Two Networks isolated from each other and the Provider

TechieTroglodyte
DD-WRT Novice


Joined: 04 Jun 2022
Posts: 14

PostPosted: Sat Jun 04, 2022 21:47    Post subject: Two Networks isolated from each other and the Provider
Hi, I'm a DD-WRT newbie and need some advice on my network setup, especially with regard to SECURITY.

I've included two setups, and included diagrams to make the setups very clear.

Both identical tp-link Archer C7 v5. Both running dd-wrt, and I'm keeping them up to date with the most recent firmware. As of Yesterday it is release 49081, the current Beta.

Before anybody says
"But you didn't need to use TWO DD-WRT routers, you could have done all that with Virtual Sub-Nets."
Well - "Yes I know! - I've been reading up about that."
But the trouble is - that with Virtual Sub-Nets, I know I've GOT to get into much more complex setup outside of the GUI. Firewall rules become ESSENTIAL.
It seems to me beyond my DD-WRT "Paygrade"... (until I've learnt a whole lot more)

- - -

The first setup is up and running and seems secure, at least by tests I've done on
www.grc.com
www.whatsmydnsserver.com
routercheck.com
A "Network Check" by Avast Free AntiVirus, on the Laptop, from various points. It was most interesting to see "What it COULDN'T SEE"!
AND loads of "Ping" tests I've done, from every conceivable point, to every other point.

Network A connects to the internet and can Manage the Orange "Box of Death", but NOT Network B.

Network B can likewise connect to the internet and can Manage the Orange "Box of Death". But likewise it cannot connect to Network A.

Network C - actually ON the Orange "Box of Death 6+" - can browse the internet, but cannot SEE either of the other two Networks, nor can it Manage either of those Routers. It lists my "Connected Devices" simply as the two Routers, knowing nothing about them, except the IP address and the name that I've TOLD it to use for them... It didn't even know the "type of device", I had to set that too.
I have the "Orange Net of Death", with NOTHING CONNECTED except for the Phone, and for tests with my Laptop, and for my ancient Kindle Keyboard Wi-Fi, which can't connect to the new WPA3, so I connect on the Orange Box of Death, only activating the Wi-Fi there as and when I'm connecting the Kindle - which isn't often.

But I know for a fact that the two DD-WRT routers with the default settings DROP all pings, so perhaps the "Ping" tests are reassuring in a bad way - I should perhaps NOT be re-assured?

So I have 3 questions about this WORKING setup.

a) With regard to the security, what more tests should I do, other than what I've done - given that I'm a newbie?
Should I de-select the Dropping of Incoming Pings on the two DD-WRTs, and then test again? Would that give me better information? (I think I will try that - and then rapidly SET them back to that default after!)

b) MOST IMPORTANT - Must I setup any special Firewall Rules to keep the ISOLATION - which is after all the whole intention. If so can anybody give me some guidance.
With regard to iptables and Linux, I'm even more of a newbie than with DD-WRT (which I can at least get working...)
I DO have FWBuilder installed, and have been playing with it, but I've not got very far yet... I can't yet design my own Firewall - certainly not anything that I could trust and rely on. This is the primary reason I chose to use two "Hardware Networks" rather than "Virtual Networks" on ONE Router. But HAS using the "Hardware Solution" absolved me from those Security Problems??

c) The Orange "Box of Death 6+" introduces the only security problem that I've encountered so far. A test on www.grc.com showed that port 113 was closed but NOT stealthed. This is the first setup I've run in 20 years (since Window 95!) that has failed a grc port test...
According to what I've read, Port 113 is an outdated authentication protocol, with existing, better alternatives, but is still used in just a few "Messaging" situations.
IT'S ALSO KNOWN TO HAVE BEEN USED BY HACKERS!
I've tried every possible secure setting on the Orange "Box of Death 6+" (truth be told there aren't many!) and simply can't get the "Box of Death" to pass grc.com's test - without also dropping the connection of the VoIP Phone.
I suppose that Orange are using this old protocol for their own rendition of VoIP?
It seems I might have to live with this? At least the ports on my two tp-link-DD-WRT routers have port 113 CLOSED and I presume "Stealthed", but I can't test that directly on grc.com. So am I worrying too much???

- - -

With regard to the "Port 113 Problem", I came up with a further idea to try to eliminate it, as shown in my "alternate" diagram. (It looks like I might have to include this diagram in a "comment".)

The basic idea is to have a further tp-link running DD-WRT connected directly to the ONT (if I can get that to work!) THEN connect Networks A and B and C directly to that.

Being on "Orange" in an area where "Moviestar" are running the Laser Generators, gave me the possibility because I didn't get the combined unit with ONT inside the Router - The ONT MUST be compatible with "Moviestar"...
The Orange "Box of Death" DOESN'T have any visible settings for connection to the ONT, so I'm assuming that if I set the tp-link-DD-WRT router to the same as the Orange was, then it SHOULD connect????
But I might well lose the VoIP Phone connection??
(I got connected to the Orange Cable, not because of any "Offer", but because my ADSL line was COMPLETELY DEAD - Phone and Internet - so I really NEED that VoIP Phone line!)
If I set the tp-link to 192.168.1.1 then I'd have to change the Orange box to 192.168.1.2, but then the ONT might not like that? Phone down again?

So what if I tried putting the tp-link to 192.168.1.2 and KEPT the Orange box at its existing 192.168.1.1 ?
Then the ONT will probably not connect to the tp-link at all, and the whole setup would be INTERNET and PHONE FREE?

If it might work, I'd happily spend the €63 for another identical tp-link to the others. In a recent beta update to DD-WRT, it's even gained WPA3 support! HOORAY!!! (and Thanks to the team!)

And yes, again I KNOW, if I were only a DD-WRT expert, I could perhaps do ALL that with just one tp-link running DD-WRT and multiple Virtual Lans..............

Any advice and help gratefully received.


Last edited by TechieTroglodyte on Sun Jun 05, 2022 9:43; edited 4 times in total
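An isolation check of the kind question (a) asks about, added here as an example and not part of the original post: it runs on one Archer's shell (SSH, or Administration -> Commands) and tries the web UI of the provider router and of the other Archer. The addresses are constructed placeholders (192.168.1.1 for the provider router, 192.168.1.3 and 192.168.20.1 for the other Archer's WAN and LAN addresses) and the `probe`, `check` and `run_checks` functions are this example's own. It uses an HTTP request rather than ping precisely because DD-WRT drops WAN pings by default, so a silent ping proves nothing about whether an admin page is exposed. The router's own traffic does not pass its FORWARD chain, so this exercises the other router's WAN-side filtering, not any rules restricting LAN clients; those have to be checked from a client on the LAN.

```shell
#!/bin/sh
# Added example, not from the thread: isolation check run from the shell of one
# Archer, aimed at the addresses the other devices are expected to have.
# The addresses are constructed placeholders standing in for the poster's diagram:
ISP_GW="${ISP_GW:-192.168.1.1}"        # provider router: should answer (it is managed from here)
OTHER_WAN="${OTHER_WAN:-192.168.1.3}"  # the other Archer's WAN address on the provider segment
OTHER_LAN="${OTHER_LAN:-192.168.20.1}" # the other Archer's LAN address, behind its NAT

# probe HOST -> 0 if HOST serves a web UI on port 80, 1 otherwise.
# HTTP is used instead of ping because DD-WRT drops WAN pings by default, so a
# silent ping says nothing about whether the admin page is exposed.
# -T 2 is the network timeout; -q and -O /dev/null keep busybox and GNU wget quiet.
probe() {
    wget -q -T 2 -O /dev/null "http://$1/" 2>/dev/null
}

# check HOST EXPECT -> prints PASS/FAIL, returns 0 when the observation matches EXPECT
# (EXPECT is the word "reachable" or "unreachable").
check() {
    host=$1; expect=$2
    if probe "$host"; then seen=reachable; else seen=unreachable; fi
    if [ "$seen" = "$expect" ]; then
        echo "PASS $host is $seen"; return 0
    fi
    echo "FAIL $host is $seen, expected $expect"; return 1
}

# run_checks -> runs the whole expectation table, returns the number of failed rows.
run_checks() {
    fails=0
    check "$ISP_GW"    reachable   || fails=$((fails + 1))
    check "$OTHER_WAN" unreachable || fails=$((fails + 1))
    check "$OTHER_LAN" unreachable || fails=$((fails + 1))
    return $fails
}

# Only touch the network when invoked with "run", so sourcing the file is side-effect free.
if [ "${1:-}" = "run" ]; then
    run_checks
fi
```

Run it as `sh isolation_check.sh run` on one Archer, then again on the other with the three variables swapped; any FAIL row means a router answered where the layout says it should not.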
TechieTroglodyte
DD-WRT Novice


Joined: 04 Jun 2022
Posts: 14

PostPosted: Sat Jun 04, 2022 21:51    Post subject: Two Networks isolated from each other and the Provider
Just to add that second diagram I mentioned.
The forum didn't seem to want to add a second attachment.

This setup is entirely hypothetical. I THINK it won't work!

I'm not sure it would even solve the "Port 113" problem.

- - -

Actually I've just noticed, that what I've put in the diagram as Network "C" and "D" are in fact on the same network - 192.168.1.X
So it won't even help in isolating from the Orange Provider's Crap Router!


Last edited by TechieTroglodyte on Sun Jun 05, 2022 9:41; edited 2 times in total
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6411
Location: UK, London, just across the river..

PostPosted: Sun Jun 05, 2022 7:40    Post subject:
Hi and welcome to the forum...
-first read https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=326419
-especially guidelines and stickies
-when help is needed always start with your router model (i can see brand but not model) and current firmware number on it (i can see 49081)..it helps a lot...
-regarding your set up i didn't read all the post...my bad..
-isolated networks could be made by either 2 physical routers,
or VLAN's on switch ports...but router model and firmware matters...
-in general SPI firewall is what SPI firewall does...it closes everything and permits related established connections only...so it's up to you what you do on your router...if you have malware on your PC or any device SPI will not help a lot...so yes closing ports and limiting connections could play a role...

here is an example, what i have as setups here and there..
-router with isolated VLAN'S, so its running isolated internal networks/own subnets with WAN access...on the router physical switch ports...on those VLan's with their own subnets i have untrusted devices isolated from the main important traffic...
-dual router set up (Lan to WAN chained) where router A is main subnet, and router B is running VPN, so whatever goes through router A switch from router B is encrypted...and both routers have their own subnets...

of course you can build your firewall using IPtables and IPset (that's why i said router model matters), but not all router models have IPset...as well some lower class routers have stripped iptables...
-from what i can see from the picture both routers are going into the crap router switch ports and there is where those will communicate on switch level, so they can talk to each other on layer 2, unless you use a VPN on any of the routers...
- I'll try to read all your post later Rolling Eyes Embarassed

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
TechieTroglodyte
DD-WRT Novice


Joined: 04 Jun 2022
Posts: 14

PostPosted: Sun Jun 05, 2022 8:03    Post subject: Two Networks isolated from each other and the Provider
Hi Alozaros.

My bad for not including model details.

Both identical tp-link Archer C7 v5. Both running dd-wrt, and I'm keeping them up to date with the most recent firmware. As of Yesterday it is release 49081.

I'm not a computer newbie, in fact my hardware is old..old..old. I've run Win 95, 98, Millennium, 7 and 10, but never Linux.

My two machines are not updatable to Win 11 due to lack of certain chips... In fact the Laptop couldn't even be updated to Win 10 and is still on win 7!
So I have to make my own extra security provisions! I'm quite used to running machines MUCH more secure than Microsoft's defaults, so I hope that won't be a problem - till I can afford to update... (That Laptop - Apart from updates - I simply don't connect to the internet!)

I'm a "Security Guy" (to quote "Pretty Woman") and just want advice on Maximum Security for my older Hardware/OS. I hope someone can help - if I need to add Firewall Rules (since I can't do that).

TechieTroglodyte

and P.S.

Yes I've searched for help here, but most posts are to do with Connectivity, whereas I've "Got That" - so I'm interested most in Dis-Connectivity, ie security!

I've also done a lot of research on youtube, and got some help there with the initial setup.

My bad again - my images, while within what the Forum Software said, are larger than that specified by Sash, which I've only just seen. Should I change them?

I think that if I can be sure that this is secure, then it's the kind of setup that an awful lot of people should be using.
So far it's relatively "Newbie Friendly" and GUI only. If it can stay that way, then "What's the cost of an extra tp-link Archer C7 v5? - only €63!"
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6411
Location: UK, London, just across the river..

PostPosted: Sun Jun 05, 2022 10:14    Post subject:
your main problem is, you are using an ISP provided router...where it lacks updates, and probably has security issues, as those always do...
-if you poke around, you can find a way how to completely remove and replace it with a DDWRT router...
as DDWRT can run pretty much everything that ISP provided router do...the only thing is, ISP router could be better in WAN performance than those DDWRT units you have, as those have a single core CPU and are not for heavy use...(VPN, QoS, Firewall and etc.)... a better router second hand like dual core Netgear R7800 will do......
R7800 has all the DDWRT extras and binaries, as well performance that you may need...to fully replace your ISP router(kinds of)
-as far as running an old OS which lacks support and security fixes...yep it's an open field...but there where isolated VLAN or VPN will apply in order to isolate it from the other traffic...

Your biggest security issue would be the ISP router where those other 2 networks meet at the switch level...if your ISP router is VLAN capable and you can make different vlans with their own subnets on each port then you are a touch better...
if its not VLAN capable, you can create vlans on your Archers and use VPN on those, so information passed to the main ISP router will be encrypted and channelled via VPN tunnel
Here is the DDWRT thread that i used to learn how to do a VLAN segmentation on DDWRT Atheros based routers via start up commands or (CLI)
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1119771
and it's not for beginners, but if you read it all and understand the matter it gets easy...
-the term "Internet Secure" usually requires lots of good internet hygiene, enterprise hardware and deep understanding..so there is not such an animal...
Cool

What i use in my networks is in my signature...i've VPN, encrypted DNS, and Vlan's for untrusted networks...
i do have some extra Firewall rules and IPset https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327261

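As an added example of the "build your firewall with iptables" approach (example code written here, not the poster's and not the DD-WRT project's): a firewall script for one Archer that narrows what its LAN clients may reach on the provider segment where the two Archers meet at switch level. DD-WRT's SPI firewall already drops unsolicited inbound connections on the WAN side; what this adds is the outbound half, so that a client on network A can still open the provider router's admin page but cannot reach the other Archer's WAN address, the phone or anything else plugged into that switch. `br0`, `eth0`, `192.168.1.0/24` and `192.168.1.1` are assumptions standing in for the real diagram, and `build_rules` and `apply_rules` are this example's own names.

```shell
#!/bin/sh
# Added example, not from the thread: DD-WRT firewall script (Administration ->
# Commands -> "Save Firewall") for one Archer C7 in the chained two-router layout.
# Interface names and subnets are assumptions; adjust them to the real diagram.
LAN_IF="${LAN_IF:-br0}"                # DD-WRT LAN bridge
WAN_IF="${WAN_IF:-eth0}"               # WAN port; confirm with: nvram get wan_ifname
ISP_NET="${ISP_NET:-192.168.1.0/24}"   # provider router's LAN, shared by both Archers' WAN ports
ISP_GW="${ISP_GW:-192.168.1.1}"        # the provider router itself, still manageable from the LAN

# build_rules -> prints the iptables commands in the order they must run.
# Both use -I (insert at the top of FORWARD), so the DROP is inserted first and the
# ACCEPT inserted afterwards ends up above it:
#   ACCEPT  LAN -> provider router (its admin page)
#   DROP    LAN -> anything else on the provider segment (the other Archer's WAN
#           address, the VoIP phone, any other device on that switch)
# Internet-bound traffic has a destination outside ISP_NET and never matches the DROP.
build_rules() {
    echo "iptables -I FORWARD -i $LAN_IF -o $WAN_IF -d $ISP_NET -j DROP"
    echo "iptables -I FORWARD -i $LAN_IF -o $WAN_IF -d $ISP_GW -j ACCEPT"
}

# apply_rules -> runs the commands. DD-WRT re-runs the firewall script on WAN events,
# so each rule is deleted first (harmless if absent) to keep copies from accumulating.
apply_rules() {
    build_rules | while read -r cmd; do
        del=$(printf '%s' "$cmd" | sed 's/ -I / -D /')
        $del 2>/dev/null
        $cmd
    done
}

case "${1:-print}" in
    apply) apply_rules ;;
    *)     build_rules ;;   # default: just print the rules for review
esac
```

Run it with no argument to print the two rules and review them first; `sh fw.sh apply` from SSH, or pasting the body into Administration -> Commands and choosing Save Firewall, installs them. The ACCEPT by the provider router's IP is what keeps the "manage the Orange box from A and B" requirement working.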
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Sun Jun 05, 2022 11:00    Post subject:
RE: Port 113 is ident. On the Security tab, I can't remember if that is filtered by default.

As for the rest, who knows, without setup screenshots from all machines including shitty ISP router to determine if the routing is properly setup and the routers are in correct mode, amongst other things.

And forget Windows 11, it's another Vista type shit release. It's always been like that with MS since day one. One good OS release, one shit, alternating through the years without fail.

_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)
TechieTroglodyte
DD-WRT Novice


Joined: 04 Jun 2022
Posts: 14

PostPosted: Sun Jun 05, 2022 11:10    Post subject: Two Networks isolated from each other and the Provider
Yes, what you say is true, but like many new subscribers to a Cable Service these days, they find ways of keeping you tied to their shoddy hardware.

Unlike my old ADSL service where they had given me the necessary details to log into their service, so I could simply throw away THEIRS and replace it with my old Netgear D6400, which also has the ADSL. That was fine - except for Netgear...

Netgear were told about Zero Day Threats on a whole bunch of their routers - mine included. They have 6 months after notification to "fix it" and then the notifying authority publishes the flaw. Netgear took 9 whole months. Leaving us users swinging by the short and curlies for three months! I contacted Netgear and told them I would never buy another of their Routers. I'd prefer to stick with that...

(Though if I had a Netgear running dd-wrt I wouldn't need any updates from Netgear!)

With the new Cable installations, they are REFUSING to give the necessary connection details. So even if I get one of the VERY FEW Routers that have Phone connections via VoIP integrated, I may not be able to connect it...

I've seen on a YouTube video that the only Router currently that has this is a Fritzbox. But now THAT probably won't be supported by dd-wrt? It would almost certainly be better than the Orange "Box of Death 6+"!!

I've also seen videos on YouTube that show how you can "Hack" the necessary connection details, by connecting directly to contacts INSIDE the Providers Router. Now that's way beyond me... I'm gonna regularly search the web to see if someone else has done that and is sharing!!!!
If they do I'll post it here too!

So it seems that to keep my Phone I may have to keep that "Free and Valueless" Router they provide...
TechieTroglodyte
DD-WRT Novice


Joined: 04 Jun 2022
Posts: 14

PostPosted: Sun Jun 05, 2022 11:38    Post subject:
the-joker wrote:
As for the rest, who knows, without setup screenshots from all machines including shitty ISP router to determine if the routing is properly setup and the routers are in correct mode, amongst other things.


The Orange "Livebox 6+" has very very little setup options.
NO control of Wan Port. If there is any, it's hidden.
No Bridging/Router/Static Modes.
No Routing setup at all.
It's "Advanced" Page, is everybody else's Basic Setup page...

My two tp-link Archer C7 v5 s are both:-
in "Static IP" mode on the Wan Port. Setup to be in the Orange Box's Network. Working Configuration.
GUI only setup.
No added Virtual Networks, on either Ethernet or Wi-Fi.
No added Routing.
No Added Firewall Rules.
Both with their own fully working DHCP server.
Both very "Newbie Friendly" because apart from the couple of changed IP addresses, there are NO CHANGES from the Firmwares default settings for the Ethernet side of things.
Yes "Filter IDENT" - Port 113 is indeed the Default.
Wi-Fi is of course set up with WPA3 and is fully working.
Just a couple of Security minded "tweaks".
I Disabled all remote management!!!

Please remember that my first "setup" is fully working, and I'm only requesting help if you think I need extra security, with added Firewall Rules.
Also suggestions on extra tests I could use to check out the security.

Regards the Troglodyte
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6411
Location: UK, London, just across the river..

PostPosted: Sun Jun 05, 2022 17:53    Post subject:
Lots of youtube videos on iptables use subject...not bad to have a look and educate first..
I've no idea if your router supports IPset which is the better and faster way to restrict stuff/traffic, lots of youtube videos...too

Using the ISP router upfront even not in bridge mode...not much to do...only VPN use on the chained routers below will do better, but expect very low performance as those have single core CPU, (with my 1043v2 which has similar CPU i have 10MBit over VPN)...you could use Wireguard, as alternative to OpenVPN as its a bit faster..but both come with their caveats, as many websites filter or do not allow VPN use while browsing...
Not much point to add extra iptables rules, unless you know what you are doing...with SPI firewall you must have a good internet hygiene, to not open the door from inside..
Then if you want to get a step further...you can run PFsense or OpenSense on a PC as a dedicated firewall...

Once again, "security paranoia" is a funny thing, especially if you don't know the subject...

Also using WPA3, you must have clients fully compatible with it, otherwise it can cause either troubles or just fall back to WPA2

DDWRT OS (firmware) is an ultimate router platform that allows you lots of flexibility on set up, lots of extra settings and etc... its good to start with wiki, despite the fact some articles there are a bit outdated..

Best way to improve your settings is to read and educate, or just post pics of your settings (hide the sensitive data) and consolidate with others...

TechieTroglodyte
DD-WRT Novice


Joined: 04 Jun 2022
Posts: 14

PostPosted: Sun Jun 05, 2022 18:39    Post subject:
Alozaros wrote:
I've no idea if your router supports IPset which is the better and faster way to restrict stuff/traffic


Yes, while I'm sure the Archer C7 supports iptables, I just don't know about IPset. How can I find that out?

Alozaros wrote:
expect very low performance as those have single core CPU


I'm fine with the Archer C7. I'm not using VPN and only the SPI Firewall, so I suppose it hasn't got much to do. What I care about at the moment is that the internet is 1,100% faster now!
And I don't use Wi-Fi enough to care about not having Wi-Fi 6! I'm not just Troglodyte by name, but I actually live in a cave, with some of my walls being nearly 2 meters of very solid clay. Wi-Fi is only really "in a single room". Outside that it's very patchy.
And again that's another reason why two nice cheap routers is good for me. It gives me full Gigabyte speed in the next room, so the FireTV stick does NO complaining now! Very Happy

Alozaros wrote:
Then if you want to get a step further...you can run PFsense or OpenSense on a PC as a dedicated firewall...


Yes I've seen about PFsense before. But another sharp learning curve... I think I'll leave that for another time.

Thanks Alozaros, I get the feeling that my system is not lacking anything crucial in the security stakes. Smile

My levels of security Paranoia are actually LOWER now than they used to be. When I was running windows 98 and Millennium, I ran the most "hacked" windows believable to enhance Windows lamentable Security - "We at Microsoft don't even understand the word!"

Regards the Troglodyte Cool
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12839
Location: Netherlands

PostPosted: Sun Jun 05, 2022 18:54    Post subject:
If you do not have remote administration enabled and have used the default settings you should be good.
_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
TechieTroglodyte
DD-WRT Novice


Joined: 04 Jun 2022
Posts: 14

PostPosted: Fri Jun 10, 2022 21:19    Post subject: Two Networks isolated from each other and the Provider
OK I'll admit to any "old-timer" here that my setup (of Two Networks, Independent both from each other and from the Provider Network) uses NONE of the advanced capability of dd-wrt!

But nevertheless it has some distinct advantages which you "Very Advanced", "Old-Timers" with dd-wrt, shouldn't overlook.

THE ADVANTAGES - of this Hardware application, with multiple routers, rather than using Virtual Lans within one machine.

1) It does things that many MILLIONS of people should be doing with their networks - making for areas that DON'T COMMUNICATE - Thereby increasing security!
It seems that the large bulk of the Forum and the various Wiki's are to do with getting connectivity WORKING, and not considering security, even half enough for my liking!
I've read on the Forum a comment by a moderator, that said that few of the Moderators are expert in iptables.....

2) Despite spending nearly six months reading up on the dd-wrt site and Forum and watching many dd-wrt themed videos on youtube.com, I wasn't able to find either a Wiki, a Video or a Forum thread that helped me find EXACTLY what I needed for my plan to create Two secure networks independent of each other and the Provider. And certainly nothing that was within my reach as a novice...

3) In lieu of that, I used this "hardware solution" from a dd-wrt user, Richard Lloyd, on youtube. and it was EASY for a novice like me! His video showed adding just one, secondary, but independent network, with one extra router running dd-wrt. I've just "doubled up".

4) It requires no coding of firewalls, no inserting of iptable rules in the command interface.
This was important to me because I was reluctant to simply insert Firewall code that I didn't fully understand, and came from situations that were in any case not IDENTICAL to mine - concerned more with connecting things that I DIDN'T want to connect. I'm learning the iptables and have installed FWBuilder, but can't trust even myself till I know what I'm doing! And this is crucial stuff!

5) It has ALL the connectivity that I want and, so far, seems to have NONE of the connectivity that I don't want! (i.e. Security Loopholes) None of you egg-sperts has so far found fault with its security......

6) Yes - It's very certain that it's NOT using dd-wrt to the max, but while I'm still learning iptables, it does offer me sufficient security in my network.

7) Specifically it provides me with disconnection from the software of the Router Manufacturer.
I don't trust these manufacturers! My last Router was a Netgear and they seemed as if they didn't care... Over a year ago, they were informed of a very serious flaw in a whole list of their Routers. The rule is that after they are informed they have six months to "Get it sorted" and then the notice of the bug is released publicly. Netgear took 9 months before providing a "remedy". Their failure of due care for their users, makes me feel that they could not be trusted at all! They seem to only show interest in providing ever more "advanced features"..........................
I don't want to run any manufacturers "Stellar Router Controlling App". I DON'T WANT THEM CONTROLLING MY ROUTER! People need to grow up and learn how to control their own routers! (and why that's important)
Specifically I don't want to have to run a bloatware (and possibly spyware) APP, just to get "Automatic Updates"! (and yes I run "NV CleanStall" for my Video Card updates too - same issue).

8) Most of all it provides a level of disconnection from the Router of the Cable Provider. This has software which is all about PREVENTING the user from having any serious control.
Like locking the DNS servers to THEIR choice.
Hey - my setup gives me "My Choice" of DNS Server, since I'm running a separate DHCP server on each network! Eat your heart out Orange!!! Freedom! Cool

9) And dd-wrt, while not "fully" Open Source software (I've read that it uses just a few libraries that aren't Open Source), it sure is more accessible than the Manufacturers promise of "Trust Us - (You Fools!)". I'm convinced that most actually install BACKDOORS into their Routers...

10) It gives me an upgrade path to much greater knowledge about my own network and networking in general. I'm learning about iptables, and while this is proving an uphill struggle at the moment, the long term benefit should be large. Rolling Eyes

11) Testing this setup was another large learning experience. I've used various tests, both in the past and now, but I'd not used "ping" much before. But now with so many different things to ping, I pinged every which way!
I've even setup an excel file using the "Concatenate" Function to give me any series of 256 IPs that I want to test. Now I don't have to type them into the Command line, I can just copy, and paste "ping 192.168.x.y" when the previous ping's done its stuff. Using this I've already found one secret virtual network on the Livebox 6+ (or is it the "Network" of the ONT and upwards??) I can't log onto that YET, but I'm trying... and learning!
It ain't malicious "hacking" if you're just trying to get the "connection parameters", that they should have given you when they installed the service - so that you can fully replace their piece of sh-sh-sh-sugar. Rolling Eyes

12) It shows the dd-wrt "experienced people" here what Mega-Millions of ordinary people REALLY need (even if they don't know it yet).

With all these twelve concrete advantages I think that my dd-wrt "Hardware Setup" has merit and deserves to be used by other dd-wrt novices too!

Advantage 13) A hardware "On-Off Switch" on both my networks. I don't have to install an app or select a Google setting that I don't trust, to disconnect the internet. I can just turn one OFF while I'm still USING the other! Ideal! Very Happy

Regards - the Troglodyte Twisted Evil


Last edited by TechieTroglodyte on Fri Jun 10, 2022 21:34; edited 1 time in total
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Fri Jun 10, 2022 21:26    Post subject:
Still no setup screenshots and walls of text to read.... So thank you for helping us help you, not.

A picture is worth a thousand words, end of.

TechieTroglodyte
DD-WRT Novice


Joined: 04 Jun 2022
Posts: 14

PostPosted: Fri Jun 10, 2022 21:54    Post subject:
the-joker wrote:
Still no setup screenshots


You really don't need those since the ONLY major setup changes to the default "reset" configuration are the IPs that actually ARE in the diagrams that I've included. Perhaps you didn't see? Static IPs, but the actual ones would need "blotting out".

I've specifically stated that I've made no additions of iptable rules to the Firewall, and no Virtual Networks or Routing.

I did clearly state that I changed one significant setting which was to disable Remote Management. I set it to a local address, which of course I would HAVE to blot out.

My Wi-Fi Settings all work fine, with WPA3, and are in any case "secret" so I'd just have to blot it all out anyway!

The only other CONCEIVABLE information that might be in a dd-wrt screen shot (as opposed to my diagrams) might be the Gateway configuration and DNS settings - but I'm a security guy - I'd be blotting them out too!!

The information that you need is ALREADY THERE. If it isn't there it's something that I would be "blotting out"!!
I've been quite comprehensive, hence "Walls of Text".
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Sat Jun 11, 2022 9:13    Post subject:
In order for anyone to help you, you need to help them help you in a simple manner and that is screenshots, logs from all related devices.

One wrong setting one wrong check box/selection can have some impact, and it doesn't matter if you blot out mac addresses or any sensitive information, I wouldn't want it any other way.

Consider that not everyone here is a native English speaker, so things can get lost in translation or misunderstood as a course of the experience, while screenshots, logs and other needed information show what may be happening even if sensitive info is blotted out as you put it.

We have forum rules/guidelines that clearly state when we ask for something it is to make our jobs easier, since we are all unpaid volunteers. It's all about helping us to help you better.

So with that, good luck to you.
