Isolate network with DNS but without NAT

Yamioni · July 19, 2023, 6:45pm

We have the following situation:

Screenshot from 2023-07-19 20-21-45

Our landlord provides a network to us and the neighbors. Because we are all in the same network, we would like to isolate our devices so they cannot be seen or accessed from other tenants. Furthermore we would like to use our own DNS (pi-hole). Using NAT is not an option as it slows down the internet speed significantly (~200Mbit to ~20Mbit).

DHCP and DNS are provided by the landlords devices and we cannot access them or ask him to change anything (already tried).

Our Idea is to use firewall rules to protect our network and to block the landlords DHCP. Then we can use our own DHCP and therefore our DNS. The problem is that in this case our DHCP gives out IP addresses without knowledge of the landlords DHCP, but in the same network.

Is there an option to configure a DHCP to get the IPs from another (landlord)DHCP but announces our DNS? Or if there is a completely different solution (not NAT) I would be happy to hear it

psherman · July 19, 2023, 6:58pm

DNS doesn't isolate networks. It is purely a method of converting a domain name (openwrt.org) into an IP address (139.59.209.225). That's all it does -- it is "Domain Name System"

To isolate your network, you need to use routing.. typically NAT + firewall is used, but if you have control over the upstream rotuer, you can setup a non-NAT routed configuration and setup the firewall to prevent your neighbors from accessing your devices.

That is rather hard to believe unless you're using a really old or low end device. What are you using? Are you using OpenWrt? Let's see the output of this:

ubus call system board

NPeca75 · July 20, 2023, 12:05pm

Hi

without over complicated L2 filtering ...
your only choice is to ask your landlord to enter static route in his device and give you static LAN address
ex:
existing network 192.168.0.0/24
your OWRT wan 192.168.0.58/24
your OWRT lan 192.168.10.1/24
static route on primary router: 192.168.10.0/24 via 192.168.0.58

psherman · July 21, 2023, 6:09am

I mentioned that, too, but the OP had mentioned that they cannot get the landlord to make any changes to the network for them.

This means that NAT Masquerading is the only option.

NPeca75 · July 21, 2023, 7:56am

sorry

looks like i skipped this part of your reply