
Need extra security for my home network


9 replies to this topic

#1 Guest_jipit_*


Posted 07 September 2023 - 05:48 AM

1st time poster, looked at the threads and I can't find anything that covers my question so here goes...

Sorry for the text wall below, but I want to cover all the relevant info

My home has a wired network of PCs. I use a TPlink VR400 router, 3 cheap switchboxes and a powerline (which rarely gets used).

All the PCs have full read/write access to each other, that might sound reckless but I need it for my PCs to do what they do. As a result of that, the router wifi is always off and I have a whitelist on the router. And obviously everything is WPA2

Phones/tablets rarely need web access, so they use the guest wifi when needed

But ... for my router's guest network to be on, I have to have the main wifi network on (but that allows the main wifi access to my wired network). That kinda defeats the point of the guest network afaic, as I don't want to give the main wifi access to my main network at the same time. I don't use the main wifi anyway so its password is 'very long', so long that I always forget it!

So, if I want to use wifi for the phone/tablet, I put the PCs to sleep, switch on wifi, do what I need, then switch off wifi.

However, I may use the guest wifi more often in the future so I need better security. I have now put on AP isolation and everything still works normally (so that's a result I suppose), but I'm not sure it's increased security much.

What I really need to do is isolate all wifi from the wired network completely. I don't think VLAN is an option because a) I know sweet FA about it and b) the following from TPlink's site about the VR400 might mean I can't do it anyway:

"VLAN passthrough for bridging is not a function of the current firmware"

Logically that would leave me with subnetting, but the problem is I know just enough about subnetting to get me in trouble.

So, my question is, what's the best solution to my problem, subnetting, some sort of separate wireless access point (but then it'd be on the wired network so it'd be no different than the guest network?) or a new router which separates guest wifi and main wifi?

TIA

Neil

 


Edited by jipit, 07 September 2023 - 05:49 AM.




#2 greg18


Posted 07 September 2023 - 12:15 PM

What makes you believe that you need more security on your home network than end users using best practices in not allowing malware and the such to spread? Put the guests if any on an isolated Guest network through your current Router and that is it.



#3 cryptodan


Posted 07 September 2023 - 12:41 PM

Uh what are you doing that requires read/write access network wide?

Share that with us, and we can help you better.

Also if you have a good password and hide your ssid, then you'll be better protected and you can leave your wifi on.

My Linux Systems Specifications: My Desktop - https://dpaste.com/AKGGCBGSW - My Server - https://dpaste.com/8M228Z6ZM - My laptop Arch - https://dpaste.com/FKSMU4MM2

-----------------------------------------------------------------------------

Masters of Science in Computer and Digital Forensics - Stevenson University 
-----------------------------------------------------------------------------
US Navy Veteran - 2002 to 2006 - Blue and Gold and Proud to Serve - Honor, Courage, and Commitment
 

#4 Guest_jipit_*


Posted 08 September 2023 - 02:33 AM

What makes you believe that you need more security on your home network than end users using best practices in not allowing malware and the such to spread? Put the guests if any on an isolated Guest network through your current Router and that is it.

 

As I said, in order for the guest network to be on, the primary wifi also has to be on which means it automatically has access to the rest of the network. I'm not worried about someone getting in via the guest wifi, but someone getting in via main wifi

 

There are 10 houses within range of my router. When I set up my VR400 a few years back, by the time I had logged into it and set it up with a new username and password (the settings I normally use so I didn't screw them up), afaict someone had logged in (via wifi) when I was in the process of changing the defaults and had changed the username & password after I exited the router.

I had to reset the router and do it at 6am the next day to make sure the 'suspect' (who still lives near) was asleep. Things worked fine since. So, the 'suspect' is still a threat afaic.

 

 

Uh what are you doing that requires read/write access network wide?

Share that with us, and we can help you better.

Also if you have a good password and hide your ssid, then you'll be better protected and you can leave your wifi on.

Yep the ssid is hidden and the primary wifi password is over 20 characters long with no words, just letters, numbers and special characters.

Why do I need full read/write? ... I thought someone might ask ... ok, here goes :rolleyes:

 

Media PC: other PCs need to copy/delete media to it. The media PC sometimes copies files to other PCs, though not often.

2 other PCs (mainly used to access the media PC) are also used for the 2nd and 3rd backups of the media PC (primary backup is an ext 10tb HD).

Alpha PC (my everyday PC) is the hub of downloads etc, stuff moved to media PC but sometimes there's stuff that needs to go on the other PCs. And vice versa if I can't get to my Alpha due to health.

Gaming PC. Also backs up the boot drives of the other PCs, plus backup of Alpha data and it also controls the ext 10tb HD media backup.

Also (due to my health) there are times when I can't get to my Alpha so the other PCs need access to it. Not keen on Anydesk etc

All the PCs can WOL each other (except the gaming PC), because my health may mean I'm restricted to my bed etc.

FYI: my backups are done by fastcopy, as I prefer mirrored and uncompressed backups.

Each PC has a different AV, so they're not all vulnerable at the same time if there's an issue, Alpha uses ESET as it's the most important PC.

All PCs have multiple drives


Edited by jipit, 08 September 2023 - 02:34 AM.


#5 cryptodan


Posted 08 September 2023 - 03:21 AM

Your security policies and practices are very lacking in knowledge. I'd recommend you look into setting up a proper client-server topology with proper permissions so you don't have all pcs wide open to exploits despite having various different AVs

Edited by cryptodan, 08 September 2023 - 08:25 PM.


#6 greg18


Posted 08 September 2023 - 08:07 PM

Guest networks and a private LAN on the same router never touch each other unless you make changes on the Gateway/Router firewall settings. Using different malware products is not good, using WOL and everything else you are stating is reckless and unsafe in terms of network security.
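
One way to test the point argued in posts #1 and #6, whether a device on the guest or main Wi-Fi can actually reach the wired PCs. This is an added example, not part of any poster's reply; the addresses, port list and function names are assumptions chosen for illustration, and it is meant to be run from a laptop joined to the Wi-Fi network under test.

```python
import ipaddress
import socket

# Windows file sharing (139, 445) and Remote Desktop (3389): the services a
# shared-everything wired LAN like the one described is most likely to expose.
DEFAULT_PORTS = (139, 445, 3389)

def same_subnet(client_ip, lan_cidr):
    """True if the Wi-Fi client's address falls inside the wired LAN subnet."""
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(lan_cidr, strict=False)

def tcp_open(host, port, timeout=1.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, filtered or timed out
        return False

def audit_isolation(client_ip, lan_cidr, lan_hosts, ports=DEFAULT_PORTS, probe=tcp_open):
    """Return a list of findings; an empty list means no isolation failure was seen."""
    findings = []
    if same_subnet(client_ip, lan_cidr):
        findings.append(f"{client_ip} is inside {lan_cidr}: Wi-Fi client shares the wired subnet")
    for host in lan_hosts:
        for port in ports:
            if probe(host, port):
                findings.append(f"{host}:{port} reachable from Wi-Fi client")
    return findings

if __name__ == "__main__":
    # Constructed sample values (assumptions): substitute your own addressing.
    results = audit_isolation(
        client_ip="192.168.2.23",                    # address handed out on the Wi-Fi under test
        lan_cidr="192.168.1.0/24",                   # wired LAN subnet
        lan_hosts=["192.168.1.10", "192.168.1.11"],  # wired PCs with shares enabled
    )
    print("\n".join(results) or "No tested port reachable: isolation holds for these hosts")
```

Running it once on the guest SSID and once on the main SSID shows the difference the thread is about: a separate subnet alone is not isolation if the router still forwards traffic to ports 139/445 on the wired hosts.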



#7 Shplad


Posted 08 September 2023 - 08:12 PM

That's solid advice you got from some very knowledgeable people. I agree with all of it.

 

I'd add only that if you're superparanoid about WiFi security, see if your gear allows you to turn down the transmit power of your WiFi interface radios. Some gear allows you to do that, some does not. Of course, you have to balance that with being able to get a signal on all client devices.

 

Much of this is moot anyways, because it only takes...what is it currently, a day or two to crack WPA2 passwords with the right tools? So if someone were serious, they'd get in that way anyways. Someone please remind me what the approx. crack time is currently, I can't remember.


Edited by Shplad, 08 September 2023 - 08:14 PM.

- Use this to collect and post information about your PC hardware, software and configuration (Whether or not you have crashing).

 

Blue Screen of Death (BSOD) Posting Instructions - Windows 10, 8.1, 8, 7 & Vista

https://www.bleepingcomputer.com/forums/t/576314/blue-screen-of-death-bsod-posting-instructions-windows-10-81-8-7-vista/

 

 


#8 Guest_jipit_*


Posted 09 September 2023 - 04:31 AM

Hmm, it's becoming clear that my views and thoughts on this topic do not align with some others on this forum, so I'll close my account and leave.



#9 cryptodan


Posted 09 September 2023 - 10:03 AM

Your views and security policies go against trusted methods of security in various different network setups and enterprises.

You will find our views in other places on the internet not just here.


#10 Shplad


Posted 09 September 2023 - 10:37 AM

Well put.

