|
Here's a theoretical question.
If I didn't want to reconfigure their router (or only apply the absolutely minimal number of changes), but introduce one of my own routers between it and my main switch...how should my router be configured?
If I introduce my own router between theirs and my switch (to which all of my other systems are connected), they would have no visibility into my own network, right?
|
|
|
|
|
The WAN port of your router should be connected to one of the LAN ports on your ISP's router. Use DHCP to acquire an IP address for the WAN port from your IPS's router when it starts up. Then, choose and setup your internal LAN IP network (block) to be different from the one the router from ISP uses. For example if the ISP assigned 192.168.0.0/24 network to their own router for the LAN, then your LAN network could be 172.16.x.0/24 where x=(0-255) or it could be 192.168.x.0/24 where x=(1-255) with x=0 excluded.
As to how to bootstrap the LAN network setup of your router, it should be in the manual. Here is a simple one. If the router has a factory setup LAN network that is different from the one assigned by your ISP, then you don't have to mess with it, just setup the WAN port (see below); in case it is the same, then do not wire connect the WAN port when performing the LAN network setup. Configuration can be done by connecting a computer with a browser to one of the LAN ports of your router using a network wire and then use the admin web interface, which should be described in the manual, to do job. Note restarting the router is required when the LAN network is changed. The WAN port should be wire connected when the LAN is properly setup.
You are right. A router is also a simple firewall by default in the sense that the internal LAN is invisible to the WAN part unless the one who can control it add specific rules to open part or all of it.
|
|
|
|
|
Very interesting, I think this lines up with my expectations, and certainly sounds feasible. Thanks so much for that - I'm saving this and will absolutely refer back to it when I feel ballsy enough again to try it out.
In theory, as you said, I should be able to completely set up my router with one machine wired to it, and - once it looks okay (as far as I can tell), I should be able to just hook up a cable between my router's WAN port back to the ISP router's LAN port without further change? That would be ideal.
The ISP's router is using 192.168.1.1. My router was previously set up to use 192.168.0.0/16 (subnet mask = 255.255.0.0). I'd like to keep that, except maybe excluding 192.168.1.[0-255] (so that'll remain the ISP router's own playground).
Most of my machines have static IPs that I've assigned from various ranges, and with subnet mask set to 255.255.0.0, for example:
- 192.168.1.[0-50] = various physical machines
- 192.168.1.199 = my Windows DC's static IP
- 192.168.1.[200-255] = the range for DHCP, assigned by my router (for whoever shows up and wants to get on my network without me giving them an explicit static IP)
- 192.168.50.[0-255] = my printers
- 192.168.100.[0-255] = my Windows virtual machines
- 192.168.200.[0-255] = various Linux virtual machines
I don't know if it makes sense to segregate things this way, but it did in my mind when I set it up, and I'd like to keep it that way (more or less). However, I do realize since 192.168.1.xyz will become (remain) what the ISP router manages, I think I'd change the 3 first items in the above to 192.168.10.xyz (otherwise I'd clash with other addresses the ISP's router would own).
I'd hook up wireless devices to use my router's Wifi. I could leave (or turn off) the ISP router's Wifi - I don't think I'd care all that much; it does, after all, have its own password you'd have to know to use.
Does all of this make sense to you?
|
|
|
|
|
Sure, just don't clash with the WAN part of the your networks. But I don't know if excluding a sub-network from a larger one will be ok from security point of view, your LAN 192.168.0.0/16 seems to be too large. The firewall rules are IP network based, it would very likely that your WAN network will be able to visit you LAN in your settings for not a sophisticated enough router. If you'd like to use a larger network for the LAN, use one of the 172.[16-31].x.x/16 network (class B) instead, that way, there will be no conflict.
modified 17-Jan-24 16:58pm.
|
|
|
|
|
That would mean reconfiguring the static IPs for the vast majority of my systems, which is not going to be a small endeavor.
But, if that's the right way to do it...I'll do it. I did say I know enough about networks to be dangerous.
|
|
|
|
|
I have missed the security problems in the above reply, it is modified. Please read it again.
|
|
|
|
|
Gotcha. It makes sense.
If my router allowed a rule to be defined as such, would it be possible to explicitly block 192.168.1.[0-255]?
Not that it sounds like the best idea in the world. I'm warming up to the idea of using 172.* instead of 192.168.*. There should be no way for the networks to see each other if they're working off of entirely different subnets.
|
|
|
|
|
It's likely that the firewalls in most routers are not that sophisticate that they can detect and exclude a subset of ip addresses from within a given set of the same in building default forwarding rules.
|
|
|
|
|
Edumacate me:
Wouldn't 172.16.x.x/16 and 192.168.0.0/16 allow for the same number of endpoints (65534), given that /16 essentially means a subnet mask of 255.255.0.0?
I think I need to brush up on my subnet literature.
|
|
|
|
|
Right, they are the same, namely 256*256-2 (2 excluded are special ip addresses ends with 0 or 255).
|
|
|
|
|
The key to doing this is to turn off the DHCP server on the ISP's router. It can broadcast WiFi all it wants but if it's not a DHCP server nothing will connect to it by accident.
|
|
|
|
|
Yup. The router supplied by our ISP has the login credentials printed on the bottom. We need to provide WiFi for visitors. Since we run static IP's, I turned off WiFi in the ISP's router, changed the log in credentials and put a "smart" router on a separate public IP, blocked objectionable stuff and social media, then put a label with the credentials on a separate access point.
