Cascading WRT54G(L) routers and security

Post new topic   Reply to topic    DD-WRT Forum Index -> Broadcom SoC based Hardware
Author Message
quella
DD-WRT Novice


Joined: 21 Jan 2008
Posts: 4

PostPosted: Mon Jan 21, 2008 2:56    Post subject: Cascading WRT54G(L) routers and security Reply with quote
I have two routers that are currently cascaded where one a WRT54GL v1.1 running DD-WRT 24 RC6.2 and the other a WRT54G V8 running current Linksys code. I have the 54GL connected to my cable provider as my main router and am running WPA2 on the wireless configuration for this network. I also have the WRT54G connected to from the WAN port to Port 4 on the GL router. This machine is configured with WEP for a PSP and DS access; but willing to open it if I can secure things correctly as a hotspot. In early testing it seems that the setup works and that the G router can get to the internet but not to my other lan or wireless. I was wondering if anyone can tell me how I should ensure this setup by having me configure port 4 on the GL to be on its own VLAN and direct it only to the Internet. I think I was able to attach a image of the setup if that helps. I had some issues with splitting a single WRT router to have the two security options running (WPA2 and WEP), so I found this to be a quick fix until it is easier to setup. Any thoughts or ideas on how I can best secure or use this configuration for either an open hotspot while protecting my current internal lan? I have them on two different IP subnets and also different wireless channels (2 and 6) recommendation, pointers, ideas, or comments?

Quella



net1.jpg
 Description:
 Filesize:  24.79 KB
 Viewed:  23659 Time(s)

net1.jpg


Sponsor
GeeTek
DD-WRT Guru


Joined: 06 Jun 2006
Posts: 3763
Location: I'm the one on the plate.

PostPosted: Mon Jan 21, 2008 3:52    Post subject: Reply with quote
You actually already have exactly what you are asking for. Open the access on the primary GL to be your hotspot. The LAN behind the G radio is isolated from anything in front of the WAN port, and that is your private LAN.
_________________
http://69.175.13.131:8015 Streaming Week-End Disco. Station Ripper V 1.1 will do.
quella
DD-WRT Novice


Joined: 21 Jan 2008
Posts: 4

PostPosted: Mon Jan 21, 2008 12:22    Post subject: Reply with quote
Thanks for the quick reply... I have a few other questions.

So, you are saying I should switch my two routers wireless and wired nets so that the wrt54G is my private net and the WRT54GL is my open access hotspot? Right now, sorry I know the diagram is not the best, I have the GL (the first in the chain) as my secure lan/wirelwss and the second as my open/wep wireless. You are saying that I should switch them so the last in the chain is my secure lan and the one closest to the internet is my open system. I can do that, but could I not just set up a vlan in the first router running dd-wrt to only allow any traffic on port 4 going to the second router access to the Internet and none of the other portions of the first router?

Sorry for the confusion, and I would be happy to switch them around if that is the easiest or best solution. Would it be better if I loaded the G or last router with dd-wrt Micro code? Would I get anything different with that if I just want to use it for a secure lan/wireless and nothing else?

Quella
quella
DD-WRT Novice


Joined: 21 Jan 2008
Posts: 4

PostPosted: Tue Jan 22, 2008 14:59    Post subject: Reply with quote
I have updated my design based on the previous feedback and I have now switched my router configurations so that the "secure" router/lan is now at the end of the router cascade; unlike the previous drawing above. Based on this new drawing, I have a few questions I was hoping that someone here may be able to answer.

1. Does this really provide a secure setup between the two router networks (192.168.50.x and 192.168.1.x)? In early testing, I was not able to get from the .50 network to the .1 network, but it appears I can go the other way (secure to unsecure); which I desire. Ideas from others that have fully tested and validated this configuration?

2. Would it be better if I configured the unsecure router with a secondary vlan for the port where I have them cascaded? Would I secure it more if I created a port 4 vlan and had it only access the Internet and not the insecure lan? Can I really improve security by trying to isolate even more the insure network, or should I setup a Vlan from the unsecure wireless to the Internet only?

3. Would I add anything that may assist or make the secure router better if I upgrade it with the DD-WRT micro firmware, or just leave it as is if I do not need the extra features on this router.

4. Is setting up a hotspot (once I confirm the security of this setup) as easy as enabling it on the unsecure router and allowing people to access the wireless for Internet access? Or, is it better to just remove the encryption on the unsecure router and open it to the world without creating a hotspot?

Thanks

Quella



Drawing1.gif
 Description:
 Filesize:  19.29 KB
 Viewed:  23586 Time(s)

Drawing1.gif


GeeTek
DD-WRT Guru


Joined: 06 Jun 2006
Posts: 3763
Location: I'm the one on the plate.

PostPosted: Tue Jan 22, 2008 15:07    Post subject: Reply with quote
I hope somebody else can help you with the VLAN questions. I've never messed with VLANs.
_________________
http://69.175.13.131:8015 Streaming Week-End Disco. Station Ripper V 1.1 will do.
patrickdk
DD-WRT User


Joined: 01 Dec 2007
Posts: 76

PostPosted: Tue Jan 22, 2008 15:24    Post subject: Reply with quote
Your secure network will be as secure as it is when connected to the internet. They are all going share the same 192.168.50.x ip address (why you can connect secure to unsecure but not the other way around). The only way to hurt this is to define a dmz or port forwarding on the secure router.

