XSTRA
XFORCE LanSecure
Secure, Zero-Trust LAN segmentation, device and guest isolation, and network access control, designed and supported by XSTRA.
Overview
Scope: Customer site LANs
XFORCE LanSecure is XSTRA’s structured LAN security solution for client sites that need safer wired networks, protected guest and staff Wi-Fi, controlled public access, and stronger separation between staff systems, guest users, shared devices, and management infrastructure.
Many business networks allow devices to see each other simply because they are connected to the same switch or Wi-Fi network. This creates unnecessary risk. XFORCE LanSecure delivers a Zero-Trust (or Deny by Default) office network that reduces risk by segmenting the network, isolating all devices, and allowing only the traffic that is specifically required.
The outcome
All client endpoints and, if approved, guest or public devices can access the Internet and other services without being able to freely browse, scan, or attack the client’s internal network.
Why LAN security matters
A firewall at the edge of the network is important, but it does not automatically protect devices from each other once they are already inside the LAN.
The common problem
  • Guest Wi-Fi users may be able to see other users or internal devices.
  • Public wired ports may provide direct access to the venue network.
  • Printers, POS systems, cameras, routers, switches, and servers may be unnecessarily exposed.
  • Compromised devices may be able to scan and attack other systems on the same network.
  • Management interfaces may be reachable from places they should never be reachable from.
The XFORCE LanSecure answer
XFORCE LanSecure breaks the network into controlled security zones. Devices only get access to what they need. Everything else is blocked by design. Across all wired and wireless infrastructure, devices in the same zone cannot communicate directly with each other unless permitted to.
How XFORCE LanSecure works
XFORCE LanSecure uses a combination of MikroTik routing and switching, VLAN segmentation, switch-level client isolation, router firewall rules, and UniFi guest Wi-Fi controls.
Layer | Security Function
MikroTik Router | Controls traffic between VLANs, blocks guest access to internal networks, and permits only approved destinations.
MikroTik Switches | Use Horizon or switch isolation to stop devices on the same switch from communicating directly.
VLAN Segmentation | Separates guest wired, guest Wi-Fi, staff Wi-Fi, staff LAN, shared services, and management infrastructure.
UniFi Guest Wi-Fi | Provides guest SSID, captive portal, client isolation, and controlled guest access.
Shared Services VLAN | Allows controlled access to approved shared devices such as guest printers or kiosks without exposing the rest of the LAN.
Reference design
The exact design is tailored to each customer site, but a typical XFORCE LanSecure deployment uses the following model as an example.
Network Zone | Example VLAN | Purpose
Operations LAN | 10 | Servers, POS systems, and private business systems.
Client Wired – Switch 1 | 101 | Wired ports on Switch 1 with local client isolation.
Client Wired – Switch 2 | 102 | Wired ports on Switch 2 with inter-switch traffic controlled at the router.
Guest Wi-Fi | 120 | UniFi guest SSID with captive portal and client isolation.
Shared Services | 150 | Approved staff and/or guest-accessible resources such as printers, kiosks, or signage systems.
Management | 999 | Routers, switches, access points, monitoring, and infrastructure administration.
Business benefits
  • Improved cybersecurity posture through stronger network segmentation and reduced attack surface.
  • Reduced ransomware spread risk by limiting lateral movement between devices.
  • Safer guest Wi-Fi with captive portal, client isolation, and restricted LAN access.
  • Safer client wired ports for venues, shared workspaces, accommodation, public areas, kiosks, and visitor zones.
  • Better protection for POS, printers, cameras, servers, and management interfaces.
  • Cleaner compliance story by demonstrating intentional network separation and default-deny access control.
  • Flexible shared-resource access where staff and/or guests need limited access to approved printers, kiosks, or public systems.
  • Designed for real-world SMB and venue environments using practical, cost-effective network controls.
Security outcomes
Traffic Type | Default Result | Reason
Guest to Internet | Allowed | Public and guest users still receive usable Internet access.
Guest to Guest | Blocked | Reduces scanning, malware spread, and device-to-device attacks.
Guest to Venue LAN | Blocked | Protects staff devices, business systems, servers, and POS.
Guest to Management | Blocked | Protects routers, switches, access points, and admin interfaces.
Guest to Shared Services | Allowed only as required | Enables approved services without exposing the broader network.
Zero Trust aligned
XFORCE LanSecure follows a practical Zero Trust principle: do not allow internal access simply because a device is connected to the network. Access must be intentionally designed, approved, and controlled.
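Added example (not XSTRA's code or configuration): the Security outcomes table expressed as an allow-list with default deny, used to audit the results of a guest isolation test. The subnets, the approved printer address and port, and the test observations are constructed; the page gives only the VLAN IDs.

```python
import ipaddress

# Assumed addressing: the page lists VLAN IDs only, so these subnets are constructed.
ZONES = {
    "operations": "10.0.10.0/24",   # VLAN 10
    "guest_wifi": "10.0.120.0/24",  # VLAN 120
    "shared": "10.0.150.0/24",      # VLAN 150
    "management": "10.0.99.0/24",   # VLAN 999
}
NETS = {zone: ipaddress.ip_network(net) for zone, net in ZONES.items()}

# Allow rules only; any flow that matches none of them is denied.
# (source zone, destination zone, destination host or None, destination port or None)
ALLOW = [
    ("guest_wifi", "internet", None, None),        # Guest to Internet
    ("guest_wifi", "shared", "10.0.150.20", 631),  # constructed: one approved printer
]

def zone_of(ip):
    # Addresses outside every site subnet are treated as Internet.
    addr = ipaddress.ip_address(ip)
    return next((zone for zone, net in NETS.items() if addr in net), "internet")

def decide(src, dst, port):
    """Return the result the policy expects for one flow."""
    s, d = zone_of(src), zone_of(dst)
    for rule_src, rule_dst, host, rule_port in ALLOW:
        if (rule_src, rule_dst) == (s, d) and host in (None, dst) and rule_port in (None, port):
            return "allow"
    return "deny"  # guest to guest, venue LAN, management, and anything unlisted

def audit(observations):
    """Compare observed test results with policy and return the mismatches."""
    findings = []
    for src, dst, port, observed in observations:
        want = decide(src, dst, port)
        if observed != want:
            findings.append((zone_of(src), zone_of(dst), dst, port, want, observed))
    return findings

# Constructed observations from a guest Wi-Fi client: (src, dst, port, observed result)
SAMPLE = [
    ("10.0.120.50", "203.0.113.10", 443, "allow"),
    ("10.0.120.50", "10.0.120.51", 445, "deny"),
    ("10.0.120.50", "10.0.10.5", 3389, "deny"),
    ("10.0.120.50", "10.0.99.1", 8291, "allow"),   # management reachable from guest
    ("10.0.120.50", "10.0.150.20", 631, "allow"),
    ("10.0.120.50", "10.0.150.20", 80, "allow"),   # wider than the approved service
]
```

Running audit(SAMPLE) reports the two flows that were observed as allowed although the policy denies them: guest to management, and guest to the printer on a port that was not approved.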
Who should consider XFORCE LanSecure?
  • Hotels, clubs, pubs, restaurants, and hospitality venues
  • Medical, allied health, and professional services offices
  • Childcare, education, community, and non-profit organisations
  • Retail sites with POS systems and public Wi-Fi
  • Shared offices, coworking spaces, and multi-tenant buildings
  • Warehouses, depots, and industrial sites with mixed trusted and untrusted devices
  • Any business offering guest Wi-Fi or public network access
XSTRA delivery approach
Designed, implemented, documented, and supported by XSTRA
  • Review existing network design, switches, Wi-Fi, VLANs, and firewall rules
  • Identify trusted, untrusted, shared, and management network zones
  • Design a practical VLAN and firewall model for the site
  • Configure MikroTik routing, switching, firewall, and Horizon isolation where applicable
  • Configure UniFi guest Wi-Fi, captive portal, and client isolation
  • Test guest isolation, internal access blocking, Internet access, and approved shared services
  • Document the final network design for support and future change control
  • Provide ongoing support, monitoring, and improvement recommendations
Practical, not theoretical
XFORCE LanSecure is designed for real customer environments. It is suitable for sites with a single switch, multi-switch venues, mixed wired and wireless access, public areas, and locations where guests need Internet access but should not have access to internal systems.
Before and after
Area | Typical Unsegmented LAN | With XFORCE LanSecure
Guest Wi-Fi | May have visibility of other clients or internal systems | Captive portal, client isolation, and restricted internal access
Public wired ports | Often connected directly to the internal LAN | Placed into isolated guest VLANs with firewall controls
Client-to-client access | Often allowed by default | Blocked wherever guest/public isolation is required
Management access | May be reachable from too many places | Restricted to approved management networks only
Cyber risk | Higher lateral movement and reconnaissance risk | Reduced attack surface and improved containment
We are the experts
  • XSTRA designs practical network security solutions for real business environments
  • We understand MikroTik routing, VLAN design, UniFi wireless, firewall policy, guest networks, and managed support
  • We can assess existing LAN weaknesses and implement a safer, documented network architecture
  • Clients can choose project-only implementation or ongoing managed support
Ready to secure your LAN?
Contact XSTRA to review your current network and discuss how XFORCE LanSecure can reduce risk, protect internal systems, and provide safer public and guest access.

© 2021–2026 XSTRA Group Pty Ltd (Australia). All rights reserved.
