Posted: Mon Jan 21, 2008 2:56 Post subject: Cascading WRT54G(L) routers and security
I have two routers that are currently cascaded, where one is a WRT54GL v1.1 running DD-WRT 24 RC6.2 and the other is a WRT54G V8 running current Linksys code. I have the 54GL connected to my cable provider as my main router and am running WPA2 on the wireless configuration for this network. I also have the WRT54G connected from its WAN port to Port 4 on the GL router. This machine is configured with WEP for PSP and DS access, but I am willing to open it if I can secure things correctly as a hotspot. In early testing it seems that the setup works and that the G router can get to the Internet but not to my other LAN or wireless. I was wondering if anyone can tell me how I should secure this setup by configuring port 4 on the GL to be on its own VLAN and directing it only to the Internet. I think I was able to attach an image of the setup, if that helps. I had some issues with splitting a single WRT router to have the two security options running (WPA2 and WEP), so I found this to be a quick fix until it is easier to set up. Any thoughts or ideas on how I can best secure or use this configuration as an open hotspot while protecting my current internal LAN? I have them on two different IP subnets and also on different wireless channels (2 and 6). Any recommendations, pointers, ideas, or comments?
Joined: 06 Jun 2006 Posts: 3763 Location: I'm the one on the plate.
Posted: Mon Jan 21, 2008 3:52 Post subject:
You actually already have exactly what you are asking for. Open the access on the primary GL to be your hotspot. The LAN behind the G radio is isolated from anything in front of the WAN port, and that is your private LAN. _________________ http://69.175.13.131:8015 Streaming Week-End Disco. Station Ripper V 1.1 will do.
Thanks for the quick reply... I have a few other questions.
So, you are saying I should switch my two routers' wireless and wired nets so that the WRT54G is my private net and the WRT54GL is my open access hotspot? Right now (sorry, I know the diagram is not the best) I have the GL (the first in the chain) as my secure LAN/wireless and the second as my open/WEP wireless. You are saying that I should switch them so the last in the chain is my secure LAN and the one closest to the Internet is my open system. I can do that, but could I not just set up a VLAN in the first router running DD-WRT to only allow any traffic on port 4 going to the second router access to the Internet and none of the other portions of the first router?
Sorry for the confusion, and I would be happy to switch them around if that is the easiest or best solution. Would it be better if I loaded the G (or last) router with DD-WRT Micro code? Would I get anything different with that if I just want to use it for a secure LAN/wireless and nothing else?
I have updated my design based on the previous feedback and I have now switched my router configurations so that the "secure" router/lan is now at the end of the router cascade; unlike the previous drawing above. Based on this new drawing, I have a few questions I was hoping that someone here may be able to answer.
1. Does this really provide a secure setup between the two router networks (192.168.50.x and 192.168.1.x)? In early testing, I was not able to get from the .50 network to the .1 network, but it appears I can go the other way (secure to unsecure); which I desire. Ideas from others that have fully tested and validated this configuration?
2. Would it be better if I configured the unsecure router with a secondary VLAN for the port where I have them cascaded? Would I secure it more if I created a port 4 VLAN and had it only access the Internet and not the insecure LAN? Can I really improve security by trying to isolate the insecure network even more, or should I set up a VLAN from the unsecure wireless to the Internet only?
3. Would I add anything that may assist or make the secure router better if I upgrade it with the DD-WRT Micro firmware, or should I just leave it as is if I do not need the extra features on this router?
4. Is setting up a hotspot (once I confirm the security of this setup) as easy as enabling it on the unsecure router and allowing people to access the wireless for Internet access? Or, is it better to just remove the encryption on the unsecure router and open it to the world without creating a hotspot?
Posted: Tue Jan 22, 2008 15:07 Post subject:
I hope somebody else can help you with the VLAN questions. I've never messed with VLANs.
Your secure network will be as secure as it is when connected to the Internet. They are all going to share the same 192.168.50.x IP address (which is why you can connect secure to unsecure but not the other way around). The only way to hurt this is to define a DMZ or port forwarding on the secure router.
I personally probably wouldn't bother with doing a VLAN on the unsecure router, unless you are going to get paranoid about ARP spoofing and you have a habit of transferring your passwords unencrypted over the Internet. I would just set the port 4 QoS setting higher than the rest, so you will get Internet usage priority over the others.
Thanks again for the great advice here. Configuring the QoS on port 4 of the unsecure router is a super idea. I will make this change and see how it goes. Thoughts on just having an open AP, or setting up a hotspot? Advantages or disadvantages of either?
I've been looking to do the exact same thing as the original poster, but in my case, the "insecure" network consists of machines connected via CAT5 to the "DMZ" router.
My question is simple: If one of the machines on the insecure network gets rooted and fully compromised, would an attacker be able to sniff the network traffic between the "green" secure network and the Internet?
I basically do not care if he can sniff the traffic between machines in the DMZ, but sniffing secure traffic would be very bad.
Theoretically, yes, they can, by using ARP spoofing and causing the switch to send them all your packets.
Personally, since the unsecure router is connected to the Internet and the secure one is not, anything you pass over the unsecure is just as secure as anything you pass over the Internet, and I would be much more paranoid about what people do on the Internet than about someone hacking into your DMZ to look at your stuff.
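The ARP-spoofing remark above points at the one check a defender can actually run on that shared 192.168.50.x segment. The following is an added example, not code from this thread or from DD-WRT: it scans ARP replies for an IP address that suddenly answers from a different MAC, paying special attention to the gateway and the secure router's WAN address. All addresses and MACs below are constructed sample data.

```python
# Added example (not from the thread): a small ARP-cache monitor that flags
# the spoofing condition described in the reply above, i.e. one IP address
# suddenly answering from a second MAC on the shared 192.168.50.x segment.
from collections import defaultdict

# Constructed sample ARP replies as (timestamp, sender_ip, sender_mac).
# 192.168.50.1 is assumed to be the unsecure router's LAN side and
# 192.168.50.2 the secure router's WAN port; the last two lines model a
# compromised DMZ host (.23) claiming both of those addresses.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.50.1", "00:11:22:33:44:01"),
    (1.0, "192.168.50.2", "00:11:22:33:44:02"),
    (2.0, "192.168.50.23", "00:11:22:33:44:23"),
    (5.0, "192.168.50.1", "00:11:22:33:44:01"),
    (9.0, "192.168.50.1", "00:11:22:33:44:23"),  # gateway IP now from .23's MAC
    (9.5, "192.168.50.2", "00:11:22:33:44:23"),  # and the secure WAN address too
]


def find_arp_conflicts(replies, protected_ips=()):
    """Return alerts as (timestamp, ip, old_mac, new_mac, severity).

    An alert is raised whenever an IP previously seen with one MAC is claimed
    by a different MAC. Conflicts on protected_ips (the gateway and the secure
    router's WAN address) are rated "high"; any other conflict is "low".
    """
    seen = {}
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        prev = seen.get(ip)
        if prev is not None and prev != mac:
            severity = "high" if ip in protected_ips else "low"
            alerts.append((ts, ip, prev, mac, severity))
        seen[ip] = mac
    return alerts


def macs_claiming_multiple_ips(replies):
    """Map MAC -> set of IPs; one MAC answering for several IPs is suspicious."""
    by_mac = defaultdict(set)
    for _, ip, mac in replies:
        by_mac[mac.lower()].add(ip)
    return {m: ips for m, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    watched = {"192.168.50.1", "192.168.50.2"}
    for alert in find_arp_conflicts(SAMPLE_ARP_REPLIES, watched):
        print("ARP conflict at t=%.1f: %s was %s, now %s (%s)" % alert)
    print(macs_claiming_multiple_ips(SAMPLE_ARP_REPLIES))
```

On a real DD-WRT box the same logic can be fed from the router's ARP table or a packet capture of ARP replies; static ARP entries for the gateway and the secure router's WAN port are the usual mitigation once such a conflict is seen.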
The difference between someone sniffing my packets on the Internet and someone sniffing them directly on my DMZ is that the guy on the DMZ usually knows who I am and where I live, information that can be difficult to obtain for packets sniffed in a random attack (at least I would hope so).
Is there any way I could 100% avoid being "sniffed" and still provide a DMZ?
Maybe with more hardware?
I'm afraid my network-security-foo is rather low :)
EDIT:
I wonder if the following setup would be a solution:
Both the "DMZ" and "Secure LAN" routers are DD-WRT routers doing DHCP. The DMZ router will have a disabled radio, whereas the Secure router provides WPA2 WiFi access.
As the "secure" traffic never passes the "DMZ" machines, I assume the secure traffic cannot be sniffed / captured. Is that assumption correct?
Posted: Wed Jan 23, 2008 1:45 Post subject:
That will work great as long as the service provider is giving you an IP address for each router.
Posted: Wed Jan 23, 2008 22:43 Post subject:
coredump wrote:
The DSL Gateway is just another dd-wrt router =)
Precisely why you should start a new thread of your own instead of hijacking this one.
There was nothing to be hijacked as the original thread is basically closed and the OP had his answer.
My problem is very similar to the original post, and even the subject of this thread (cascading DD-WRT routers) is still accurate. My setup only takes the OP's problem to the next stage and clearly builds upon the earlier posts. I fail to see a problem here.
Hey guys, I am using the same kind of cascaded config, but the devices are on the same LAN segment configured as switches. For the LAN ports I am putting them on a separate VLAN27, and the wireless are on VLAN41 and VLAN51 for home and guest respectively.
The VLAN27 switch ports and the LAN work on both devices, but the downstream WiFi is not connecting to the VLANs upstream.
Independently, both devices work. It is only in the cascaded config that the WiFi doesn't work. The same is true when the devices are reversed.