Code Project - The Lounge
The KISS principle really applies to networks...

Tags: sysadmin, algorithms, json, workspace
23 posts, 7 posters
#1 dandy72:

I know enough about networking--clearly enough to be dangerous--but not enough to resolve all problems. My network configuration started simple, but grew in complexity over time (years in the making). Trying to reconfigure everything all at once just proved to be too much.

I recently switched ISPs (there's a long and sad story that goes with that, which I won't get into), and I had to put the KISS principle into practice. The theory was that I'd only have to disconnect the wire from my DSL modem (which went into my router) and hook it up to the new provider's router. A full day later, I:

a) removed 2 routers, both providing wi-fi
b) had the new provider's router bypassing the router and going directly into a switch
c) removed a pair of Ethernet-over-powerline adapters altogether
d) replaced one of the routers with a second switch
e) ran a cable between both switches
f) got Pi-hole out of the equation

This means the ISP's router is now doing all the heavy lifting (whereas it used to be my own router's responsibility), including wifi, which means I'm now more at the mercy of that one router than I've ever been. But the rest of it is comparatively soooo simple...

The complete saga is just way too long to get into in detail. Suffice it to say that having multiple routers on the same network is just going to end up badly, with each router trying to assert itself as being in charge of everything, and it's a fight to the death. Do that over wireless on both ends, and that's just a recipe for disaster.

At the very least I want to eventually re-introduce Pi-hole, as I've now been reminded just how bad some pages are without some serious ad-blocking. But I've been seriously burnt this weekend, and I want to take it a step at a time.

#2 Greg Utas, in reply to dandy72 (#1):

      You got a 👍 because I didn't know whether to give you a 🤣 or a 🏆. Or even a 🌹, given that you were dealing with one of those wonderful Canadian ISPs.

      Robust Services Core | Software Techniques for Lemmings | Articles
      The fox knows many things, but the hedgehog knows one big thing.

#3 Shuqian Ying, in reply to dandy72 (#1):

You could be better off if your ISP allows you to set its router in bridge mode, so that you could use one of your own (replaceable and customizable) routers. It could provide you with more flexibility and even privacy. Having the ISP in control of your router is not a good idea, IMO.

#4 obermd, in reply to dandy72 (#1):

          The key to doing this is to turn off the DHCP server on the ISP's router. It can broadcast WiFi all it wants but if it's not a DHCP server nothing will connect to it by accident.

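Once DHCP is off on the ISP router, the way to confirm nothing else is still answering is to see which servers respond to a DISCOVER. The script below is an added example, not code from the thread or from any poster: it parses raw DHCP OFFER payloads (what a client sees on UDP port 68) and lists every server identifier that is not on an allowlist. The two OFFER packets are constructed inline for the example, and the addresses 192.168.0.1 (your own router) and 192.168.1.1 (the ISP router) are assumptions.

```python
"""List DHCP servers that answer on the LAN but are not on the allowlist.

Added example (not from the thread). The packets are constructed below; on a
real network you would capture the OFFER payloads on UDP port 68 after sending
a DISCOVER and feed them to unexpected_dhcp_servers().
"""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the options field
OPT_MSG_TYPE = 53
OPT_SERVER_ID = 54
OPT_LEASE_TIME = 51
OPT_END = 255
MSG_OFFER = 2


def build_offer(xid, offered_ip, server_ip, lease_seconds=3600):
    """Build a minimal DHCPOFFER; constructed test input shaped like a real one."""
    offered = ipaddress.ip_address(offered_ip).packed
    server = ipaddress.ip_address(server_ip).packed
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,            # op=BOOTREPLY, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0x8000,        # transaction id, secs, flags (broadcast bit)
        b"\0" * 4,             # ciaddr
        offered,               # yiaddr: the address being offered
        server,                # siaddr
        b"\0" * 4,             # giaddr
        b"\0" * 16, b"\0" * 64, b"\0" * 128,  # chaddr, sname, file
    )
    options = (
        bytes([OPT_MSG_TYPE, 1, MSG_OFFER])
        + bytes([OPT_SERVER_ID, 4]) + server
        + bytes([OPT_LEASE_TIME, 4]) + struct.pack("!I", lease_seconds)
        + bytes([OPT_END])
    )
    return fixed + MAGIC_COOKIE + options


def parse_dhcp(packet):
    """Parse the fixed DHCP header and the TLV options into a dict."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, _htype, _hlen, _hops, xid = struct.unpack_from("!BBBBI", packet, 0)
    options = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == 0:          # pad byte, no length
            i += 1
            continue
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    server_id = options.get(OPT_SERVER_ID)
    return {
        "op": op,
        "xid": xid,
        "yiaddr": str(ipaddress.ip_address(packet[16:20])),
        "siaddr": str(ipaddress.ip_address(packet[20:24])),
        "msg_type": options.get(OPT_MSG_TYPE, b"\0")[0],
        "server_id": str(ipaddress.ip_address(server_id)) if server_id else None,
    }


def unexpected_dhcp_servers(packets, allowed_servers):
    """Return sorted server identifiers seen in OFFERs that are not allowed."""
    seen = set()
    for pkt in packets:
        info = parse_dhcp(pkt)
        if info["op"] != 2 or info["msg_type"] != MSG_OFFER:
            continue
        seen.add(info["server_id"] or info["siaddr"])
    return sorted(seen - set(allowed_servers))


# Constructed sample: the ISP router is still answering alongside your own.
SAMPLE_OFFERS = [
    build_offer(0x1234, "192.168.0.150", "192.168.0.1"),  # your router (assumed)
    build_offer(0x1234, "192.168.1.77", "192.168.1.1"),   # ISP router (assumed)
]

if __name__ == "__main__":
    for server in unexpected_dhcp_servers(SAMPLE_OFFERS, {"192.168.0.1"}):
        print("unexpected DHCP server:", server)
```

Any server this lists is still handing out leases; whichever OFFER a client accepts first wins, so a second server on the same wire or wifi is exactly the "fight to the death" described in #1.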
#5 theoldfool, in reply to obermd (#4):

Yup. The router supplied by our ISP has the login credentials printed on the bottom. We need to provide WiFi for visitors. Since we run static IPs, I turned off WiFi in the ISP's router, changed the login credentials and put a "smart" router on a separate public IP, blocked objectionable stuff and social media, then put a label with the credentials on a separate access point. I had a client, some years back, who had me set up blocking for social media then made the browser message say: "Get back to work". (I would have added the exclamation point but am afraid Chris would kick me out). :)

            >64 There is never enough time to do it right, but there is enough time to do it over.

#6 dandy72, in reply to Greg Utas (#2):

              Not to make my story any longer, but - too late:

              Greg Utas wrote:

              dealing with one of those wonderful Canadian ISPs.

Exactly. I had DSL through Bell Canada, and the phone line (landline) coming into the house has been severed a number of times over the last 2+ years, as there's some serious housing development going on around my area. The wires in the ground are supposed to be clearly marked, but the backhoe driver keeps saying Bell never shows up to mark them. So I had to call them to replace the cable as it got severed by said backhoe in September 2022. The guy who replaced it insisted burying it was not his job, and he couldn't be bothered to schedule the follow-up. So I had to call them again. I called every two weeks (if not more often) between September and December, trying to get them to come over before the ground froze over. Nobody ever showed up. Then in December, I was told "not until May, because the ground's frozen". Had to explain to them that was exactly why I had been calling them repeatedly multiple times a month for the previous 3 months. Meanwhile, my cable was running across my neighbor's gravel driveway. Every time someone drove over it, it was getting ever so slightly more damaged; it was just a matter of time before it got severed. Not only that, but my neighbor would eventually have hit it with his snowblower. I had to get really angry at them, and go three levels up, before someone with common sense sent someone from "another group" - the guy was here the next morning. Last fall another backhoe showed up to replace a culvert. Same scenario, and I finally got the cable buried after a few more calls. Then over the Christmas holidays, after some heavy rainfall, I started getting static on the line, to the point where I couldn't hear the dialtone anymore, and completely lost the DSL connection. I spent the Christmas week with no landline service whatsoever. And once more, the cable is running across the neighbor's gravel driveway right now, just like before...and Bell won't bury it until some time in Spring.

Their take on it is that as this area is under development, we're supposed to eventually be upgraded to fiber optic, so they won't invest in doing a proper job until that's done. Great, but that can take years. And: a) what does that do for me in the meantime and b) is a fiber optic cable going to magically keep working even if it gets severed? To add insult to inju

#7 dandy72, in reply to Shuqian Ying (#3):

That is exactly my concern right now. Every system on my LAN is now back on the internet, and I'm seriously stressed out about it, so I'm not quite ready to tackle this. But this is how I was set up previously - the ISP's modem (and that's all it was, a DSL modem, not a router) just played dumb, and *my* router--outside of their control--was responsible for everything. But I'm now dealing with a router from my new ISP, and I really don't like it this way.

#8 dandy72, in reply to obermd (#4):

                  It's probably not quite enough to just turn off DHCP; my router was previously set up so it provided my ISP credentials back to my ISP. I'm guessing I have to set up my ISP's router in bridge mode, and (when I reintroduce my router on the network) have *it* provide the credentials for my new ISP, along with other settings I probably know nothing about. I'll be sure to follow up with my new ISP to determine how to get that going, 'cuz I really do hate leaving them in charge.

#9 jschell, in reply to dandy72 (#6):

                    My understanding is that fiber does not get run to a house. Might not even be all that close. So it would never fix what you are describing.

                    dandy72 wrote:

                    I had DSL through Bell Canada

Where I live utilities are beholden to a 'utilities commission'. Looks like most of Canada is also. That is where you should file grievances. Also perhaps find an individual on it and start contacting them directly. A Guide to All Provincial Utility Commissions in Canada – EnergyRates.ca

#10 dandy72, in reply to jschell (#9):

                      If I was a Twitter user, and one who didn't mind having his name splattered all over the place, I would've been very, very tempted to make this a very public thing. But, you have to pick your battles, and I, for one, don't see myself going toe-to-toe with the likes of freaking Bell Canada. Right now, I have a working replacement. Bell is going to be completely out of the picture very soon.

#11 Jeremy Falcon, in reply to dandy72 (#1):

                        dandy72 wrote:

                        This means the ISP's router is now doing all the heavy lifting (whereas it used to be my own router's responsibility), including wifi, which means I'm now more at the mercy of that one router than I've ever been.

                        I do the same, just to keep it simple. But, I still buy my own router that just works with their service. So, in effect, it's not really different than having my own router inside the network elsewhere. Just less stuff to mess with.

                        Jeremy Falcon

#12 Shuqian Ying, in reply to dandy72 (#7):

You could try to call your ISP and let them set the router to bridge mode (it most likely can be done remotely) by telling them you know how to set up an internal private router when you are ready. The default setting of the ISP (not in Canada) I am using is also to use the router they provide, which is not that good, but I asked them to allow using my own one.

#13 dandy72, in reply to Shuqian Ying (#12):

                            Here's a theoretical question. If I didn't want to reconfigure their router (or only apply the absolutely minimal number of changes), but introduce one of my own routers between *it* and my main switch...how should *my* router be configured? If I introduce my own router between theirs and my switch (to which all of my other systems are connected), they would have no visibility into my own network, right?

#14 dandy72, in reply to Jeremy Falcon (#11):

                              Yeah, I think right now that's my next goal: DON'T change their router's configuration at all, if I can help it...but introduce my own router in-between *it*, and my switch (to which all my other systems are connected). I'm not sure how to configure it however. My router's running DD-WRT.

#15 Shuqian Ying, in reply to dandy72 (#13):

The WAN port of your router should be connected to one of the LAN ports on your ISP's router. Use DHCP to acquire an IP address for the WAN port from your ISP's router when it starts up. Then choose and set up your internal LAN IP network (block) to be different from the one the router from the ISP uses. For example, if the ISP assigned the 192.168.0.0/24 network to their own router for the LAN, then your LAN network could be 172.16.x.0/24 where x=(0-255), or it could be 192.168.x.0/24 where x=(1-255), with x=0 excluded.

As to how to bootstrap the LAN network setup of your router, it should be in the manual. Here is a simple one. If the router has a factory-set LAN network that is different from the one assigned by your ISP, then you don't have to mess with it, just set up the WAN port (see below); in case it is the same, then do not wire-connect the WAN port when performing the LAN network setup. Configuration can be done by connecting a computer with a browser to one of the LAN ports of your router using a network wire and then using the admin web interface, which should be described in the manual, to do the job. Note that restarting the router is required when the LAN network is changed. The WAN port should be wire-connected when the LAN is properly set up.

You are right. A router is also a simple firewall by default, in the sense that the internal LAN is invisible to the WAN side unless the one who controls it adds specific rules to open part or all of it.

#16 dandy72, in reply to Shuqian Ying (#15):

Very interesting, I think this lines up with my expectations, and certainly sounds feasible. Thanks so much for that - I'm saving this and will absolutely refer back to it when I feel ballsy enough again to try it out.

In theory, as you said, I *should* be able to completely set up my router with one machine wired to it, and - once it looks okay (as far as I can tell), I *should* be able to just hook up a cable between my router's WAN port back to the ISP router's LAN port without further change? That would be ideal.

The ISP's router is using 192.168.1.1. My router was previously set up to use 192.168.0.0/16 (subnet mask = 255.255.0.0). I'd like to keep that, except maybe excluding 192.168.1.[0-255] (so that'll remain the ISP router's own playground). Most of my machines have static IPs that I've assigned from various ranges, and with subnet mask set to 255.255.0.0, for example:

- 192.168.1.[0-50] = various physical machines
- 192.168.1.199 = my Windows DC's static IP
- 192.168.1.[200-255] = the range for DHCP, assigned by my router (for whoever shows up and wants to get on my network without me giving them an explicit static IP)
- 192.168.50.[0-255] = my printers
- 192.168.100.[0-255] = my Windows virtual machines
- 192.168.200.[0-255] = various Linux virtual machines

I don't know if it makes sense to segregate things this way, but it did in my mind when I set it up, and I'd like to keep it that way (more or less). However, I do realize since 192.168.1.xyz will become (remain) what the ISP router manages, I think I'd change the 3 first items in the above to 192.168.10.xyz (otherwise I'd clash with other addresses the ISP's router would own).

I'd hook up wireless devices to use my router's Wifi. I could leave (or turn off) the ISP router's Wifi - I don't think I'd care all that much; it does, after all, have its own password you'd have to know to use. Does all of this make sense to you?

                                  S 1 Reply Last reply
                                  0

                                    S Offline
                                    S Offline
                                    Shuqian Ying
                                    wrote on last edited by
                                    #17

                                    Sure, just don't clash with the WAN part of your networks. But I don't know if excluding a sub-network from a larger one will be OK from a security point of view; your LAN 192.168.0.0/16 seems to be too large. The firewall rules are IP-network based, so it is very likely that your WAN network will be able to visit your LAN with your settings on a router that is not sophisticated enough. If you'd like to use a larger network for the LAN, use one of the 172.[16-31].x.x/16 networks (class B) instead; that way, there will be no conflict.

                                    D 2 Replies Last reply
                                    0

                                      D Offline
                                      D Offline
                                      dandy72
                                      wrote on last edited by
                                      #18

                                      That would mean reconfiguring the static IPs for the vast majority of my systems, which is not going to be a small endeavor. But, if that's the right way to do it...I'll do it. I did say I know enough about networks to be dangerous. :-)

                                      S 1 Reply Last reply
                                      0

                                        S Offline
                                        S Offline
                                        Shuqian Ying
                                        wrote on last edited by
                                        #19

                                        I missed the security problems in the above reply; it has been modified. Please read it again.

                                        D 1 Reply Last reply
                                        0

                                          D Offline
                                          D Offline
                                          dandy72
                                          wrote on last edited by
                                          #20

                                          Edumacate me: Wouldn't 172.16.x.x/16 and 192.168.0.0/16 allow for the same number of endpoints (65534), given that /16 essentially means a subnet mask of 255.255.0.0? I think I need to brush up on my subnet literature.

                                          S 1 Reply Last reply
                                          0
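A quick check of the addressing plan discussed in #16, #17 and #20, as an added example in Python (not anything posted in the thread): it tests whether the inner router's LAN block overlaps the ISP router's LAN, lists which of the listed ranges clash with it, confirms that any /16 gives the same number of usable hosts, and renumbers a static address into 172.16.0.0/16 while keeping its host part. The ISP router's LAN is assumed to be 192.168.1.0/24 (only the gateway address 192.168.1.1 is stated in the thread).

```python
from ipaddress import IPv4Address, IPv4Network


def overlaps(inner_lan: str, outer_lan: str) -> bool:
    """True if the inner router's LAN shares addresses with the ISP LAN.
    That is the case firewall rules keyed on networks cannot tell apart."""
    return IPv4Network(inner_lan).overlaps(IPv4Network(outer_lan))


def usable_hosts(network: str) -> int:
    """Addresses minus network and broadcast: 65534 for any /16."""
    return IPv4Network(network).num_addresses - 2


def renumber(address: str, old_lan: str, new_lan: str) -> IPv4Address:
    """Move a static address into a new block of the same prefix length,
    keeping the host part, so 192.168.50.7 becomes 172.16.50.7."""
    old, new = IPv4Network(old_lan), IPv4Network(new_lan)
    if old.prefixlen != new.prefixlen:
        raise ValueError("old and new LAN must have the same prefix length")
    addr = IPv4Address(address)
    if addr not in old:
        raise ValueError(f"{address} is not inside {old_lan}")
    host_bits = int(addr) & int(old.hostmask)
    return IPv4Address(int(new.network_address) | host_bits)


def clashes(outer_lan: str, assignments: dict) -> list:
    """Names of ranges that fall inside the ISP router's LAN and so are
    ambiguous (and reachable from the WAN side) on the inner router."""
    outer = IPv4Network(outer_lan)
    return [name for name, net in assignments.items()
            if IPv4Network(net).overlaps(outer)]


# Assumed: the ISP router at 192.168.1.1 serves a /24.
ISP_LAN = "192.168.1.0/24"
# Constructed from the ranges listed in the thread, as /24 blocks (DC as /32).
PLAN = {
    "physical machines": "192.168.1.0/24",   # 192.168.1.[0-50] and DHCP .200-.255
    "Windows DC": "192.168.1.199/32",
    "printers": "192.168.50.0/24",
    "Windows VMs": "192.168.100.0/24",
    "Linux VMs": "192.168.200.0/24",
}

if __name__ == "__main__":
    print("192.168.0.0/16 overlaps ISP LAN:", overlaps("192.168.0.0/16", ISP_LAN))
    print("172.16.0.0/16 overlaps ISP LAN:", overlaps("172.16.0.0/16", ISP_LAN))
    print("clashing ranges:", clashes(ISP_LAN, PLAN))
    print("usable hosts per /16:", usable_hosts("192.168.0.0/16"))
    print("printer 192.168.50.7 ->", renumber("192.168.50.7", "192.168.0.0/16", "172.16.0.0/16"))
```

Running it shows the 192.168.1.x ranges are the only ones that collide with the ISP router, which is the case #16 proposed fixing by moving them to 192.168.10.x, while moving the whole LAN to 172.16.0.0/16 removes the overlap without changing any host numbers.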