuss] Simple, unintrusive firewall solution?
- From: me at mattgillen.net (Matthew Gillen)
- Date: Mon, 15 Jun 2020 23:47:50 -0400
- In-reply-to: <24295.54461.837076.86019@blazemonger.com>
- References: <mailman.1.1591977604.32422.discuss@lists.blu.org> <24295.54461.837076.86019@blazemonger.com>
On 6/15/2020 4:06 PM, Daniel Barrett wrote:
> tl;dr: Seeking help preventing one network from seeing another.
>
> I have two routers -- call them R1 and R2 -- and would like to define a
> firewall rule so clients of R2 can't see clients of R1. Something like:
>
> iptables -A INPUT -s <R2's network> -d <any R1 client> -j DROP
>
> Unfortunately, neither router allows such rules to be defined. (R1 is
> a Verizon FIOS Quantum Gateway serving a wired network. R2 is a Google
> Wi-Fi mesh router connected as a node on the Verizon wired network.)
>
> Any suggestions how to achieve this goal? My first thought is to place
> a simple hardware device between the two routers. In my dreams, it's a
> tiny, low-cost box with a WAN & LAN connector and running iptables, and fast
> enough that it doesn't slow down R2's network.

Dan,

Not entirely clear what you're aiming to do, but assuming that the Wi-Fi mesh router needs to go through the FIOS gateway to get to the internet and you just want to keep the clients from each other, you might look into the FIOS device config, but not the firewall (probably 'my network' or the like). What you are looking for is a way to configure some of the internal switch ports on the FIOS gateway separately. For example, you might set up port 1 to have a different DHCP subnet than ports 2-4, and then not allow routing between them.

Depending on exactly what you're looking to do, you can do any of:

- vlan: creates ethernet-layer isolation; doesn't look like it's supported by the FIOS gateway though

- routing: if you make it so the IP layer doesn't know how to get to the other network, bi-directional comms won't work. Might be as dumb as creating an intentionally bad route on the Google mesh device so it can't find the other client network, but the preferred method would be convincing the FIOS gateway not to route between nets.
  NOTE: multicast might still work through the FIOS gateway, which means a Chromecast on the wifi network will still be discoverable (just not usable). On the flip side, if you kill multicast between the two networks, you've killed any auto-discovery, which might be all you actually wanted in the first place.

- firewall: you look like you have a good handle on this

This is going pretty far beyond what you asked, but in case it inspires you:

My border router/firewall is a Linux box with two ethernet ports. I have the ONT box (fiber termination point) feed the Linux box directly via ethernet. The other port plugs into a VLAN-capable 16-port switch that everything else in the house is plugged into. By configuring the switch to send tagged packets to the router, I can configure that one physical interface with as many VLAN interfaces as I want. Each VLAN has its own subnet, and even though all the devices physically go through that one switch, because of the VLAN isolation they need to route through the router to actually talk to each other. So the firewall on the router can then implement all the access control rules I want: make some subnets unable to see each other, or make some subnets unable to get out to the internet. If I want to move a device around in the virtual network, I never have to mess around with rewiring: just change the VLAN membership of that port on the switch (and then convince the device to get a new DHCP lease).

It was an interesting learning experience getting DHCPD and BIND to do what I wanted in this kind of setup, and figuring out how to get Linux to do the VLAN interfaces right.

HTH,
Matt
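The "one trunk port, many VLAN interfaces, firewall decides who talks to whom" router described above, as an added example that is not part of Matt's message or his actual config. It assumes a Linux router with `eth0` toward the ONT and `eth1` as the tagged trunk to the switch, three made-up VLANs (10, 20, 30) with a /24 each, and iptables as the firewall. Because the router forwards between subnets, the isolation lives in the FORWARD chain: the policy is DROP, established flows and each permitted VLAN-to-WAN direction are accepted explicitly, and no rule ever matches VLAN-to-VLAN, so VLAN 10 cannot reach VLAN 20 and VLAN 30 cannot reach the internet at all. `DRY_RUN=1` prints the commands instead of executing them so the rule set can be reviewed without root:

```shell
#!/bin/sh
# Added example (not from the original post or the author's own setup):
# Linux router with a WAN port and one VLAN trunk, per-VLAN subnets, and
# FORWARD rules that keep the VLANs apart.  Interface names, VLAN IDs,
# subnets and the INTERNET_VLANS list are assumptions for illustration.

WAN_IF="${WAN_IF:-eth0}"      # cable from the ONT
TRUNK_IF="${TRUNK_IF:-eth1}"  # tagged trunk to the VLAN-capable switch

# One "vlan_id subnet/prefix" per line; the router takes .1 in each subnet.
VLANS="10 192.168.10.0/24
20 192.168.20.0/24
30 192.168.30.0/24"

# VLANs allowed out to the internet; anything else is LAN-only.
INTERNET_VLANS="10 20"

# run: execute the command, or print it when DRY_RUN=1 so the generated
# command list can be inspected (and tested) without touching the kernel.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# router_addr: 192.168.10.0/24 -> 192.168.10.1/24 (router's own address)
router_addr() {
    echo "$1" | sed 's#\.0/#.1/#'
}

# One 802.1Q sub-interface per VLAN on the trunk, each with its own subnet.
configure_vlans() {
    echo "$VLANS" | while read -r id cidr; do
        [ -n "$id" ] || continue
        vif="$TRUNK_IF.$id"
        run ip link add link "$TRUNK_IF" name "$vif" type vlan id "$id"
        run ip addr add "$(router_addr "$cidr")" dev "$vif"
        run ip link set "$vif" up
    done
    run ip link set "$TRUNK_IF" up
}

# Default-deny forwarding; only reply traffic and the listed VLAN->WAN
# directions are allowed.  No VLAN->VLAN rule exists, so the DROP policy
# is what isolates the subnets from each other.
configure_firewall() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for id in $INTERNET_VLANS; do
        run iptables -A FORWARD -i "$TRUNK_IF.$id" -o "$WAN_IF" -j ACCEPT
    done
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

configure_router() {
    configure_vlans
    configure_firewall
}

# Entry point: "apply" executes; anything else prints the commands.
case "${1:-}" in
    apply) configure_router ;;
    *)     DRY_RUN=1 configure_router ;;
esac
```

Review the printed commands first (`sh vlan-router.sh`), then run `sh vlan-router.sh apply` as root. To let one VLAN reach another in one direction only, add a single `-i eth1.X -o eth1.Y -j ACCEPT` rule; the conntrack rule already handles the replies. Multicast and mDNS do not cross the router in this layout, so auto-discovery between VLANs is gone unless you deliberately add a reflector.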