I had a client, some years back, who had me set up blocking for social media then made the browser message say: "Get back to work". (I would have added the exclamation point but am afraid Chris would kick me out).
>64
There is never enough time to do it right, but there is enough time to do it over.
|
|
|
|
|
It's probably not quite enough to just turn off DHCP; my router was previously set up so it provided my ISP credentials back to my ISP.
I'm guessing I have to set up my ISP's router in bridge mode, and (when I reintroduce my router on the network) have it provide the credentials for my new ISP, along with other settings I probably know nothing about. I'll be sure to follow up with my new ISP to determine how to get that going, 'cuz I really do hate leaving them in charge.
|
|
|
|
|
dandy72 wrote: This means the ISP's router is now doing all the heavy lifting (whereas it used to be my own router's responsibility), including wifi, which means I'm now more at the mercy of that one router than I've ever been. I do the same, just to keep it simple. But, I still buy my own router that just works with their service. So, in effect, it's not really different than having my own router inside the network elsewhere. Just less stuff to mess with.
Jeremy Falcon
|
|
|
|
|
Yeah, I think right now that's my next goal: DON'T change their router's configuration at all, if I can help it...but introduce my own router in-between it, and my switch (to which all my other systems are connected). I'm not sure how to configure it however. My router's running DD-WRT.
|
|
|
|
|
Update: Here goes nothing. Visual FA Part 1: Understanding Finite Automata[^]
Man, my Visual FA project sure has given me fits.
First I crack on at it for like 4 days and then write an article.
A bit later I realize the whole endeavor is seriously bogus and needs a rewrite.
The article gets deleted.
So, more carefully this time, I rewrite the entire thing, benchmarking against Microsoft the whole way.
I think it's done finally. I thought that last time too. I checked though. (I checked last time too)
I'm scared to write the article now. I've got cold feet. On the other hand, I'm freaked out by not writing it, because regardless of the reality of it, that bad post feels like a stain on my reputation here.
"It's not a big deal", I tell myself. Stuff happens, and it's how we move on from that that matters.
Well, I'm not moving on so easy. It's silly, I know.
Check out my IoT graphics library here:
https://honeythecodewitch.com/gfx
And my IoT UI/User Experience library here:
https://honeythecodewitch.com/uix
modified 15-Jan-24 16:45pm.
|
|
|
|
|
I suggest that you look up statistics on how many peer-reviewed articles are withdrawn either before or after publication. This, by scientists who supposedly take great care in performing their research. It won't make you feel better, but at least you'll be in good company.
Freedom is the freedom to say that two plus two make four. If that is granted, all else follows.
-- 6079 Smith W.
|
|
|
|
|
Okay that on a personal level makes me feel better.
But in the big scheme of things, I worry for us as a species.
Check out my IoT graphics library here:
https://honeythecodewitch.com/gfx
And my IoT UI/User Experience library here:
https://honeythecodewitch.com/uix
|
|
|
|
|
Daniel Pfeffer wrote: you look up statistics on how many peer-reviewed articles are withdrawn either before or after publication.
If only the pay to publish market had that same withdrawal rate.
|
|
|
|
|
Post it, lady! This is a community, and the purpose of articles is not only to teach, but to learn! You have an entire community that will let you know if there's something wrong, and most of them will help you to get it right. That is, if it isn't already! You're the Codewitch; we await your next spell.
Will Rogers never met me.
|
|
|
|
|
|
Write it. If you don’t, you will forever regret it. Also, by writing it, you will be helping others who are interested in what you’re doing. Me, I don’t understand much of what you’re doing; I’m only a dabbler in programming. It took me awhile to realise what DNF stood for in one of your previous posts. I assume it means Dot Net Framework.
I’d like to read your article to try and understand more of what you’re doing.
|
|
|
|
|
yeah it means DotNet Framework. I hate that there actually needs to be such a disambiguation. .NET was supposed to just be .NET. Now there are 31 flavors of .NET, Diet .NET, Dr. NET, Cherry Vanilla .NET with Lime.
I'm over it.
I did publish the article, and I updated my original post accordingly around the same time you wrote your response.
Check out my IoT graphics library here:
https://honeythecodewitch.com/gfx
And my IoT UI/User Experience library here:
https://honeythecodewitch.com/uix
|
|
|
|
|
Well done for biting the bullet and writing the article. I’ve started to read it. May I make one small suggestion? You introduce the acronym ’AST’. To help a layperson such as myself, is it possible to expand on what the acronym means within the article? I was always told when doing technical writing to explain an acronym on its first use and then it’s fine to use it as often as required.
|
|
|
|
|
Oversight on my part. Thanks for catching it. I did explain it in the last article attempt. I thought I did so here too. I'm kinda tired.
It stands for Abstract Syntax Tree
Check out my IoT graphics library here:
https://honeythecodewitch.com/gfx
And my IoT UI/User Experience library here:
https://honeythecodewitch.com/uix
|
|
|
|