Separate network for POS

Modifyinc

My wife has a small shop that she runs, and she will be adding a POS (Point of Sale) that requires it to be on a separate network. I realize there are probably a few different ways to do this, some being very expensive. Since it's just a small store with only the POS and one other PC, and maybe some cameras later, what's the more practical and affordable way to go about this? I thought about the SonicWall TZ500, but $1300 just to separate the network seems a bit much. There has to be a more cost effective solution for a basic setup like hers that still complies with the required policies.

Any suggestions?


If you need easy separation/segmentation then perhaps a Firewalla Gold, but that's still a few hundred bucks alone. Another option is to get a simple managed switch which supports VLANs and a router which can do 802.1q trunking; so long as it supports ACLs to block the POS system from talking to anything else and vice versa, that would do it as well. You could get a PoE switch to support cameras down the line and then toss in a pfSense box or something as the firewall/router and block the POS VLAN from talking to anything else and vice versa, as mentioned earlier.


42 minutes ago, Lurick said:

If you need easy separation/segmentation then perhaps a Firewalla Gold, but that's still a few hundred bucks alone. Another option is to get a simple managed switch which supports VLANs and a router which can do 802.1q trunking; so long as it supports ACLs to block the POS system from talking to anything else and vice versa, that would do it as well. You could get a PoE switch to support cameras down the line and then toss in a pfSense box or something as the firewall/router and block the POS VLAN from talking to anything else and vice versa, as mentioned earlier.

What about the UniFi Security Gateway? It says it can create VLANs and it's only $139. Would I still need a router which can do 802.1q trunking or anything else?

Edit: Actually it is a router, so I guess disregard the 802.1q question.

Edited by Modifyinc

50 minutes ago, Modifyinc said:

I thought about the SonicWall TZ500, but $1300 just to separate the network seems a bit much. There has to be a more cost effective solution for a basic setup like hers that still complies with the required policies.

For the SonicWalls (I work with them), it's also another few hundred a year for licenses for the full features.

But you can probably get away with a much lower end model.

What are your exact requirements? I'd probably get a low end MikroTik or EdgeRouter here; they should be only like 100 bucks or so.

1 minute ago, Modifyinc said:

What about the UniFi Security Gateway? It says it can create VLANs and it's only $139. Would I still need a router which can do 802.1q trunking or anything else?

I don't think you would need VLANs, just plug the POS system into the port for its network, and the rest of the network into the other port.

How much bandwidth do you need?

I'd probably get the EdgeRouter unless you already have UniFi devices.


21 minutes ago, Electronics Wizardy said:

For the SonicWalls (I work with them), it's also another few hundred a year for licenses for the full features.

But you can probably get away with a much lower end model.

What are your exact requirements? I'd probably get a low end MikroTik or EdgeRouter here; they should be only like 100 bucks or so.

I don't think you would need VLANs, just plug the POS system into the port for its network, and the rest of the network into the other port.

How much bandwidth do you need?

I'd probably get the EdgeRouter unless you already have UniFi devices.

They just said to make sure the POS is separate from her main network. They said she didn't need two modems either, just that the POS can't be accessed from the other network.

Her internet is around 75 Mbps, so it would be nice to maintain speeds up to what she's paying for, or close to it.

She does not have any UniFi devices currently.

Which EdgeRouter were you referring to? The EdgeRouter X is only $59, but I don't believe it separates the network.


3 minutes ago, Modifyinc said:

They just said to make sure the POS is separate from her main network. They said she didn't need two modems either, just that the POS can't be accessed from the other network.

Her internet is around 75 Mbps, so it would be nice to maintain speeds up to what she's paying for, or close to it.

She does not have any UniFi devices currently.

Which EdgeRouter were you referring to? The EdgeRouter X is only $59, but I don't believe it separates the network.

The EdgeRouter X should be able to do what you need. It can have multiple LAN networks, and then you set up firewall rules so the LANs can't talk to each other but can both talk to the WAN connection.


Why not try something much simpler: on the router/AP just configure a second wireless network / guest network and enable AP isolation, or set up a 2.4GHz network for the POS with AP isolation and leave 5GHz for the PC.

JP


19 hours ago, JP! said:

Why not try something much simpler: on the router/AP just configure a second wireless network / guest network and enable AP isolation, or set up a 2.4GHz network for the POS with AP isolation and leave 5GHz for the PC.

JP

I would be a bit wary about putting a POS terminal on a wireless network even if it has wireless security/encryption. With the right tools and time, wireless security can be breached and packets intercepted.

Furthermore, I'd never put a POS terminal on a WiFi connection and add wireless interruptions to a piece of equipment that needs to be working 100% of the time.


I thought it was a WiFi POS; I didn't know POS manufacturers were still making them with wired connectivity.

We are talking about a PCI certified terminal for credit/debit card transactions, right?

JP


18 hours ago, JP! said:

I thought it was a WiFi POS; I didn't know POS manufacturers were still making them with wired connectivity.

We are talking about a PCI certified terminal for credit/debit card transactions, right?

JP

POS is the till itself, not the payment terminal. The payment terminal may be part of that POS, or not. In smaller stores it often is not, and connects over the cell network or WiFi (older units over traditional telephone lines).

Router:  Intel N100 (pfSense) WiFi6: Zyxel NWA210AX (1.7Gbit peak at 160Mhz)
WiFi5: Ubiquiti NanoHD OpenWRT (~500Mbit at 80Mhz) Switches: Netgear MS510TXUP, MS510TXPP, GS110EMX
ISPs: Zen Full Fibre 900 (~930Mbit down, 115Mbit up) + Three 5G (~800Mbit down, 115Mbit up)
Upgrading Laptop/Desktop CNVIo WiFi 5 cards to PCIe WiFi6e/7


On 9/15/2020 at 3:55 PM, Falcon1986 said:

@Modifyinc

I'd just get the EdgeRouter-X for $60, make it your primary router, and create a segregated network through one of the eth ports for the POS.

Here's a video on how to do that.

This looks promising. I wonder though if I really need all those firewall rules to make it actually work. Below is a quick view of them.

configure
set firewall group network-group PROTECT_NETWORKS
set firewall group network-group PROTECT_NETWORKS description "Protected Networks"
set firewall group network-group PROTECT_NETWORKS network 192.168.0.0/16
set firewall group network-group PROTECT_NETWORKS network 172.16.0.0/12
set firewall group network-group PROTECT_NETWORKS network 10.0.0.0/8
set firewall name BLOCK_IN
set firewall name BLOCK_IN default-action accept
set firewall name BLOCK_IN rule 10 action accept
set firewall name BLOCK_IN rule 10 description "Accept Established/Related"
set firewall name BLOCK_IN rule 10 protocol all
set firewall name BLOCK_IN rule 10 state established enable
set firewall name BLOCK_IN rule 10 state related enable
set firewall name BLOCK_IN rule 20 action drop
set firewall name BLOCK_IN rule 20 description "Drop PROTECT_NETWORKS"
set firewall name BLOCK_IN rule 20 destination group network-group PROTECT_NETWORKS
set firewall name BLOCK_IN rule 20 protocol all
set firewall name BLOCK_LOCAL
set firewall name BLOCK_LOCAL default-action drop
set firewall name BLOCK_LOCAL rule 10 action accept
set firewall name BLOCK_LOCAL rule 10 description "Accept DNS"
set firewall name BLOCK_LOCAL rule 10 destination port 53
set firewall name BLOCK_LOCAL rule 10 protocol udp
set firewall name BLOCK_LOCAL rule 20 action accept
set firewall name BLOCK_LOCAL rule 20 description "Accept DHCP"
set firewall name BLOCK_LOCAL rule 20 destination port 67
set firewall name BLOCK_LOCAL rule 20 protocol udp
commit
set interfaces ethernet eth1 firewall in name BLOCK_IN
set interfaces ethernet eth1 firewall local name BLOCK_LOCAL
commit
save
exit

MAKE SURE TO CHANGE THE INTERFACES IN THE LAST TWO SET COMMANDS TO MATCH YOUR PHYSICAL INTERFACE OR VLAN!!!!!!!!!!!!!!!!!!
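
To answer the "do I really need all those rules" question concretely, and to illustrate Electronics Wizardy's earlier point about two LANs that cannot talk to each other but both reach the WAN, here is an added Python example. It is not EdgeOS code and not part of any post in this thread: it parses the `set` lines from the rule set above into network groups, rule sets and interface bindings, then evaluates a handful of constructed flows the way EdgeOS does (lowest rule number first, first match wins, otherwise the rule set's default-action). The interface roles (eth1 = POS port, eth0 = shop LAN), the host addresses and the 203.0.113.10 "card processor" are assumptions. Running it shows why each rule is there: rule 20 drops new connections from the POS toward any RFC 1918 network, rule 10 lets replies through, the default accept lets everything else reach the Internet, and BLOCK_LOCAL leaves only DNS and DHCP open to the router itself. It also shows the one gap a defender should notice: with BLOCK_IN bound only to eth1, a connection started from the shop PC toward the POS crosses no bound rule set at all, so the original requirement ("the POS can't be accessed from the other network") needs an equivalent rule set on the shop-LAN interface too.

```python
"""Offline evaluator for the EdgeOS rule set posted above (added example, not EdgeOS code).

parse_config() reads `set firewall ...` / `set interfaces ...` lines into network groups,
rule sets and interface bindings; evaluate() applies one rule set the way EdgeOS does.
"""
import ipaddress

# The posted rule set minus its description/commit/save lines (they do not affect
# matching).  Assumption: eth1 is the POS port and eth0 the shop LAN.
EDGEOS_CONFIG = """
set firewall group network-group PROTECT_NETWORKS network 192.168.0.0/16
set firewall group network-group PROTECT_NETWORKS network 172.16.0.0/12
set firewall group network-group PROTECT_NETWORKS network 10.0.0.0/8
set firewall name BLOCK_IN default-action accept
set firewall name BLOCK_IN rule 10 action accept
set firewall name BLOCK_IN rule 10 protocol all
set firewall name BLOCK_IN rule 10 state established enable
set firewall name BLOCK_IN rule 10 state related enable
set firewall name BLOCK_IN rule 20 action drop
set firewall name BLOCK_IN rule 20 destination group network-group PROTECT_NETWORKS
set firewall name BLOCK_IN rule 20 protocol all
set firewall name BLOCK_LOCAL default-action drop
set firewall name BLOCK_LOCAL rule 10 action accept
set firewall name BLOCK_LOCAL rule 10 destination port 53
set firewall name BLOCK_LOCAL rule 10 protocol udp
set firewall name BLOCK_LOCAL rule 20 action accept
set firewall name BLOCK_LOCAL rule 20 destination port 67
set firewall name BLOCK_LOCAL rule 20 protocol udp
set interfaces ethernet eth1 firewall in name BLOCK_IN
set interfaces ethernet eth1 firewall local name BLOCK_LOCAL
"""


def parse_config(text):
    groups, rulesets, bindings = {}, {}, {}
    for line in text.strip().splitlines():
        p = line.split()
        if p[:3] == ["set", "firewall", "group"] and p[5:6] == ["network"]:
            groups.setdefault(p[4], []).append(ipaddress.ip_network(p[6]))
        elif p[:3] == ["set", "firewall", "name"]:
            rs = rulesets.setdefault(p[3], {"default": "drop", "rules": {}})
            if p[4:5] == ["default-action"]:
                rs["default"] = p[5]
            elif p[4:5] == ["rule"] and len(p) >= 8:
                rule = rs["rules"].setdefault(int(p[5]), {"states": set()})
                key = p[6:]
                if key[0] == "action":
                    rule["action"] = key[1]
                elif key[0] == "protocol":
                    rule["protocol"] = key[1]
                elif key[0] == "state" and key[2:3] == ["enable"]:
                    rule["states"].add(key[1])          # established / related
                elif key[:3] == ["destination", "group", "network-group"]:
                    rule["dst_group"] = key[3]
                elif key[:2] == ["destination", "port"]:
                    rule["dst_port"] = int(key[2])
        elif p[:3] == ["set", "interfaces", "ethernet"] and p[4:5] == ["firewall"]:
            bindings[(p[3], p[5])] = p[7]               # (iface, in|out|local) -> rule set
    return groups, rulesets, bindings


def evaluate(ruleset, groups, pkt):
    """'accept' or 'drop' for one packet: first matching rule wins, else default-action."""
    dst = ipaddress.ip_address(pkt["dst"])
    for num in sorted(ruleset["rules"]):
        r = ruleset["rules"][num]
        if r.get("protocol", "all") not in ("all", pkt["proto"]):
            continue
        if r["states"] and pkt["state"] not in r["states"]:
            continue
        if "dst_group" in r and not any(dst in net for net in groups[r["dst_group"]]):
            continue
        if "dst_port" in r and pkt.get("dport") != r["dst_port"]:
            continue
        return r["action"]
    return ruleset["default"]


def evaluate_on(cfg, iface, direction, pkt):
    """Apply the rule set bound to (iface, direction); with none bound EdgeOS just forwards."""
    groups, rulesets, bindings = cfg
    name = bindings.get((iface, direction))
    return "unfiltered" if name is None else evaluate(rulesets[name], groups, pkt)


# Constructed flows: POS 192.168.2.10 behind eth1, shop PC 192.168.1.20 behind eth0,
# router at 192.168.2.1, 203.0.113.10 (TEST-NET-3) standing in for the card processor.
SAMPLE_FLOWS = {
    "pos_to_shop_pc_new":   ("eth1", "in",    dict(dst="192.168.1.20", proto="tcp", dport=445, state="new")),
    "pos_to_processor_new": ("eth1", "in",    dict(dst="203.0.113.10", proto="tcp", dport=443, state="new")),
    "pos_reply_to_shop_pc": ("eth1", "in",    dict(dst="192.168.1.20", proto="tcp", dport=51000, state="established")),
    "pos_dns_to_router":    ("eth1", "local", dict(dst="192.168.2.1", proto="udp", dport=53, state="new")),
    "pos_dhcp_to_router":   ("eth1", "local", dict(dst="255.255.255.255", proto="udp", dport=67, state="new")),
    "pos_webui_to_router":  ("eth1", "local", dict(dst="192.168.2.1", proto="tcp", dport=443, state="new")),
    "shop_pc_to_pos_new":   ("eth0", "in",    dict(dst="192.168.2.10", proto="tcp", dport=445, state="new")),
}


def check_flows(config_text=EDGEOS_CONFIG):
    """Verdict for every sample flow under the parsed configuration."""
    cfg = parse_config(config_text)
    return {n: evaluate_on(cfg, i, d, pkt) for n, (i, d, pkt) in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, verdict in check_flows().items():
        print(f"{name:22s} -> {verdict}")
```

Run it with `python3` and it prints one verdict per flow. The "unfiltered" verdict for `shop_pc_to_pos_new` is the point to act on: bind a rule set with the same shape (accept established/related, drop new connections into the POS subnet) to the shop-LAN interface, or use the EdgeRouter wizard mentioned later in the thread, which sets both directions up for you.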

On 9/17/2020 at 1:58 PM, Modifyinc said:

This looks promising. I wonder though if I really need all those firewall rules to make it actually work. Below is a quick view of them.

Some advanced EdgeRouter firewall configuration must be done through the CLI. Those scripts just get a bunch of things done in one go.

But you can still achieve 2 separate LANs sharing the same WAN using the graphical interface. There's a built-in wizard to guide you.

On 9/18/2020 at 5:16 PM, Falcon1986 said:

Some advanced EdgeRouter firewall configuration must be done through the CLI. Those scripts just get a bunch of things done in one go.

But you can still achieve 2 separate LANs sharing the same WAN using the graphical interface. There's a built-in wizard to guide you.

Great! Can't wait to try this.
