this post was submitted on 25 Nov 2023
Home Networking
I'm not sure I understand the need/concern here; you're jumping straight to the solution you want, not necessarily need.
What form factor are the POS terminals? iPads, Windows, custom? By default they won't allow incoming connections anyway. If you've got them locked down to a kiosk mode so they only run the POS software and users can't play with any settings then they're only going to reach out to legit destinations.
You also need to ensure the terminals are kept up to date; aggressively patch them.
Most routers now have a guest network mode. The simplest network protection for you right now is probably to put your terminals on the main network and everyone else uses the guest network or vice versa.
Nah, you aren't understanding what he asked for.
Old configuration:
- POS terminals on a local, non-internet-connected network.
- Debt machines on a separate network that is connected to the internet.
- Debt machines connected to POS terminals via serial cable.
New setup:
- Debt machines will communicate with POS terminals through the TCP/IP network.
- Therefore, the POS machines will theoretically now have network access to the internet.
Yeah I got that. I don't see the issue though. The previous connection could still be exploited, it's not like the serial cable stops comms.
I don't see the issue with the POS terminals having access to the internet. It's not going to allow inbound connections and the outbound connections will make it much easier to keep them up to date.
Unless I'm missing something here it sounds like they're trying to make their network unnecessarily complex for no security gain.
You are 100% correct that his systems weren't air gapped before and they aren't air gapped going forward.
That doesn't mean that there is no point doing anything in the middle.
Some people are very paranoid about having financial data on any system that can access the internet. I was treating this as beside the point of the question OP asked and was keeping the status quo. It is possible they are running outdated software that cannot have security vulnerabilities patched and that a decision somewhere has been made to keep these devices off of direct internet access.
There is nothing wrong with that.
Absolutely agree. If he's running POSs with outdated software then keeping it away from the internet is sensible. I think we're all making assumptions and we need more info on the devices, software, and the other use cases for the network before we can give any concrete advice.