Private network in apartment building

DD-WRT Forum Forum Index -> Advanced Networking
TheGuyCalledBob
DD-WRT Novice


Joined: 17 May 2019
Posts: 3

Posted: Fri May 17, 2019 18:58    Post subject: Private network in apartment building
Hi all,

I've been using dd-wrt for some time now on my own private internet connections. However, I'm moving to a building that has a main router and a switch on every floor. I would really like my own wired and wifi network to have more control over my devices. This feels like a challenge and I could use some tips on where to start.

It is set up and works like this:
( | and - are wired connections)

Code:
Main Router (192.168.1.xxx / 255.255.255.0)
|
|
1st floor Switch
|
|
2nd floor Switch
|
|
3rd floor Switch----computer (gets IP by DHCP from main router)
|               
|
4th floor Switch


Now, what I would like to achieve is this:

Code:
Main Router (192.168.1.xxx / 255.255.255.0)
|
|
1st floor Switch
|
|
2nd floor Switch
|
|
3rd floor Switch --- DD WRT --- private wired devices AND *)) private wifi
|                                       
|
4th floor Switch


So I would like to create my own private network (subnet?) behind the main router and have control over IP addresses etc.

I'm kinda lost on which mode to use. I have a wired connection between the primary and secondary (DD-WRT) router and I would like private wired and wifi connections on the secondary router.

Important note: I don't have access to the primary router :(

Could someone give me a hint on this ?
Thanks in advance !
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3658
Location: Netherlands

Posted: Fri May 17, 2019 20:09    Post subject:
Reset the router to defaults.
Log in and set username and password.
Change the router's IP address from 192.168.1.1 to 192.168.55.1.

Connect WAN from router to the switch and reboot the router.

That is all.

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
Simple PBR (Policy Based Routing) script: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318662
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN server setup guide:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
TheGuyCalledBob
DD-WRT Novice


Joined: 17 May 2019
Posts: 3

Posted: Sat May 18, 2019 17:59    Post subject:
Really? Ok :) Thnx/dankjewel!

I do have some additional questions though.

The owner insisted that I use an access point like this:



He was talking about security concerns. Saying that when using some other setup a whole floor could be blocked.

Could he be talking about something like this ?:

Quote:
As an example, some colleges still allow students to have their own wireless access points (WAPs). They require that the WAPs not hand out private IP addresses (like routers with DHCP/NAT) because it makes it difficult to track down which client is causing problems (eg. virus infections, worms, etc.)


And are these assumptions correct when using egc's solution?
- My secondary router gets a WAN IP 192.168.1.xxx
- I can use DHCP to give my devices 192.168.55.xxx IPs
- All traffic to the primary router seems to be coming from 192.168.1.xxx
- Computers on the primary router (192.168.1.xxx) cannot see/access my devices behind my secondary router (192.168.55.xxx)

Thanks in advance
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3658
Location: Netherlands

Posted: Sat May 18, 2019 18:27    Post subject:
TheGuyCalledBob wrote:
Really? Ok :) Thnx/dankjewel!

I do have some additional questions though.


And are these assumptions correct when using egc's solution?
- My secondary router gets a WAN IP 192.168.1.xxx
- I can use DHCP to give my devices 192.168.55.xxx IPs
- All traffic to the primary router seems to be coming from 192.168.1.xxx
- Computers on the primary router (192.168.1.xxx) cannot see/access my devices behind my secondary router (192.168.55.xxx)

Thanks in advance


Spot on, so make sure you set a strong WPA2/AES password, because anybody who knows or acquires it can use your IP address and you will be blamed.

The real security risk, in my opinion, is not using this setup. With this setup you have a firewall between yourself and the apartment.

SurprisedItWorks
DD-WRT User


Joined: 04 Aug 2018
Posts: 291
Location: Appalachian mountains, USA

Posted: Sat May 18, 2019 18:43    Post subject:
Looks to me like you are good, but there are some here (e.g. egc) who know way better than I.

I think the big issue is when you have two DHCP servers on two devices both handing out addresses in the same IP space like 192.168.1.X. You've worked around that by having your router work with the space 192.168.55.Y, so you should be good. I've done the same with several setups with absolutely no problems.

_________________
Six of the Linksys WRT1900ACSv2 on r38159 and r40009.
On various: VLANs, client-mode travel router, two DNSCrypt servers (incl Quad9), multiple VAPs, USB/NAS, OpenVPN client/PBR (random NordVPN server).

VLANs on the WRT1900ACSv2 and other two-CPU Linksys/Marvell routers:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=317199

DNSCrypt for Quad9 DNS and/or multiple servers and/or missing DNSCrypt enable button: Sun Jan 06, 2019 post at
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318094

Restarting OpenVPN from the CLI or script or SES button:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1172761
d0ug
DD-WRT Guru


Joined: 31 Jul 2015
Posts: 752

Posted: Sat May 18, 2019 20:30    Post subject:

My guess would be that the concern is someone hooking up their router wrong. If you connected your router's LAN port at factory defaults to the building's LAN port, then your router could start replying to DHCP requests. Users in the building might get DHCP replies from the main router or your router. If they get a reply from your incorrectly connected router then they wouldn't be able to route out of the main building router, essentially being "blocked".

This could be solved if the network is set up properly. Likely it is not, unless your building has contracted/onsite IT staff. Or building management is an IT guru. Though more than likely this is just a bunch of "dumb" switches on each floor that haven't been touched since they were installed years ago.

That is really a bad setup they have in your building. Sounds like a hacker's wet dream. This kind of setup should only be done if you trust every device on the network like a corp network. You basically have a building wide LAN. Management really should have provided a router in each tenant's apartment to isolate.

Kind of reminds me of when cable modems were 1st introduced and SOHO routers didn't exist yet, so people connected modems straight to their PC. It turned the entire neighborhood into a "LAN". Used to be able to browse people's unsecured Windows file shares or mess around with their shared printers.

I personally would not settle for this kind of connectivity in an apartment. You don't have control of your own WAN IP for doing possible needed port forwards. Hopefully they still have a coax in the apartment connected out to your cable company to have the option to get a cable modem.

Though if they are doing this kind of building wide internet, they might be doing the same for cable TV, having a bank of tuners for either cable or sat, and then re-modulating it into the coax running throughout the building basically being their own cable company. This is what is usually done in hotels and why hotels usually have a shitty limited selection of channels. It saves the hotel money by not needing a cable box in each room. They have a bank of cable boxes in a closet somewhere and re-modulate the output of each box into an analog or clear QAM channel that the room TV can directly tune.

Here is an eBay listing for such a setup https://www.ebay.com/itm/48-CHANNELS-DIRECTV-HEADEND-MICRO-MODULATOR-MOTEL-HOTEL-h25-receiver-standard-/130537502888
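
[Added example, not part of any poster's reply] The two-DHCP-server problem described in the two posts above can be spotted from the network side by reading the server identifier (option 54) out of each DHCPOFFER and comparing it with the servers that are supposed to answer. The sketch below parses raw DHCP payloads; the sample offers are constructed, 192.168.1.254 is an assumed address for the building's router, and 192.168.1.1 stands in for a router plugged in LAN-to-LAN at its default address.

```python
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # precedes the DHCP options (RFC 2131)
OPT_MSG_TYPE, OPT_SERVER_ID, DHCPOFFER = 53, 54, 2

def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: value} from the UDP payload of a DHCP message."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = End option
        if payload[i] == 0:                         # 0 = Pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        opts[code] = value
        i += 2 + length
    return opts

def unexpected_dhcp_servers(payloads, trusted):
    """Server identifiers seen in DHCPOFFERs that are not in the trusted set."""
    trusted = {ipaddress.IPv4Address(t) for t in trusted}
    seen = set()
    for p in payloads:
        try:
            opts = parse_dhcp_options(p)
        except ValueError:
            continue                                # skip non-DHCP or damaged data
        server = opts.get(OPT_SERVER_ID, b"")
        if opts.get(OPT_MSG_TYPE) == bytes([DHCPOFFER]) and len(server) == 4:
            seen.add(ipaddress.IPv4Address(server))
    return [str(s) for s in sorted(seen - trusted)]

def make_offer(server: str, offered: str) -> bytes:
    """Constructed DHCPOFFER payload for the demo below (not a real capture)."""
    pack = lambda ip: ipaddress.IPv4Address(ip).packed
    header = bytes([2, 1, 6, 0]) + bytes(12) + pack(offered) + bytes(216)
    return (header + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
            + bytes([OPT_SERVER_ID, 4]) + pack(server) + b"\xff")

# Constructed sample: 192.168.1.254 is an assumed address for the building's router.
SAMPLE = [make_offer("192.168.1.254", "192.168.1.50"),
          make_offer("192.168.1.1", "192.168.1.100"),
          b"not dhcp"]

if __name__ == "__main__":
    print(unexpected_dhcp_servers(SAMPLE, ["192.168.1.254"]))
```

If the misconnected device happens to use the same IP as the legitimate server, option 54 alone cannot tell them apart, and the source MAC address of the frame has to be compared as well.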
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Sun May 19, 2019 2:41    Post subject:

Either the owner has ulterior motives, or he doesn't know what he's talking about.

What the owner is describing is a bridged (LAN to LAN) configuration. That's the one that causes all the problems, and undermines your own security. What you want is a routed (WAN to LAN) configuration so, as egc says, you have your own firewall. As far as the rest of the owner's network is concerned, there's *one* device from you connected to his network and all it does is issue a DHCP request to his DHCP server to get configured. Case closed.

In addition, I'd recommend a VPN between your router and the internet to prevent eavesdropping by the owner or anyone else using his LAN.

_________________
DD-WRT: DNS Leak Detection w/ VPNs (updated 6/5/19)
NEW SCRIPT!: ddwrt-mount-usb-drives.sh
NEW SCRIPT!: ddwrt-blacklist-domains.sh
NEW SCRIPT!: ddwrt-ovpn-remote-access.sh
NEW SCRIPT!: ddwrt-pptp-policy-based-routing.sh
TheGuyCalledBob
DD-WRT Novice


Joined: 17 May 2019
Posts: 3

Posted: Mon May 20, 2019 18:59    Post subject:
Thanks for your replies guys !

I will be testing this week. And yes, I have a VPN subscription that I'll be using.

I'll post back here if it's all up and running (/me crossing fingers :) )
All times are GMT
