
How to restrict access to the internet for some computers on the network?


I’d like to differentiate machines (or, possibly, users) on my small business network so that only some of them have access to the internet. The solution I’ve been using to this day is quite terrible: clients which should have access to the internet are given a specific IP address based on their MAC address or identifier.

In turn, the firewall has different settings for those predefined IP addresses.

This is poor both in matters of security and usability: changing the IP of a client is even easier than spoofing a MAC address. Moreover, adding a new machine to the network implies adding an entry on the DNS server and modifying the firewall settings.

What would be the proper way to restrict access to the internet by clients (or, possibly, users)?

Some details about the environment:

  • it’s for a small business network which doubles as a home network;
  • there are about 15 users + guests;
  • there are about 23 clients on the network + 10 mobile clients;
  • some clients need access to the LAN only, some others (mostly phones) need access to the WAN only, others (access points) to both;
  • 2 main NASes, 1 backup NAS and a few home NASes for client backups;
  • a Cisco 1921 router with an outdated, no IPsec IOS;
  • a Netgear FS 526T switch;
  • 2 Wireless Access Points, the model of which escapes me right now; I believe they’re part of the Cisco Small Business range;
  • the utter lack of business lately means that investments above a few hundred euros are probably unreasonable.
