Extending Wi Fi Across a Castle Grounds

Malor wrote:

Well, I'd thought about a multihomed server, but I was assuming that he'd want to be backing up multiple machines directly to the outside provider. If he can do all his backups locally to one machine, and then back that one machine up over the DSL (by telling it never to talk to the Internet via the satellite), then that would work, and would be easier. But that also puts his backup server on the guest network, so evil guests could potentially hack into it.

And, since he's going to be providing a free WiFi service, he's also directly exposing his backup server to anyone within miles with a good antenna and a sense of mischief.

That's pretty much the gist of it. I can do all my backups to one machine (from one machine actually, there's only one that I need to back up), and I wanted to back that up over the DSL.

From a low-brow standpoint, I might just go with having someone unplug the office machine from the dish router and plug it into the DSL router on, say, Thursday evening, and swap it back Friday morning. Schedule the backup during that window, and I'm set. Very low-brow, I understand, but it makes for a nice short-term solution.

Long term I think I'm going to kill the dish altogether (pending successful trial with Frontier starting Monday). At that point I'll just hire someone with a networking background to set me up two separate networks and securely wall off my office stuff from the guest network.

Frontier has a terrible, terrible reputation. I wouldn't kill the dish just yet.

oh, and edit to add quite a bit later:

From a low brow standpoint, I might just go with having someone unplug the office machine from the dish router and plug it into the DSL router on say Thursday evening, and swap it back Friday morning.

So that means attackers can only try to crack that machine Thursday night to Friday morning, which is better than 24x7x365, but that doesn't mean it's particularly good.

Rise thread.

I have a plan and just want to double-check my thoughts with people that have done more than just set up a home network.

So, Pencon is in a week and a half.
Exede, who does our satellite internet (which has an archaically small cap on it), has now opened up the cap from 12am-5am, and I want to open that up to our guests during Pencon as well. I have a 2nd router and am thinking that if I put it before our current router, then set it up to only allow connections between those hours, I should be all set. I have already changed the router we have for the business to a non-standard IP ( so that should avoid any conflicts, correct? This setup will also keep our business computers protected from any guests that are trying to be nosey, right?

Um, if you wire it this way:

Satellite -> untrusted router -> trusted router

that should work, and should be kinda-sorta safe. Your trusted router will firewall attempts to get in from outside, but if someone compromises the untrusted router, they can really make your life difficult, even if they can't directly get into the trusted network.

Further, that will mean you'll be running double NAT, which won't matter most of the time, but can break some things.

Of course, that would only matter if the IP you get from the satellite provider is in public IP space. If it's private network space, which isn't unusual for satellite and phone data connections, you won't be having any incoming connections anyway. Adding another layer of NAT would make no difference at all.

You probably already did this, but the private network on the untrusted router should be different than the private network on the trusted router. Otherwise, the trusted router will end up with both its WAN and its LAN ports with addresses in the same network, which will cause severe breakage.

You would be best to set the trusted router to a static IP, outside the DHCP range of the untrusted router. This means that your trusted router can't be attacked through a DHCP exploit.

So, adding it would actually sorta look like this:

Satellite
|
v (public IP on WAN port, DHCP client)
[b]untrusted router[/b]
(LAN port, with DHCP server, serving - .100 or so)
|
v (WAN port, static/fixed
[b]trusted router[/b]
(LAN port, with DHCP server, serving to .100 or so)

As I tried to indicate in the diagram, don't forget to update your trusted router's DHCP server to give out addresses in 192.168.5.X instead.
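As an added example, not part of the original thread and not code Malor or the poster wrote, here is a small Python check of the three rules laid out above: the private network on each router must differ, the trusted router's WAN address should be fixed and outside the untrusted router's DHCP pool, and if the satellite hands you an address from provider-NAT space, a second layer of NAT changes nothing about inbound exposure. Every address in it is constructed from documentation and example ranges, not taken from the poster's setup.

```python
"""Sanity-check a satellite -> untrusted router -> trusted router chain.

Added example for this thread; not the poster's or Malor's code. All
addresses used below are constructed, not taken from the thread.
"""
import ipaddress
from dataclasses import dataclass

# Ranges a satellite or cellular provider typically hands out when it NATs its
# customers: RFC 1918 plus the RFC 6598 carrier-grade NAT block.
PROVIDER_NAT_NETS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


@dataclass
class Router:
    name: str
    wan_addr: str      # address on the WAN port, CIDR form, e.g. "192.168.1.2/24"
    wan_static: bool   # True if the WAN address is fixed rather than DHCP-assigned
    lan_net: str       # subnet served on the LAN ports, e.g. "192.168.5.0/24"
    dhcp_first: str    # first address the LAN DHCP server hands out
    dhcp_last: str     # last address the LAN DHCP server hands out

    def lan(self):
        return ipaddress.ip_network(self.lan_net)

    def wan(self):
        return ipaddress.ip_interface(self.wan_addr)

    def in_dhcp_pool(self, addr):
        return (ipaddress.ip_address(self.dhcp_first) <= addr
                <= ipaddress.ip_address(self.dhcp_last))


def check_chain(untrusted: Router, trusted: Router) -> list:
    """Return the problems with wiring satellite -> untrusted -> trusted.

    An empty list means the layout matches the advice in the thread: distinct
    private networks on each router, and the trusted router's WAN address fixed
    and outside the untrusted router's DHCP pool."""
    problems = []

    # Satellite side: if the provider already NATs you, inbound connections
    # never arrive, so the extra NAT layer adds nothing to exposure.
    up_ip = untrusted.wan().ip
    if any(up_ip in net for net in PROVIDER_NAT_NETS):
        problems.append(f"{untrusted.name}: WAN address {up_ip} is in provider-NAT space; "
                        "no inbound connections reach this site anyway")

    # The two LANs must not overlap, or the trusted router ends up with its WAN
    # and LAN ports in the same network and cannot route between them.
    if untrusted.lan().overlaps(trusted.lan()):
        problems.append(f"LAN {untrusted.lan_net} on {untrusted.name} overlaps LAN "
                        f"{trusted.lan_net} on {trusted.name}")

    # The trusted router's WAN port sits on the untrusted LAN ...
    tr_wan = trusted.wan()
    if tr_wan.ip not in untrusted.lan():
        problems.append(f"{trusted.name}: WAN address {tr_wan.ip} is not inside "
                        f"{untrusted.name}'s LAN {untrusted.lan_net}")
    # ... with a fixed address, so it never depends on the untrusted DHCP server ...
    if not trusted.wan_static:
        problems.append(f"{trusted.name}: WAN address comes from {untrusted.name}'s DHCP; "
                        "set it static")
    # ... chosen outside that pool so nothing else is handed the same address.
    elif untrusted.in_dhcp_pool(tr_wan.ip):
        problems.append(f"{trusted.name}: static WAN address {tr_wan.ip} lies inside "
                        f"{untrusted.name}'s DHCP pool {untrusted.dhcp_first}-{untrusted.dhcp_last}")

    # Each router's DHCP pool must lie inside its own LAN subnet.
    for r in (untrusted, trusted):
        for a in (r.dhcp_first, r.dhcp_last):
            if ipaddress.ip_address(a) not in r.lan():
                problems.append(f"{r.name}: DHCP pool address {a} is outside its LAN {r.lan_net}")
    return problems


# Constructed scenarios (198.51.100.0/24 is a documentation range standing in
# for a public address; nothing here is the poster's real addressing).
def broken_layout():
    # Both routers left on the same factory-default network, trusted WAN on DHCP.
    un = Router("untrusted", "198.51.100.10/30", False, "192.168.1.0/24", "192.168.1.2", "192.168.1.100")
    tr = Router("trusted", "192.168.1.50/24", False, "192.168.1.0/24", "192.168.1.2", "192.168.1.100")
    return check_chain(un, tr)


def fixed_layout():
    # Distinct LANs, trusted WAN fixed at .200, above the untrusted pool ending at .100.
    un = Router("untrusted", "198.51.100.10/30", False, "192.168.1.0/24", "192.168.1.2", "192.168.1.100")
    tr = Router("trusted", "192.168.1.200/24", True, "192.168.5.0/24", "192.168.5.2", "192.168.5.100")
    return check_chain(un, tr)


def provider_nat_layout():
    # Same as fixed_layout, but the satellite hands out a carrier-grade NAT address.
    un = Router("untrusted", "100.64.12.34/22", False, "192.168.1.0/24", "192.168.1.2", "192.168.1.100")
    tr = Router("trusted", "192.168.1.200/24", True, "192.168.5.0/24", "192.168.5.2", "192.168.5.100")
    return check_chain(un, tr)


if __name__ == "__main__":
    for label, fn in (("broken", broken_layout), ("fixed", fixed_layout), ("provider NAT", provider_nat_layout)):
        print(f"{label}: {fn() or 'no problems'}")
```

The check only looks at addressing; it says nothing about whether the untrusted router itself is patched, which is the remaining exposure Malor notes, since a compromised untrusted router still sees every packet the trusted network sends out.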

I've done a small home network upgrade that I want to pass by the GWJer brain trust in case I've overlooked something.

I've got Frontier FiOS service that comes into the house over coax and into an Actiontec MI424WR router. This router is 802.11g and barely/doesn't-quite reach our bedroom, which is upstairs on the opposite side of the house. Not a huge deal, but I'd win some spouse points if she can watch Netflix in bed on her iPad without having the connection occasionally flake out.

So I picked up a TP-Link wr1043nd router, flashed it to dd-wrt and set it up as an access point. Then I turned off the wifi radio on the actiontec router. (I followed these instructions.)

Where I'm concerned I'm going to have complications is that I now have 2 DHCP servers active, one on the Actiontec router and one on the TP-Link. I'm running all wired connections through the TP-Link's switch and I've set everything that plugs into it (a NAS w/ USB printer & my gaming rig) to DHCP for the time being. Eventually, I'm going to want to use the switch on the Actiontec router and set up static IPs again. Any advice on what I need to study up on before I do that?

Um, why don't you just disable one of the two DHCP servers? Then you can just link the two into one flat network, and you don't have to think about much of anything. You can do static IPs if you want, but they're usually not necessary in a small home network, except maybe for servers.

Every router I've ever owned would allow you to disable DHCP without disabling any NAT functionality that it's doing.

Basically, what I'd probably try to do is this: use the new router as your external gateway, because it's so fast, and you're on FIOS. Turn its NAT and DHCP on. Optionally, turn its wireless on in a different channel, maybe FRONTROOM or something, and maybe turn on a 5GHz channel if you have any clients that will use it.

Run a single wire to wherever you want to set up the Actiontec, rigging it up somewhere convenient, near the back of the house. Plug your other wired devices into the remaining three ports, and put it into "bridge mode", where it's being as absolutely stupid as possible, just taking anything it sees on the LAN and shoving it out the wireless, and vice versa. Have it set up a separate network, maybe BEDROOM. You want it doing no NAT, and no DHCP. It's doing three things for you at that point -- hauling the network to the back bedroom over a wire, giving you three live switch ports to plug wired clients into, and bridging that network to the wireless, doing nothing else. The TP-Link becomes the brains of the operation, doing all the smart stuff (because it's much faster), and the Actiontec is just a bridge and a switch.

I can't promise that the native firmware will do this, but if it doesn't, check to see if you can run DD-WRT on it -- that will work for sure.

So, your network will kinda look like this:

FIOS
|
V (external IP)
[b]TP-link Router[/b] .......... front of house wireless clients
(DHCP/DNS/NAT server/firewall)
|
| (long wire to back of house)
|
| (plug into one of the four [b]LAN[/b] ports)
[b]Actiontec Router[/b] (bridging to wireless) .... back of house wireless clients
(onboard switch)
| | |
wired clients

You'll also have some free ports on the TP-link, so you can plug some wired devices in there, too.

You want to plug into the LAN port on the Actiontec, because the four LAN ports are all served by a dedicated switch chip, which can move packets at full wire speed. Any wired client you plug in should be able to push (or pull) close to 100Mbit. Depending on how smart your firmware is, you might be able to also bridge the WAN port, so that all five ports are on the same network, but that bridging will require active intervention by the processor, probably slowing throughput to maybe 30Mbit. This is also true of the wireless, as the same thing is happening, but that's more than G signal can carry, so it's no biggie. So you want to maybe put a little bit of tape over the WAN port on the Actiontec, and only take it off if you need another port, and don't mind it being slower than the others.

You know, I just looked it up, and that Actiontec is faster than I thought -- it's supposedly gigabit and wireless N, just like the other one. So you could rig up the two APs in either spot. All the same caveats apply -- use the LAN ports, put all the brains on one, and make the other one as stupid as possible. But you'll have a full gigabit network, instead of a mix of gigabit and Fast Ethernet.

The lowest-impact solution would be, then, to leave the Actiontec where it is, and set up the TP-link in stupid slave mode, just bridging, without doing NAT or DHCP or, well, much of anything. You want one smart router, and one very, very stupid one. If you find you strongly prefer the TP-link's firmware, you could swap it in as the brain, and make the Actiontec the dumb one. Up to you.

The two separate wireless networks would probably still be convenient. You could actually end up with four -- two each on G and N.

Thanks Malor. I had to do some fixing this morning in order to allow me to connect to my NAS from outside the network again. In a nutshell, I made the TP-Link router dumb and left the Actiontec doing the heavy lifting. This isn't optimal, since my version of the Actiontec router is only 10/100, BUT my FiOS connection comes in over coax and the Actiontec handles that (MoCA). This morning I did a hard reset on the TP-Link and configured it through dd-wrt to be an access point. Now I've got my static IPs set through the Actiontec and ports are forwarding properly.

thanks again.

Remember that if you can connect to your NAS from outside via open ports (as opposed to VPN or something similar), then so can bad guys. Be sure to use an excellent password, keep up on your patches, and maintain multi-generation backups.