The problem: A small business running card transactions, security cameras, and daily office operations off a single flat network with no segmentation, no firewall, and satellite internet as the only WAN option. The business needed a network architecture that could handle PCI compliance for payment processing while keeping operations running reliably in a rural environment.
Environment: Small business — office, service areas, and grounds
Internet: Internet → firewall → managed switch → wired and wireless endpoints
Security: PCI-compliant network segmentation for card transaction processing
Guest Wi-Fi: Not offered — deliberate decision to minimize attack surface on a PCI-compliant network
Network diagram (labels recovered from the image): Internet Router (internet gateway, bridge mode) → Firewall (firewall/router) → Network Switch (distribution) → Operations VLAN: phones, desktops, printer (wired); PCI VLAN: card reader (wired, isolated); Wi-Fi AP VLAN: access point; Untrusted Wi-Fi VLAN: cell phones (wireless, isolated); Staff Wi-Fi VLAN: laptops, cameras (wireless).
Device Inventory

| Device | Role | Connection | Notes |
|---|---|---|---|
| Internet Router | Internet gateway | WAN | Satellite internet, bridge mode — passthrough to firewall |
| Firewall | Security gateway | Wired | Network segmentation, PCI compliance, VPN |
| Network Switch | Distribution | Wired | Connects all wired endpoints and AP |
| Access Point | Wi-Fi | Wired | Serves laptops, mobile phones, cameras |
| Desktops | Workstations | Wired | Office machines, Windows 10/11 |
| Phones | Office phones | Wired | Desk phones for business operations |
| Printer | Office printer | Wired | Shared office printer |
| Card Reader | POS terminal | Wired | Payment processing, isolated on PCI VLAN |
| Laptops | Mobile workstations | Wireless | Staff Wi-Fi VLAN |
| Cameras | Security | Wireless | Staff Wi-Fi VLAN |
| Cell Phones | User devices | Wireless | Untrusted Wi-Fi VLAN — isolated, no inter-device communication |
VLAN Assignments

| VLAN ID | Name | Subnet | DHCP Range | Purpose |
|---|---|---|---|---|
| 10 | Operations | 192.168.10.0/24 | .100 – .200 | Phones, desktops, printer — daily business use |
| 20 | PCI | 192.168.20.0/24 | .100 – .110 | Card reader only — fully isolated for PCI compliance |
| 30 | AP Management | 192.168.30.0/24 | .100 – .110 | Access point management interface |
| 40 | Staff Wi-Fi | 192.168.40.0/24 | .100 – .200 | Staff laptops, security cameras — wireless |
| 50 | Untrusted Wi-Fi | 192.168.50.0/24 | .100 – .250 | Employee cell phones — internet only, fully isolated |
DHCP ranges are intentionally narrow on PCI and AP Management VLANs to limit the number of devices that can obtain an address.
Inter-VLAN Traffic Matrix

Read as: "Can [Row] talk to [Column]?"

| | Operations | PCI | AP Mgmt | Staff Wi-Fi | Untrusted | Internet |
|---|---|---|---|---|---|---|
| Operations | — | DENY | ALLOW | ALLOW | DENY | ALLOW |
| PCI | DENY | — | DENY | DENY | DENY | ALLOW * |
| AP Mgmt | DENY | DENY | — | DENY | DENY | ALLOW |
| Staff Wi-Fi | ALLOW ** | DENY | DENY | — | DENY | ALLOW |
| Untrusted | DENY | DENY | DENY | DENY | — | ALLOW |
* PCI internet access is restricted to payment processor endpoints only.
** Staff Wi-Fi → Operations is allowed for printer access from laptops.
Firewall Rules — Inter-VLAN

Rules are evaluated top-down. First match wins.

| # | Source | Destination | Protocol / Port | Action | Purpose |
|---|---|---|---|---|---|
| 1 | VLAN 20 (PCI) | Any local VLAN | Any | Deny | PCI isolation — no lateral movement |
| 2 | Any local VLAN | VLAN 20 (PCI) | Any | Deny | Nothing reaches the card reader |
| 3 | VLAN 50 (Untrusted) | Any local VLAN | Any | Deny | Cell phones cannot reach internal resources |
| 4 | Any local VLAN | VLAN 50 (Untrusted) | Any | Deny | Nothing reaches untrusted devices |
| 5 | VLAN 40 (Staff Wi-Fi) | VLAN 10 (Ops) | TCP 9100, 631 | Allow | Laptops can print (RAW + IPP) |
| 6 | VLAN 10 (Ops) | VLAN 30 (AP Mgmt) | TCP 443 | Allow | Admin desktop can manage the access point |
| 7 | VLAN 10 (Ops) | VLAN 40 (Staff Wi-Fi) | Any | Allow | Ops can reach staff devices for support |
| 8 | Any VLAN | Any VLAN | Any | Deny | Default deny — catch-all |
PCI Note: Rules 1 and 2 must remain at the top. The card reader VLAN has no path to any internal resource.
Firewall Rules — Outbound (WAN)

| # | Source | Destination | Protocol / Port | Action | Purpose |
|---|---|---|---|---|---|
| 1 | VLAN 20 (PCI) | Payment processor IPs | TCP 443 | Allow | Card reader → payment gateway (HTTPS only) |
| 2 | VLAN 20 (PCI) | Any | Any | Deny | Card reader cannot reach anything else on the internet |
| 3 | VLAN 10 (Ops) | Any | TCP 80, 443 | Allow | Web browsing |
| 4 | VLAN 10 (Ops) | Any | TCP 587, 993 | Allow | Email (SMTP submission + IMAP over TLS) |
| 5 | VLAN 10 (Ops) | Any | UDP 5060; UDP 10000–20000 | Allow | VoIP signaling (SIP) + media (RTP) |
| 6 | VLAN 10 (Ops) | VPN provider endpoints | UDP 1194; TCP 443 | Allow | VPN tunnel for privacy and security |
| 7 | VLAN 40 (Staff Wi-Fi) | Any | TCP 80, 443 | Allow | Web access for staff laptops |
| 8 | VLAN 40 (Staff Wi-Fi) | Camera cloud IPs | TCP 443; UDP 8554 | Allow | Security cameras → cloud storage/streaming |
| 9 | VLAN 50 (Untrusted) | Any | TCP 80, 443 | Allow | Internet-only for cell phones |
| 10 | VLAN 30 (AP Mgmt) | Vendor cloud | TCP 443 | Allow | AP firmware updates and cloud management |
| 11 | Any | Any | UDP 53 | Allow | DNS resolution (all VLANs) |
| 12 | Any | Any | Any | Deny | Default deny — catch-all |
Note: "Payment processor IPs" and "Camera cloud IPs" should be replaced with the actual IP ranges provided by those vendors.
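To make the "first match wins" evaluation concrete, here is an added example (not the case study's own firewall export) that models both the Inter-VLAN and the Outbound (WAN) rule tables above as ordered rules, answers "can this flow pass?" for any source, destination, protocol and port, and cross-checks the result against the Inter-VLAN Traffic Matrix. The vendor ranges (payment processor, camera cloud, VPN endpoints, vendor cloud) are placeholder RFC 5737 test networks, and the generic internet host 198.18.0.1 is likewise constructed; substitute the real ranges as the note above says.

```python
"""Added example, not the case study's own configuration: a first-match-wins model
of the Inter-VLAN and Outbound (WAN) rule tables, used to answer "can this flow
pass?" and to check the rules against the Inter-VLAN Traffic Matrix."""
from ipaddress import ip_address, ip_network

VLANS = {  # from the VLAN Assignments table
    "Ops": ip_network("192.168.10.0/24"),
    "PCI": ip_network("192.168.20.0/24"),
    "AP Mgmt": ip_network("192.168.30.0/24"),
    "Staff Wi-Fi": ip_network("192.168.40.0/24"),
    "Untrusted": ip_network("192.168.50.0/24"),
}
ANY, LOCAL = "any", "any local VLAN"
# Constructed placeholder vendor ranges (RFC 5737 test networks); fill in the real ones.
PAYMENT_PROCESSOR = [ip_network("203.0.113.0/24")]
CAMERA_CLOUD = [ip_network("198.51.100.0/24")]
VPN_ENDPOINTS = [ip_network("192.0.2.0/25")]
VENDOR_CLOUD = [ip_network("192.0.2.128/25")]

# (source, destination, protocol, port ranges or None for any, action, rule number)
INTER_VLAN = [
    ("PCI", LOCAL, ANY, None, "deny", 1),
    (LOCAL, "PCI", ANY, None, "deny", 2),
    ("Untrusted", LOCAL, ANY, None, "deny", 3),
    (LOCAL, "Untrusted", ANY, None, "deny", 4),
    ("Staff Wi-Fi", "Ops", "tcp", [(9100, 9100), (631, 631)], "allow", 5),
    ("Ops", "AP Mgmt", "tcp", [(443, 443)], "allow", 6),
    ("Ops", "Staff Wi-Fi", ANY, None, "allow", 7),
    (LOCAL, LOCAL, ANY, None, "deny", 8),
]
OUTBOUND = [  # rules with two protocols in the table are split into two entries
    ("PCI", PAYMENT_PROCESSOR, "tcp", [(443, 443)], "allow", 1),
    ("PCI", ANY, ANY, None, "deny", 2),
    ("Ops", ANY, "tcp", [(80, 80), (443, 443)], "allow", 3),
    ("Ops", ANY, "tcp", [(587, 587), (993, 993)], "allow", 4),
    ("Ops", ANY, "udp", [(5060, 5060), (10000, 20000)], "allow", 5),
    ("Ops", VPN_ENDPOINTS, "udp", [(1194, 1194)], "allow", 6),
    ("Ops", VPN_ENDPOINTS, "tcp", [(443, 443)], "allow", 6),
    ("Staff Wi-Fi", ANY, "tcp", [(80, 80), (443, 443)], "allow", 7),
    ("Staff Wi-Fi", CAMERA_CLOUD, "tcp", [(443, 443)], "allow", 8),
    ("Staff Wi-Fi", CAMERA_CLOUD, "udp", [(8554, 8554)], "allow", 8),
    ("Untrusted", ANY, "tcp", [(80, 80), (443, 443)], "allow", 9),
    ("AP Mgmt", VENDOR_CLOUD, "tcp", [(443, 443)], "allow", 10),
    (ANY, ANY, "udp", [(53, 53)], "allow", 11),
    (ANY, ANY, ANY, None, "deny", 12),
]

def is_local(ip):
    return any(ip in net for net in VLANS.values())

def _host_matches(spec, ip):
    if spec == ANY:
        return True
    if spec == LOCAL:
        return is_local(ip)
    if isinstance(spec, str):                # a VLAN name
        return ip in VLANS[spec]
    return any(ip in net for net in spec)    # an explicit vendor range list

def decide(src, dst, proto, port):
    """Return (action, rule number). The inter-VLAN table governs local
    destinations, the outbound table everything else; first match wins."""
    src, dst = ip_address(src), ip_address(dst)
    table = INTER_VLAN if is_local(dst) else OUTBOUND
    for rsrc, rdst, rproto, rports, action, number in table:
        if (_host_matches(rsrc, src) and _host_matches(rdst, dst)
                and rproto in (ANY, proto)
                and (rports is None or any(lo <= port <= hi for lo, hi in rports))):
            return action, number
    return "deny", None   # implicit deny if a table ever lacks its catch-all

PROBES = [("tcp", 443), ("tcp", 9100), ("tcp", 631), ("tcp", 22), ("udp", 53)]
# Stand-ins for the matrix's "Internet" column: one arbitrary public host (constructed)
# plus the first host of each placeholder vendor range.
INTERNET = ["198.18.0.1"] + [str(r[0][1]) for r in
                             (PAYMENT_PROCESSOR, CAMERA_CLOUD, VPN_ENDPOINTS, VENDOR_CLOUD)]

def reachable(src_vlan, dst_vlan):
    """True if at least one probe flow from src_vlan to dst_vlan (or the Internet) is allowed."""
    src = str(VLANS[src_vlan][100])
    dsts = INTERNET if dst_vlan == "Internet" else [str(VLANS[dst_vlan][100])]
    return any(decide(src, d, p, port)[0] == "allow" for d in dsts for p, port in PROBES)

MATRIX = {  # Inter-VLAN Traffic Matrix as published: row -> columns marked ALLOW
    "Ops": {"AP Mgmt", "Staff Wi-Fi", "Internet"},
    "PCI": {"Internet"},
    "AP Mgmt": {"Internet"},
    "Staff Wi-Fi": {"Ops", "Internet"},
    "Untrusted": {"Internet"},
}

def matrix_mismatches():
    """Cells where the rule tables disagree with the published matrix (empty means consistent)."""
    columns = list(VLANS) + ["Internet"]
    return sorted((r, c) for r in MATRIX for c in columns
                  if c != r and reachable(r, c) != (c in MATRIX[r]))

if __name__ == "__main__":
    print("matrix mismatches:", matrix_mismatches())
    for flow in [("192.168.20.5", "203.0.113.10", "tcp", 443),
                 ("192.168.20.5", "198.18.0.1", "udp", 53),
                 ("192.168.40.20", "192.168.10.50", "tcp", 9100)]:
        print(flow, "->", decide(*flow))
```

Two things the model makes visible that the tables alone do not: the matrix's ALLOW cells for Staff Wi-Fi → Operations and Operations → AP Mgmt are satisfied only by the printer ports and TCP 443 respectively, and because outbound rule 2 precedes rule 11, the PCI VLAN gets no UDP 53 to the WAN at all, which is consistent with DNS being forced to the firewall but means the card reader depends on the firewall's own resolver rather than any external one.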
Inbound Rules (WAN → LAN)

| # | Source | Destination | Protocol / Port | Action | Purpose |
|---|---|---|---|---|---|
| 1 | VPN provider endpoints | VLAN 10 (Ops) | UDP 1194; TCP 443 | Allow | Inbound VPN tunnel |
| 2 | Any | Any | Any | Deny | No unsolicited inbound traffic |
No ports are exposed directly to the internet.
Additional Security Measures

| Measure | Setting | Rationale |
|---|---|---|
| Content filtering | Enabled on VLAN 50 (Untrusted) | Block malware, phishing, and adult content categories on the cell phone network |
| DNS | Forced to firewall for all VLANs | Prevents devices from using external DNS to bypass filtering |
| UPnP | Disabled | Prevents devices from automatically opening ports |
| Firewall management | Cloud management — no local admin interface exposed | Managed via app or web dashboard; no ports open for router administration |
| Remote desktop | Chrome Remote Desktop — no ports exposed | Encrypted remote access for service maintenance; NAT traversal via Google relay, no open inbound ports |
| Firmware updates | Automatic via vendor cloud | Firewall receives patches without manual intervention |
| Guest Wi-Fi | Not configured | Deliberate decision — reduces attack surface on a PCI-compliant network |
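The "DNS forced to firewall" measure is only as good as its verification, since outbound rule 11 would otherwise let any VLAN reach any resolver on UDP 53. As an added example (not part of the case study), the script below audits constructed firewall flow-log lines and reports every DNS-port flow whose destination is not the firewall's own address on the source VLAN. The `key=value` log format and the convention that the firewall holds .1 on each VLAN are assumptions; the log lines are constructed, not real traffic.

```python
"""Added example, not from the case study: audit flow-log lines for DNS traffic that
does not terminate on the firewall's resolver (the "DNS forced to firewall" control)."""
from collections import Counter
from ipaddress import ip_address, ip_network

VLANS = {  # VLAN id -> subnet, from the VLAN Assignments table
    10: ip_network("192.168.10.0/24"), 20: ip_network("192.168.20.0/24"),
    30: ip_network("192.168.30.0/24"), 40: ip_network("192.168.40.0/24"),
    50: ip_network("192.168.50.0/24"),
}
# Port 853 (DNS over TLS) to a third party also sidesteps the firewall resolver and
# is worth flagging; DNS over HTTPS on 443 is not distinguishable by port alone.
DNS_PORTS = {53: "plain DNS", 853: "DNS over TLS"}

def gateway_for(ip):
    """(VLAN id, firewall address on that VLAN) for a local source, assuming the
    firewall holds .1 on every VLAN; (None, None) for anything else."""
    for vid, net in VLANS.items():
        if ip in net:
            return vid, net[1]
    return None, None

def parse(line):
    """Parse one constructed 'src= dst= proto= dport=' log line."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return (ip_address(fields["src"]), ip_address(fields["dst"]),
            fields["proto"], int(fields["dport"]))

def dns_bypass_events(lines):
    """Flows on a DNS port whose destination is not the source VLAN's firewall address."""
    events = []
    for line in lines:
        src, dst, proto, dport = parse(line)
        if dport not in DNS_PORTS:
            continue
        vid, gw = gateway_for(src)
        if vid is None:
            continue            # not sourced from one of our VLANs
        if dst != gw:
            events.append({"vlan": vid, "src": str(src), "dst": str(dst),
                           "proto": proto, "kind": DNS_PORTS[dport]})
    return events

def summarize(lines):
    """Count of bypass events per VLAN id."""
    return Counter(e["vlan"] for e in dns_bypass_events(lines))

SAMPLE_LOG = [  # constructed lines, not real traffic
    "src=192.168.10.50 dst=192.168.10.1 proto=udp dport=53",   # expected: firewall resolver
    "src=192.168.50.23 dst=8.8.8.8 proto=udp dport=53",        # phone pointed at an external resolver
    "src=192.168.50.23 dst=1.1.1.1 proto=tcp dport=853",       # DoT to a public resolver
    "src=192.168.40.12 dst=192.168.40.1 proto=udp dport=53",   # expected
    "src=192.168.40.12 dst=198.18.0.1 proto=tcp dport=443",    # ordinary HTTPS, not a DNS port
    "src=192.168.20.5 dst=203.0.113.10 proto=udp dport=53",    # card reader resolving elsewhere
]

if __name__ == "__main__":
    for event in dns_bypass_events(SAMPLE_LOG):
        print(event)
    print(dict(summarize(SAMPLE_LOG)))
```

A non-empty result on a VLAN means either the redirect to the firewall resolver is not applied there or a device is using encrypted DNS to a third party; an event from the PCI VLAN deserves attention first, since the card reader should never be resolving names anywhere but on the firewall.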