by GICodeWarrior 3736 days ago
If you buy a business type router, a similar wireless AP, and some "smart" switches, you can actually segregate things pretty well.

Examples:

Ubiquiti EdgeRouter Lite https://www.ubnt.com/edgemax/edgerouter-lite/

Ubiquiti UniFi AP AC Lite https://www.ubnt.com/unifi/unifi-ap-ac-lite/

Netgear Web Managed Plus switches http://www.netgear.com/business/products/switches/unmanaged-...

$238.98 on Amazon (before tax/shipping) for the ER Lite, UniFi AC Lite, and the GS108E 8-port switch.

The key here is to have network gear that supports VLANs and VLAN trunking (802.1q).

On the ER Lite, you set up separate VLANs (networks) for each class of device just as you said. You can control what traffic can go from one network to the others via firewall rules. So, just as you said, your laptop can access everything, while your wall switches can't get anywhere.

Each VLAN will have a number associated with it, I recommend starting at 100 or something and going up from there (the Netgear switches treat VLANs 1-3 as special). There are up to 4096 VLANs available.

Tell each switch about which VLANs are coming and going on each port. For actual devices (e.g. an IP camera hard-wired) you want to have the port Untagged with the PVID and Untagged VLAN being the VLAN for that class of device. For traffic between switches and the AP, mark every VLAN in use as Tagged on those ports.

Tagging puts an extra header on the Ethernet frames so that the devices on either end know the traffic is for a different network.

On the wireless AP, send all the VLANs into it as tagged. Then create separate SSIDs for each VLAN with separate credentials. I recommend hiding the SSIDs (disable SSID broadcast) for this, not for security, but for sanity.

With all that setup, you can set arbitrarily broad or specific rules on your router as to which traffic will be routed between vlans and the internet.

As said in another comment, you can use "dumb" switches still, but they won't understand VLAN traffic. So every device on the switch will have access to the same network(s).

One important caveat about separation like this is that devices normally discover each other via broadcast traffic. Since each VLAN is a separate broadcast domain, only devices on one VLAN will discover each other. This may or may not matter for your devices. For example, you probably connect to an IP camera directly rather than via discovery. However, for a Chromecast there would be discovery needed.

For many devices, they use mDNS for discovery. There is an mDNS reflector service on the EdgeRouter that can be used to replicate discovery packets on another network. That way your laptop can discover devices on other VLANs.

All that said, while it isn't outrageously expensive to accomplish this, it will be time consuming to configure properly. ;-)
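The EdgeRouter side of the setup the comment describes, as an added example and not the commenter's own configuration: VLAN 100 (trusted laptops) and VLAN 200 (cameras, wall switches), the 192.168.100.0/24 and 192.168.200.0/24 subnets, and eth1 as the trunk port to the switch are all assumptions. The switch and AP still need the tagged/untagged port settings described above.

```text
configure

# eth1 is the trunk to the GS108E; one sub-interface per VLAN (assumed IDs/subnets)
set interfaces ethernet eth1 description "trunk to switch"
set interfaces ethernet eth1 vif 100 description TRUSTED
set interfaces ethernet eth1 vif 100 address 192.168.100.1/24
set interfaces ethernet eth1 vif 200 description IOT
set interfaces ethernet eth1 vif 200 address 192.168.200.1/24

# DHCP and DNS forwarding so each VLAN gets addresses in its own subnet
set service dhcp-server shared-network-name TRUSTED subnet 192.168.100.0/24 default-router 192.168.100.1
set service dhcp-server shared-network-name TRUSTED subnet 192.168.100.0/24 dns-server 192.168.100.1
set service dhcp-server shared-network-name TRUSTED subnet 192.168.100.0/24 start 192.168.100.100 stop 192.168.100.200
set service dhcp-server shared-network-name IOT subnet 192.168.200.0/24 default-router 192.168.200.1
set service dhcp-server shared-network-name IOT subnet 192.168.200.0/24 dns-server 192.168.200.1
set service dhcp-server shared-network-name IOT subnet 192.168.200.0/24 start 192.168.200.100 stop 192.168.200.200
set service dns forwarding listen-on eth1.100
set service dns forwarding listen-on eth1.200

# Private address space the IoT VLAN must never reach on its own
set firewall group network-group PRIVATE network 10.0.0.0/8
set firewall group network-group PRIVATE network 172.16.0.0/12
set firewall group network-group PRIVATE network 192.168.0.0/16

# Traffic from IoT passing through the router: replies to connections the
# trusted side opened are fine, anything else toward private space is dropped,
# internet-bound traffic is allowed by the default action.
set firewall name IOT_IN default-action accept
set firewall name IOT_IN rule 10 description "established/related"
set firewall name IOT_IN rule 10 action accept
set firewall name IOT_IN rule 10 state established enable
set firewall name IOT_IN rule 10 state related enable
set firewall name IOT_IN rule 20 description "block IoT -> other VLANs"
set firewall name IOT_IN rule 20 action drop
set firewall name IOT_IN rule 20 destination group network-group PRIVATE
set interfaces ethernet eth1 vif 200 firewall in name IOT_IN

# Traffic from IoT aimed at the router itself: only DHCP and DNS
set firewall name IOT_LOCAL default-action drop
set firewall name IOT_LOCAL rule 10 action accept
set firewall name IOT_LOCAL rule 10 state established enable
set firewall name IOT_LOCAL rule 10 state related enable
set firewall name IOT_LOCAL rule 20 action accept
set firewall name IOT_LOCAL rule 20 protocol udp
set firewall name IOT_LOCAL rule 20 destination port 53,67
set interfaces ethernet eth1 vif 200 firewall local name IOT_LOCAL

# Reflect mDNS between VLANs so the laptop can still find a Chromecast on IOT
set service mdns reflector

commit
save
```

The trusted VLAN gets no inbound filter, so a laptop on 192.168.100.0/24 can open connections to 192.168.200.0/24 and rule 10 lets the replies back; the IoT side cannot initiate toward the trusted side.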

1 comments

I tried this. I have a reasonable AP and a reasonable switch (don't remember brand and type by heart) but getting VLANs and wifi nets configured correctly and so that all devices work correctly, and easy enough to use is very hard. I'm no networking expert but I like to think I know the basics, but I gave up on VLANing after several days of getting nowhere.