Code Project
The KISS principle really applies to networks...

The Lounge | Tags: sysadmin, algorithms, json, workspace | 23 Posts, 7 Posters
Jeremy Falcon wrote:

    dandy72 wrote:

        This means the ISP's router is now doing all the heavy lifting (whereas it used to be my own router's responsibility), including wifi, which means I'm now more at the mercy of that one router than I've ever been.

    I do the same, just to keep it simple. But, I still buy my own router that just works with their service. So, in effect, it's not really different than having my own router inside the network elsewhere. Just less stuff to mess with.

dandy72 wrote (#14):

Yeah, I think right now that's my next goal: DON'T change their router's configuration at all, if I can help it...but introduce my own router in-between *it*, and my switch (to which all my other systems are connected). I'm not sure how to configure it however. My router's running DD-WRT.

dandy72 wrote:

    Here's a theoretical question. If I didn't want to reconfigure their router (or only apply the absolutely minimal number of changes), but introduce one of my own routers between *it* and my main switch...how should *my* router be configured? If I introduce my own router between theirs and my switch (to which all of my other systems are connected), they would have no visibility into my own network, right?

Shuqian Ying wrote (#15):

The WAN port of your router should be connected to one of the LAN ports on your ISP's router. Use DHCP to acquire an IP address for the WAN port from your ISP's router when it starts up. Then choose and set up your internal LAN IP network (block) to be different from the one the ISP's router uses. For example, if the ISP assigned the 192.168.0.0/24 network to their own router for the LAN, then your LAN network could be 172.16.x.0/24 where x=(0-255), or it could be 192.168.x.0/24 where x=(1-255), with x=0 excluded.

As to how to bootstrap the LAN network setup of your router, it should be in the manual. Here is a simple one. If the router has a factory-set LAN network that is different from the one assigned by your ISP, then you don't have to mess with it, just set up the WAN port (see below); in case it is the same, then do not wire-connect the WAN port when performing the LAN network setup. Configuration can be done by connecting a computer with a browser to one of the LAN ports of your router using a network wire and then using the admin web interface, which should be described in the manual, to do the job. Note that restarting the router is required when the LAN network is changed. The WAN port should be wire-connected when the LAN is properly set up.

You are right. A router is also a simple firewall by default, in the sense that the internal LAN is invisible to the WAN side unless the one who controls it adds specific rules to open part or all of it.

dandy72 wrote (#16, replying to #15):

Very interesting, I think this lines up with my expectations, and certainly sounds feasible. Thanks so much for that - I'm saving this and will absolutely refer back to it when I feel ballsy enough again to try it out.

In theory, as you said, I *should* be able to completely set up my router with one machine wired to it, and - once it looks okay (as far as I can tell), I *should* be able to just hook up a cable between my router's WAN port back to the ISP router's LAN port without further change? That would be ideal.

The ISP's router is using 192.168.1.1. My router was previously set up to use 192.168.0.0/16 (subnet mask = 255.255.0.0). I'd like to keep that, except maybe excluding 192.168.1.[0-255] (so that'll remain the ISP router's own playground). Most of my machines have static IPs that I've assigned from various ranges, and with subnet mask set to 255.255.0.0, for example:

- 192.168.1.[0-50] = various physical machines
- 192.168.1.199 = my Windows DC's static IP
- 192.168.1.[200-255] = the range for DHCP, assigned by my router (for whoever shows up and wants to get on my network without me giving them an explicit static IP)
- 192.168.50.[0-255] = my printers
- 192.168.100.[0-255] = my Windows virtual machines
- 192.168.200.[0-255] = various Linux virtual machines

I don't know if it makes sense to segregate things this way, but it did in my mind when I set it up, and I'd like to keep it that way (more or less). However, I do realize since 192.168.1.xyz will become (remain) what the ISP router manages, I think I'd change the 3 first items in the above to 192.168.10.xyz (otherwise I'd clash with other addresses the ISP's router would own).

I'd hook up wireless devices to use my router's Wifi. I could leave (or turn off) the ISP router's Wifi - I don't think I'd care all that much; it does, after all, have its own password you'd have to know to use. Does all of this make sense to you?

Shuqian Ying wrote (#17, replying to #16):

Sure, just don't clash with the WAN part of your networks. But I don't know if excluding a sub-network from a larger one will be OK from a security point of view; your LAN 192.168.0.0/16 seems to be too large. The firewall rules are IP-network based; it is very likely that your WAN network will be able to visit your LAN in your settings, for a router that is not sophisticated enough. If you'd like to use a larger network for the LAN, use one of the 172.[16-31].x.x/16 networks (class B) instead; that way, there will be no conflict.

dandy72 wrote (#18, replying to #17):

That would mean reconfiguring the static IPs for the vast majority of my systems, which is not going to be a small endeavor. But, if that's the right way to do it...I'll do it. I did say I know enough about networks to be dangerous. :-)

Shuqian Ying wrote (#19, replying to #18):

I missed the security problems in the reply above; it has been modified. Please read it again.

dandy72 wrote (#20, replying to the modified #17):

Edumacate me: Wouldn't 172.16.x.x/16 and 192.168.0.0/16 allow for the same number of endpoints (65534), given that /16 essentially means a subnet mask of 255.255.0.0? I think I need to brush up on my subnet literature.

dandy72 wrote (#21, replying to #19):

Gotcha. It makes sense. If my router allowed a rule to be defined as such, would it be possible to explicitly block 192.168.1.[0-255]? Not that it sounds like the best idea in the world. I'm warming up to the idea of using 172.* instead of 192.168.*. There should be *no* way for the networks to see each other if they're working off of entirely different subnets.

Shuqian Ying wrote (#22, replying to #20):

Right, they are the same, namely 256*256-2 (the 2 excluded are special IP addresses ending with 0 or 255).

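An added example, not from the thread, that puts the advice in #15, #17 and #22 into code using Python's standard ipaddress module: it counts usable hosts in a /16, tests whether a proposed inner-router LAN prefix overlaps the ISP router's LAN, lists which of dandy72's static ranges fall inside that subnet, shows whether a LAN host with a 255.255.0.0 mask would ARP for 192.168.1.1 instead of sending to the inner router, and renumbers the plan into 172.16.0.0/16. It assumes the ISP router's LAN is 192.168.1.0/24 (the thread only states the router's address, 192.168.1.1); dandy72's address plan is re-typed below as constructed input.

```python
"""Added example (not from the thread): sanity-check an inner router's LAN plan
when it sits behind an ISP router (double NAT), using only the standard library.

Assumption not stated in the thread: the ISP router's LAN is 192.168.1.0/24
(the thread only says the router's address is 192.168.1.1). CURRENT_PLAN is
dandy72's plan as posted, re-typed here as constructed input.
"""
from ipaddress import IPv4Network, ip_address, ip_network

ISP_LAN = ip_network("192.168.1.0/24")  # assumption: a /24 behind 192.168.1.1


def usable_hosts(prefix: str) -> int:
    """Host addresses in a prefix, minus network and broadcast (any /16 gives 65534)."""
    net = ip_network(prefix, strict=False)
    return net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses


def lan_overlaps_wan(inner_lan: str, wan_side: IPv4Network = ISP_LAN) -> bool:
    """True when the inner LAN prefix shares any address with the WAN-side subnet.
    A prefix cannot carve 192.168.1.0/24 out of 192.168.0.0/16, so the overlap can
    only be removed by picking a disjoint prefix (172.16.0.0/16, 192.168.10.0/24)."""
    return ip_network(inner_lan, strict=False).overlaps(wan_side)


def host_treats_as_on_link(host_addr: str, prefixlen: int, dst: str) -> bool:
    """Does a LAN host with this address/mask consider dst directly reachable
    (it will ARP for it) instead of handing the packet to the inner router?"""
    return ip_address(dst) in ip_network(f"{host_addr}/{prefixlen}", strict=False)


def ranges_inside(ranges, wan_side: IPv4Network = ISP_LAN):
    """Labels of (label, first, last) ranges that touch the WAN-side subnet."""
    hits = []
    for label, first, last in ranges:
        lo, hi = ip_address(first), ip_address(last)
        if lo <= wan_side.broadcast_address and hi >= wan_side.network_address:
            hits.append(label)
    return hits


def renumber(addr: str, old_prefix: str, new_prefix: str) -> str:
    """Keep the host part, swap the network part: 192.168.50.7 under
    192.168.0.0/16 becomes 172.16.50.7 under 172.16.0.0/16."""
    old = ip_network(old_prefix, strict=False)
    new = ip_network(new_prefix, strict=False)
    if old.prefixlen != new.prefixlen:
        raise ValueError("old and new prefixes must be the same length")
    a = ip_address(addr)
    if a not in old:
        raise ValueError(f"{addr} is not inside {old}")
    return str(new.network_address + (int(a) - int(old.network_address)))


# Constructed input: dandy72's plan as posted (label, first address, last address).
CURRENT_PLAN = [
    ("physical machines", "192.168.1.0", "192.168.1.50"),
    ("Windows DC", "192.168.1.199", "192.168.1.199"),
    ("DHCP pool", "192.168.1.200", "192.168.1.255"),
    ("printers", "192.168.50.0", "192.168.50.255"),
    ("Windows VMs", "192.168.100.0", "192.168.100.255"),
    ("Linux VMs", "192.168.200.0", "192.168.200.255"),
]


def renumber_plan(plan, old_prefix: str, new_prefix: str):
    """Apply renumber() to both ends of every range in the plan."""
    return [(label, renumber(first, old_prefix, new_prefix),
             renumber(last, old_prefix, new_prefix)) for label, first, last in plan]


def evaluate(inner_lan: str, plan, sample_host: str) -> dict:
    """Summarise a plan: host count, prefix-level overlap, address-level clashes,
    and whether sample_host would ARP for the ISP router rather than route to it."""
    prefixlen = ip_network(inner_lan, strict=False).prefixlen
    return {
        "usable_hosts": usable_hosts(inner_lan),
        "prefix_overlaps_isp": lan_overlaps_wan(inner_lan),
        "ranges_inside_isp_subnet": ranges_inside(plan),
        "host_arps_for_isp_router": host_treats_as_on_link(
            sample_host, prefixlen, str(ISP_LAN.network_address + 1)),
    }


if __name__ == "__main__":
    print("as posted :", evaluate("192.168.0.0/16", CURRENT_PLAN, "192.168.100.10"))
    moved = renumber_plan(CURRENT_PLAN, "192.168.0.0/16", "172.16.0.0/16")
    print("172.16/16 :", evaluate("172.16.0.0/16", moved, "172.16.100.10"))
```

Run as a script it prints both evaluations. The two checks worth reading together are the prefix overlap and the on-link test: moving the first three ranges to 192.168.10.x removes every address-level clash, yet 192.168.0.0/16 still overlaps 192.168.1.0/24 at the prefix level, and a LAN host carrying a 255.255.0.0 mask will ARP for 192.168.1.1 on the inner LAN instead of sending that traffic to the inner router. Renumbering into 172.16.0.0/16 clears both, keeps the same 65534 usable hosts, and renumber() preserves the host part so the per-range layout survives.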
Shuqian Ying wrote (#23, replying to #21):

It's likely that the firewalls in most routers are not sophisticated enough to detect and exclude a subset of IP addresses from within a given set of the same when building default forwarding rules.
