
Home Networking Question


ADDandy

Hey everyone,

I just bought a house and I have the benefit of not having tenants for the first month, so I have the time to set up a proper and awesome home network.

There is a diagram of my network attached.

Network Hardware:

2Wire Router: this is the broadband box that comes with my internet service. I want to run the open/WEP wifi off this router. I want this router to only be able to access the internet, and nothing else on the LAN. It will be the guest wifi network, but should keep my actual network sans virus.

Linksys 610N: main firewall/router, broadcasting the main wifi network (B & N), WPA2 Personal. Running DD-WRT (hopefully).

Switch 1: this switch is for ethernet into the basement (3 personal computers, PS3, Xbox, 2 extra in the media center area).

Questions:

1) What is the best way to make the WEP-wifi network only able to access the internet and not any of the other LAN devices?

2) What is a good 8-port GigE switch? I was looking at an HP ProCurve 1400-8G but they are about $30 over my budget for the switch (I want to spend 100 CAD).

3) Is the PS3 or Xbox a better platform for watching content stored on the media server (fed10 box)?

4) Is the 610N the best router? I am looking for 4-port GigE, wireless G/N simultaneous dual band.

5) I have a bunch of extra wireless G equipment (some D-Link, Asus). Would it be easier to set up the internet-only guest wifi using one of these?

Thanks

Attention Deficit DINOSAURS!

Ok I'll give this a shot....

1. Use that router/firewall as your gateway to the internal network. There is no way to keep the wifi traffic off the LAN unless you have some advanced ACLs or packet filtering going on, which I doubt your 2Wire router does. If you lock down your 610N properly, you should be fine.

2. Define "good switch"? Do you need it to do vlans? If you want an unmanaged gigabit switch for a network of this size, just go with what fits your budget. They're all the same at that level. Honestly, you won't be putting enough stress on the switch to see the flaws, if any.

3. Depends on what you want to watch. Do they play all the file formats you want? I like XBMC but I have to make sure to get the appropriate formats supported for that. It's all up to your tastes.

4. Each vendor has a different implementation of N (almost), so we'll have to just sit back and wait until N is final, so I make no judgments there. My opinion is the best router is one that can run custom firmware like DD-WRT or Tomato.

5. Again, depends on the capabilities of the specific equipment. I doubt consumer grade equipment can make dedicated SSIDs tied to a specific vlan. Put an AP outside your firewall and you'll be fine. You might get your bandwidth sapped, but that's another issue.

Home networks are a different breed altogether; you don't need to take into consideration things that you do in enterprise networks. They don't have the same requirements or considerations. You really don't need gigabit, and when you are all done, if you measure your bandwidth, I would be surprised if you went over 100Mbps between PCs streaming. The software will be your bottleneck.


OK, 1) I was hoping to get the WEP wifi working like a Fonera works, where it has a private wifi and then a completely separate wifi that only gets the internet.

2) I define a good switch by low switching latency and good throughput, and when I say 'I define' I mean 'the sysadmin at work told me that is what to look for'.

3) In most cases it will be standard video formats; I just wanted to know which has the best viewing experience when streaming off a Linux-based media server.

4) Right now the 610N is almost supported by DD-WRT; they don't have the dual band working yet.

5) Sorry, I should clarify that question.

5 new) Would it be easier to set up the guest wireless network (the one that doesn't have access to any network resources; it can only access the internet) using a D-Link product?

Thanks!


1. If your router/modem thing has it, you'll see an option in the GUI. I doubt it's there. Use 2 APs instead.

2. The sysadmin here says get a Cisco switch. You'll pay a ton for it, especially gigabit, compared to D-Link/Netgear/junk. More RAM and a higher CPU will give you better numbers; it's going to be hard to find the specs for consumer grade switches.

3. If it's HDMI on both, it'll probably look the same on both. They're both gaming systems; treat them as such. This is the equivalent of asking which cell phone has a better camera and basing your decision on that.

4. Then I would say no, I like the advanced options that you get. But that's just me.

5+. Nothing is easier using D-Link. :)

You are looking for enterprise features in consumer grade equipment; there's a reason that this stuff costs so much less.


I'm also interested in running two wireless SSIDs to isolate my public and private networks; I've not really found a 100% way to do this yet. I had hoped to do it with DD-WRT but it just doesn't seem to work right: a wireless device in my house craps out constantly when I use any kind of security, so I was just going to allow it to connect to the public wireless and only allow it access to a specific server. At the moment I'm having to use 2 APs :angry: I'll probably invest in some Cisco kit one day. ;)


Here's how I have my network set up. I'm running an older P3 machine with 3 NICs in it with Smoothwall as its OS. This is my firewall/router. One NIC is WAN, one is LAN, and the third is WIFI. The WIFI and LAN ports are on separate subnets. The LAN can talk to the WIFI, but not the other way around. This setup can also track internet usage, and run a pretty good basic IDS/IPS. I have a WRT54GS running the wireless in AP mode; it doesn't do any routing or IP assigning.


"The LAN can talk to the WIFI, but not the other way around."

How did you configure one-way packet exchange? ('Exchange' is used for lack of a better word, since there would be no actual exchange.)

TCP transactions need to make round trips, hence both networks need permission to talk to each other. Either they can both talk to each other, or they cannot.


I think he means that the wifi is on the WAN side of a NAT. Thus devices behind the NAT can establish a new connection to devices on the wifi while devices on the wifi cannot establish connections to devices behind the NAT.


Kinda. Both networks are inside the firewall and NATted, but the firewall is keeping them separate as well. Hosts on the LAN can make connections to devices on the wifi, but not the other way around.

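The "LAN can talk to WIFI but not the other way around" design above, and the objection that TCP needs both directions, come down to connection tracking: reply packets are accepted because they belong to a connection that was already permitted, not because the reverse direction is open. The following is an added example, written for this thread and not taken from any poster here or from Smoothwall; it simulates that stateful forwarding policy in Python and goes slightly beyond the thread by also giving the WIFI zone internet-only access, which is what the original question asked for. The subnets, hosts, ports and the nftables-style rules in the docstring are constructed assumptions.

```python
"""Stateful forwarding policy, simulated.

Added example; not from the thread and not Smoothwall's own configuration.
It models a three-interface firewall (WAN, LAN, WIFI) whose policy is:

  * LAN  may open connections to WIFI and to WAN
  * WIFI may open connections to WAN only
  * replies to an already-permitted connection are accepted in either direction

The reply rule is what makes "LAN can talk to WIFI but not the other way
around" work with TCP: the WIFI host's SYN/ACK is accepted because the
connection is tracked, not because WIFI -> LAN is open. Subnets and hosts
below are constructed. An equivalent (assumed, illustrative) nftables policy:

    chain forward {
        ct state established,related accept
        iifname "lan"  oifname { "wifi", "wan" } accept
        iifname "wifi" oifname "wan" accept
        drop
    }
"""
from dataclasses import dataclass
import ipaddress

# Constructed sample subnets for the LAN and WIFI interfaces
ZONES = {
    "lan": ipaddress.ip_network("192.168.1.0/24"),
    "wifi": ipaddress.ip_network("192.168.2.0/24"),
}

# Which zone may *initiate* connections to which zone
NEW_ALLOWED = {("lan", "wifi"), ("lan", "wan"), ("wifi", "wan")}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True only for the first packet of a TCP connection


def zone_of(ip: str) -> str:
    """Map an address to its firewall zone; anything not local is WAN."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "wan"


class StatefulFirewall:
    def __init__(self):
        self.conntrack = set()  # 4-tuples of connections already permitted
        self.log = []

    @staticmethod
    def _key(p: Packet):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet):
        return (p.dst, p.dport, p.src, p.sport)

    def forward(self, p: Packet) -> str:
        """Return 'accept' or 'drop' for a packet crossing the firewall."""
        src_zone, dst_zone = zone_of(p.src), zone_of(p.dst)
        if self._key(p) in self.conntrack or self._reverse(p) in self.conntrack:
            verdict = "accept"  # belongs to a tracked connection (either direction)
        elif p.syn and (src_zone, dst_zone) in NEW_ALLOWED:
            self.conntrack.add(self._key(p))
            verdict = "accept"  # new connection from a permitted zone pair
        else:
            verdict = "drop"  # new or untracked traffic, e.g. WIFI -> LAN
        self.log.append((src_zone, dst_zone, verdict))
        return verdict


def demo() -> dict:
    """Walk through the cases the thread argues about; returns each verdict."""
    fw = StatefulFirewall()
    r = {}
    # LAN PC opens a connection to a WIFI device and gets its reply
    r["lan_to_wifi_syn"] = fw.forward(Packet("192.168.1.10", 40000, "192.168.2.20", 80, syn=True))
    r["wifi_reply"] = fw.forward(Packet("192.168.2.20", 80, "192.168.1.10", 40000))
    # WIFI guest tries to reach a LAN file share: new connection, dropped
    r["wifi_to_lan_syn"] = fw.forward(Packet("192.168.2.30", 50000, "192.168.1.10", 445, syn=True))
    # WIFI guest sends a non-SYN packet that claims to be a reply: no matching state, dropped
    r["wifi_fake_reply"] = fw.forward(Packet("192.168.2.30", 445, "192.168.1.10", 50001))
    # WIFI guest still gets the internet, and the internet's reply comes back
    r["wifi_to_wan_syn"] = fw.forward(Packet("192.168.2.30", 50002, "203.0.113.5", 443, syn=True))
    r["wan_reply"] = fw.forward(Packet("203.0.113.5", 443, "192.168.2.30", 50002))
    # Unsolicited packet from the internet to a LAN host: dropped
    r["wan_to_lan_syn"] = fw.forward(Packet("198.51.100.7", 1234, "192.168.1.10", 22, syn=True))
    return r


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:18s} -> {verdict}")
```

The simulation keeps the filtering decision separate from any address translation, which is the distinction drawn later in the thread between a NAT device and a firewall: the verdicts above depend only on zone pairs and tracked state. A real connection tracker also expires entries and handles related flows (FTP data channels, ICMP errors), which this model omits.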

I figured that, but let's not get in the habit of calling a NAT device a firewall. NAT is not an acceptable method of firewalling for security; it's for convenience.


I never said it was. Which is why I don't use those POS DSL modems ISPs hand out. Especially 2Wire; the freaking things have a huge security flaw.


They have a huge security flaw?

When you say you don't use them, do you just make them a dumb modem and handle your network with a router?


The NAT technology (or configuration, if this is a more accurate name) works very similarly to a firewall. The difference being that NAT has the advantage of being able to map several connections to different hosts on a network.

If you mean this in the context of consumer NAT routers being crap firewalls, you are indeed correct. A good number of them (particularly the no-name brands) have fail all over them.


I meant in the context of TCP sequence numbers on the outgoing packets, if you can predict them, you can punch a hole in the NAT "firewall" and go right in. A device that performs packet inspection would be an appropriate firewall. NAT is good for home networks, but don't get a false sense of security by calling it a firewall.


If a NAT device assigns each new connection by sequentially generating the information that identifies each connection, you would indeed be able to more easily guess this information. You would also have to know what outside resources they were connecting to in order to 'get through' the NAT. If you managed to get a packet through the NAT, the NAT thinks your IP address on the internet is not the one you actually have. The result is you never receive anything back from your target. If a packet did get through, it will have achieved nothing unless you have a payload that can be delivered in a single packet, or multiple packets that are not actually part of the stream while appearing to be.

A computer behind a firewall is just as vulnerable to this kind of attack as a computer behind a NAT. Both a software firewall and a hardware firewall would rely on the OS to generate the information that uniquely identifies each connection. If the OS generates it sequentially, nothing has changed.

Aside from this there is also the issue of you not knowing what software will ultimately receive your payload. Obviously a computer will, but will it go to Firefox, IE, Steam, Pidgin, iTunes even? If you have a payload that exploits the network stack of a given OS (probably Windows) you increase your target size slightly.

Given that there are approximately 4000000000 possible IP addresses on the internet and that there are approximately 64000 possible ports usable by any given connection, if you knew a particular host on the internet was always there you would be hammering at it for a very long time before you got a packet through. Unless you are passively monitoring traffic going in and out of the connection, it is very unlikely any packet will get in. Mathematically speaking there are 4000000000^64000 = very big number possible combinations of IP address and port used. Realistically speaking you are more likely to randomly turn into an elephant that has found itself at the edge of the expanding universe in an elephant-sized stable than get a packet through NAT without knowing anything about the target.


If ....

It's possible and it's been done, I agree it's probably unlikely you or I will be the victim of such an attack. If the router/firewall doesn't do any packet inspection, the packets get passed through if they match the appropriate conditions. If you can guess those conditions, you probably have a better chance at getting through. It's just naive to tell somebody that a netgear router doing NAT is the equivalent of a firewall. I understand that the start of this discussion was somebody using Smoothwall, which probably does packet inspection, so I'm not knocking that, but it might be configured to do so in that example.

http://en.wikipedia.org/wiki/TCP_Sequence_Prediction_Attack

http://www.tech-faq.com/tcp-sequence-prediction.shtml

Somebody would have to be pretty dedicated and knowledgeable to accomplish such a feat with a specific goal in mind, who would do such a thing?

http://www.networkcomputing.com/unixworld/...ty/001.txt.html

Mitnick did it.


Ok I'll give this a shot....

1. Use that router/firewall as your gateway to the internal network. There is no way to keep the wifi traffic off the LAN unless you have some advanced ACLs or packet filtering going on, which I doubt your 2Wire router does. If you lock down your 610N properly, you should be fine.

You could also put this device on a DMZ. For your gaming devices you will have to forward the ports manually. And personally I think the 360 is the better platform for viewing media.


They have a huge security flaw?

When you say you don't use them, do you just make them a dumb modem and handle your network with a router?

I use a dumb modem and let Smoothwall do the work. They don't get the chance to fuck up my network.

I'm not sure if it's been fixed or not, I don't care.

http://blogs.chron.com/techblog/archives/2...ng_exploit.html