I personally probably wouldn't bother with doing a vlan on the unsecure router, unless you are going get paranoid about arp spoofing and you have a habit of transfering your passwords unencrypted over the internet. I would just set port 4 qos setting to higher than the rest, so you will get internet usage priority over the other.
quella
DD-WRT Novice


Joined: 21 Jan 2008
Posts: 4

PostPosted: Tue Jan 22, 2008 16:48    Post subject: Reply with quote
Thanks again for the great advice here. Configuring the QoS on port 4 of the unsecure router is a super idea. I will make this change and see how it goes. Thoughts on just having an open AP, or setting up a HotSopt? Advantages or disadvantages of either?

Quella
coredump
DD-WRT Novice


Joined: 02 Feb 2007
Posts: 11
Location: Germany

PostPosted: Tue Jan 22, 2008 17:01    Post subject: Reply with quote
I've been looking to do the exact same thing as the original poster, but in my case, the "insecure" network consists of machines connected via CAT5 to the "DMZ" router.

My question is simple: If one of the machines on the insecure network gets rooted and
fully compromised, would an attacker be able to sniff the network traffic
between the "green" secure network and the internet?

I basically do not care if he can sniff the traffic between machines in the DMZ, but sniffing secure traffic would be very bad.
patrickdk
DD-WRT User


Joined: 01 Dec 2007
Posts: 76

PostPosted: Tue Jan 22, 2008 17:23    Post subject: Reply with quote
Theoredically, yes, they can, by using arp spoofing and causing the switch to send you all their packets.

Personally, since the unsecure it connected to the internet, and the secure is not, anything you pass over the unsecure is just as secure as anything you pass over the internet, and I would be much more paranoid of what people do on the internet than someone hacking into your dmz to look at your stuff.
coredump
DD-WRT Novice


Joined: 02 Feb 2007
Posts: 11
Location: Germany

PostPosted: Tue Jan 22, 2008 18:00    Post subject: Reply with quote
Thank you for reply.

The difference between someone sniffing my packets on the internet and someone sniffing it directly on my DMZ is that the guy on the DMZ usually knows who I am and where I live Smile

Information that can be difficult to obtain for packets sniffed in a random attack (at least I would hope so).

Is there any way I could 100% avoid being "sniffed" and still provide a DMZ?
Maybe with more hardware?

I'm afraid my network-security-foo is rather low :)

EDIT:

I wonder if the following setup would be a solution:

Both "DMZ" and "Secure LAN" are dd-wrt routers doing DHCP. The DMZ router will have a disabled radio, whereas the Secure router provides WPA2 WIFI access.

As the "secure" traffic never passes the "DMZ" machines, I assume the secure traffic can not be sniffed / captured. Is that assumption correct?



DMZ Layout.JPG
 Description:
 Filesize:  16.52 KB
 Viewed:  23518 Time(s)

DMZ Layout.JPG


GeeTek
DD-WRT Guru


Joined: 06 Jun 2006
Posts: 3763
Location: I'm the one on the plate.

PostPosted: Wed Jan 23, 2008 1:45    Post subject: Reply with quote
That will work great as long as the service provider is giving you an IP address for each router.
_________________
http://69.175.13.131:8015 Streaming Week-End Disco. Station Ripper V 1.1 will do.
coredump
DD-WRT Novice


Joined: 02 Feb 2007
Posts: 11
Location: Germany

PostPosted: Wed Jan 23, 2008 11:31    Post subject: Reply with quote
The DSL Gateway is just another dd-wrt router =)
GeeTek
DD-WRT Guru


Joined: 06 Jun 2006
Posts: 3763
Location: I'm the one on the plate.

PostPosted: Wed Jan 23, 2008 22:43    Post subject: Reply with quote
coredump wrote:
The DSL Gateway is just another dd-wrt router =)

Precicely why you should start a new thread of your own instead of hijacking this one.

_________________
http://69.175.13.131:8015 Streaming Week-End Disco. Station Ripper V 1.1 will do.
coredump
DD-WRT Novice


Joined: 02 Feb 2007
Posts: 11
Location: Germany

PostPosted: Wed Jan 23, 2008 23:02    Post subject: Reply with quote
There was nothing to be hijacked as the original thread is basically closed and the OP had his answer.

My problem is very similar to the original post and even the subject of this thread (cascading dd-wrt routers) is still accurate. My setup only takes the OP's problem to the next stage and clearly builds upon the earlier posts. If fail to see a problem here.

What was your point again?
gwaitsi
DD-WRT User


Joined: 11 Jan 2007
Posts: 79

PostPosted: Wed Oct 09, 2019 17:54    Post subject: Reply with quote
hey guys, i am using the same kind of cascaded config but the devices are on the same lan segment configured as switches. For the LAN ports i am putting them on a separate VLAN27 and the wireless are both on VLAN41 and 51 for home and guest.

The VLAN27 switch ports and the LAN work on both devices, but the downstream wifi is not connecting to the VLANs upstream.

Independently, both devices work. it is only in the cascaded config the wifi doesn't work. the same is true when the devices are reversed/

any thoughts
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum