First post 
I am looking for some general advice on security for a subnet.
This network is a Caravan / Camping park. In the past, the Archer D9 was used to cordon off the Office LAN from the rest of the network using a NAT. The owner has come along and set up a VoIP server on 192.168.1.3, which is fine, but the multiple phones in the office don't like the NAT.
So I'm doing the best with what I have. I disabled the NAT on the Archer D9, which also forces its firewall to become unavailable. I configured a static route on the USG (Unifi Security Gateway) to route traffic from 192.168.0.0/24 out to the Internet. I then added some firewall rules on the USG to block traffic from 192.168.1.0/24 to 192.168.0.0/24, with an exception for the VoIP server. Works well. And seemingly achieves what we were trying to do.
But I'm worried that someone, Joe Public, could come along and connect to the public wifi, and do some nefarious IP spoofing or masquerading, gaining access to the Office LAN. Perhaps they could set their hosts default gateway to 192.168.1.4 and off they go. I'm not sure.
So the question is, will a device configured to operate purely as a router, with no NAT and no firewall, only accept packets on its WAN port that have been routed by its default gateway? Or is a firewall traditionally required in these circumstances?
I am looking for some general advice on security for a subnet.
This network is a Caravan / Camping park. In the past, the Archer D9 was used to cordon off the Office LAN from the rest of the network using a NAT. The owner has come along and set up a VoIP server on 192.168.1.3, which is fine, but the multiple phones in the office don't like the NAT.
So I'm doing the best with what I have. I disabled the NAT on the Archer D9, which also forces its firewall to become unavailable. I configured a static route on the USG (Unifi Security Gateway) to route traffic from 192.168.0.0/24 out to the Internet. I then added some firewall rules on the USG to block traffic from 192.168.1.0/24 to 192.168.0.0/24, with an exception for the VoIP server. Works well. And seemingly achieves what we were trying to do.
But I'm worried that someone, Joe Public, could come along and connect to the public wifi, and do some nefarious IP spoofing or masquerading, gaining access to the Office LAN. Perhaps they could set their hosts default gateway to 192.168.1.4 and off they go. I'm not sure.
So the question is, will a device configured to operate purely as a router, with no NAT and no firewall, only accept packets on its WAN port that have been routed by its default gateway? Or is a firewall traditionally required in these circumstances?